United Kingdom Parliament
Select Committee on Science and Technology Written Evidence


Memorandum by Prof Steven Furnell and Dr Andy Phippen

SECURITY PERCEPTIONS AND USABILITY ISSUES

INTRODUCTION

  1.  This submission is made on an individual basis and presents material in relation to five of the key questions posed by the Call for Evidence.

OVERVIEW OF EVIDENCE SOURCES

  2.  The findings presented in this document are drawn from two survey-based investigations (addressing public perceptions of online security and the usability of security technology), and a hands-on user trial which was conducted to supplement the usability findings.

  3.  The Security Perceptions Survey was mounted from mid-May to mid-August 2006, and promoted to the end-user community via email, word of mouth, and postings to Internet forums likely to be visited by personal users. The survey questionnaire was hosted on a dedicated website (www.securityperceptions.net) and yielded a total of 415 responses (71% male and 29% female), with an age profile as shown in Figure 1. All respondents had their own Internet connection (87% of which were broadband), and 92% had been using the Internet for more than three years. The majority of respondents rated themselves as "intermediate" (50%) or "advanced" (43%) level users, with the remainder rating themselves as "novice".


  4.  The Security Usability Survey aimed to assess users' understanding, and hence the potential usability, of security-related interfaces within a number of well-known software packages (specifically Windows XP, Internet Explorer, Word, and Outlook Express). The survey was conducted online during July and August 2005, and promoted via targeted emails and subsequent word-of-mouth, yielding a total of 342 responses with an almost equal split between male and female respondents. The majority of respondents (80.5%) were aged 17-29, suggesting that most were likely to have grown up with information technology as part of their everyday lives. 96.5% of the overall group classed themselves as regular computer users at home and/or at work, with almost 90% rating themselves as "intermediate" or "advanced" users.

  5.  The associated Security User Trial involved 15 participants in a series of hands-on activities, using security features within a range of software applications. Eight participants were classed as general users, with a familiarity with using IT (and some of the applications concerned) on a regular basis, but with no specific knowledge about the detail of the technology. By contrast the other seven participants were advanced users, all with academic qualifications relating to IT and some prior knowledge in relation to security. The required tasks were presented in writing and explained to the participants. Note that they were told what they needed to achieve, but not how to do it, and the aim of the trial was to determine whether they could understand and use the security features within the application sufficiently well to achieve the objectives. Each trial session lasted between one and two hours, depending upon the ability of the participants and the ease with which they completed the tasks.

How well do users understand the nature of the threat?

  6.  The security perceptions survey asked respondents to indicate their understanding of a range of security-related terms (mostly relating to the types of threat that they would have been expected to encounter in media coverage). As Figure 2 illustrates, the general findings were positive, but the significantly lower awareness of the term "phishing" is perhaps surprising given the prevalence of the threat at the time of the study.


  7.  A further indication of users' threat awareness was provided by the extent to which they deployed security countermeasures appropriate to personal users, with usage figures of 93% for antivirus, 87% for personal firewalls, 77% for anti-spyware and 60% for anti-spam. However, when asked whether they were aware of the specific role that each of them played, more than a quarter of the respondents were unaware or had only a partial understanding. It is also suspected that although they may be using the protection, many users will be relying entirely upon the suitability of the default settings. For example, when asked whether they knew how to configure a firewall, or had ever attempted to do so, only 58% responded positively.

  8.  Although the use of countermeasures meant that the majority of respondents were "satisfied" (51%) or "very confident" (20%) that their computer was secure, a significant proportion remained "slightly worried" (22%) about their system or "not confident at all" (7%). In addition, in spite of their various controls, 46% of respondents agreed or strongly agreed that they felt at risk from online fraud.

What is the level of public awareness of the threat to computer security and how effective are current initiatives in changing attitudes and raising that awareness?

  9.  The Security Perceptions Survey sought to determine respondents' awareness of a variety of advisory websites that they could turn to for security guidance. Of specific interest were the UK Government sponsored Get Safe Online and ITsafe sites, which were established to assist home users and SMEs, and the findings are presented in Table 1. The overall results clearly suggest that the majority of respondents have not heard of the resources, leading to correspondingly small percentages for those who had visited sites and found them useful. From a more positive perspective, roughly half of those who had heard of a site had visited it, and similarly half of those who visited one found it useful. Having said this, however, it is also worth noting approximately two thirds of those that had heard of the Get Safe Online site classed themselves as "advanced" users, suggesting that the users most likely to be in need of assistance may be failing to receive the message.

Table 1

PUBLIC AWARENESS OF RELEVANT UK SECURITY ADVICE SITES

                         Get Safe Online    ITsafe
  Aware of the site           11%            11%
  Visited the site             7%             6%
  Found it useful              4%             3%


What factors may prevent private individuals from following appropriate security practices?

  10.  One factor that may have a clear influence here is the extent to which the issue is emphasised when a user buys their system or starts to get it online. Perceptions survey respondents were asked whether they received any security-related information or advice when they purchased their computer or Internet connection. Significantly, 70% responded negatively.

  11.  Figure 3 illustrates the responses to the question "Is there anything that stops you from carrying out security practices?" While a fair proportion believe that they understand the issues and devote time to addressing their security needs, the remaining respondents indicated a wide variety of impediments. While several of these suggest a requirement for action by parties such as product developers, many also point towards a need for further education of the users themselves.


  12.  Other results confirm that the actual level of awareness and understanding is relatively low. For example, questions relating to respondents' knowledge of the existence of security features in web browsers, email clients, office applications and the operating system all revealed awareness of around just 40% (and then significantly less in terms of respondents' actual understanding of them). Remembering that this was a population in which over 90% rated themselves as "intermediate" or "advanced" users, the findings do not suggest that a more general user population would fare very well.

What role do software and hardware design play in reducing the risk posed by security breaches? How much attention is paid to security in the design of new computer-based products?

  13.  The comments in this section are drawn from the security usability survey and the associated user trial. Rather than focus upon the full range of software that was evaluated in each context, the results here focus specifically upon the findings from Internet Explorer (which was used by 92% of the survey respondents and already familiar to all of the trial participants). This is considered to be a good candidate for examination, because web browsing is a fairly standard activity for end-users both at home and at work, and represents a context in which a range of security threats may be encountered.

  14.  The main user-configurable aspects of security within Internet Explorer are accessed via the "Internet Options" within the "Tools" menu. Proceeding from this entry point, the main security options interface is shown, and there are essentially two main elements that a user is required to understand. The first is the concept of different Web content zones, which enable the level of security to be specified differently in relation to the Internet, the local intranet, and for sites that the user has specifically elected to regard as "trusted" or "restricted". The survey asked respondents whether they understood the distinction between trusted and restricted sites, which revealed that 14% did not and 22% were unsure. For each zone, the desired security level is selected via a 4-position slider (low, medium-low, medium or high). Although this may seem straightforward, the challenge comes in understanding what the different levels actually mean. For example, if the user wishes to understand the implications of "medium" security, then he needs to appreciate what an accompanying description such as "Unsigned ActiveX controls will not be downloaded" actually means. In this particular case, the survey revealed that only 65% had even heard of ActiveX, and only 54% of those that had heard of it actually understood what it meant.

  15.  If users cannot understand the descriptions, then the keywords such as "medium" are their only form of guidance. Thus, although the configuration settings can be used very effectively if users know what they are doing, there is the potential for mistakes. For example, a user who feels particularly concerned about security may be inclined to set the level to "high" for the Internet zone. However, they may then find that legitimate sites no longer work—with the browser sometimes giving no indication that the security settings are to blame.

  16.  For more advanced users, there is the option to customise the level of protection and alter individual settings (of which there may be 30 or so distinct options, depending upon the version of IE in use). However, these options are provided with no accompanying help, and it is therefore likely that very few users will be able to use them (for example, in the survey, only 40% of respondents claimed to understand the subset of options shown in the figure—remembering that this was a respondent group in which many considered themselves to be "advanced" users). A further indication of the poor usability is evidenced when the user leaves the custom settings. Following this, they are only informed that their security is at the "Custom" level, with no indication of whether the actual protection is now lower or higher than the default setting.
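The "Custom" problem described above, where the browser no longer tells the user whether protection is weaker or stronger than the default, can be checked by comparing an export of the zone settings against the actions a known level applies. The following is an added example written for this page, not the authors' or Microsoft's code. It assumes the registry layout and value codes noted in its comments (per-zone DWORDs under Internet Settings\Zones, with 0 = Enable, 1 = Prompt, 3 = Disable, and CurrentLevel reset to 0 once a level is customised), and the .reg export it parses is constructed for the example:

```python
r"""Audit an exported Internet Explorer zone configuration against the
"Medium" defaults and report which per-setting actions are more permissive.

Added example; not part of the memorandum. Assumptions: IE keeps per-zone
settings under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Zones\<zone>, each policy being a DWORD named by a hex code whose value is
0 = Enable, 1 = Prompt or 3 = Disable, and CurrentLevel holding the slider
position (0 once the user has customised the level).
"""
import re
from typing import Dict, List, Tuple

ZONE_NAMES = {1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}

# The four slider positions named in the memorandum (CurrentLevel values; assumed).
LEVEL_NAMES = {0x10000: "Low", 0x10500: "Medium-low", 0x11000: "Medium", 0x12000: "High"}

ACTION_NAMES = {0: "enable", 1: "prompt", 3: "disable"}

# A subset of the per-zone policies, keyed by registry value name (assumed).
SETTING_NAMES = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
}

# Actions the "Medium" level applies. The memorandum confirms only that unsigned
# ActiveX controls are not downloaded at Medium (1004 = disable); the other
# three entries are assumptions made for this example.
MEDIUM_DEFAULTS = {"1001": 1, "1004": 3, "1200": 0, "1201": 3}

# Constructed .reg export of the Internet zone (zone 3) after a user chose
# "Custom" and enabled several ActiveX options.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00000000
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000003
"""

_KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_zones(reg_text: str) -> Dict[int, Dict[str, int]]:
    """Return {zone_number: {value_name: dword}} for every Zones/<n> key in the export."""
    zones: Dict[int, Dict[str, int]] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = int(key.group(1))
            zones.setdefault(current, {})
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            zones[current][value.group(1)] = int(value.group(2), 16)
    return zones


def level_name(zone: Dict[str, int]) -> str:
    """Name the slider position; a CurrentLevel of 0 is what IE reports as Custom."""
    return LEVEL_NAMES.get(zone.get("CurrentLevel", 0), "Custom")


def weaker_than_default(zone: Dict[str, int], defaults=MEDIUM_DEFAULTS) -> List[Tuple[str, str, str]]:
    """List (setting_code, configured_action, default_action) for every policy whose
    configured action is more permissive than the default (enable < prompt < disable)."""
    findings = []
    for code, default in defaults.items():
        configured = zone.get(code, default)  # an absent value means the default applies
        if configured < default:
            findings.append((code, ACTION_NAMES.get(configured, str(configured)), ACTION_NAMES[default]))
    return findings


def report(reg_text: str) -> Dict[int, Tuple[str, List[Tuple[str, str, str]]]]:
    """Per zone: (level name, list of settings weaker than the Medium defaults)."""
    return {z: (level_name(s), weaker_than_default(s)) for z, s in parse_zones(reg_text).items()}


if __name__ == "__main__":
    for zone_no, (level, findings) in report(SAMPLE_REG).items():
        print(f"{ZONE_NAMES.get(zone_no, zone_no)} zone: level {level}")
        for code, configured, default in findings:
            print(f"  {SETTING_NAMES.get(code, code)}: {configured} (Medium default: {default})")
```

On the constructed export the script reports the Internet zone as "Custom" and flags two policies (signed and unsigned ActiveX downloads) as more permissive than Medium, which is exactly the information the dialog withholds from the user. A real export is produced with `reg export` on the zone key; only the defaults table needs extending to cover the remaining policies.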

Table 2

PRELIMINARY USER TRIAL FINDINGS FOR COMPLETION OF SECURITY TASKS

  Task                                                                         General    Advanced   Overall
                                                                               users (%)  users (%)  (%)
  Determine the current security settings level within the browser               63         86        73
  Determine whether communication with a specific webpage is using a
    secure connection                                                            13         57        33
  Customise security settings in order to permit download of a file              38         86        60
  Customise security settings in order to be prompted before running ActiveX     13         71        40
  Add websites to the "trusted" and "restricted" Web content zones               86         71        80
  Explain the purpose of the Web content zones                                   86         43        67


  17.  In the subsequent hands-on trials, the participants were asked to attempt a number of tasks in relation to these elements of browser security. The nature of the tasks, and the ultimate level of success amongst the study group, is shown in Table 2. It is notable that even with the baseline task (determining the current security settings), a quarter of the participants were unable to complete the actions required of them. It should also be noted that even the participants who completed the tasks successfully often took a fairly long time to do so. Such apparent difficulties are particularly notable in an application such as Internet Explorer, which is aimed at the general user community rather than specialists.

  18.  Internet Explorer is by no means the only end-user application in which such problems can be identified, and the issue of usability can consequently represent a significant obstacle to effective use of security by personal Internet users.

Who should be responsible for ensuring effective protection from current and emerging threats?

  19.  Returning to the findings from the perceptions survey, Figure 4 reveals the apparent conflict between users' willingness to take a role in their own protection versus their capability to do so. Although the responses to the statement "It is my responsibility to protect my computer from online attacks" suggested an overwhelming impression of personal responsibility, a subsequent question in relation to the threat of online fraud revealed that a substantially smaller proportion of users considered that they had the skills necessary to protect themselves (which also links back to the earlier figure of 46% considering themselves at risk from this threat).


  20.  In view of the above, users must still rely upon help and guidance from other sources, and the responses indicate that they have varying expectations about where such sources of advice will be found (Figure 5). It is notable that the "informal" sources of advice such as friends and relatives score higher than most of the other categories.


ACKNOWLEDGEMENTS

  21.  The authors would like to acknowledge the significant contributions made by Peter Bryant, Adila Jusoh and Dimitris Katsabas in the conduct of the research studies that have been drawn upon in order to collate this evidence.

17 October 2006



 
© Parliamentary copyright 2007