Exploring internet users' perceptions and behaviors around digital security

After a major data breach, someone asked whether "my data had been compromised in the breach, and if I had changed my [website] password yet", borrowing terminology from popular news and associating the threat with a single account. This raised questions about how people perceive personal data, cybersecurity, and risky behavior on the web.

NOTE: Classroom based research for course: Inquiry and research methods at DePaul University, conducted by a group of 4 students. My role: Literature review and research questions, research protocols, data collection, qualitative and statistical analyses of data for insights

 defining the problem space 

Despite expressing concern about cybersecurity and personal data, people tend to neglect basic safety practices

Users' presence on the web is constantly increasing through many devices and sensors, and the risk of personal data theft is pervasive. Though a vast array of security products and information sources are available, people don't often employ safe measures.

65%: Americans have an online account associated with their personal information, and nearly 2/3rds of those reported having experienced data theft or fraud [source]

130: the average number of accounts associated with a single email in the US [source], but people tend to reuse their passwords, don't use two-factor authentication, and share data over unsecured networks [source]

 prior knowledge and research hypotheses 

We are beyond the antivirus era of device security, but do people view security through the same lens?

Exponential growth in consumer technology has left potential gaps in the adoption of cybersecurity measures. We surveyed the literature to understand what kinds of gaps there may be.

1. perception of cyber risk

2. behavior around data

What is the risk?

Research has established that cybersecurity terminology doesn't resonate with people, and few engage with the privacy legalese of "notice and choice" [source] models.

The convenience/security trade-off

A study of novice and expert users employing security measures revealed that novice users perceived less benefit in following security measures, and valued convenience more than expert users did [source].

What puts my information at risk?

A study of the effectiveness of cybersecurity campaigns suggests that informative campaigns are ineffective because of a disconnect between perceiving risk and applying security advice to reduce that risk [source].

What can I really control?

In their study of cybersecurity attitudes, Pew reported: "Many Americans do not trust modern institutions to protect their personal data – even as they frequently neglect cybersecurity best practices in their own personal lives" [source].

CAPTION: How people use the web has changed vastly over time. Does that parallel a similar understanding of cyber risk and safe behavior?

 research plan & methodology 

Our team used triangulated user research methodologies to understand people's perceptions of cyber risk and secure behavior.

Task-based observations

We observed 4 participants' perceptions around data sharing when creating new Gmail accounts (passwords, privacy notices, and giving access to data) in the presence of Gmail's security suggestions on the account creation pages.

Structured interviews

We conducted 8 interviews, asking about:

- use of browser security features

- account-related activity

- payment-related activity

- using the internet on different devices

Survey tool - quantitative data

We received 38 responses on our survey, designed using Qualtrics. We asked a mix of open-ended, single-choice, multiple-choice and matrix-choice questions.

Online survey hosted on Qualtrics

Survey screenshot 1 - Q1 asks users to define security risks. Q2: what they think is at risk. Q3: what makes them safe. Q4: how they receive information about cybersecurity. Q5: rate how much they know.

Survey screenshot 2 - Q6 asks users what websites they shop/visit and trust. Q7: rate phrases such as “brand name websites”, “well designed websites”, “redirected” on a scale of 1 (unsecured) to 5 (secure), or not sure. Q8: how the user creates a new password, and what safety practices they follow. Q9: rate concerns regarding autofill from 1 (not at all concerned) to 5 (extremely concerned), or don’t use.

Survey screenshot 4 - Q12 and Q13 ask users about the last time they adjusted browser security settings, and to rate this activity from easy to difficult, 1-5. Q14 asks users to choose how they use autofill from 4 options, such as use browser default for what’s saved / change settings. Q15 asks users to select how frequently they perform updates on their mobile device, automatic or skip. Q16 asks the same for their computer.


 findings | User perceptions 

We found that risk perception did not correlate with safe cyber practices. Moreover, those who perceived higher risk were equally likely to neglect basic safety practices.

No significant associations between risk perception and safety measures: [$\chi^2(2, N = 38) = 1.088$, $p > .05$ (.3)], and those who perceived high risk were equally likely to practice or not practice safety measures [$\chi^2(2, N = 25) = 1$, $p > 0.05$ (.3)].

To classify participants as perceiving "High risk" (27) or "Low risk" (11), we assigned scores on 4 responses describing threat perceived from unsafe websites, autofill, certain browsing activities such as https:// and using adblockers. 

To classify participants as practicing "Safe" or "Unsafe" cybersecurity measures, we assigned scores based on 5 responses describing measures used. 

In open-ended questions, the majority of participants perceived risk from "Data breach", and reported getting their cybersecurity information from web articles.

50% of people perceived risk from Phishing, Hacking and Identity theft

50% of people perceived risk from breaches of popular website databases

Over 50% of people obtained cybersecurity information from popular web articles

Risk was associated with the idea of unsecure and secure websites, and limited to passwords. People seemed ambiguous about data-related activity such as cookies, autofill, and sharing information.

Perceived as highly unsecure

Perceived as highly secure

  • Sharing passwords 

  • Using public networks

  • Websites without contact information 

  • Website redirects 

  • Allowing cookies 

  • Using autofill

  • Sharing data online

  • URL begins with https://

  • Brand name websites 

  • Websites with privacy policy 

  • Well designed websites 

Not a single person mentioned browser features as significant safety measures when asked earlier. Yet they reported relying on their browser for various security purposes when presented with the survey choices.

Mean scores assigned by 38 survey respondents

Additionally, over 50% of participants reported using preset autofill settings on their browser, perceived mild risk from autofill, and avoided following updates immediately.

 gaps in understanding of risk = gaps in secure behavior 

Risk: perceived from

  • "Data breach", "Hacking", "Phishing"

  • Unsecure websites: non-brand, look and feel, http://, without contact info, without "privacy notice"

  • Unsafe passwords

  • Unsafe public networks

  • Sensitive payment information

Behaviors: current practices

  • Avoid "unsafe" websites, use a safe password, visit only trusted websites

  • Visit "safe" websites that look and feel safe, are trusted brand names, and have a privacy notice

  • 8 characters, alphanumeric

  • Mostly connect to secure networks

  • Do not save card information on browser, use Apple Pay

Security gaps

  • Securing account information and personal details such as username, email, and name associated with multiple accounts

  • Reading privacy notices and understanding data sharing via cookies to share account information, using autofill on websites, not taking measures on secure websites

  • Same passwords across accounts rendering many accounts unsecure, not using password managers

  • Sometimes using free networks, not using security tools across devices

Knowledge gaps

  • More information about "data": what data is stored by websites, what data is shared and at risk

  • A toolkit of updated security tools such as password managers and browser extensions for data sharing

  • Browser settings such as "autofill" that allow customizing the saving of account-related information such as emails, usernames, and form details

  • Security patches in updates, so that users do not avoid updating their devices

  • Adoption of these safety measures for sharing personal information across multiple devices

Qualitative infographic based on findings of user perceptions of security. On the left, the web is divided into two amoeba-like areas: 1. secure websites and 2. insecure websites. Callouts on secure websites say “brand names”, “look and feel”, “https”, “browser blocks insecure”. Callouts on unsecure websites say “too many popups”, “looks unsafe”. On the right, practical considerations of browsing depict how information is at risk, picturing a user's internet presence. A laptop shows a G account site open; the callout says “created a strong password, and using two factors authentication, my data is safe!”. A phone shows an update notification on the lock screen; the callout says “maybe later”. One open browser window shows an xyz website that allowed the user to create an account in 1 click using G account credentials; the callout says “so easy to create new account, i trust this website”. A callout on the privacy notice link describes the user thinking that it warns them of data collection, and that they have no choice.

CAPTION: users' mental models of web safety - Safe and unsafe areas of the web, and visiting trusted websites as secure behavior