Cybersecurity involves protecting the digital technologies upon which we depend against criminals who seek to abuse them for their own ends. Public support for efforts to reduce cybercrime is critical to society’s efforts to preserve the benefits of digital technologies. That is why I am so interested in what the public thinks about cybercrime and cybersecurity, and why I have been researching the topic by means of surveys, several of which I have summarized below. Later this month I will be publishing, here on WeLiveSecurity.com, the results of our most recent survey. This article serves as background and context for those cybercrime statistics.

The public connection

Many people think of cybersecurity as a highly technical challenge, one that consumes the brain power of technology experts; however, the general public plays a vital role in cybersecurity. Members of the public interact with cybercrime and cybersecurity in numerous ways; for example, they form opinions about cybercrime through media reports and exposure to cybercrime as victims, or friends and family of victims.

As voters, it is the public who elect the politicians who determine government’s cybercrime policy. The cost of law enforcement efforts to reduce cybercrime is often born by the public in the form of taxes or higher costs for goods sold by companies that pay taxes. That’s why I believe that knowing what the public thinks about cybercrime and cybersecurity is essential to successful cybercrime policy and critical to success in society’s cybersecurity efforts.

At the same time, public attitudes toward cybercrime can influence the way that companies regard cybersecurity. If companies think that the public does not perceive cybercrime to be a serious threat to their personal wellbeing, then they may feel less inclined to place a high priority on the security of company systems. Furthermore, it is reasonable to expect that, if cybersecurity and cybercrime deterrence are not treated as priorities, the rate at which systems and data are abused will continue to rise, further undermining the public’s trust in technology. That trust is, in my opinion, vital to our current and future economic wellbeing.

Risk perception

Criminals currently abuse computer systems and data for a variety of reasons but the net effect can be summarized like this: to some degree, criminal activity puts at risk our health, safety, and prosperity. The extent of that risk is something about which people may disagree and there are multiple factors involved, from personal experiences to cultural background. One way to get a handle on how serious a particular risk is perceived to be is to ask people about a range of risks, and that is exactly what fellow ESET researcher Lysa Myers and I did in 2017.

Using a survey of US adults who use computers, we attempted to statistically quantify risk perception as it relates to a range of technology hazards, from hazardous waste disposal to hacking of computers. As regular readers of WeLiveSecurity will know, our findings were quite revelatory, with criminal hacking emerging as the top threat, as you can see in Figure 1.

As far as we know, that survey was the first time cyber-risks had been rated in parallel with more established sources of risk, like air pollution and fracking. It was clear that cyber-risks were of significant concern to a large percentage of the population, and that chart of our survey statistics was a strong visual tool with which to raise awareness of this among people making cybersecurity policy or deciding on cybersecurity budgets.
While my employer, ESET, is firmly committed to objective research, it would be naïve of me to stand in front of an audience and say “cybercrime is a serious problem” without expecting some people to think “well he would say that wouldn’t he, after all, he works for a company that sells cybersecurity software”. My response is to offer results from a survey conducted using standard methodologies, results that show a random sample of adult Americans agree with me.

To be clear, if I conducted a survey that found very few people thought that cybercrime was a problem, I would also share that (and then try to understand why concern was not more widespread). The fact is, those findings from 2017 – and the new cybercrime statistics we will be announcing shortly – do not exist in isolation. The next section reviews prior survey work carried out or sponsored by ESET in our ongoing efforts to address all three parts of the cybersecurity problem: people, process, and technology.

The Snowden factor

In June of 2013 the world witnessed the beginning of a sustained series of disclosures, facilitated by Edward Snowden, about the broad and intrusive nature of US government surveillance in cyberspace. In the next few months it seemed reasonable to hypothesize that one effect of the public becoming aware of this state of affairs might be a reduction in online activity and an erosion of trust in digital technology.

To test this hypothesis we carried a modest survey of US adults later in 2013. Almost one in five (19%) said they were doing less banking online and a similar number said there were less inclined to use email. Some 14% said were doing less shopping online. I think it was reasonable to characterize those as significant hits to activity that is central to the online economy.

However, those findings were not widely reported and to be honest the survey sample was relatively small. Not surprisingly some commentators took the view that this was a blip, a panic-response. So in 2014 we commissioned Harris to conduct a broader survey (N=1691). The results provided even stronger evidence of “internet aversion” such as:

  • 26% of US adults said they are shopping less online.
  • Among people aged 18 to 34, one third said they were doing less online shopping.
  • 29% of women said they were doing less shopping online, compared with 23% of men and 26% overall.
  • 29% of people aged 18 to 34 said they had reduced online banking.
  • 24% of respondents said they were “less inclined to use email.”
  • 47% said that they have “changed their behavior and think more carefully about where they go, what they say, and what they do online.”

These findings gained more traction and were reported by the Wall Street Journal and USA Today. The same survey also captured sentiment around “digital distrust.” Two-thirds of the people who said they were at least somewhat familiar with the NSA revelations said they believed that internet service providers and software companies had violated the trust of users “by working with the government to secretly monitor communications of private citizens.” That violation of trust led 60% of those familiar with the NSA revelations to agree with this statement: “I am now less trusting of technology companies … as they may be assisting the government in surveillance of private citizens.”

Opinions about cybercrime

Since 2014, I have used Google Consumer Surveys to keep tabs on public sentiment around cybercrime. For example, in June of 2015, I asked 640 US adults: “Are you concerned that cybercriminals could steal your personal data such as emails, bank account info, or medical records?” As you can see from Figure 2, almost two thirds (645) expressed concern and only 22% said they were not concerned.

That same month I posed a slightly different question. I asked 734 US adults to rate, on a five point Likert scale, the extent to which they agreed or disagreed with the following statement: “America is experiencing a cybercrime wave.” As you can see from Figure 3, more than half agreed.

About a year later I asked 1013 US adults to express agreement or disagreement with another statement: "The federal government is not doing enough to catch and prosecute people who commit computer crimes." As you can see from Figure 4, a solid majority (60.9%) agreed and less than a quarter disagreed (23.8%). In the interests of full disclosure, I will admit that I was somewhat surprised that 15.3% of respondents – all of whom were computer users – were not bothered by computer crime.

In August of 2016, I probed the same subject but with a binary response: “Do you agree that America is currently experiencing a cybercrime wave?” When I put it that way, 69.4% of the 389 respondents agreed, as you can see from Figure 5.

During 2016, as I was working on my master’s dissertation about cybersecurity, I got the chance to put the same question to a small sample of security professionals and 88% of them agreed that yes, there is a cybercrime wave.
In 2017, when I got approval to explore risk perception in depth, I used Google to test the waters for the project that eventually produced the chart in Figure 1. In March I asked 813 US adults: “Do you think problems with technology, like computer hacking and network outages, pose a risk to your security and well-being?” As you can see from Figure 6, more than two thirds of respondents perceived the level of risk as either moderate to high.

What I did not have at that point in time was a comparative statistic. Any policy maker or politician who was looking for an excuse to downplay public concerns about cybercrime could say “sure, when you ask people if cybercrime is scary they are likely to agree, but people say that other things are scary too, and we are busy dealing with those”. Fortunately, we were able answer that objection with our risk perception survey, the one that produced the chart in Figure 1. Clearly, criminal hacking deserves attention, right up there with other perceived hazards to prosperity and well-being.
In 2018 I continued to use that chart from Figure 1 in talks about cybersecurity to various audiences, so in April I thought it prudent to check if the sentiment was still real. So again I turned to Google and asked 750 US adults: “How much risk do you believe criminals hacking into computer systems pose to human health, safety, or prosperity?” And again, as displayed in Figure 7, the answer to that question was: a lot of people see a lot of risk in cybercrime.

Onwards and outwards

The next step is to get more stats about cybercrime experiences, cybercrime fears, and further comparative statistics about cybercrime in relation to other crimes, like money laundering, drug trafficking, and financial fraud. It would also be helpful – policymakers and cybersecurity professionals – to extend the data pool with survey results from other countries.

Fortunately, the European Union (EU) has been doing what good governments should: surveying its citizens about crimes of all kinds and over time. There is one particular set of EU stats, called the Eurobarometer, which offers some intriguing possibilities for expanding our ability to track public cybersecurity sentiment. Every two years this project polls 1,000 people in each of the 28 EU countries about a variety of cybercrime-related issues.

The most recent of these surveys – Eurobarometer 464a – was done in 2017. What ESET has done in 2018 is have a survey company pose a similar set of questions to people in the US and Canada. My analysis of the answers will be published here on WeLiveSecurity.com later this month. With any luck, our US/Canada survey can be repeated in 2019, when the EU does its next survey. That will create the opportunity to see changes in public attitudes to cybercrime and cybersecurity over time as well as similarities and differences between countries and continents.