
People are much less security savvy with their phones than they think they are. We know that many people compromise their security by doing things like reusing old passwords, but a new study lays bare the gap between how smart we believe we are about fending off information security threats, and how good we are in practice.
Most efforts to measure individuals’ information security awareness (ISA) around their smartphone use are based on surveys and questionnaires, so tend to be subjective and biased.
To provide a more accurate picture, Ron Bitton and his colleagues at Ben-Gurion University of the Negev combined questionnaires completed by 162 students at two Israeli universities with software installed on their Android phones, plus analysis of the network traffic to and from the devices. Over two months, the volunteers were faced with four “real life” security challenges.
Advertisement
The results: while the software and traffic were a good indicator of how high someone’s ISA was, the questionnaire was not. There were big contradictions between what people said, and what they did.
While 70 per cent of people said they would never provide personal data in pop-ups on websites, almost 40 per cent entered their details when a pop-up promised the chance to win an iPad. Half of those who said they would never enter a website that displayed a security warning proceeded to do exactly that. More than a third of students who said they always used lock screen protection on their phone, such as a PIN code, didn’t use any method at all.
“People have difficulties in quantifying their behaviour,” says Bitton. “Unaware people usually perceive themselves as acting cautiously, due to some very rare cautious actions that they performed, where in practice they are acting dangerously most of the time.”
The students involved could be considered average smartphone users, says Bitton, given that popular apps such as Facebook, WhatsApp and Instagram were installed on more than half of their devices. He says the first step to making people security conscious with their phone use is in convincing them that they can be a target for attackers – and that such an attack would harm them.
Bitton says the findings show the importance of not relying solely on surveys and questionnaires to assess our security skills.
Reference: arXiv,