User Security Behavior
Denise Anthony
PKI Unlocked Summit
Dartmouth College
July 2004

Computer Networks
Collective resource systems
• Produced and maintained by multiple actors
• Individual behavior affects integrity of system
  – virus exposure
  – unauthorized access
Feels like consuming a private good

User surveys
Dartmouth students:
• April 2003: Computer use and security behavior
  – Representative sample of 171 undergrads
  – Method: on-line survey
• November 2003: Use of Wireless and Wired networks
  – Total of 247 undergraduate and graduate students
  – Method: paper survey
  – Conducted by student Emiliano Trere from University of Bologna in Italy
• 20 in-depth interviews
Nationally representative data from UCLA Center for Communication Policy, www.ccp.ucla.edu

Dartmouth Students
[Chart: Hardware on campus (Laptop only, Both, Desktop only)]
[Chart: Operating System (Windows, Mac, Linux)]

Basic Use Statistics
• 99% use email daily
  – ~95% use home-grown Blitzmail program
  – Primary medium of communication on campus
• 70% browse the Web at least 1 hour/day
• 67% P2P file-sharing in average week
• 90% purchased on-line in last 6 months
• 78% use both wired and wireless networks
  – Over 2/3 use wireless on almost daily basis
  – 22% no wireless: lack of technology, seniors

Virus Protection
• 87% have anti-virus software loaded on their computer
  – 2/3 of them scan for viruses at least once per month
  – About 40% update their anti-virus software at least once per month

Password Security
• 75% have shared their password
  – Over 50% did NOT change it afterward
• Nearly two-thirds never change password
• 36% use same password for all apps/sites
  – all websites that require password
  – no distinction between secure (SSL) and nonsecure websites

Behavior across networks
[Chart: Behavior across networks, Wired vs. Wireless, by activity (Email, Web Browse, Banking, Purchase, VoIP)]

Security Concerns
• About half concerned about PRIVACY on WWW
• More than half concerned about SECURITY of information on WWW

Web security?
How do users think about website security?
Implicit trust and experience
“If [a website] mention[s] they are secure…I usually trust it.”
“I don’t really think about it, but when the windows pop up saying I should do something, I always say yes.”
“All the websites I use are secure, and everyone else is doing it [without] a problem.”

Web security
How do users think about website security?
Use brand name sites - reputation
“I just order from Amazon and places like that.”
“I use it if it is an official site of a major company.”
“I would never order stuff off a website that looks like its program could change…you know, a crappy website.”
“I trust Norton to do it for me.”

Security Behavior Online
How often check browser security signals when submitting sensitive information?
[Chart: frequency of checking browser security signals (Always, Often/Sometimes, Rarely/Never)]

Security Features Used
[Chart: Security Features Used (https in URL, Certificate, Security Icon)]

Link between concern and behavior
[Chart: Check Web Security Features (Always/Often, Sometimes, Rarely/Never), Low Concern vs. High Concern]

How concerned are users?
2002 National data (UCLA):
• 54% very/extremely concerned about privacy when purchasing online
  – 11.2% not at all (up from 5.5%)
• Non-purchasers (58%) more concerned than purchasers (33%)
• New users (65%) more concerned than experienced users (47%)
• Methods to reduce concerns:
  – 23% Nothing!
  – 6% better technology
  – 27% guarantee/3rd party verification/Gov regulation

Implications
• Not evaluating security of websites
  – Don’t use security signals
• Don’t know what to look for
  – Engage in insecure behavior
• Users already ‘trust’ infrastructure
  – Rely on reputation of company
  – Expectation that technology is secure
• Want ‘assurance’ that system works
  – Third party incentives/regulation of security