At the National Cyber Security Alliance (NCSA), we encourage everyone to learn how they can be more #CyberAware in their day-to-day lives. Online safety is a shared responsibility, and we all have roles to play in educating ourselves, our families, our colleagues and staff and our communities about being safer and more secure online. But according to a new Pew Research Center study, despite the prevalence of cybersecurity and cyber threats in the news, many Americans lack clarity on some key cybersecurity issues.
In an effort to test Americans’ cyber awareness, Pew surveyed 1,055 adult internet users living in the United States, asking them 13 questions covering many of the general concepts and basic building blocks of protecting oneself online. I recently spoke with Lee Rainie, the director of internet, science and technology research at the Pew Research Center, about this research and Pew’s valuable work in the fields of cybersecurity and privacy.
MICHAEL KAISER: Pew Research Center has been conducting studies on cybersecurity, technology usage and privacy for quite a while. What prompted this particular study, and what did you hope to learn via a quiz that you couldn’t from a survey?
LEE RAINIE: This actually is a survey AND a quiz, and we think both things will give us deeper insights into how much knowledge people have about “cyber-hygiene.” We did this survey as a follow-up to our broader examination of the state of Americans’ thinking about cybersecurity.
We released a report in January that explored 1) how many people had experienced some kind of major breach (64% of adults had); 2) how Americans feel about the security of their data that is being held by a variety of enterprises and the federal government; 3) how people manage their passwords (answer: mostly in their heads); 4) the ways in which folks use free WiFi in places like hotels, airports and restaurants; and 5) how people feel about government access to encrypted information (it’s a split verdict).
This new survey followed up by testing internet users’ knowledge about a variety of cybersecurity issues and concepts. We asked 13 questions and just released a report analyzing who answered them correctly/incorrectly.
Our overall goal was to see how closely online Americans are following the best practices recommended by experts to protect their information. We found that the typical respondent answered only five of our 13 questions correctly – with a mean of 5.5 correct answers – and just 1 percent of online adults could correctly answer all 13 questions.
The survey gives us a great snapshot of how a representative sampling of internet-using adults does on questions about their knowledge of cybersecurity issues and concepts.
MK: Where can people find the questions and test their own knowledge?
LR: We created a quiz for others to take to see how they compare with other Americans. We’ll see how users of our website – and of other sites that embed our quiz – do compared with this representative poll. If you take the quiz, you can also share your score on social media and encourage others to take the quiz, too.
MK: Did any particular finding at all surprise you?
LR: We think this was the first representative survey gauging Americans’ knowledge about these kinds of cybersecurity matters. In a way, all of the answers were news and surprising, because no one had tested them in a broad sampling before. It was particularly striking to see how many people said they couldn’t even be sure what the right answer was. For instance:
- 73 percent of internet users said they could not answer a question about what a botnet is. (It’s a group of computers networked together and used by hackers to steal data.)
- 70 percent said they didn’t know if using a virtual private network (VPN) can minimize their risks when they use insecure WiFi networks (in fact, it does).
- 54 percent didn’t even venture an answer about the meaning of https:// at the beginning of a URL. (It means that information entered into the site is encrypted.)
MK: Can you provide a breakdown of where you think respondents had a good grasp of cybersecurity and where their knowledge showed gaps?
LR: There were basically three “tiers” of cybersecurity knowledge that showed up in the answers. In the top tier, people showed pretty high levels of awareness of strong passwords and the vulnerabilities of using public WiFi networks. Some 75 percent of online adults can correctly identify the strongest password from a list of options. A similar share (73%) is aware that if a public WiFi network is password protected, it does not necessarily mean it’s safe to perform sensitive tasks, such as online banking, using that network.
In the middle tier, about half of internet users are able to correctly answer several other questions. Some 54 percent are able to identify examples of phishing attacks. Similarly, 52 percent correctly say that turning off the GPS function of a smartphone does not prevent all tracking of that device (mobile phones can also be tracked via cellular towers or WiFi networks to which they are connected). Additionally, 49 percent of internet users know Americans are entitled to get a free copy of their credit report annually from each of the three major credit bureaus. A similar share (48%) can correctly define the term ransomware (when criminals access someone’s computer, encrypt their personal files and data and hold that data hostage unless they are paid to decrypt the files).
Internet users demonstrated the lowest level of awareness when the issues got more technical. For instance, only 39 percent are aware that internet service providers (ISPs) are able to see the sites their customers are visiting while using the private browsing mode on their internet browsers. Only a third (33%) are aware that the letter “s” in a URL beginning with https:// indicates that the traffic on that site is encrypted. And just 16 percent of online adults are aware that a group of computers networked together and used by hackers to steal data is referred to as a botnet. A similar share (13%) is aware that the risks of using insecure WiFi networks can be minimized by using a VPN.
MK: More than 1,000 adult internet users participated in this study. What, if any, significant differences did you find by education level, age or other socioeconomic factors?
LR: Every time Pew Research Center does a knowledge quiz, we find that those with higher levels of education (college degrees and beyond) do better than those whose education ended when they graduated from high school. This quiz shows that, too. There were statistically meaningful differences through all 13 questions when it came to people’s levels of education.
The other actor that modestly showed up related to age. On some – but not all – of these questions, younger internet users were more likely than older users to know the correct answers. Overall, 18- to 29-year-old internet users correctly answered a mean of 6.0 out of 13 questions, compared with a mean of 5.0 among those 65 and older.
MK: Growing the adoption of multi-factor authentication (MFA) has been a priority of many organizations, including NCSA. One troubling finding of this study was that only 10 percent of respondents could correctly identify an example of MFA (compared to other examples not depicting MFA). Any thoughts on this finding – or advice for those working in the education and awareness space?
LR: This was a tough question, and the answers show how much the public is struggling to figure this out. The fact that there were relatively few “don’t know” responses suggests that people might be aware of the idea of MFA,, even if they gave the wrong answer.
Given the litany of login screens users see across their accounts, they may simply not be aware that true MFA – in the very precise way cybersecurity professionals define it – is not the same as something like a security question (e.g., “What is your mother’s maiden name?”).
In our previous privacy-related research, we heard regularly that many people would like to be more educated and trained about best practices for protecting their personal data. The answers we got on this question are in line with that sentiment.
MK: Given that phishing scams remain some of the biggest vectors of attacks targeting consumers and businesses, how concerning is it that just slightly more than half (54%) of respondents could correctly identify a phishing email?
LR: We hear pretty constantly from cybersecurity professionals that they feel phishing scams are one of the top vulnerabilities they face. These figures suggest that a little under half of internet users are incorrect or simply don’t know what a phishing attack is. That’s a significantly sized group.
MK: NCSA believes that everyone has a role to play in promoting a safer and more secure internet. Where do you think general cybersecurity knowledge plays into this, and why is it important for everyone to be more aware of the implications of their online actions?
LR: Social scientists have long demonstrated that people’s awareness and knowledge about a host of issues is a key factor that shapes how they act and think as citizens and consumers. We at Pew Research Center have been documenting since 1996 that people are living more of their lives online and entrusting the online world to handle critical transactions in their lives and key information about who they are.
Our opening line is this report is: “In an increasingly digital world, an individual’s personal data can be as valuable – and as vulnerable – to potential wrongdoers as any other possession.” When people don’t know about the ways they are vulnerable, they are likely to behave differently compared with those who have knowledge about risks.
MK: What are your plans for continuing and/or expanding on this study in the future?
LR: Our privacy research in recent years has attempted to parse the complex ways in which people think and act when it comes to sharing personal information or surveillance issues. And the environment keeps shifting as new gadgetry, modes of connectivity and methods of capturing and analyzing data arise. We will keep exploring many of these issues in the context of a changing tech environment.
The rise of the Internet of Things (IoT) – connected cars, homes, appliances, public spaces, commercial realms and sensor-laden environments – will bring any number of new issues to the fore. The IoT is already in play as a target for bad actors using new (and older) techniques. We’ll be watching that pretty carefully, too.
You can view the full Pew report here. For tips on how you can be safer online and protect your personal information, visit staysafeonline.org – and follow us on Facebook and Twitter for year-round cybersecurity advice and news.