Abstract
Learning about real-world security incidents and data breaches can inform people how their information is vulnerable online and thus encourage safer security behavior. This paper examines 1) how often people read about security incidents online, 2) of those people, whether and to what extent they follow up with an action (e.g., trying to read more about the incident), and 3) what influences the likelihood that they will read about an incident and take some action. Our quantitative study of the real-world internet-browsing behavior of 303 participants finds a low level of awareness. Only 16% of participants visited any web page related to six widely publicized large-scale security incidents; few read about an incident even when it was likely to have affected them. We also found that more severe incidents and articles that constructively spoke about the incident were associated with more action. Our findings highlight two issues: 1) security awareness needs to be increased; and 2) current awareness is so low that expecting users to be aware and take remedial action may not be effective.
Original language | English (US) |
---|---|
Title of host publication | Proceedings - EuroUSEC 2021 |
Subtitle of host publication | 2021 European Symposium on Usable Security |
Publisher | Association for Computing Machinery |
Pages | 180-199 |
Number of pages | 20 |
ISBN (Electronic) | 9781450384230 |
State | Published - Oct 11 2021 |
Event | 2021 European Symposium on Usable Security, EuroUSEC 2021 - Virtual, Online, Germany. Duration: Oct 11 2021 → Oct 12 2021 |
Publication series
Name | ACM International Conference Proceeding Series |
---|---|
Conference
Conference | 2021 European Symposium on Usable Security, EuroUSEC 2021 |
---|---|
Country/Territory | Germany |
City | Virtual, Online |
Period | 10/11/21 → 10/12/21 |
Funding
This work was supported in part by the Carnegie Mellon University CyLab Security and Privacy Institute. Parts of the dataset we used were created through work supported by the National Security Agency under Award No. H9823018D0008. We would also like to thank Jeremy Thomas and Sarah Pearman for help with working with the SBO data.
Keywords
- Data breaches
- Security awareness
- Security incidents
ASJC Scopus subject areas
- Software
- Human-Computer Interaction
- Computer Vision and Pattern Recognition
- Computer Networks and Communications