TY - GEN
T1 - What breach? Measuring online awareness of security incidents by studying real-world browsing behavior
AU - Bhagavatula, Sruti
AU - Bauer, Lujo
AU - Kapadia, Apu
N1 - Funding Information:
This work was supported in part by the Carnegie Mellon University CyLab Security and Privacy Institute. Parts of the dataset we used were created through work supported by the National Security Agency under Award No. H9823018D0008. We would also like to thank Jeremy Thomas and Sarah Pearman for help with working with the SBO data.
Publisher Copyright:
© 2021 Owner/Author.
PY - 2021/10/11
Y1 - 2021/10/11
N2 - Learning about real-world security incidents and data breaches can inform people how their information is vulnerable online and thus encourage safer security behavior. This paper examines 1) how often people read about security incidents online, 2) of those people, whether and to what extent they follow up with an action (e.g., trying to read more about the incident), and 3) what influences the likelihood that they will read about an incident and take some action. Our quantitative study of the real-world internet-browsing behavior of 303 participants finds a low level of awareness. Only 16% of participants visited any web page related to six widely publicized large-scale security incidents; few read about an incident even when it was likely to have affected them. We also found that more severe incidents and articles that constructively spoke about the incident were associated with more action. Our findings highlight two issues: 1) security awareness needs to be increased; and 2) current awareness is so low that expecting users to be aware and take remedial action may not be effective.
KW - Data breaches
KW - Security awareness
KW - Security incidents
UR - http://www.scopus.com/inward/record.url?scp=85121752514&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85121752514&partnerID=8YFLogxK
U2 - 10.1145/3481357.3481517
DO - 10.1145/3481357.3481517
M3 - Conference contribution
AN - SCOPUS:85121752514
T3 - ACM International Conference Proceeding Series
SP - 180
EP - 199
BT - Proceedings - EuroUSEC 2021
PB - Association for Computing Machinery
T2 - 2021 European Symposium on Usable Security, EuroUSEC 2021
Y2 - 11 October 2021 through 12 October 2021
ER -