What breach? Measuring online awareness of security incidents by studying real-world browsing behavior

Sruti Bhagavatula; Lujo Bauer; Apu Kapadia

doi:10.1145/3481357.3481517

What breach? Measuring online awareness of security incidents by studying real-world browsing behavior

Sruti Bhagavatula, Lujo Bauer, Apu Kapadia

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Scopus citations

Abstract

Learning about real-world security incidents and data breaches can inform people how their information is vulnerable online and thus encourage safer security behavior. This paper examines 1) how often people read about security incidents online, 2) of those people, whether and to what extent they follow up with an action (e.g., trying to read more about the incident), and 3) what influences the likelihood that they will read about an incident and take some action. Our quantitative study of the real-world internet-browsing behavior of 303 participants finds a low level of awareness. Only 16% of participants visited any web page related to six widely publicized large-scale security incidents; few read about an incident even when it was likely to have affected them. We also found that more severe incidents and articles that constructively spoke about the incident were associated with more action. Our findings highlight two issues: 1) security awareness needs to be increased; and 2) current awareness is so low that expecting users to be aware and take remedial action may not be effective.

Original language	English (US)
Title of host publication	Proceedings - EuroUSEC 2021
Subtitle of host publication	2021 European Symposium on Usable Security
Publisher	Association for Computing Machinery
Pages	180-199
Number of pages	20
ISBN (Electronic)	9781450384230
DOIs	https://doi.org/10.1145/3481357.3481517
State	Published - Oct 11 2021
Event	2021 European Symposium on Usable Security, EuroUSEC 2021 - Virtual, Online, Germany Duration: Oct 11 2021 → Oct 12 2021

Publication series

Name	ACM International Conference Proceeding Series

Conference

Conference	2021 European Symposium on Usable Security, EuroUSEC 2021
Country/Territory	Germany
City	Virtual, Online
Period	10/11/21 → 10/12/21

Funding

This work was supported in part by the Carnegie Mellon University CyLab Security and Privacy Institute. Parts of the dataset we used were created through work supported by the National Security Agency under Award No. H9823018D0008. We would also like to thank Jeremy Thomas and Sarah Pearman for help with working with the SBO data.

Keywords

Data breaches
Security awareness
Security incidents

ASJC Scopus subject areas

Software
Human-Computer Interaction
Computer Vision and Pattern Recognition
Computer Networks and Communications

Access to Document

10.1145/3481357.3481517

Cite this

Bhagavatula, S., Bauer, L., & Kapadia, A. (2021). What breach? Measuring online awareness of security incidents by studying real-world browsing behavior. In Proceedings - EuroUSEC 2021: 2021 European Symposium on Usable Security (pp. 180-199). (ACM International Conference Proceeding Series). Association for Computing Machinery. https://doi.org/10.1145/3481357.3481517

@inproceedings{cca681ac81a14082876c39da0b8b2932,

title = "What breach? Measuring online awareness of security incidents by studying real-world browsing behavior",

abstract = "Learning about real-world security incidents and data breaches can inform people how their information is vulnerable online and thus encourage safer security behavior. This paper examines 1) how often people read about security incidents online, 2) of those people, whether and to what extent they follow up with an action (e.g., trying to read more about the incident), and 3) what influences the likelihood that they will read about an incident and take some action. Our quantitative study of the real-world internet-browsing behavior of 303 participants finds a low level of awareness. Only 16% of participants visited any web page related to six widely publicized large-scale security incidents; few read about an incident even when it was likely to have affected them. We also found that more severe incidents and articles that constructively spoke about the incident were associated with more action. Our findings highlight two issues: 1) security awareness needs to be increased; and 2) current awareness is so low that expecting users to be aware and take remedial action may not be effective.",

keywords = "Data breaches, Security awareness, Security incidents",

author = "Sruti Bhagavatula and Lujo Bauer and Apu Kapadia",

note = "Funding Information: This work was supported in part by the Carnegie Mellon University CyLab Security and Privacy Institute. Parts of the dataset we used were created through work supported by the National Security Agency under Award No. H9823018D0008. We would also like to thank Jeremy Thomas and Sarah Pearman for help with working with the SBO data. Publisher Copyright: {\textcopyright} 2021 Owner/Author.; 2021 European Symposium on Usable Security, EuroUSEC 2021 ; Conference date: 11-10-2021 Through 12-10-2021",

year = "2021",

month = oct,

day = "11",

doi = "10.1145/3481357.3481517",

language = "English (US)",

series = "ACM International Conference Proceeding Series",

publisher = "Association for Computing Machinery",

pages = "180--199",

booktitle = "Proceedings - EuroUSEC 2021",

}

Bhagavatula, S, Bauer, L & Kapadia, A 2021, What breach? Measuring online awareness of security incidents by studying real-world browsing behavior. in Proceedings - EuroUSEC 2021: 2021 European Symposium on Usable Security. ACM International Conference Proceeding Series, Association for Computing Machinery, pp. 180-199, 2021 European Symposium on Usable Security, EuroUSEC 2021, Virtual, Online, Germany, 10/11/21. https://doi.org/10.1145/3481357.3481517

What breach? Measuring online awareness of security incidents by studying real-world browsing behavior. / Bhagavatula, Sruti; Bauer, Lujo; Kapadia, Apu.
Proceedings - EuroUSEC 2021: 2021 European Symposium on Usable Security. Association for Computing Machinery, 2021. p. 180-199 (ACM International Conference Proceeding Series).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - What breach? Measuring online awareness of security incidents by studying real-world browsing behavior

AU - Bhagavatula, Sruti

AU - Bauer, Lujo

AU - Kapadia, Apu

N1 - Funding Information: This work was supported in part by the Carnegie Mellon University CyLab Security and Privacy Institute. Parts of the dataset we used were created through work supported by the National Security Agency under Award No. H9823018D0008. We would also like to thank Jeremy Thomas and Sarah Pearman for help with working with the SBO data. Publisher Copyright: © 2021 Owner/Author.

PY - 2021/10/11

Y1 - 2021/10/11

N2 - Learning about real-world security incidents and data breaches can inform people how their information is vulnerable online and thus encourage safer security behavior. This paper examines 1) how often people read about security incidents online, 2) of those people, whether and to what extent they follow up with an action (e.g., trying to read more about the incident), and 3) what influences the likelihood that they will read about an incident and take some action. Our quantitative study of the real-world internet-browsing behavior of 303 participants finds a low level of awareness. Only 16% of participants visited any web page related to six widely publicized large-scale security incidents; few read about an incident even when it was likely to have affected them. We also found that more severe incidents and articles that constructively spoke about the incident were associated with more action. Our findings highlight two issues: 1) security awareness needs to be increased; and 2) current awareness is so low that expecting users to be aware and take remedial action may not be effective.

AB - Learning about real-world security incidents and data breaches can inform people how their information is vulnerable online and thus encourage safer security behavior. This paper examines 1) how often people read about security incidents online, 2) of those people, whether and to what extent they follow up with an action (e.g., trying to read more about the incident), and 3) what influences the likelihood that they will read about an incident and take some action. Our quantitative study of the real-world internet-browsing behavior of 303 participants finds a low level of awareness. Only 16% of participants visited any web page related to six widely publicized large-scale security incidents; few read about an incident even when it was likely to have affected them. We also found that more severe incidents and articles that constructively spoke about the incident were associated with more action. Our findings highlight two issues: 1) security awareness needs to be increased; and 2) current awareness is so low that expecting users to be aware and take remedial action may not be effective.

KW - Data breaches

KW - Security awareness

KW - Security incidents

UR - http://www.scopus.com/inward/record.url?scp=85121752514&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85121752514&partnerID=8YFLogxK

U2 - 10.1145/3481357.3481517

DO - 10.1145/3481357.3481517

M3 - Conference contribution

AN - SCOPUS:85121752514

T3 - ACM International Conference Proceeding Series

SP - 180

EP - 199

BT - Proceedings - EuroUSEC 2021

PB - Association for Computing Machinery

T2 - 2021 European Symposium on Usable Security, EuroUSEC 2021

Y2 - 11 October 2021 through 12 October 2021

ER -

What breach? Measuring online awareness of security incidents by studying real-world browsing behavior

Abstract

Publication series

Conference

Funding

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this