You Don’t Know Hack: Public Struggles with Cyber Security Concepts

Most U.S. adults had trouble identifying key cyber security concepts including what data was secure online and the definition of a botnet.

In-brief: U.S. adults may be able to identify a strong password when they see one, but on many questions of how to identify and protect themselves from online threats, they are worryingly ignorant, according to a new survey by The Pew Center.

Fewer than half of Americans knew what ransomware was or understood that their email messages and wireless traffic are not encrypted by default. Just 16 percent correctly identified a description of a “botnet.” And, in an age of widespread password theft and account takeovers, just 10 percent of adults could identify an example of multi-factor authentication. The results have implications for employers and public policy experts alike, as sophisticated cyber attacks often rely on so-called “social engineering” attacks on individuals, especially in their earliest stages.

The data is part of a new survey out from The Pew Center for Internet, Science and Technology, which surveyed 1,055 adult Internet users living in the United States. Respondents were asked to complete a short, 13-item questionnaire that covered a range of topics, from password strength to the applications of virtual private networking (VPN) technology. The typical (median) respondent answered only five of the 13 knowledge questions correctly, Pew found. One-in-five (20%) answered more than eight questions accurately, and just 1% of the thousand survey takers received a “perfect score” by correctly answering all 13 questions, Pew reported.

This is just the latest survey by Pew to expose lax security knowledge and practices by U.S. residents. A recent survey by Pew found that 8 in 10 Americans simply memorize or write down their passwords, while a substantial minority (39%) solve the password complexity problem by reusing the same (or a very similar) password across accounts.

Survey results were not uniformly bad. Three quarters of respondents could pick out a secure password from a list of four password options. (Though it is worth noting that 17% were not sure and 8% incorrectly identified a strong password.) And 73% said (correctly) that public Wi-Fi hotspots are not always safe for sensitive activities, even if they are password protected. A majority (54%) of respondents could identify a phishing attack from a set of descriptions and understood that turning off GPS on a smartphone did not prevent all location tracking (52%).

However, in other areas, the survey showed how cyber security topics are still terra incognita for average Americans. Eighty-three percent of those taking the survey either did not know (10%) or were “not sure” what the definition of a botnet is, despite recent headlines about botnet-based attacks on Dyn and other companies. Eighty-six percent did not know (16%) or were “not sure” whether using virtual private networking (VPN) software minimized the risk of using insecure Wi-Fi networks.

Internet users’ knowledge of cybersecurity varied based on their level of education. Those with college degrees or higher answered an average of 7 of the 13 questions in the survey correctly, compared with an average of 5.5 among those who have attended but not graduated from college and an average of just 4.0 for those with high school diplomas or less. Roughly one-quarter (27%) of those with college degrees answered 10 or more questions correctly, compared with 4% of those with just a high school degree, Pew found.

The implications of a lack of cyber security know-how can be profound. The U.S. Department of Justice on Tuesday announced charges filed against a Lithuanian man alleged to have bilked two U.S. firms out of close to $100 million over a period of years using phishing email messages to arrange high-value wire transfers to bank accounts controlled by the scammer.

One Comment

  1. Glad to see a major institution like Pew take on cybersecurity awareness. Especially with more and more home devices being used to launch cyberattacks in a botnet and the growth of phishing (the latest US elections were an example of how smart people can get phished and we all get these mails).

    There are some good resources online to read about it and educate, but it seems like it’s only for digital natives or computer professionals.