17 March 2018

Who Cares About Cybersecurity?

By Paul Rosenzweig

In the professional world of Lawfare (national security, homeland security, intelligence, privacy and civil liberties) nobody would doubt the salience of questions of cybersecurity. They seem to resonate across many dimensions and to pose some of the most vexing legal and policy questions. What to do, for example, about encryption is an issue that has generated far more heat than light and continues to divide analysts in ways that confound resolution.


But if you asked the mythical “average” person what they thought about cybersecurity, it seems that there is much less concern. At least that is the reasonable inference one can draw from what people actually do to protect themselves. Perhaps that is the wrong prism through which to ask the question, but it seems reasonable to base a judgment on the premise that “actions speak louder than words.” Last month we asked public opinion questions concerning personal cybersecurity using Google Surveys. The short answer: Very few people make any effort at all to protect themselves—evincing at least facially a disregard for cybersecurity concerns.

Here are the questions we asked:
Do you encrypt data on your phone or computer?
Do you ever use an anonymous browser like Tor?
Do you use a password locker or storehouse like LastPass or OnePass?
Please think of the password you use most often. How many letters or numbers or characters long is it?
Have you ever had personal information of yours stolen from a company you patronize, like Target or Home Depot?

We Don’t Care

We don’t care. At least not on a personal level. That’s the only reasonable interpretation of the data on the general lack of uptake for personal private security measures among the general population.

To take the first, and most obvious, example, encryption policy is a debate that is roiling Washington—pitting law enforcement concerns about “going dark” against civil libertarian fears of big brother and government abuse. Yet the general populace seems not to care. Roughly one in five use encryption on their devices:


Now, it is possible that this understates the use of encryption. There is at least some possibility that the fraction of “I don't know” includes some people whose devices are encrypted because they have a device (like a newer Apple) that encrypts automatically. At least in theory that means that the prevalence of encryption may be greater than the survey suggests. And it is also almost certainly true that the people who consciously use encryption in the 17.7 percent are those for whom it has the greatest utility—those who are protecting sources and methods like journalists and those who are protecting their own malicious conduct. So as a true measure of cybersecurity awareness, this question may understate the degree to which people are paying attention.

Or maybe not. One would also expect those who use encryption to consider using other security systems—like anonymous browsing and password lockers. But the survey (which had more than 4000 respondents) suggests these additional measures are rare in the extreme. Fewer than 8 percent use an anonymous browser and fewer than 13 percent use a password locker of some sort.



These systems are ones that cannot be used accidentally or by default, so the respondents who don't know the answer to the question (or don't understand it) can safely be presumed to not be implementing these practices. The survey therefore sets a lower bound of roughly 10 percent of respondents who can fairly be characterized as aware of their own personal cybersecurity and engaged in taking self-protective steps—which is a pretty dim view of the general uptake of security awareness among the general citizenry.

We see slightly better results when we ask about password strength. In general, longer is stronger. It is slightly gratifying to see that a clear plurality of respondents have internalized that guidance and have trended toward longer passwords:


We can't be sure, of course, since the “other responses” were not further specified, but it is gratifying that among those responding with a specific number roughly 40 percent have passwords that are at least eight characters long.

Maybe We Shouldn’t Care

One final note worth thinking about. The lack of interest in security may actually be rational. It is by now commonplace that most victims of cyber crime or theft do not experience a personal loss. The banks, credit card companies and vendors all bear the costs. Perhaps more importantly, it seems that most of the general population still feel as though the problem is for someone else and not for them. When only 16 percent have experienced theft, we can infer that the problem has yet to generate a great salience within the population.


And so we come back to a place where reality meets policy. Much of the policy approach for the past decade has been an effort to educate the population and help it protect itself. DHS has run programs like “Think Before You Click,” and other agencies have pushed “Cybersecurity Awareness” months. If this survey has any relationship to reality, we can safely say that the message has not yet been taken up. And that, in turn, may mean one of three things—either the problem is not as significant as we think it is (not my view); or we need to do more, better education (not likely possible); or we need to think of ways in which government intervention can “nudge” the general population in the right direction.

The bottom line: People just don’t seem to care that much yet, despite the hue and cry in the media. That reality needs to be dealt with.
