Researcher Shares Findings on Data Security with FTC

Consumers face trade-offs when it comes to digital devices and data security. While they prioritize usability and functionality in the products they use, they often let data security slip by the wayside.

In a Federal Trade Commission Hearing on Data Security, a panel of experts from business, education and regulatory agencies agreed that when it comes to the data they share, consumers need to be more informed. Rick Wash, Ph.D., associate professor of Media & Information at Michigan State University, was among the experts invited to testify on Dec. 11, 2018, in Washington, D.C., on the panel entitled Consumer Demand for Data Security.

Moderated by the FTC’s Jared Ho and Marc Luppino, the panel also included Justin Brookman, director of consumer privacy and technology policy at Consumer Reports; Wiley Hodges, director of product marketing at Apple; Michael Higgins, partner at Bluewater International; and Kirsten Martin, associate professor at George Washington University.

Determining Who’s Responsible for Data Security

The discussion addressed the question of who holds the responsibility for data security, whether it rests with the company, falls on the consumer, or is shared between the two. Experts also explored whether data security features could be automated for consumers, hidden from view, or explained outright on the sales floor.

“Usability is always going to be king, but you’ve got to trade that with security,” said Higgins.

Companies hold more knowledge and expertise about data security, and the panelists agreed that data security measures can’t be left solely to the consumer. Most consumers don’t read the full terms of agreement before they share data, and they don’t understand how their data is being used.

“People expect it to be taken care of for them, because the firms are the ones who are the experts here,” said Brookman.

Consumers do have an interest in keeping their data secure, and they try to understand the demands of data security.

“They often see it as a balancing act between what it is they’re trying to accomplish and what the security goals are,” said Wash.

With an interest in saving time, working efficiently and avoiding obstacles, consumers often try to find “a middle ground” for data security. They look for solutions that are less intrusive, while still trying to follow the advice of technology experts.

“To me, that’s a real sign that they think that security is really important, but they see it as kind of a shared responsibility,” said Wash. “They know that they don’t know everything about security. They look to advice from experts and advice from people like the FTC to try to figure out what they should be doing, but then they have to adjust that advice to whatever situation they’re in and what their life is like.”

Wash supported automating security features as much as possible, but he pointed out that users do need to be involved in a number of decisions and that their involvement should not be overlooked. He also advocated for more consumer education, suggesting users need to understand why data security and security updates matter.

Understanding the Trade-Off with Security

“There’s an interesting, really clear trade-off around security and then usability, because software updates often change functionality,” said Wash.

In his research, Wash found that users who installed minor software updates after routine prompts had an easier time and a better understanding of why the updates were needed. They adjusted to changes on their devices gradually, whereas those who ignored software updates ran into problems when confronted with a major upgrade.

“So, there is actually an intentional choice that consumers end up needing to make about how to trade off security in software updates,” said Wash. “That comes up in a lot of different security situations, where you can’t just entirely remove the user from the security decision.”

To understand how people view data and cybersecurity issues, Wash worked on a project to examine what information was readily available. Researchers looked at three possible sources of information: news organizations, security advice provided by the tech industry or federal agencies, and consumer stories, meaning the stories individuals tell one another about security issues.

“What we found, surprisingly, was that there was very little overlap in the kinds of info that they were talking about. A lot of the advice from the experts seems to really focus on threats and countermeasures,” said Wash. “Interestingly, that kind of discussion almost never appeared in the news or amongst the security stories.”

The information shared between users was less technical—and less focused on solutions.

“The stories that people were telling to each other focused a lot more on who was doing this and why were they doing it,” said Wash. “Currently, the way we’re talking about cybersecurity doesn’t really focus on who the attackers and the perpetrators are and why they’re doing this.”

When someone hacked an account, consumers sought to understand who it was and what they intended. For example, a sister logging in to a social media site to post a joke was perceived differently than a foreigner hacking the same site to obtain financial information.

“They’re trying to understand these trade-offs,” said Wash, “and so to do that, they had to kind of envision the types of attacks and types of problems that they possibly were into.”

The Missing Link Between Users and Security

Many consumers know how to use security measures such as two-factor authentication, and they recognize it’s needed. What they don’t understand is the reason—the “why” or the “how” that explains what security measures do to protect data.

Whether it means using two-step authentication or mobile PINs, experts agree that consumers have to be part of the solution. The challenge is motivating consumers to be more engaged in data security.

“We’re all points of vulnerability in a larger system,” said Kirsten Martin. “[Consumers] should see it as part of a larger system, but I’m not sure that they do.”

Over time, Wash has observed how people talk about data security. When asked how they think about security, people don’t offer security-centric responses. Instead, they focus on what they’re trying to get done. For example, users view their mobile phones as more than a simple device. To them, it’s the tool they use to talk to their mom at night.

“That’s the important thing,” said Wash. “They want to be able to accomplish these things in their life that have meaning for them, and the security is the ability to do that.”

By Melissa Priebe