What breach? Measuring online awareness of security incidents by studying real-world browsing behavior
This paper addresses the problem of low public awareness of security risks, which matters for improving online safety habits, but it is incremental: it quantifies existing concerns without proposing new solutions.
The paper measured how often people read about security incidents online and what follow-up actions they took, finding that only 16% of participants visited pages related to major incidents, with more severe incidents and constructive articles inspiring more action.
Awareness about security and privacy risks is important for developing good security habits. Learning about real-world security incidents and data breaches can alert people to the ways in which their information is vulnerable online, thus playing a significant role in encouraging safe security behavior. This paper examines 1) how often people read about security incidents online, 2) of those people, whether and to what extent they follow up with an action, e.g., by trying to read more about the incident, and 3) what influences the likelihood that they will read about an incident and take some action. We study this by quantitatively examining real-world internet-browsing data from 303 participants. Our findings present a bleak view of awareness of security incidents. Only 16% of participants visited any web pages related to six widely publicized large-scale security incidents; few read about one even when an incident was likely to have affected them (e.g., the Equifax breach almost universally affected people with Equifax credit reports). We further found that more severe incidents as well as articles that constructively spoke about the incident inspired more action. We conclude with recommendations for specific future research and for enabling useful security incident information to reach more people.