Earlier this fall it was revealed that the digital travel platform Uber had been the victim of a data breach, where the personal information of 57 million users was stolen (Fortune, 2017). This event is one of many in a slew of customer data breaches, a string of events that have motivated companies to invest in cyber security systems (UK Gov, 2017) in order to align themselves with new data and ePrivacy regulation (see EU GDPR, 2017; EC, 2017). However, we argue that the burden of cyber security is as much on the user as it is on systems (Vishwanath et al., 2011) and the ‘human factor’ is significant in protecting personal information online.
Generally, people do not like to give up their personal information (EC, 2015), yet many have little knowledge of just what is risky online and how to protect themselves. For example, even seemingly insensitive information, such as Uber user data, can act as a gateway to more invasive threats (Fortune, 2017; Vishwanath et al., 2011). One such threat is phishing, in which fraudulent emails trick you into revealing personal account details (see Dhamija et al., 2006). These deceptive emails are often personalised using data stolen from low-sensitivity accounts, invoking a sense of safety because seemingly private information is already known to the sender.
In response to the Uber breach (and others like it), UK MP Matt Hancock suggested that "people just need to make sure they do not respond to a phishing email" (Guardian, 2017a). Although this is sound advice, it is not as simple as it may seem.
A study by Dhamija et al. (2006) reveals that the majority of individuals do in fact fall for these customised phishing emails, contributing to the strong increase in successful personal data theft (see ENISA, 2017). Since the emails are often addressed specifically to the recipient, protection from phishing is particularly dependent on the recipient's ability to recognise and discard the email (Vishwanath et al., 2011). So while the data holder may 'own' the primary risk of a data breach, the user holds the tools to resist the secondary risk of successful phishing.
The configuration of these secondary risks may be well known among cyber security professionals. Yet studies (e.g. Dhamija et al., 2006; Furnell et al., 2007) indicate that the public continues to struggle to keep their information safe. For example, Olmstead and Smith (2017) show that only half of internet users can correctly identify a phishing email. This divergence between public and expert knowledge is far from new, and is exemplified in debates on controversial subjects such as nuclear power and food safety (see work by Irwin and Michael, 2003; Slovic, 1987). However, the case of cyber security is somewhat unique in that it seems to be combined with a false sense of public knowledge. An EC survey from 2015 found that 74% of the participants do in fact perceive themselves as being able to protect their personal information, and 47% feel very well informed about cyber threats. This perception of 'feeling safe' is supported by other studies, such as Furnell et al. (2007). Set against the sheer number who do in fact fall for phishing emails, this points to a discrepancy between perceived cyber protection and actual vulnerability to specific threats, possibly creating further personal risk as actions are taken on the basis of false information and inherent biases.
Conversely, the mere request for personal information may deflate trust in an organisation (Martin et al., 2016), and the EC survey revealed that 89% of its participants avoided disclosing personal information online even to legitimate entities. Yet most activities do in fact leave an online trace: "when a firm collects, stores, and uses customers' personal information, it increases the potential for harm" (Martin et al., 2016, p.2). The question then arises: how much of this harm can be mitigated by systems, and how much will fundamentally rely on individual users?
This post has focused on phishing, but the cyber threats are many (see ENISA, 2017). What do you think? Who bears the responsibility to keep your data safe, and how do you know if your data is safe?
– Agnes Maripuu
References and further reading:
Dhamija, R., Tygar, J. D. and Hearst, M. (2006) Why phishing works. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM.
EC (2015) European Commission, Special Eurobarometer 423: Cyber Security Report. Available online: http://ec.europa.eu/commfrontoffice/publicopinion/archives/ebs/ebs_423_en.pdf. Accessed: 12-12-2017.
EC (2017) Proposal for an ePrivacy Regulation. Available online: https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation. Accessed: 12-12-2017.
ENISA (2017) ENISA Threat Landscape Report 2016. European Union Agency for Network and Information Security, ETL 2016.
EU GDPR (2017) GDPR Portal: Site Overview. Available online: https://www.eugdpr.org/. Accessed: 12-12-2017.
Fortune (2017) Uber Hack: Here's How to Find Out If You've Been Affected. Available online: http://fortune.com/2017/11/22/uber-hack-were-you-impacted/. Accessed: 12-12-2017.
Furnell, S. M., Bryant, P. and Phippen, A. D. (2007) Assessing the security perceptions of personal Internet users. Computers & Security 26(5), 410-417.
Vishwanath, A., Herath, T., Chen, R., Wang, J. and Rao, H. R. (2011) Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model. Decision Support Systems 51(3), 576-586.
Martin, K. D., Borah, A. and Palmatier, R. W. (2017) Data privacy: Effects on customer and firm performance. Journal of Marketing 81(1), 36-58.
Olmstead, K. and Smith, A. (2017) What the Public Knows about Cybersecurity. Pew Research Center, March.
UK Gov (2017) Cyber Security Breaches Survey 2017. Available online: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/609186/Cyber_Security_Breaches_Survey_2017_main_report_PUBLIC.pdf. Accessed: 12-12-2017.