Ransomware attacks. Catfish incidents. Fraudulent credit card charges. One quick search on “data breach” returns a long, long list of results; its prevalence is hard to dismiss. Information is Beautiful, a website with interactive visualizations, helps us put it in perspective: every year, millions of accounts are compromised.
Naturally, these incidents got media coverage. For example, the Marriott hack was reported by multiple agencies including the New York Times, The Washington Post, Bloomberg, and Vox. The scale and frequency of these hacks made me wonder how they influence our behavior. How much does the general public pay attention to these issues? To what extent do people proactively seek out the opportunity to learn more about cybersecurity?
To find out more, I decided to look up research projects that assess Americans’ habits and attitudes on this topic. Enter Pew Research Center: they conducted a survey in 2016 that did exactly this. The survey included questions on trust, data theft, general knowledge, and more. Some highlights of the results are:
- 64% reported that they have experienced a major data breach, such as fraudulent credit card charges and personal accounts being taken over.
- About 50% lacked trust in the federal government and/or social media sites to protect their data (anecdotally, I’d like to offer that I fall into this category. In fact, hello, Instagram… there are some popular yet creepy — disturbingly creepy — accounts that repost photos which aren’t rightfully theirs. I’ve reported a few, only to receive a generic “it does not violate our community standards” response).
- 49% reported having written down their passwords on a piece of paper as a way of keeping track of them. This, write Adams and Sasse in Users Are Not the Enemy, is a bad practice that compromises security.
- 28% of smartphone owners did not set up a lock screen on their devices. That is surprisingly high!
- There seems to be a knowledge gap in how to securely browse the internet. For example, 49% were unsure of whether their internet service providers could monitor their online activity when they are browsing in a private mode (such as Incognito in Chrome). 70% were unsure of the benefits of a VPN.
These results are certainly interesting, and they made me wonder how Georgia Tech students compare to the sampled population. Are we, as people working in tech, more cautious about cybersecurity issues? Are we more knowledgeable about how the internet works through the lens of privacy and security? Do we practice more secure behaviors, and are we less vulnerable to these types of attacks?
To do this, I picked a few of the questions from Pew Research Center’s report, used these questions to set up a survey on Qualtrics, and distributed it to my fellow students. Because this wasn’t very rigorously done and did not gather a large enough sample (N=14), I can only speak to the trend and nothing about its statistical significance.
Question 1: don’t hack me! Experience with data theft
The first question I asked was about their experience with data theft. I had picked this question because I wondered if our technical fluency had any influence on our likelihood of getting attacked. Interestingly, close to half of the students surveyed have had their social media accounts taken over. Why is this? Are there certain platforms which are more vulnerable than the others? Does it have anything to do with the number of accounts we have? Are public accounts more likely to be taken over than private ones?
Question 2: did data protection glow up?
The second question I picked assesses participants’ attitudes towards data security. The difference between Pew Research’s population and GT students isn’t super substantial. Nonetheless, the numbers are worrying. A significant portion of participants responded that they think their data is less secure than five years ago. As we move towards a more connected, computing world, how might companies protect the people using these systems and devices?
Question 3: hey, I’ve got trust issues — confidence in various organizations to protect user data
I was excited to see the results for this one, because I wanted to see how/if my peers are as pessimistic as I am. Turns out, yes. A whopping 93% did not see social media companies as their able data protector. Interestingly, GT students seem to be more skeptical than the people that Pew Research had surveyed: their confidence levels are lower for all but credit card companies.
Question 4: open sesame… how do you keep track of your passwords? Which method do you use most often?
Not surprisingly, most people do memorize passwords in their heads (86%). For at least half of the participants, that’s their go-to method. I’d be curious to see what kind of passwords they choose to use — do they opt for meaningful passwords that they can remember easily, or do they brute-force memorize strings of random, alphanumeric symbols?
Question 5: do people practice common standards? Using different passwords, sharing logins, and activating two-factor authentication
I picked these “complete the statement” questions because they involve practices that people in cybersecurity might deem as common sense, such as using different passwords and activating two-factor authentication. Looking at the chart below, it might be tempting to conclude that people neglect cyber hygiene; however, I think it’s necessary to dig deeper. For example, maybe passwords need to be shared in order to access subscription services like Netflix. In this instance, it’s not really fair to blame the people if sharing this sensitive information is the only way to use the same account. Alternatively, perhaps we can think about how we might design creative, usable solutions to support shared accounts while allowing each individual to customize their own login.
Question 6: jeopardy time. What do people know? Do people know things? Let’s find out
(By the way, that’s a BoJack Horseman reference.)
The researchers at Pew suggest that “many Americans are unsure on a range of cybersecurity topics.” How do GT students compare to the population? Overall, a higher percentage of GT students scored correctly and fewer were uncertain about their answers.
Based on the results of the survey, I think the idea that “it won’t be me” when it comes to data theft is rather outdated. Many people have had their information compromised. How might we raise awareness so that the Flat-Earthers of cybersecurity will understand the importance of cyber hygiene?
Second, the overwhelming distrust in communication and social media companies presents an interesting design challenge. As Prof. Das mentioned in class, when we interact in the physical world, we can evaluate the states around us to assess our privacy: rooms, doors, distance to other people… how might we design the equivalent in the digital world? How might we tackle the false dichotomy between usability and security?
Third, the rather high percentages of “unsure” responses regarding cybersecurity topics are worth mentioning. I don’t think it’s fair to blame the public for not proactively learning about these things—privacy and security are sometimes so under-the-hood. For example, when we browse the internet, it’s not immediately obvious how third-party apps are tracking our activity. Without an informative interface, it’s hard for an average user to find out more about a system in terms of how private and secure it is, let alone configure or customize the settings to serve their needs. Might we integrate these topics into our educational curriculum? Might cybersecurity 101 be as prevalent as, say, learning how to use Microsoft Word in a K-12 computer science class, such that it’s a fundamental instead of an elective? It would be interesting to think about ways to address the knowledge gap.