Most people say they care about their online security and privacy. Poll after poll confirms what one would expect: They don’t want their identities stolen, phones hacked, credit cards compromised or bank accounts drained. They don’t welcome government or anyone else conducting surveillance on them, especially in their private lives.
But those polls also show that only an alarmingly small percentage of those same people seem willing to make much effort to do what they say they want – protect their privacy and security.
One of the more recent, a survey of 2,000 consumers done by Morar Consulting for the VPN provider Hide My Ass!, found that 67 percent of respondents said they wanted extra layers of privacy, but only 16 percent used privacy-enhancing browser plug-ins; 13 percent used two-factor authentication; 11 percent used a VPN; 9 percent used email encryption; and 4 percent used anonymity software, such as Tor (the onion router).
Why? It is not just that people are lazy or incompetent, according to psychological research. It has more to do with the way we are hard-wired. Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology (CDT), notes that research on the question goes back more than a century.
Indeed, in 1883, Dutch cryptographer Auguste Kerckhoffs wrote that in order for a military cryptographic system to work, it would have to be, “… easy to use and must neither require stress of mind, nor the knowledge of a long series of rules …”
Apply that to the modern online world, and it pretty much guarantees that exhortations to use complex passwords for different sites and devices to maintain security will be ignored by most people.
As Brett McDowell, executive director of the FIDO Alliance, put it, “unfortunately for those of us in information security, users have ‘voted with their habits,’ and the vast majority have told us loud and clear that user experience (UX) trumps privacy and security.”
It is not just the UX that is in play either. Much more recently, in 2008, researcher Ryan West wrote that more than a century of research shows that most people believe they are less vulnerable to risks than others: that they are better drivers than others, are less likely to be harmed by consumer products and will live beyond average life expectancy.
“It stands to reason that any computer user has the preset belief that they are at less risk of a computer vulnerability than others,” he wrote.
West added there is evidence that when people do increase their security measures, such as installing a personal firewall, they tend to engage in more risky behavior – something known as “risk homeostasis,” or risk leveling.