Monday, July 18, 2011

Survey: People Know Online Risks But Often Ignore Them

Surveys are a great window into people’s minds, especially when they can illuminate contrasting, and even contradictory, behaviors in the same group. Results from the Symantec Online Internet Safety Survey have done just that. The most compelling finding—that respondents frequently proceed with online transactions they know might be insecure—inspired me to ask not just, “What are they thinking?” but “What are they thinking?!?”

The survey’s focus must be on many people’s minds, as we’ve had an extraordinary response: 301 people in just a few days! My initial impressions of the results are below. Feel free to share your comments and questions on the original edition of this post.

Findings

Risky behavior remains common despite respondents knowing better
What struck me the most was that in many cases respondents continued online transactions even when those transactions lacked security cues respondents knew should be there. For example, 80 percent of respondents knew to look for the padlock icon signifying Secure Sockets Layer (SSL) encryption, but only 55 percent said they would abort a transaction if they didn’t see it. Similarly, 81 percent knew to look for secure Internet connections (HTTPS) but only 56 percent got spooked by secure URLs not matching certificate domains (not an exact correlation, I know, but related). These are differences of nearly 30 points! What is driving this reckless behavior?

An equally notable figure is that 15 percent don’t use secure connections for social media activities even though they know improved security is available. Come on, people!

People know to bail out of online transactions they suspect aren’t secure
Exactly three out of four respondents (75 percent) have abandoned online transactions because they felt the website wasn’t secure. This figure affirms respondents’ understanding of security cues and isn’t surprising given respondents’ high sensitivity to data loss. In fact, I’m wondering why the figure isn’t higher, closer to the high 90s like in Questions 1 and 2 (see below). Why would a quarter of respondents not cancel such transactions? Do they only go to websites they trust? And how do they know that trust is warranted without those security cues?

Many people are still learning about new browser security cues developed to counter evolving threats
The majority of respondents (55 percent) knew to look for a green address bar—the sign of a website having an Extended Validation Secure Sockets Layer (EV SSL) certificate. More than half of respondents (54 percent) knew a green address bar means a website is secure and only one percent said it didn’t make them feel safe. In contrast, nearly half (46 percent) either didn’t remember seeing the bar or didn’t feel either way about it. These figures indicate that popular understanding of the value of the green address bar is growing, but this new security feature is still not top of mind for many users. Perhaps businesses can help educate their users about their use of the green bar, where applicable. If you need help with that, there are great resources available at the VeriSign Authentication Services site.

Moreover, 42 percent knew to look for a third-party trust mark or seal. In fact, one in three (35 percent) respondents said lack of a seal worried them enough to end an online transaction. These figures may indicate most people don’t yet understand how seals represent an important security guarantee. Think about that for a moment. There is a potential for online businesses to lose a third of their transactions simply because the site lacks a recognizable trust mark to assure users the site is safe.

At the same time, more than four out of five respondents knew to look for the padlock icon and/or the “s” in the HTTPS in the URL address of a website (80 percent and 81 percent, respectively), which is not too surprising, since users have been conditioned over the years to look for these traditional cues. A vast majority of respondents know the value of secure connections (HTTPS) and how to use them—77 percent set their social media security tools to use secure connections whenever browsing or logging in.

Nearly everyone has armed themselves with knowledge about security, but room for improvement still exists
Nearly all respondents (97 percent) considered themselves either somewhat or extremely knowledgeable about keeping their confidential data safe when shopping or banking online. The breakdown here was much more even, with 54 percent saying they were extremely knowledgeable and 43 percent somewhat knowledgeable.

Keeping confidential data safe when shopping or banking online is a universal concern
Ninety-eight percent of respondents were either somewhat or extremely concerned. What’s telling is that 82 percent were extremely concerned and only 17 percent somewhat concerned. That means more than four out of five respondents see protecting their data as a top priority.

This data ties into other findings that phishing attacks are widespread but not always recognized as a threat. More than one out of seven respondents (16 percent) said they had been phished, highlighting how endemic cybercrime is today. Five percent of respondents, though, had no idea what phishing attacks are—a dangerous blind spot. Think you know what a phishing site looks like? Play our Phish or No Phish game to see if you can tell the difference.

That wraps up my first take on the data. Thanks again to everyone taking part in the survey.

By: Ryan White