1. User Security Behavior Denise Anthony PKI Unlocked Summit Dartmouth College July 2004

2. Computer Networks Collective resource systems Produced and maintained by multiple actors; Individual behavior effects integrity of system virus exposure unauthorized access Feels like consuming a private good

3. User surveys Dartmouth students: April 2003: Computer use and security behavior –Representative sample of 171 undergrads –Method: on-line survey November 2003: Use of Wireless and Wired networks –Total of 247 undergraduate and graduate students –Method: paper survey –Conducted by student Emiliano Trere from University of Bologna in Italy 20 in-depth interviews Nationally representative data from UCLA Center for Communication Policy www.ccp.ucla.edu

4. Dartmouth Students

5. Basic Use Statistics 99% use email daily –~95% use home-grown Blitzmail program –Primary medium of communication on campus 70% browse the Web at least 1 hour/day 67% P2P file-sharing in average week 90% purchased on-line in last 6 months 78% use both wired and wireless networks – Over 2/3 use wireless on almost daily basis – 22% no wireless: lack of technology, seniors

6. Virus Protection 87% have anti-virus software loaded on their computer –2/3 of them scan for viruses at least once per month –About 40% up-date their anti-virus software at least once per month

7. Password Security 75% have shared their password – Over 50% did NOT change it afterward Nearly two-thirds never change password 36% use same password for all apps/sites – all websites that require password – no distinction between secure (SSL) and non- secure websites

8. Behavior across networks

9. Security Concerns About half concerned about PRIVACY on WWW More than half concerned about SECURITY of information on WWW

10. Web security? How do users think about website security? Implicit trust and experience “If [a website] mention[s] they are secure…I usually trust it.” “I don’t really think about it, but when the windows pop up saying I should do something, I always say yes.” “All the websites I use are secure, and everyone else is doing it [without] a problem.”

11. Web security How do users think about website security? Use brand name sites - reputation “I just order from Amazon and places like that.” “I use it if it is an official site of a major company.” “I would never order stuff off a website that looks like its program could change…you know, a crappy website.” “I trust Norton to do it for me.”

12. Security Behavior Online How often check browser security signals when submitting sensitive information?

13. Security Features Used

14. Link between concern and behavior

15. How concerned are users? 2002 National data (UCLA): 54% very/extremely concerned about privacy when purchasing online –11.2% not at all (up from 5.5%) Non-purchasers (58%) more concerned than purchasers (33%) New users (65%) more concerned than experienced users (47%) Methods to reduce concerns: 23% Nothing! 6% better technology 27% guarantee/3 rd party verification/Gov regulation

16. Implications Not evaluating security of websites –Don’t use security signals Don’t know what to look for –Engage in un-secure behavior Users already ‘trust’ infrastructure –Rely on reputation of company –Expectation that technology is secure Want ‘assurance’ that system works –Third party incentives/regulation of security