Distribution of answers in the survey form

Note: The questions with "x" in their number were addressed during an interview by the student.
Others were answered by the respondent prior to the interview.
There were several open questions within the interview but their answers are not shown here.



Survey of daily information security 2021

1. Introduction
2. Background
3. Other devices
4. General about smart phones
5. Networking
6. Opportunities and threats
7. Security practices
8. Security evaluation
9. Context

1. Introduction

This survey is part of a long-standing study that looks at how information security ('infosec') shows in people's daily lives and how it could be supported. The focus is on mobile devices outside of work and study, but other data processing is also considered. The questions usually only mention a phone, or smartphone. If another similar device, such as a tablet, almost always follows you, take it into account in your answers.

You have received a link from a student on an infosec course at Tampere university, and hopefully you have also agreed on a time for an interview. The student will

- read your answers before your appointment,
- formulate a preliminary assessment of your infosec risks,
- adjust it in the interview by asking more detailed questions,
- write your interview answers and the adjusted assessments in a separate view of this form, and
- probably give you recommendations or advice on infosec measures.

Your answers are anonymous already when you save them, and only the student knows who you are. The answers may be quoted when the survey results are published. On a smartphone this text may look nicer with a horizontal screen.


In the introductory questions infosec is viewed in general, and not only on smartphones. By the way, take a look at the clock when you start, so you know how much time it took at the end.


(1)   How much do you know about the threats to your information security? (Note that it is enough to click the text instead of the button. ICS = I can't say.)

15.5% ( 11 )   Enough       54.9% ( 39 )   I am moderately well aware.       16.9% ( 12 )   My knowledge is rather limited.       9.9% ( 7 )   Very little       2.8% ( 2 )   ICS or empty      
(N=71)


(2)   How much do the infosec threats worry you?

1.4% ( 1 )   ICS or empty       15.5% ( 11 )   I am not worried.       40.8% ( 29 )   Sometimes I am worried.       36.6% ( 26 )   I am often worried, but this does not limit my actions.       5.6% ( 4 )   Worriedness makes me abstain from many actions.      
(N=71)


(2ax)   Has a piece of news about infosec still caused some worry in you? What was it about? Recent news can be seen in the tweet list of the student group. The answer can be supplemented in the open question 8.10x.

15.5% ( 11 )   No or ICS       47.9% ( 34 )   Information leak       36.6% ( 26 )   Identity theft or phishing       22.5% ( 16 )   Failure of banking security       23.9% ( 17 )   A vulnerability or hack elsewhere than in banking      
14.1% ( 10 )   Problems with mobile systems       23.9% ( 17 )   Something else, or just general worriedness from the infosec news      
(N=71)


(2bx)   "If yes, did those news have consequences in your daily life?"

35.7% ( 25 )   No effect       28.6% ( 20 )   Increased vigilance or suspicion       32.9% ( 23 )   Checking / deleting personal information at a service       28.6% ( 20 )   Removal / Update / Replacement of a vulnerable application       32.9% ( 23 )   Password change      
11.4% ( 8 )   Something else      
(N=70)


(3)   In how good a state do you think your information security is? (Regardless of whether it is taken care of by you, someone else, or you together.)

25.4% ( 18 )   In good state       63.4% ( 45 )   Not in good, but neither in bad state       7.0% ( 5 )   ICS or empty       4.2% ( 3 )   In bad state      
(N=71)


(5x)   Find out in your own words how important the respondent’s electronic information, media, connections, etc. are to him or her and categorize the response. The goal is only an overview of the respondent's attitude and is not limited to a smartphone. You need this kind of information in your risk assessment.

7.0% ( 5 )   Not at all important       18.3% ( 13 )   A little important       31.0% ( 22 )   Rather important       43.7% ( 31 )   Very important      
(N=71)


(6x)   This and the next two questions deal specifically with the smartphone. The goal is still an overview of the respondent's awareness, not exact descriptions of events.

"How much do you monitor or guard your environment when you enter data, especially a password?"

7.0% ( 5 )   Not at all.       18.3% ( 13 )   Has not thought about it.       50.7% ( 36 )   Somewhat, sometimes, enough; or doesn't need to do it in public.       23.9% ( 17 )   Meticulously.      
(N=71)


(7x)   "Do you think you have ever fallen victim to malware? If so, what made you think so?" (Note: on the phone!)

46.5% ( 33 )   No or ICS       29.6% ( 21 )   Maybe; only indirect symptoms       21.1% ( 15 )   Certainly or almost certainly; rather obvious symptoms       2.8% ( 2 )   Certainly and more than once      
(N=71)


(8x)   Is the respondent sometimes concerned about the possible independent operations of the phone's microphone or camera?

17.1% ( 12 )   No or ICS       11.4% ( 8 )   Has not thought about it.       50.0% ( 35 )   Yes, somewhat       21.4% ( 15 )   Yes, quite a lot      
(N=70)


(9x)   If yes, which is of higher concern?

22.5% ( 16 )   Empty       16.9% ( 12 )   Microphone       32.4% ( 23 )   Camera       28.2% ( 20 )   About as high both      
(N=71)



2. Background


(1)   Gender

54.9% ( 39 )   male       43.7% ( 31 )   female       1.4% ( 1 )   other, or: I don't tell      
(N=71)


(2)   Age in years

Average: 29,8       Standard deviation: 10,7

(N=71)


(3)   Are you primarily

42.3% ( 30 )   working       45.1% ( 32 )   studying       12.7% ( 9 )   doing something else (also taking care of your household or being retired)      
(N=71)


(4)   If you are mainly occupied by work or studies, how big a portion of your tasks do you carry out by using computers? Answer with one approximate number, between 0 and 100 percent.

Average: 79,6       Standard deviation: 26,3

(N=71)


(5)   How active a user of computers are you outside work and study? Answer with one approximate number, between 0 and 100 percent, where 100 would represent the situation where you use all your spare time on social media, internet calls, web browsing, image processing, computer games or similar.

Average: 63,2       Standard deviation: 27,1

(N=71)


(6)   Your educational background, generally:

1.4% ( 1 )   primary level (until 9 years)       19.7% ( 14 )   secondary level (until approx. 12 years, incl. vocational education)       78.9% ( 56 )   tertiary level (degree from a college or university)      
(N=71)


(7)   Your education in information technology (IT):

36.6% ( 26 )   only as part of other studies       12.7% ( 9 )   non-degree IT studies chosen by yourself       8.5% ( 6 )   education offered by the employer       40.8% ( 29 )   a degree in the field of IT       15.5% ( 11 )   not at all      
(N=71)


(8)   How many years have you been using a smartphone, approximately?

Average: 9,9       Standard deviation: 3,4

(N=71)

3. What else than a smartphone?



There are no questions for you to answer in advance in this section. The student will discuss with you, trying to see if something in your use of IT equipment other than the smartphone affects the mobile risk assessment.

(1x)   Record here your main observations related to the use of other information technologies that affect the risk assessment of the smartphone. You can start with the two questions below and complete in writing if something important appears in other devices, hobbies, security programs, assisting neighbours, etc.


(2x)   What proportion of out-of-work computing occurs on a mobile device (i.e., a phone or tablet, but not a laptop)? Express the proportion with one approximate percentage from 0 to 100.

Average: 60,8       Standard deviation: 25,7

(N=71)


(3x)   Does the respondent maintain his or her own equipment (including the phone) and is he or she able to do so?

15.5% ( 11 )   Does not maintain, and would not be able to.       7.0% ( 5 )   Does not maintain, even if might know how to do it.       23.9% ( 17 )   Does maintain, even if doesn't feel like being able to.       53.5% ( 38 )   Does maintain and knows how to do it.      
(N=71)



4. Generally on your smartphone


(1)   What operating system does your phone have?

66.2% ( 47 )   Android       31.0% ( 22 )   iOS       0.0% ( 0 )   Windows Phone       1.4% ( 1 )   other       1.4% ( 1 )   ICS      
(N=71)


(2)   Your phone naturally stores contact data, that are needed for its immediate use. Do you have in your phone some other data, which you mainly use via the phone? (Ignore here the passwords - they will be dealt with later.)

78.9% ( 56 )   Yes, there are data that I produced myself with the phone, like photos, memos, measurements, routes ... (ignore here the contents and connection data produced by communications)
      9.9% ( 7 )   Yes, but only such contents, that I have downloaded to the phone from elsewhere and I can download again if needed. (For example music, not necessarily free. If you only have applications, choose the next one:)
      7.0% ( 5 )   Yes, but only applications.
      0.0% ( 0 )   No other data than those produced by communication (or updates of applications that were in the phone originally)
      4.2% ( 3 )   ICS      
(N=71)


(3)   Are there sensitive data on your phone, i.e. such data, that you would not like others to see—not even all your close ones? (We'll deal with protections later, so answer here as if those data were not protected.)

54.9% ( 39 )   yes       31.0% ( 22 )   no       14.1% ( 10 )   I don't tell.      
(N=71)


(4)   If there are such data, are they

66.2% ( 43 )   your own, e.g. messages or texts written by you, photos, or files that you have downloaded? (Ignore also here the passwords.)
      23.1% ( 15 )   from acquaintances and sensitive also from their point of view, e.g. messages from them?
      24.6% ( 16 )   from your work, e.g. documents or data from applications?       32.3% ( 21 )   I don't tell.      
(N=65)


(5)   What connections do you usually have on your phone constantly open, i.e. accessible without logging in to them? (but still possibly behind your screen lock.)

52.9% ( 37 )   Bluetooth       74.3% ( 52 )   WiFi       8.6% ( 6 )   WiFi-hotspot       70.0% ( 49 )   Mobile data       78.6% ( 55 )   Email      
21.4% ( 15 )   Cloud storage       5.7% ( 4 )   Connection to IoT devices       20.0% ( 14 )   Mobile payments       77.1% ( 54 )   Instant messenger of any kind, that you use to communicate with people or groups you know       71.4% ( 50 )   Social media account (where there are also people that you do not know)       1.4% ( 1 )   I don't tell anything      
(N=70)



5. Use of internet services

Like Section 3 above this section will only be used by the interviewer to assist in the risk assessment.

(1x)   First, check that the respondent has correctly understood question 4.5 above and try to refine the answer if he or she did not want to tell. “Without logging in” is related to what a user of the device can do after passing any security code.
The purpose of this section 5 is to establish a “profile” of the respondent as a mobile user of the internet services. In the same style as in Section 3, you can start with the following three dimensional questions and supplement them by writing here things that will help in understanding the risk assessment. For example, there is no direct question about reusing passwords over time or over different accounts, but the issue may indirectly pop up here.


(2x)   The respondent uses the data network (i.e. reads, watches, communicates, stores; having just the mobile data open is not considered)

32.4% ( 23 )   constantly       28.2% ( 20 )   very often       21.1% ( 15 )   often       14.1% ( 10 )   occasionally       4.2% ( 3 )   rarely      
(N=71)


(3x)   The number of services and applications in use is

16.9% ( 12 )   counted in tens       29.6% ( 21 )   around 20       40.8% ( 29 )   around 10       12.7% ( 9 )   a handful      
(N=71)


(4x)   In terms of services and applications, the respondent is

9.9% ( 7 )   experimenting quite a lot.       52.1% ( 37 )   well-established.       38.0% ( 27 )   something between these – installs/takes up new ones a little more often than once per year.      
(N=71)



6. Some general opportunities and threats

Again, this section only has questions from the interviewer. They concern the fall of the device and personal data into the wrong hands.

(1ax)   Discuss different situations in which the mobile device is at risk of being lost or broken. Find out if the respondent is aware of the dangers and how well prepared he or she is.

Note that there are two types of danger:
 * the physical event itself, and
 * its consequences for data and connections in the form of
    -- loss, or
    -- disclosure and misuse.

Try to summarize awareness with respect to both types, and then do the same for preparedness. You have learned the respondent's baseline in these matters already from the prior answers in section 7.

- Awareness:

8.5% ( 6 )   low       19.7% ( 14 )   moderate       56.3% ( 40 )   good       15.5% ( 11 )   emphasized      
(N=71)


(1bx)   - Preparedness:

18.3% ( 13 )   low       32.4% ( 23 )   moderate       39.4% ( 28 )   good       9.9% ( 7 )   emphasized      
(N=71)


(2x)   Personal data of people registered to a network service can leak as a result of a security break-in and also otherwise. Has the respondent prepared herself or himself to such by:

- the use of pseudonyms, or something similar?

26.8% ( 19 )   always when possible       35.2% ( 25 )   occasionally       38.0% ( 27 )   no      
(N=71)


(3x)   - not telling personal data to services?

40.8% ( 29 )   always when possible       47.9% ( 34 )   occasionally       11.3% ( 8 )   no      
(N=71)


(4x)   - completely abstaining from the use of services?

15.5% ( 11 )   often       38.0% ( 27 )   occasionally       46.5% ( 33 )   no      
(N=71)


(5x)   From other questions, you have already got an idea,

On a scale of 1 (low) to 5 (high), estimate the probability that the respondent’s personally identifiable information will fall into the wrong hands. Only consider information that is on the internet and used by the respondent over the telephone. And note that now you must ignore how important or valuable the information is.

8.5% ( 6 )   -1-       31.0% ( 22 )   -2-       35.2% ( 25 )   -3-       23.9% ( 17 )   -4-       1.4% ( 1 )   -5-      
(N=71)


(6x)   Estimating the probability above is already part of the risk analysis and almost the same is repeated in 8.8A3x. While being a real thing this evaluation is an exercise, where you observe that a reasonable estimate still requires you to ask some details from the respondent.
Write down here what you asked and what you got in response. No matter how you discussed the issue, try to make your note here in such a way that the same question could have been on the respondent’s own form, possibly even with answer options. (While thinking in this way you might gain a little insight on what it would require to build an infosec app to do automatic risk assessments for users.)



7. Security practices


(1)   Which of the following have you taken into use?

73.2% ( 52 )   self-set PIN code       49.3% ( 35 )   phone lock       77.5% ( 55 )   screen lock       4.2% ( 3 )   I don't tell.      
(N=71)


(2)   Where do you copy data from your phone?

25.4% ( 18 )   I don't copy       49.3% ( 35 )   onto a computer       18.3% ( 13 )   onto an external memory       38.0% ( 27 )   into a network service       5.6% ( 4 )   I don't tell.      
(N=71)


(3)   If you copy, how do you do it?

63.6% ( 42 )   "manually", i.e. each piece or collection separately       28.8% ( 19 )   with a back-up program       21.2% ( 14 )   in some other way      
(N=66)


(4)   If you use a back-up program, what is it like?

36.6% ( 26 )   originally on the phone       14.1% ( 10 )   obtained separately       49.3% ( 35 )   (empty)      
(N=71)


(4x)   More specifically: how regular and covering is the back-up procedure? Give a combined estimate after discussion, with respect to quality, quantity and volatility of data, and characteristics of the copying:

22.1% ( 15 )   badly insufficient       27.9% ( 19 )   better than nothing       39.7% ( 27 )   moderately good       10.3% ( 7 )   fully sufficient      
(N=68)


(5)   Have you stored the IMEI number (phone serial number) somewhere, where you can find it?

11.3% ( 8 )   yes       78.9% ( 56 )   no       9.9% ( 7 )   I don't tell.      
(N=71)


(6)   Does your phone have a remote or theft management system?

53.5% ( 38 )   yes       39.4% ( 28 )   no       7.0% ( 5 )   I don't tell.      
(N=71)


(7)   If there is, what can you do with it?

31.9% ( 22 )   Erase the memory       17.4% ( 12 )   Prevent the user from seeing your email or calendar       53.6% ( 37 )   Trace the location       14.5% ( 10 )   Trace the unauthorized user       34.8% ( 24 )   I don't know      
11.6% ( 8 )   I don't tell.      
(N=69)


(8)   How do you react when the downloaded applications request access rights to various resources on the phone?

2.8% ( 2 )   I haven't encountered such requests.       14.1% ( 10 )   I grant them without thinking further.       46.5% ( 33 )   I read what they request and then grant the rights.       36.6% ( 26 )   Occasionally I do not install the application, because it is requesting too much.      
(N=71)


(9)   Is your (or your relative's) contact information visible on the phone? That is, also when the phone is locked.

84.5% ( 60 )   no       1.4% ( 1 )   (only) written e.g. on a sticker       11.3% ( 8 )   (only) on the screen       2.8% ( 2 )   both written and on the screen      
(N=71)


(10)   Do you have passwords stored in your phone?

52.1% ( 37 )   yes       42.3% ( 30 )   no       5.6% ( 4 )   I don't tell.      
(N=71)


(11)   If you have, how have you protected them?

25.4% ( 17 )   in no way (beyond eventual PIN-, lock- and screen codes)
      20.9% ( 14 )   by hiding them in your own way (into a memory rule, photo or similar)       28.4% ( 19 )   with the password protection provided by the phone
      6.0% ( 4 )   with an application obtained separately       29.9% ( 20 )   I don't tell.      
(N=67)


(12)   Have you protected other data on your phone?

52.1% ( 37 )   in no way (beyond eventual PIN-, lock- and screen codes)       28.2% ( 20 )   with encryption provided by the phone       14.1% ( 10 )   with an application obtained separately       11.3% ( 8 )   I don't tell.      
(N=71)


(13)   What have you done to protect your phone from malware?

14.1% ( 10 )   Nothing       33.8% ( 24 )   I use a protection program.       52.1% ( 37 )   I am cautious with respect to web pages that I visit.       67.6% ( 48 )   I avoid downloading suspicious applications.       57.7% ( 41 )   I limit the rights that I grant to applications.      
35.2% ( 25 )   I limit the connections of my phone.      
(N=71)


(14x)   To what extent has the respondent restricted applications from accessing location?

9.9% ( 7 )   Not at all, or ICS.       38.0% ( 27 )   Occasionally       31.0% ( 22 )   Often, or would restrict more if it were easier.       21.1% ( 15 )   As much as possible, or abstained from installing an application that cannot be restricted.      
(N=71)


(15x)   What additions does the interview bring to the above? It could be e.g. a specific way to use the smartphone or a situation, which leads to the answers giving a wrong whole picture. For instance, would it be more illustrative to say in question 7.8 that the respondent adjusts the limits to the rights of applications?


8. Evaluation of your information security

There are no questions to be answered in advance in this section. Instead, the student gives a summary of evaluating your daily mobile infosec based on your previous answers, and you can adjust it together: What risk category do you belong to, what kind of security do you need and is the current level appropriate?


(1x)   To what extent does the respondent want to protect personal data (i.e. data about him/herself)?

5.6% ( 4 )   very little       7.0% ( 5 )   fairly little       14.1% ( 10 )   not little, not much       42.3% ( 30 )   fairly much       31.0% ( 22 )   remarkably much      
(N=71)


(2x)   Does the respondent have data to protect, other than personal data?

14.1% ( 10 )   very little       26.8% ( 19 )   fairly little       28.2% ( 20 )   not little, not much       22.5% ( 16 )   fairly much       8.5% ( 6 )   remarkably much      
(N=71)


(3x)   Are there vulnerabilities in the respondent's mobile information processing?

14.1% ( 10 )   very little       22.5% ( 16 )   fairly little       43.7% ( 31 )   not little, not much       18.3% ( 13 )   fairly much       1.4% ( 1 )   remarkably much      
(N=71)


(4x)   Is the respondent aware of IS threats and the need of protections against them?

5.6% ( 4 )   very little       7.0% ( 5 )   fairly little       15.5% ( 11 )   not little, not much       43.7% ( 31 )   fairly much       28.2% ( 20 )   remarkably much      
(N=71)


(5x)   Has the respondent taken protections into use?

5.7% ( 4 )   very little       12.9% ( 9 )   fairly little       37.1% ( 26 )   not little, not much       32.9% ( 23 )   fairly much       11.4% ( 8 )   remarkably much      
(N=70)


(6x)   Has the respondent also invested money in protections, possibly in the price of the internet or phone connection?

33.8% ( 24 )   very little       22.5% ( 16 )   fairly little       14.1% ( 10 )   not little, not much       21.1% ( 15 )   fairly much       8.5% ( 6 )   remarkably much      
(N=71)


(7x)   How tempting a target is the respondent to an attacker who is attempting to get financial gain through cheating, malware, or capture of the device?

18.3% ( 13 )   very little       25.4% ( 18 )   fairly little       35.2% ( 25 )   not little, not much       18.3% ( 13 )   fairly much       2.8% ( 2 )   remarkably much      
(N=71)


(7Bx)   Was there need to adjust your preliminary interpretations? If yes what kind of additional information was needed? (Try to answer this in the same spirit as question 6.6x above.)


Next, the student presents the actual risk analysis, i.e. estimates

(A) the probability that something bad happens, and if so,
(B) the size of damage + difficulty of recovery.

The student will do this with respect to the following infosec goals:

(1) availability and integrity of data
(2) private data staying private, in some cases even secret
(3) personal data staying protected


(8A1x)   Problem with availability and integrity. (A) Probability:

7.0% ( 5 )   negligible       47.9% ( 34 )   small       28.2% ( 20 )   medium       15.5% ( 11 )   large       1.4% ( 1 )   very large (=a wonder, if did not yet occur)      
(N=71)


(8B1x)   (B) Seriousness:

7.0% ( 5 )   negligible       40.8% ( 29 )   small       35.2% ( 25 )   medium       15.5% ( 11 )   large       1.4% ( 1 )   very large (=It would revolutionize life for a while.)      
(N=71)


(8A2x)   Problem with secrecy. (A) Probability:

7.0% ( 5 )   negligible       39.4% ( 28 )   small       29.6% ( 21 )   medium       16.9% ( 12 )   large       7.0% ( 5 )   very large      
(N=71)


(8B2x)   (B) Seriousness:

7.0% ( 5 )   negligible       36.6% ( 26 )   small       28.2% ( 20 )   medium       25.4% ( 18 )   large       2.8% ( 2 )   very large      
(N=71)


(8A3x)   Problem with personal data. (A) Probability:

7.0% ( 5 )   negligible       32.4% ( 23 )   small       33.8% ( 24 )   medium       16.9% ( 12 )   large       9.9% ( 7 )   very large      
(N=71)


(8B3x)   (B) Seriousness:

4.2% ( 3 )   negligible       28.2% ( 20 )   small       32.4% ( 23 )   medium       31.0% ( 22 )   large       4.2% ( 3 )   very large      
(N=71)



If there are risks, the student will tell about them and give advice to improve your IS.

(9x)   What are the biggest infosec risks in the respondent's daily life? Something is possibly found, even if all of the above had been just negligible. Only mention issues about the mobile everyday. Of course, you can discuss much more in the interview.


(10x)   What are your main tips for improving the respondent's mobile infosec? Conversely, if the risks are very small, could the respondent operate with fewer restrictions, for example in the internet? Also, write here if you think the respondent should improve his or her security awareness - or should be more / less concerned about infosec issues.

The research form only needs a very short answer in this and the preceding question. In the interview, however, both issues may need a lot of time.


(13x)   "Are there still some infosec issues related to smartphones, not covered above?"


9. Context


(0)   How many minutes did it take for you to fill in the form, approximately altogether?

Average: 16,2       Standard deviation: 11,4

(N=71)


(1x)   Where was the respondent during the interview? You don't, of course, ask this and the next ones in the interview.

74.3% ( 52 )   at home       7.1% ( 5 )   at workplace       4.3% ( 3 )   public indoor place       4.3% ( 3 )   outdoors       10.0% ( 7 )   elsewhere      
(N=70)


(2x)   The interviewer used:

12.9% ( 9 )   paper       44.3% ( 31 )   web form       30.0% ( 21 )   audio call       24.3% ( 17 )   video call       0.0% ( 0 )   recorder      
(N=70)


(3x)   Which questions or topics proved awkward in advance or in the interview situation?


(4x)   What kind of advice did the respondent ask on infosec matters? Or did you receive any question at all?


(5x)   The date of the interview (in the form 'yymmdd')

(The survey was carried out in September and October.)


(6x)   Duration of the interview, in minutes.

Average: 26,7       Standard deviation: 20,3

(N=69)


(7x)   Duration of your, the interviewer's prior work, in minutes.

Average: 22,1       Standard deviation: 26,1

(N=69)