When it comes to the internet, “evil is everywhere under the sun”, as the popular quote goes. By adopting safe practices, however, we can make it more difficult for cybercriminals to steal our data or cause damage in other ways. But what constitutes safe practices? What do you have to do to protect yourself from data theft and similar crimes? “There’s a lot of confusion about this, among people from all over the world,” is what Franziska Herbert has learned. The psychology graduate is currently completing her dissertation in the Cluster of Excellence CASA. In collaboration with Professor Markus Dürmuth, Professor Angela Sasse and other researchers, she has conducted a comprehensive survey that assesses the human factor in IT security.
More than 12,000 individuals in twelve countries took part in the online survey, which focused on what people understand safe behaviour in cyberspace to be, how they approach it and what misconceptions they may have. Participants came from China, Germany, the UK, India, Israel, Italy, Mexico, Poland, Saudi Arabia, Sweden, the USA and South Africa. They represent 42 per cent of the world’s population. The questions revolved, for example, around end-to-end encryption, WiFi surfing, the https standard, virtual private networks (VPN), and passwords.
Some risks are understood by people all over the world
“It emerged that some risks are equally well understood by all participants around the world,” points out Franziska Herbert, who designed the survey together with the team. One of these is the phenomenon of shoulder surfing, where unauthorised persons obtain personal data simply by looking over a user’s shoulder.
Certain misconceptions, however, are apparently also widespread around the world. “For example, in all the countries we covered in the survey, 80 per cent of the participants believe that it is necessary to change passwords periodically to keep them secure,” says Franziska Herbert. IT security experts used to recommend this for a long time, until it turned out that the practice doesn’t do any good at all. “All that happens is that passwords become more and more insecure as a result, because otherwise users won’t be able to remember them. It’s much better to choose really strong passwords that are not easy to crack – a password manager is very helpful for this purpose,” explains Franziska Herbert. “Once you have a secure password, you can stick to it, as long as it doesn’t fall into the wrong hands.”
Participants in all countries also agreed with the statement that their computers could be infected by malware when they click on a link. “This only happens in a few exceptional cases,” say the researchers. “Most of the time, further actions are needed, such as entering data on the website accessed via the link.”
Uncertainty across the board
The researchers also found that uncertainty about IT security issues prevailed across the board among participants worldwide. “This is reflected in the fact that our survey participants chose exactly the middle on a scale ranging from ‘completely agree’ to ‘completely disagree’ on many questions,” says the researcher.
In addition to all the similarities, the researchers also identified differences between participants from different countries, especially with regard to the scale of the assessments. “We found the biggest differences to exist between Western and non-Western countries,” says Herbert. The researchers include China, India, Mexico, Saudi Arabia and South Africa among the latter. “Compared to participants from Germany, participants in all other countries were more likely to have misconceptions about malware, device security and passwords,” outlines Franziska Herbert. German participants were the least likely to agree with misconceptions – even though they still fell in the middle of the scale between ‘completely agree’ and ‘completely disagree’. The highest level of agreement with misleading statements came from participants from China and India.
Two examples from the survey:
“I am more likely to catch malware when I visit a porn site than when I visit a sports site.” Approximately 49 per cent of respondents in Germany agreed with this misconception, while 75 per cent from Saudi Arabia and 86 per cent from China agreed with it.
The correct statement “Links in emails can lead me to fake websites in order to intercept my login data” was agreed to by 87 per cent of German participants and 78 per cent of Chinese participants.
Family and friends can be adversaries too
All groups participating in the survey had in common that they tended not to consider family and friends an IT security risk. “That’s not how we see it,” says Markus Dürmuth. There are risks, especially when people share a computer or passwords. When it comes to domestic violence or stalking, it’s often people in a user’s closest circle who pose a threat. “And there’s another thing: among friends, pranks may be played that are not at all funny for the victim,” concludes the researcher.
Franziska Herbert, Steffen Becker, Leonie Schaewitz, Jonas Hielscher, Marvin Kowalewski, M. Angela Sasse, Yasemin Acar, Markus Dürmuth: A world full of privacy and security (mis)conceptions? Findings of a representative survey in 12 countries, presented at the CHI Conference 2023, DOI: 10.48550/arXiv.2212.10382
The article is published as part of the IT security special issue of the science magazine Rubin 2022/23.