Author: Tim O'Connor
Encouraging employees to improve their security hygiene can feel like an endless battle. Sometimes it feels like having modern medical knowledge and time-travelling back to plague-ridden middle ages. That is why it’s a welcome relief when we see some good news regarding effective tools to help with security awareness and behavior change.
New peer-reviewed scientific studies recently released by Penn State University shed light on what might be some relatively easy methods to help influence behavior on insecure wireless networks. Interestingly, some of it pertains to “Terms and Conditions” contracts or portals.
A common belief is that nobody reads the “Terms and Conditions” (T&C) when using technology. This belief is so widespread that the satire show South Park created an episode making fun of this cultural phenomenon. We do have some good news though. The new study from Penn State shows that when people are presented with a T&C portal when joining a wireless network they will tend to share less personal information over that network.
Let’s look at the behavior cues used and what behavior was studied.
Researchers decided to look at four behaviors measured against “publicness heuristic levels”. I read numerous journals but publicness heuristic levels (PHL) was a new one on me. The simplistic description of a PHL is how the person identifies or feels about the location or environment they are using on a scale from being in public to being at home. The four behaviors that were examined were those that could be identified as: disclosure of personal information, disclosure of financial information, ethical behavior and unethical behavior.
The variables studied in the experiments were the physical location of the person (home, coffee shop, university or Airbnb) and screen-displayed visual cues such as the previously mentioned Terms and Conditions portal, as well as prominent icons indicating that the wireless connection was connected using a VPN.
The participants were measured against control groups as they accessed the internet from the defined physical locations and randomized use of the visual clues. Participants during their time on the wireless network were asked to visit several websites that asked for information such as income, debt-to-loan ratio and even questions about pornographic material. The participants were not told about the visual clues or how behavior would be monitored.
So what were the results?
Participants at a coffee shop showed a PHL indicating that they felt they were in the most insecure location of all the tested locations and, as a result, disclosed less personal information and participated in fewer unethical behaviors when the T&C portal and VPN ON visual clues were not displayed.
Interestingly, participants PHL showed they perceived being at an Airbnb location as much more secure than a coffee shop and as/almost as secure as being at home. At the Airbnb location they were very willing to disclose personal information with little difference in behavior whether or not a T&C portal was present or a “VPN ON” icon was displayed.
The information from these studies is a goldmine for security analysts that design and implement security controls, security awareness programs and education.
From a controls design perspective, we have the surprising realization that T&C portals, while typically not read by users, do in fact have an impact on security hygiene. While it is unlikely that most of the study participants actually know what a VPN is and how it works, it is likely they are aware that it is security related. Creating systems with visual notifications of the controls in use could increase the effectiveness of the control and perhaps also the frequency of use.
Security awareness analysts and program designers have the good news that visual icons in some environments can improve security hygiene. This is more significant news than it may seem on the surface. Security awareness is considered one of the most needed security controls in business and government today, yet 70% of employees have ineffective or non-existent security awareness skills.
Knowing that coffee shops are widely perceived as a location where personal information and behavior may be seen by evil hackers confirms that some general knowledge by the public is correct about the risks that are present in this type of location. This might seem ‘common sense’ to security personal however we know that other ‘common sense’ public perceptions are often wrong. Confirmation of public perception allows us to concentrate resources on where perceptions are incorrect.
A false sense of security or false assumptions about security controls are some of the worst and most dangerous risks in information security. The Airbnb results provide more than one example of this.
Airbnb is a service that does not own any of the properties that its customers use for lodging. When you are staying at an Airbnb they are private properties and don’t have consistent standards and regulations, like hotels do. You are using another person’s wifi connection and even if the property owner has not knowingly placed malware on the wifi system or on attached devices, a neighbor or previous customer certainly could have.
We can see from the research results that many people while having a good sense of the risk in using coffee shop wifi have an unjustified sense of privacy and security from an Airbnb location. This means that Airbnb users often have a false sense of security. Additionally, security professionals designing security awareness programs might think the average person’s “common sense” would equate the security risks of a coffee shop to Airbnb locations, but they would be wrong.
The next critical thing we see from this research is that the visual controls that worked well in most environments, the VPN ON icons and Terms and Conditions portals, did not work for the Airbnb locations. This sets up security awareness designers for another potential false sense of security when assuming that just because these visual controls were helpful in some locations that they would be helpful in all locations.
The study of the effectiveness and in some cases the ineffectiveness of visual controls helps us to understand important limitations of these controls and brings to our attention the dangers of assuming how people judge personal security.
Security awareness design and implementation is an ongoing and changing discipline and one of the most important and needed programs for personal and organizational security. Communicating to people the concepts of privacy, technology, con-artist techniques and ethics in a wifi environment is a challenge. Straightfoward controls like visual icons and understanding their influence and limitations is critical to risk analysis and mitigation. Likewise, we can see great value in more studies of this type if they illuminate how people change their behavior in various environments where technology is used and people can be exposed to cybercrime.
If you would like to keep up-to-date on current science and fact-driven information about security awareness and other information security issues, please check back regularly to this blog series. If you would like a trusted advisor to help you develop a security awareness program based on adult learning and sound science please contact us.
The results of the principle studies cited in this article were presented on May 8th 2019 at the ACM Conference on Human Factors in Computing Systems in Glasgow, Scotland.
“2017 State of Privacy and Security Awareness Report” DARKReading 3, October 2017
"Wi-Fi location affects online privacy behavior." ScienceDaily. ScienceDaily, 10 May 2019. www.sciencedaily.com/releases/2019/05/190510102927.htm