Survey Data on Americans and Cybersecurity

Pew Research just published their latest research data on Americans and their views on cybersecurity:

This survey finds that a majority of Americans have directly experienced some form of data theft or fraud, that a sizeable share of the public thinks that their personal data have become less secure in recent years, and that many lack confidence in various institutions to keep their personal data safe from misuse. In addition, many Americans are failing to follow digital security best practices in their own personal lives, and a substantial majority expects that major cyberattacks will be a fact of life in the future.

Here's the full report.

Posted on February 14, 2017 at 6:48 AM • 22 Comments

Comments

Winter • February 14, 2017 7:15 AM

It seems to me that Americans have a very realistic view on their cybersecurity. If anything, their view might be too optimistic.

In addition, many Americans are failing to follow digital security best practices in their own personal lives,

This looks like learned helplessness: users are not seeing a point in following best practices as they do not believe it will help them.
And they might very well be right in this.

supersaurus • February 14, 2017 8:50 AM

"...In addition, many Americans are failing to follow digital security best practices in their own personal lives..."

I doubt most Americans have the foggiest idea what "best practices" are.

Institutions are a big help too; for example, I once had online account access to a bank who required only 8 char alpha passwords. Many sites refuse passwords with "special" characters (like '%' or '*') or have stupid maximum length rules (who cares? it's hashed, right?). I had one site accept a nice long password like "rWsc8.,mL2^cat6H've", but then refuse it later... turns out they just truncated it silently before hashing it (assuming they did hash it). Why should '3' be ok but '#' not be ok? I can see why '0x0d' or '0x08' wouldn't be ideal given typical usage, but most 7-bit ASCII should be no problem, and most people wouldn't know how to enter the others anyway.
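The silent-truncation failure described in the comment above is easy to reproduce and easy to test for. The following is an added example, not code from this post or from any of the commenters: it models a hypothetical password store that cuts every password to 16 characters before hashing (the cut-off is an assumed value; the real site's limit is not given) next to one that hashes the full password and rejects over-length input loudly, and it includes the black-box check a site operator could run against their own login path. PBKDF2-HMAC-SHA256 from the standard library stands in for whatever hash the site actually used; the 256-character ceiling and the salts are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed example values (not from the page): the assumed silent
# cut-off, and the PBKDF2 work factor.
TRUNCATE_AT = 16
ITERATIONS = 100_000
MAX_LEN = 256  # explicit, documented limit; long enough for any passphrase


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the full UTF-8 password. pbkdf2_hmac has no
    input length limit, so nothing is dropped here unless the caller drops it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register_truncating(password: str, salt: Optional[bytes] = None) -> dict:
    """The weak pattern: silently cut the password before hashing it.
    Everything past TRUNCATE_AT characters is ignored and the user is never told."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "hash": _derive(password[:TRUNCATE_AT], salt)}


def verify_truncating(record: dict, attempt: str) -> bool:
    # Same silent cut on the login path, so any suffix verifies.
    return hmac.compare_digest(record["hash"], _derive(attempt[:TRUNCATE_AT], record["salt"]))


def register_full(password: str, salt: Optional[bytes] = None) -> dict:
    """The correct pattern: hash the whole password; if a limit exists, enforce
    it visibly at registration instead of cutting silently."""
    if len(password) > MAX_LEN:
        raise ValueError(f"password longer than {MAX_LEN} characters")
    salt = salt or os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt)}


def verify_full(record: dict, attempt: str) -> bool:
    if len(attempt) > MAX_LEN:
        return False
    return hmac.compare_digest(record["hash"], _derive(attempt, record["salt"]))


def truncation_check(register: Callable, verify: Callable, password: str) -> bool:
    """Black-box test a site could run against its own registration/login pair:
    does a password whose tail has been replaced still verify? True means the
    store is silently truncating somewhere before the hash."""
    record = register(password)
    altered = password[:TRUNCATE_AT] + "X" * (len(password) - TRUNCATE_AT)
    return altered != password and verify(record, altered)


if __name__ == "__main__":
    pw = "rWsc8.,mL2^cat6H've"  # the commenter's 19-character example
    print("truncating store accepts altered suffix:",
          truncation_check(register_truncating, verify_truncating, pw))
    print("full-hash store accepts altered suffix:",
          truncation_check(register_full, verify_full, pw))
```

The check only needs a password longer than the suspected cut-off and a second attempt that differs past that point; if the second attempt logs in, the effective password length is the cut-off, not what the user typed.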

My Info • February 14, 2017 9:04 AM

@Winter

You are absolutely right.

The "majority of Americans" are not stupid. They have no reason to think that those "various institutions" are doing anything whatsoever "to keep their personal data safe."

All our personal information and data are being stored out there "in the cloud" ripe for the taking.

There is no evidence that following "digital security best practices" does anything to prevent the misappropriation and misuse of one's personal data. If anything, any effort even slightly out of the ordinary to improve one's personal security just sets one up to be further targeted by the Mafia gangsters who have infiltrated NSA after being cleared by Katherine Archuleta just like all those Social Security employees who think they are the Schutzstaffel, yes, that SS. Why do you think they numbered us all and put us in that damn government database in the first place?

There is no evidence yet that individuals or end users benefit by trying to get smart online.

Winter • February 14, 2017 10:08 AM

@My Info
"those Social Security employees who think they are the Schutzstaffel, yes, that SS. "

Either you have no idea what the SS was, or you need professional help. Maybe, professional help would be good advice anyway.

Bob Dylan's Fart Bongo • February 14, 2017 11:03 AM

This looks like learned helplessness: users are not seeing a point in following best practices as they do not believe it will help them.
And they might very well be right in this.

If they are right then it isn't learned helplessness because learned helplessness means there is an alternative course of action to take but one doesn't take it because one has been conditioned not to.

Peter S. Shenkin • February 14, 2017 11:09 AM

Bruce has long said that there is probably no way to make yourself secure against a state-sponsored hacking effort. Given that complete immunity to hacking may be impossible, or at least that it's impossible to know whether you have achieved it, and given that there is no end to the amount of effort that a private citizen could go to make himself as immune as possible, it is reasonable to ask what "best practices" consist of.

Seems to me that it depends on who you are and whether you have secrets that would cause you or others harm if revealed. Even using unique secure passwords for sites that allow them presents the difficulty of remembering them or getting to them when you need them. Yes, there are a variety of automated solutions available, but how is a private citizen to know which of them are safe, or even if any of them are? And how much time do you really want to spend to learn enough to make informed decisions?

On the other hand, if you are a corporation and there are IP considerations, you might spend more time on securing your site, including your employees' accounts. And if you are famous or wealthy, you are a target and need to protect yourself; and you'll probably hire someone to help you. But then the question is still, how much are you willing to pay for how much protection?

Daniel • February 14, 2017 11:25 AM

My own view on this topic is that the major reason that people engage in lax security practices is because they judge that the effort is futile over the long term. I think they are correct in that assessment. The fundamental reality is that when it comes to the panopticon, whether that be Google, the intelligence community, or someone else, the panopticon can be wrong 9999 times and right just once and the person's name goes on a list. Meanwhile, the individual can be right 9999 times and wrong just once and their name goes on a list. Since everyone is human and everyone makes mistakes, there is no winning sequence of moves long term. If one gives in, one loses; if one doesn't give in, one loses. So whether to engage in effective security measures is not actually a question; it's a testament of faith.

Dirk Praet • February 14, 2017 12:13 PM

@ herman

A rifle or pistol doesn't work online.

I take it you have never heard of HOIC and LOIC?

@ My Info, @ Winter

... those Social Security employees who think they are the Schutzstaffel, yes, that SS.

I can't for the life of me comprehend how comparing Social Security employees to the SS is in any way contributing to an even remotely sane discussion. Please get a grip on yourself before @Moderator does.

Ted • February 14, 2017 2:05 PM

I wish this survey also shared the respondents’ vocation, level of exposure, and/or reasoning for their survey answers. Responses to the seven policy questions from the survey, such as “How likely do you think it is that in the next five years, the United States will experience a significant cyberattack on our public infrastructure, such as our air traffic control system or power grid?” could vary greatly based on knowledge or experience. (The answers were: 18% definitely happen, 51% probably happen, 23% probably not happen, 3% definitely not happen, 4% don’t know)

A 2015 Pew Research survey measuring the views of the public and the views of scientists on science-related issues found the following:

Astronauts are essential for the future of the U.S. space program: 59% US Adults, 47% Scientists

http://www.pewinternet.org/interactives/public-scientists-opinion-gap/

Clive Robinson • February 14, 2017 2:14 PM

@ Peter S. Shenkin,

Bruce has long said that there is probably no way to make yourself secure against a state-sponsored hacking effort.

There are an awful lot of qualifiers behind the idea of making yourself secure or not, even with very high level attackers such as the NSA. After all, even their Tailored Access Operations (TAO) head has talked about how to keep him and his colleagues out [1].

You have to remember that the NSA, just like every other attacker, needs access to your information to copy it. Also, like everybody else, they are limited by the laws of physics. They are thus not omnipotent, nor are they omnipresent, even when you are a "person of interest".

The main problems are firstly "communications" and "OpSec with COTS hardware and software".

Which is why you can relatively easily stop the NSA fairly dead in their tracks if you go about things in appropriate ways.

I've listed what you have to do in the past, but the main problem with it is "it's not convenient for lazy people".

Good OpSec is hard and requires that you never take short cuts or drop your guard; doing so is what gets you or somebody else killed etc.

[1] https://www.wired.com/2016/01/nsa-hacker-chief-explains-how-to-keep-him-out-of-your-system/

cphinx • February 14, 2017 2:59 PM

Although by nature, this topic is fairly complex, when considering cybersecurity in any capacity, the person responsible for security must work based on the lowest common denominator. Which in most cases isn't done very well. Security is hard but bypassing security is not.

Perfect example: that machine in the small office which has Windows Updates, Firewall, and all AV/Endpoint Security turned off because the user was having trouble connecting to the QuickBooks file improperly stored on another user's computer.

Or, the impatient user at home who is too desperate to turn on that new Windows machine to pay any attention to "recommended settings" and goes months, years, or forever without receiving a single Defender or OS update (which I might add is pretty hard to do in 2017).

Business is business. If the cybersecurity fails, the credit card institution will likely float the bill, alleviating the end user of ramifications. Or, the user will suffer from credit score hits, which supplies the identity theft protection industry. If that doesn't factor in, then it's the AV products that are sold at large which fail to prevent the user from clicking on a link that encrypts his/her hard drive.

You can't make it any easier for people to follow instructions of some type or another. But you can make it less convenient for them to get their Facebook or Twitter fix. All the while, billions of dollars later the cybersecurity industry is doing well.

Short of a conspiracy theory, this problem will never go away. Users will never get smarter. Security will always be bypassed somehow. And we will continue to engineer new security which will be obsolete next year. The problem isn't a people problem when humanity can't be re-programmed.

Bif • February 14, 2017 5:40 PM

@supersaurus

institutions are a big help too, for example I once had online account access to a bank who required only 8 char alpha passwords. many sites refuse passwords with "special" characters (like '%' or '*') or have stupid maximum length rules (who cares? it's hashed? right?).

Or MS who don't allow more than 14-char passwords online, even in Azure Gov!

My Info • February 14, 2017 5:40 PM

@cphinx

There is a false dichotomy or more accurately a false trade-off at work between convenience and security.

The Mafia are not dummies. Vigilantism and IQ limitations for law enforcement personnel are not working against the Mafia. They are experts at making security hard and insecurity easy.

For example, I use KMail. It integrates very easily and conveniently with GPG and/or S/MIME for encryption, if I ever had anything private or confidential to say. Yet people complain about PGP and GPG because of a poor user interface.

Business is business. If the cybersecurity fails, the credit card institution will likely float the bill,

And no one ever got fired for buying IBM, or Microsoft, or MongoDB, or the like. People are choosing in droves to buy protection from the H-1B Mafia.

If I'm being forced to pay that kind of money, (and you'd better believe I resent every penny of it,) I want a real gun in my own hand that meets my own specifications. I don't want a goon squad from the local criminal cartel hanging around with throwing stars and butterfly knives.

r • February 14, 2017 6:22 PM

@Dirk Praet,

Let's see if we can attract the mod's attention over in these here parts.

I once claimed to my Asperger's friend that the government was keeping mathematically inclined people on payroll; I further claimed that schizophrenic savants and Down syndrome people were actively being sought out, if not outright recruited (a beautiful mind).

He freaked out, flat out, denied my position.

I then brought up the fact that he collects a social security check for his 'disability' (not to belittle it, he really does have certain issues (genius is often a curse)).

So, @My Info's statement: it's not really so far off.

If he rails too hard and they find out they will sedate him, end of story.

I'm very curious to see how far the collusion with the insurance industry medical community and government really goes.

One small step for assertion, one giant leap for reality?

The Washington Post while digging tonight has a funny little article, excuse me: the New York Times: https://www.nytimes.com/2017/02/13/health/psychiatric-drugs-prescriptions.html

However did we make it through the last 8000 years?

r • February 14, 2017 6:27 PM

@My Info,

If you can't vote, can't own a gun, can't drive, can't own property.

Do you even have intellectual property rights at this point?

Is this or are you a touchy subject?

It's a fair question considering your prior assertions and the questions I'm presenting to you here and now.

Do you know if you still possess intellectual property rights?

My Info • February 14, 2017 8:31 PM

@Winter

professional help

Not today. Spring is just around the corner.

@Bob

I don't think the Geodon is working anymore.

Oh, you mean the Geoduck?

@r

the new york times:: https://www.nytimes.com/2017/02/13/health/psychiatric-drugs-prescriptions.html

This is not even news. The Baby Boomers have been taking psychedelic — oh, I mean psychotropic — no, anti-psychotic drugs ever since the 1970s.

Do you know if you still possess intellectual property rights?

If I were the artsy-fartsy type and I had money to rent a studio and time to sit there with an easel and a palette and a paintbrush, sure. But intellectual property is an abstract concept, a legal fiction. I cannot eat it, I cannot clothe myself with it, it does not shelter me from the elements, nor does it protect me from my enemies. It's not even pretty to look at like a precious metal or gemstone, it's no good for trading, and it certainly doesn't feel good. Nor do I have access to the courts to assert any "intellectual property rights" as if I were a corporation or something like that.

The thieves in law took that all away for individuals, consumers, and end users.

JohnnyH8 • February 16, 2017 1:42 PM

Well, since Pew Research said so. Something smells... Pew!
It's like having McKinsey tell EMC what "big data" is. Who pays these people?

We all slip up, but look at the OSes we are dealing with. They are stacking crap on top of crap. I think they call that abstraction. Not exactly intuitive anymore. We are not just talking about people that don't have a backup drive. TLS education is difficult at best, for example. The pros have problems with TLS. They just did a spiel on session tickets. Who thought that session tickets was a good idea?

Now, I am not worried about some Eastern Bloc hacker. We are talking about the US govt jacking with our privacy at the dinner table. Imagine being a Brit with cameras all over the place. An Orwellian society actually doesn't help. Terrorists are the excuse. A criminal outlier is an excuse to jack with everyone.

How do you prevent data theft/fraud? Hmm, well one way is to stop uploading to a cloud storage company. Surfacing cards? That is the dumbest idea ever, so take it away. This is stuff that happens when marketing departments figure out how to program cookies. Rather than stay minimalist, programmers have become way too fractalized. I would like to blame the "idea go-to guy" at the top for inventing some of this nonsense.

Identity theft. Well, our country still has not fully enforced chip cards. Does anyone know if that is supposed to happen? Like before we die?

And just quite possibly, there is too much government interface, because those idiots will hire thousands of contractors from another country to build a website.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.