
Americans Want to Protect Their Information, but Don't Know How: Survey

Americans are keen on security, but do not necessarily understand it. This is the conclusion of a new survey of 1,300 Americans undertaken by YouGov, which suggests that attitudes towards cybersecurity outrun the actions actually taken to ensure it.

The survey, commissioned by Palo Alto Networks, shows for example that 66% of Americans believe they are doing everything possible to remain secure -- yet only 27% attempt to verify the identity of an unknown sender when receiving an email. Palo Alto Networks calls it a 'gap between responsibility and action', and the gap recurs throughout the survey. Sixty-two percent of Americans believe they should be responsible for the security of their data, while only 24% run a computer scan after interacting with a link they subsequently believe to be malicious.
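The survey counts 'verifying the identity of an unknown sender' as the step most respondents skip, without saying what that verification would consist of. As an added example (it is not part of the survey or of this article), the Python below shows the check a mail administrator, or a reasonably informed user reading raw headers, would actually perform: read the Authentication-Results header stamped by the receiving mail server, take its SPF, DKIM and DMARC verdicts, and compare the DKIM signing domain against the domain in the From address. The three messages and the receiving server name mx.example.net are constructed for the example; nothing here is real mail.

```python
"""Assess whether a received message's sender has been authenticated.

Added example, not code from the survey or the article. Reads the
Authentication-Results header (RFC 8601) written by our own receiving
server and compares SPF/DKIM/DMARC verdicts with the From: domain.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Constructed sample: our server recorded passing results and the DKIM
# signer matches the From: domain.
GOOD_MSG = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=news.example.com;
 dkim=pass header.d=example.com header.s=sel1;
 dmarc=pass header.from=example.com
From: Newsletter <news@example.com>
To: alice@example.net
Subject: March update

Hello Alice
"""

# Constructed sample: the From: header claims example.com, but the envelope
# sender and DKIM signer are a lookalike domain and DMARC fails.
BAD_MSG = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=mail.examp1e-support.biz;
 dkim=pass header.d=examp1e-support.biz header.s=k1;
 dmarc=fail header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.net
Subject: Password expiry notice

Click to reset
"""

# Constructed sample: the sender supplied its own Authentication-Results
# header (authserv-id is not ours), so it must be ignored, not trusted.
FORGED_MSG = """\
Authentication-Results: mail.attacker.example;
 spf=pass; dkim=pass header.d=example.com; dmarc=pass
From: "CEO" <ceo@example.com>
To: alice@example.net
Subject: Urgent wire

Please pay
"""

_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
_DKIM_D_RE = re.compile(r"header\.d=([\w.-]+)", re.IGNORECASE)


def parse_auth_results(msg: EmailMessage, trusted_authserv: str) -> dict:
    """Collect SPF/DKIM/DMARC verdicts and the DKIM signing domain from
    Authentication-Results headers whose authserv-id is our own server.
    Headers with any other authserv-id are skipped: a sender can add an
    Authentication-Results header of its own, so only ours is evidence."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none", "dkim_d": None}
    for hdr in msg.get_all("Authentication-Results", []):
        flat = " ".join(str(hdr).split())          # unfold and normalise spaces
        authserv = flat.split(";", 1)[0].strip()   # first token is authserv-id
        if authserv.lower() != trusted_authserv.lower():
            continue
        for method, verdict in _RESULT_RE.findall(flat):
            results[method.lower()] = verdict.lower()
        m = _DKIM_D_RE.search(flat)
        if m:
            results["dkim_d"] = m.group(1).lower()
    return results


def assess_sender(raw_message: str, trusted_authserv: str = "mx.example.net"):
    """Return (ok, problems). ok is True only when DMARC and SPF passed and
    the DKIM signature, if present, was made by the From: domain (or a parent
    of it). trusted_authserv is an assumed name for our receiving server."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_addr = email.utils.parseaddr(str(msg["From"]))[1]
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    ar = parse_auth_results(msg, trusted_authserv)
    problems = []
    if ar["dmarc"] != "pass":
        problems.append(f"DMARC {ar['dmarc']} for {from_domain}")
    if ar["spf"] != "pass":
        problems.append(f"SPF {ar['spf']}")
    d = ar["dkim_d"]
    if ar["dkim"] == "pass" and d and not (d == from_domain or from_domain.endswith("." + d)):
        problems.append(f"DKIM signed by {d}, not the From domain {from_domain}")
    return (not problems, problems)
```

The authserv-id check is the part worth remembering: a DMARC 'pass' is only meaningful when the header recording it was added by the server you control, and a forged header carried in from outside, as in FORGED_MSG, should produce the same verdict as no header at all.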

Interpreting the results of any survey can be tricky because so much depends on the precise wording of the question, and the potential variability in how the respondent replies to that question. One question attempted to find Americans' attitude towards AI. This is a complex issue because of the wider societal questions (loss of jobs in manufacturing in the short term and doomsday scenarios of AI robots gone bad in the future) -- so, it is unclear whether these issues affect attitudes towards AI in cybersecurity.

Cybersecurity's use of AI (for the most part it is machine learning, which divides into unsupervised learning, where the model finds structure in unlabelled data on its own, and supervised learning, where it is trained on examples labelled and curated by human experts) is one of the least contentious areas. It merely seeks potentially malicious patterns of activity, with no wider effect on society.

Palo Alto Networks asked the respondents whether they would prefer cybersecurity managed by humans or managed by AI. It did not suggest that supervised ML could be considered as 'AI-aided human management'. The response was that 37% would prefer human management, 36% don't know, and only 26% would prefer AI management.

Palo Alto Networks believes the key response is the number of 'don't knows'. "People still have a hard time understanding artificial intelligence, especially in the context of cybersecurity," Rick Howard, CSO at Palo Alto Networks, told SecurityWeek. "In fact, most respondents [well, not quite most, but the point is clear] replied 'Don't know' to this question, which shows that there is an overall lack of understanding of what AI is in general -- let alone the difference between supervised and unsupervised AI."

Other responses to the survey are less difficult to interpret, but still frequently indicate a dichotomy between understanding and action. Asked who should be responsible for the security of personal data online, most respondents (66%) replied, 'myself'. This was followed by the ISP (48%), the mobile network operator (35%), and the device manufacturer (29%). The government scored 26%, and law enforcement a lowly 17%.

While this displays a laudable attitude towards personal responsibility, 'myself' can do little more than use strong, unique passwords, turn on multi-factor authentication where it is offered, and limit the amount of data put online. Users have little control over ISPs and operators selling metadata, and usually no control over the security of the service holding that data. Howard suggests that users still struggle to understand who should be held accountable for data security, adding, "it is a shared responsibility model, where the vendor and the customer share different security responsibilities. But in all cases, the customer should own the security of their data."

One complication in the results is that the survey doesn't differentiate between business users and home users, and it is very likely that the two groups behave differently. Home users, for example, are forced to take more personal responsibility since they have no company IT department or security team to rely on for help. This complicates an analysis of responses to a query on first reaction after clicking a link that then appears to be malicious.

Twenty-four percent of respondents will run a security scan, while 17% will trust that an existing anti-virus will protect them. Only 6% (if in a work environment) will notify the IT department. The difficulty here is that we don't know 6% of how many -- but either way, it suggests that most work users have faith that their company will protect them even without telling the company that there was a problem, which denies the security team the one signal it most needs.

The one area in which work users are specifically separated is a query over the frequency of training. Here the total number of work respondents was 675. Given the current understanding of the importance of staff security awareness training, the results are disappointing. Responding to 'how often do you participate in cybersecurity training?', only 10% responded 'more often than every six months'. Sixteen percent replied once a year, and a colossal and disappointing 28% said 'never'.

Howard believes that continuous training is important, but doesn't believe that the lack of training should be seen as a reason for cybersecurity breaches. "Many practitioners say that the user is the weakest link, but I disagree with that assessment," he told SecurityWeek. "It should not fall to the user to be fluent in security. Provide awareness training for sure, but users should be protected further up the security stack."

Despite the difficulty in making a detailed analysis from this survey, the broad sweep is clear: users believe that they are doing more to protect themselves than they actually are. "The discrepancy between consumers’ belief that they’re already doing all they can to stay safe, despite their lack of security knowledge," writes Palo Alto Networks, "highlights a major need for businesses to do more to keep their customers protected and educated."


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.