Large language models (LLMs) exhibit reliability concerns when deployed for end-user security Q&A, yet systematic empirical evaluations of their domain-specific performance remain scarce. Method: This study conducts a large-scale, human-annotated evaluation of GPT, LLaMA, and Gemini on 900 real-world security questions, employing a multidimensional qualitative assessment framework. Contribution/Results: We identify three pervasive failure modes—outdated/inaccurate information, off-topic responses, and evasive answers—revealing systemic limitations in timeliness, factual accuracy, and communicative effectiveness within security contexts. Our analysis constitutes the first empirical benchmark for LLMs in high-stakes cybersecurity applications, yielding actionable insights for model refinement (e.g., knowledge updating, safety-aware fine-tuning) and human-AI interaction design (e.g., response calibration, uncertainty signaling). The findings provide both a foundational evaluation standard and concrete, implementable pathways to enhance LLM trustworthiness in security-critical domains.

Answering end user security questions is challenging. While large language models (LLMs) like GPT, LLAMA, and Gemini are far from error-free, they have shown promise in answering a variety of questions outside of security. We studied LLM performance in the area of end user security by qualitatively evaluating 3 popular LLMs on 900 systematically collected end user security questions. While LLMs demonstrate broad generalist ``knowledge'' of end user security information, there are patterns of errors and limitations across LLMs consisting of stale and inaccurate answers, and indirect or unresponsive communication styles, all of which impacts the quality of information received. Based on these patterns, we suggest directions for model improvement and recommend user strategies for interacting with LLMs when seeking assistance with security.