Responses to the interview form



Survey of daily information security 2020

1. Introduction
2. Background
3. Other devices
4. General about smart phones
5. Networking
6. Opportunities and threats
7. Security practices
8. Security evaluation
9. Context

1. Introduction

This survey is part of a long-standing study that looks at how information security ('infosec') shows in people's daily lives and how it could be supported. The focus is on mobile devices outside of work and study, but other data processing is also considered. The questions usually only mention a phone, or smartphone. If another similar device, such as a tablet, almost always accompanies you, take that into account in your answers.

You have received a link from a student on an infosec course at Tampere university, and hopefully you have also agreed on a time for an interview. The student will

- read your answers before your appointment,
- formulate a preliminary assessment of your infosec risks,
- adjust it in the interview by asking more detailed questions,
- write your interview answers and the adjusted assessments in a separate view of this form, and
- probably give you recommendations or advice on infosec measures.

Your answers are anonymous already when you save them, and only the student knows who you are. The answers can be quoted when the survey results are published.


In the introductory questions infosec is viewed in general, and not only on smartphones. By the way, take a look at the clock when you start, so you know how much time it took at the end.


(1)   How much do you know about the threats to your own information security? (Note that it is enough to click the text instead of the button. ICS = I can't say.)

11.9% ( 8 )   Enough       40.3% ( 27 )   I am moderately well aware.       31.3% ( 21 )   My knowledge is rather limited.       16.4% ( 11 )   Very little       0.0% ( 0 )   ICS or empty      
(N=67)


(2)   How much do the infosec threats worry you?

0.0% ( 0 )   ICS or empty       23.9% ( 16 )   I am not worried.       59.7% ( 40 )   Sometimes I am worried.       10.4% ( 7 )   I am often worried, but this does not limit my actions.       6.0% ( 4 )   Worriedness makes me abstain from many actions.      
(N=67)


(2ax)   Has a piece of news about infosec still caused some worry in you? What was it about? Recent news can be seen in the tweet list of the student group. The answer can be supplemented in the open question 8.10x.

34.3% ( 23 )   No or ICS       23.9% ( 16 )   Information leak       20.9% ( 14 )   Identity theft or phishing       13.4% ( 9 )   Failure of banking security       14.9% ( 10 )   A vulnerability or hack elsewhere than in banking      
22.4% ( 15 )   Problems with mobile systems       14.9% ( 10 )   Something else, or just general worriedness from the infosec news      
(N=67)


(2bx)   "If yes, did those news items have consequences in your daily life?"

45.0% ( 27 )   No effect       35.0% ( 21 )   Increased vigilance or suspicion       10.0% ( 6 )   Checking / deleting personal information at a service       16.7% ( 10 )   Removal / Update / Replacement of a vulnerable application       16.7% ( 10 )   Password change      
1.7% ( 1 )   Something else      
(N=60)


(3)   In how good a state do you think your information security is? (Regardless of whether it is taken care of by you, someone else, or you together.)

41.8% ( 28 )   In good state       43.3% ( 29 )   Not in good, but neither in bad state       11.9% ( 8 )   ICS or empty       3.0% ( 2 )   In bad state      
(N=67)


(5x)   Find out in your own words how important the respondent’s electronic information, media, connections, etc. are to him or her and categorize the response. The goal is only an overview of the respondent's attitude and is not limited to a smartphone. You need this kind of information in your risk assessment.

3.0% ( 2 )   Not at all important       11.9% ( 8 )   A little important       44.8% ( 30 )   Rather important       40.3% ( 27 )   Very important      
(N=67)


(6x)   This and the next two questions deal specifically with the smartphone. The goal is still an overview of the respondent's awareness, not exact descriptions of events.

"How much do you monitor or guard your environment when you enter data, especially a password?"

3.0% ( 2 )   Not at all.       16.4% ( 11 )   Has not thought about it.       56.7% ( 38 )   Somewhat, sometimes, enough; or doesn't need to do it in public.       23.9% ( 16 )   Meticulously.      
(N=67)


(7x)   "Do you think you have ever fallen victim to malware? If so, what made you think so?" (Note: on the phone!)

73.1% ( 49 )   No or ICS       9.0% ( 6 )   Maybe; only indirect symptoms       16.4% ( 11 )   Certainly or almost certainly; rather obvious symptoms       1.5% ( 1 )   Certainly and more than once      
(N=67)


(8x)   Is the respondent sometimes concerned about the possible independent operations of the phone's microphone or camera?

34.3% ( 23 )   No or ICS       10.4% ( 7 )   Has not thought about it.       41.8% ( 28 )   Yes, somewhat       13.4% ( 9 )   Yes, quite a lot      
(N=67)


(9x)   If yes, which is of higher concern?

38.1% ( 24 )   Empty       30.2% ( 19 )   Microphone       12.7% ( 8 )   Camera       19.0% ( 12 )   About as high both      
(N=63)



2. Background


(1)   Gender

47.8% ( 32 )   male       47.8% ( 32 )   female       4.5% ( 3 )   other, or: I don't tell      
(N=67)


(2)   Age in years


(3)   Are you primarily

66.7% ( 44 )   working       19.7% ( 13 )   studying       13.6% ( 9 )   doing something else (also taking care of your household or being retired)      
(N=66)


(4)   If you are mainly occupied by work or studies, how big a portion of your tasks do you carry out by using computers? Answer with one approximate number, between 0 and 100 percent (without the % sign though).


(5)   How active a user of computers are you outside work and study? Answer with one approximate number, between 0 and 100 percent, where 100 would represent the situation where you use all your spare time on social media, internet calls, web browsing, image processing, computer games or similar.


(6)   Your educational background, generally:

10.4% ( 7 )   primary level (until 9 years)       58.2% ( 39 )   secondary level (until approx. 12 years, incl. vocational education)       31.3% ( 21 )   tertiary level (degree from a college or university)      
(N=67)


(7)   Your education in information technology (IT):

43.9% ( 29 )   only as part of other studies       24.2% ( 16 )   non-degree IT studies chosen by yourself       31.8% ( 21 )   education offered by the employer       9.1% ( 6 )   a degree in the field of IT       19.7% ( 13 )   not at all      
(N=66)


(8)   How many years have you been using a smartphone, approximately?


3. What else than a smartphone?



There are no questions for you to answer in advance in this section. The student will discuss with you, trying to see if something in your use of IT equipment other than the smartphone affects the mobile risk assessment.

(1x)   Record here your main observations related to the use of other information technologies that affect the risk assessment of the smartphone. You can start with the two questions below and complete in writing if something important appears in other devices, hobbies, security programs, assisting neighbours, etc.


(2x)   What proportion of out-of-work computing occurs on a mobile device (i.e., a phone or tablet, but not a laptop)? Express the proportion with one approximate percentage from 0 to 100.


(3x)   Does the respondent maintain his or her own equipment (including the phone) and is he or she able to do so?

9.0% ( 6 )   Does not maintain, and would not be able to.       4.5% ( 3 )   Does not maintain, even if might know how to do it.       28.4% ( 19 )   Does maintain, even if doesn't feel like being able to.       58.2% ( 39 )   Does maintain and knows how to do it.      
(N=67)



4. Generally on your smartphone


(1)   What operating system does your phone have?

82.1% ( 55 )   Android       16.4% ( 11 )   iOS       0.0% ( 0 )   Windows Phone       1.5% ( 1 )   other       0.0% ( 0 )   ICS      
(N=67)


(2)   Your phone naturally stores contact data, that are needed for its immediate use. Do you have in your phone some other data, which you mainly use via the phone? (Ignore here the passwords - they will be dealt with later.)

80.6% ( 54 )   Yes, there is data that I produced myself with the phone, like photos, memos, measurements, routes ... (ignore here the contents and connection data produced by communications)
      9.0% ( 6 )   Yes, but only such contents, that I have downloaded to the phone from elsewhere and I can download again if needed. (For example music, not necessarily free. If you only have applications, choose the next one:)
      7.5% ( 5 )   Yes, but only applications.
      3.0% ( 2 )   No other data than those produced by communication (or updates of applications that were in the phone originally)
      0.0% ( 0 )   ICS      
(N=67)


(3)   Are there sensitive data on your phone, i.e. such data, that you would not like others to see—not even all your close ones? (We'll deal with protections later, so answer here as if those data were not protected.)

50.7% ( 34 )   yes       47.8% ( 32 )   no       1.5% ( 1 )   I don't tell.      
(N=67)


(4)   If there are such data, are they

62.2% ( 28 )   your own, e.g. messages or texts written by you, photos, or files that you have downloaded? (Ignore also here the passwords.)
      35.6% ( 16 )   from acquaintances and sensitive also from their point of view, e.g. messages from them?
      28.9% ( 13 )   from your work, e.g. documents or data from applications?       22.2% ( 10 )   I don't tell.      
(N=45)


(5)   What connections do you usually have on your phone constantly open, i.e. accessible without logging in to them? (but still possibly behind your screen lock.)

53.0% ( 35 )   Bluetooth       60.6% ( 40 )   WiFi       25.8% ( 17 )   WiFi-hotspot       87.9% ( 58 )   Mobile data       80.3% ( 53 )   Email      
33.3% ( 22 )   Cloud storage       7.6% ( 5 )   Connection to IoT devices       10.6% ( 7 )   Mobile payments       81.8% ( 54 )   Instant messenger of any kind but which you use to communicate with people or groups that you know       60.6% ( 40 )   Social media account (where there are also people that you do not know)       1.5% ( 1 )   I don't tell anything      
(N=66)



5. Use of internet services

Like Section 3 above this section will only be used by the interviewer to assist in the risk assessment.

(1x)   First, check that the respondent has correctly understood question 4.5 above and try to refine the answer if he or she did not want to tell. “Without logging in” is related to what a user of the device can do after passing any security code.
The purpose of this section 5 is to establish a “profile” of the respondent as a mobile user of the internet services. In the same style as in Section 3, you can start with the following three dimensional questions and supplement them by writing here things that will help in understanding the risk assessment. For example, there is no direct question about reusing passwords over time or over different accounts, but the issue may indirectly pop up here.


(2x)   The respondent uses the data network (i.e. reads, watches, communicates, stores; having just the mobile data open is not considered)

22.4% ( 15 )   constantly       37.3% ( 25 )   very often       26.9% ( 18 )   often       7.5% ( 5 )   occasionally       6.0% ( 4 )   rarely      
(N=67)


(3x)   The number of services and applications in use is

26.9% ( 18 )   counted in tens       26.9% ( 18 )   around 20       26.9% ( 18 )   around 10       19.4% ( 13 )   a handful      
(N=67)


(4x)   In terms of services and applications, the respondent is

19.4% ( 13 )   experimenting quite a lot.       52.2% ( 35 )   well-established.       28.4% ( 19 )   something between these – installs/takes up new ones a little more often than once per year.      
(N=67)



6. Some general opportunities and threats

Again, this section only has questions from the interviewer. They concern the fall of the device and personal data into the wrong hands.

(1ax)   Discuss different situations in which the mobile device is at risk of being lost or broken. Find out if the respondent is aware of the dangers and how well prepared he or she is.

Note that there are two types of danger:
 * the physical event itself, and
 * its consequences for data and connections in the form of
    -- loss, or
    -- disclosure and misuse.

Try to summarize awareness with respect to both types, and then do the same for preparedness. You have learned the respondent's baseline in these matters already from the prior answers in section 7.

- Awareness:

6.2% ( 4 )   low       23.1% ( 15 )   moderate       53.8% ( 35 )   good       16.9% ( 11 )   emphasized      
(N=65)


(1bx)   - Preparedness:

12.5% ( 8 )   low       32.8% ( 21 )   moderate       45.3% ( 29 )   good       9.4% ( 6 )   emphasized      
(N=64)


(2x)   Personal data of people registered to a network service can leak as a result of a security break-in and also otherwise. Has the respondent prepared herself or himself for such by:

- the use of pseudonyms, or something similar?

18.5% ( 12 )   always when possible       44.6% ( 29 )   occasionally       36.9% ( 24 )   no      
(N=65)


(3x)   - not telling personal data to services?

49.2% ( 32 )   always when possible       41.5% ( 27 )   occasionally       9.2% ( 6 )   no      
(N=65)


(4x)   - completely abstaining from the use of services?

16.9% ( 11 )   often       67.7% ( 44 )   occasionally       15.4% ( 10 )   no      
(N=65)


(5x)   From other questions, you have already got an idea,

On a scale of 1 (low) to 5 (high), evaluate the probability that the respondent’s personally identifiable information will fall into the wrong hands. Only consider information that is on the internet and used by the respondent over the telephone. And note that now you must ignore how important or valuable the information is.
12.5% ( 8 )   -1-       42.2% ( 27 )   -2-       25.0% ( 16 )   -3-       17.2% ( 11 )   -4-       3.1% ( 2 )   -5-      
(N=64)


(6x)   Estimating the probability above is already part of the risk analysis and almost the same is repeated in 8.8A3x. While being a real thing, this evaluation is an exercise, where you observe that a reasonable estimate still requires you to ask some details from the respondent.
Write down here what you asked and what you got in response. No matter how you discussed the issue, try to make your note here in such a way that the same question could have been on the respondent’s own form, possibly even with answer options. (While thinking in this way you might gain a little insight on what it would require to build an infosec app to do automatic risk assessments for users.)



7. Security practices


(1)   Which of the following have you taken into use?

78.8% ( 52 )   self-set PIN code       48.5% ( 32 )   phone lock       78.8% ( 52 )   screen lock       3.0% ( 2 )   I don't tell.      
(N=66)


(2)   Where do you copy data from your phone?

20.9% ( 14 )   I don't copy       40.3% ( 27 )   onto a computer       19.4% ( 13 )   onto an external memory       44.8% ( 30 )   into a network service       0.0% ( 0 )   I don't tell.      
(N=67)


(3)   If you copy, how do you do it?

50.0% ( 28 )   "manually", i.e. each piece or collection separately       51.8% ( 29 )   with a back-up program       8.9% ( 5 )   in some other way      
(N=56)


(4)   If you use a back-up program, what is it like?

58.6% ( 34 )   originally on the phone       1.7% ( 1 )   obtained separately       39.7% ( 23 )   (empty)      
(N=58)


(4x)   More specifically: how regular and covering is the back-up procedure? Give a combined estimate after discussion, with respect to quality, quantity and volatility of data, and characteristics of the copying:

12.1% ( 8 )   badly insufficient       31.8% ( 21 )   better than nothing       24.2% ( 16 )   moderately good       31.8% ( 21 )   fully sufficient      
(N=66)


(5)   Have you stored the IMEI number (phone serial number) somewhere, where you can find it?

31.3% ( 21 )   yes       65.7% ( 44 )   no       3.0% ( 2 )   I don't tell.      
(N=67)


(6)   Does your phone have a remote or theft management system?

37.3% ( 25 )   yes       61.2% ( 41 )   no       1.5% ( 1 )   I don't tell.      
(N=67)


(7)   If there is, what can you do with it?

19.0% ( 8 )   Erase the memory       21.4% ( 9 )   Prevent the user from seeing your email or calendar       42.9% ( 18 )   Trace the location       21.4% ( 9 )   Trace the unauthorized user       38.1% ( 16 )   I don't know      
21.4% ( 9 )   I don't tell.      
(N=42)


(8)   How do you react when the downloaded applications request access rights to various resources on the phone?

1.5% ( 1 )   I haven't encountered such requests.       13.8% ( 9 )   I grant them without thinking further.       27.7% ( 18 )   I read what they request and then grant the rights.       56.9% ( 37 )   Occasionally I do not install the application, because it is requesting too much.      
(N=65)


(9)   Is your (or your relative's) contact information visible on the phone? That is, also when the phone is locked.

91.0% ( 61 )   no       0.0% ( 0 )   (only) written e.g. on a sticker       9.0% ( 6 )   (only) on the screen       0.0% ( 0 )   both written and on the screen      
(N=67)


(10)   Do you have passwords stored in your phone?

23.9% ( 16 )   yes       73.1% ( 49 )   no       3.0% ( 2 )   I don't tell.      
(N=67)


(11)   If you have, how have you protected them?

38.2% ( 13 )   in no way (beyond eventual PIN-, lock- and screen codes)
      26.5% ( 9 )   by hiding them in your own way (into a memory rule, photo or similar)       17.6% ( 6 )   with the password protection provided by the phone
      2.9% ( 1 )   with an application obtained separately       23.5% ( 8 )   I don't tell.      
(N=34)


(12)   Have you protected other data on your phone?

73.1% ( 49 )   in no way (beyond eventual PIN-, lock- and screen codes)       10.4% ( 7 )   with encryption provided by the phone       10.4% ( 7 )   with an application obtained separately       7.5% ( 5 )   I don't tell.      
(N=67)


(13)   What have you done to protect your phone from malware?

17.9% ( 12 )   Nothing       47.8% ( 32 )   I use a protection program.       52.2% ( 35 )   I am cautious with respect to web pages that I visit.       70.1% ( 47 )   I avoid downloading suspicious applications.       44.8% ( 30 )   I limit the rights that I grant to applications.      
14.9% ( 10 )   I limit the connections of my phone.      
(N=67)


(14x)   To what extent has the respondent restricted applications from accessing location?

13.4% ( 9 )   Not at all, or ICS.       31.3% ( 21 )   Occasionally       34.3% ( 23 )   Often, or would restrict more if it were easier.       20.9% ( 14 )   As much as possible, or abstained from installing an application that cannot be restricted.      
(N=67)


(15x)   What additions does the interview bring to the above? It could be e.g. a specific way to use the smartphone or a situation, which leads to the answers giving a wrong whole picture. For instance, would it be more illustrative to say in question 7.8 that the respondent adjusts the limits to the rights of applications?


8. Evaluation of your information security



There are no questions to be answered in advance in this section. Instead, the student gives a summary of evaluating your daily mobile infosec based on your previous answers, and you can adjust it together: What risk category do you belong to, what kind of security do you need and is the current level appropriate?


(1x)   To what extent does the respondent want to protect personal data (i.e. data about him/herself)?

1.5% ( 1 )   very little       3.0% ( 2 )   fairly little       19.7% ( 13 )   not little, not much       51.5% ( 34 )   fairly much       24.2% ( 16 )   remarkably much      
(N=66)


(2x)   Does the respondent have data to protect, other than personal data?

20.9% ( 14 )   very little       25.4% ( 17 )   fairly little       25.4% ( 17 )   not little, not much       26.9% ( 18 )   fairly much       1.5% ( 1 )   remarkably much      
(N=67)


(3x)   Are there vulnerabilities in the respondent's mobile information processing?

7.5% ( 5 )   very little       35.8% ( 24 )   fairly little       41.8% ( 28 )   not little, not much       13.4% ( 9 )   fairly much       1.5% ( 1 )   remarkably much      
(N=67)


(4x)   Is the respondent aware of IS threats and the need of protections against them?

1.5% ( 1 )   very little       9.1% ( 6 )   fairly little       28.8% ( 19 )   not little, not much       51.5% ( 34 )   fairly much       9.1% ( 6 )   remarkably much      
(N=66)


(5x)   Has the respondent taken protections into use?

3.0% ( 2 )   very little       31.3% ( 21 )   fairly little       31.3% ( 21 )   not little, not much       25.4% ( 17 )   fairly much       9.0% ( 6 )   remarkably much      
(N=67)


(6x)   Has the respondent also invested money in protections, possibly in the price of the internet or phone connection?

61.2% ( 41 )   very little       19.4% ( 13 )   fairly little       14.9% ( 10 )   not little, not much       3.0% ( 2 )   fairly much       1.5% ( 1 )   remarkably much      
(N=67)


(7x)   How tempting a target is the respondent to an attacker, who is attempting to get financial gain through cheating, malware, or capture of the device?

26.9% ( 18 )   very little       32.8% ( 22 )   fairly little       22.4% ( 15 )   not little, not much       14.9% ( 10 )   fairly much       3.0% ( 2 )   remarkably much      
(N=67)


(7Bx)   Was there a need to adjust your preliminary interpretations? If yes, what kind of additional information was needed? (Try to answer this in the same spirit as question 6.6x above.)


Next, the student presents the actual risk analysis, i.e. evaluates

(A) the probability that something bad happens, and if so,
(B) the size of damage + difficulty of recovery.

The student will do this with respect to the following infosec goals:

(1) availability and integrity of data
(2) private data staying private, in some cases even secret
(3) personal data staying protected


(8A1x)   Problem with availability and integrity. (A) Probability:

16.4% ( 11 )   negligible       44.8% ( 30 )   small       25.4% ( 17 )   medium       10.4% ( 7 )   large       3.0% ( 2 )   very large (=a wonder, if did not yet occur)      
(N=67)


(8B1x)   (B) Seriousness:

18.2% ( 12 )   negligible       54.5% ( 36 )   small       25.8% ( 17 )   medium       1.5% ( 1 )   large       0.0% ( 0 )   very large (=It would revolutionize life for a while.)      
(N=66)


(8A2x)   Problem with secrecy. (A) Probability:

7.5% ( 5 )   negligible       53.7% ( 36 )   small       28.4% ( 19 )   medium       9.0% ( 6 )   large       1.5% ( 1 )   very large      
(N=67)


(8B2x)   (B) Seriousness:

10.4% ( 7 )   negligible       40.3% ( 27 )   small       32.8% ( 22 )   medium       16.4% ( 11 )   large       0.0% ( 0 )   very large      
(N=67)


(8A3x)   Problem with personal data. (A) Probability:

13.4% ( 9 )   negligible       44.8% ( 30 )   small       34.3% ( 23 )   medium       7.5% ( 5 )   large       0.0% ( 0 )   very large      
(N=67)


(8B3x)   (B) Seriousness:

9.1% ( 6 )   negligible       37.9% ( 25 )   small       47.0% ( 31 )   medium       6.1% ( 4 )   large       0.0% ( 0 )   very large      
(N=66)



If there are risks, the student will tell about them and give advice to improve your IS.

(9x)   What are the biggest infosec risks in the respondent's daily life? Something is possibly found, even if all of the above had been just negligible. Only mention issues about the mobile everyday. Of course, you can discuss much more in the interview.


(10x)   What are your main tips for improving the respondent's mobile infosec? Conversely, if the risks are very small, could the respondent operate with fewer restrictions, for example in the internet? Also, write here if you think the respondent should improve his or her security awareness - or should be more / less concerned about infosec issues.

The research form only needs a very short answer in this and the preceding question. In the interview, however, both issues may need a lot of time.


(13x)   "Are there still some infosec issues related to smartphones, not covered above?"


9. Context


(0)   How many minutes did it take for you to fill in the form, approximately altogether?


(1x)   Where was the respondent during the interview? You don't, of course, ask this and the next ones in the interview.

85.1% ( 57 )   at home       1.5% ( 1 )   at workplace       0.0% ( 0 )   public indoor place       0.0% ( 0 )   outdoors       13.4% ( 9 )   elsewhere      
(N=67)


(2x)   The interviewer used:

31.3% ( 21 )   paper       88.1% ( 59 )   web form       37.3% ( 25 )   audio call       3.0% ( 2 )   video call       0.0% ( 0 )   recorder      
(N=67)


(3x)   Which questions or topics proved awkward in advance or in the interview situation?


(4x)   What kind of advice did the respondent ask on infosec matters? Or did you receive any question at all?


(5x)   The date of the interview (in the form 'yymmdd')


(6x)   Duration of the interview, in minutes.


(7x)   Duration of your, the interviewer's prior work, in minutes.