What breach? Measuring online awareness of security incidents by studying real-world browsing behavior

TL;DR

This study analyzes real-world browsing data from 303 individuals to assess their awareness and actions regarding security incidents, revealing low engagement and suggesting ways to improve security awareness online.

Contribution

It provides the first quantitative analysis of actual browsing behavior related to security incidents, highlighting gaps in awareness and factors influencing engagement.

Findings

Only 16% visited pages about major security incidents

More severe incidents prompted more user action

Constructive articles increased likelihood of engagement

Abstract

Awareness about security and privacy risks is important for developing good security habits. Learning about real-world security incidents and data breaches can alert people to the ways in which their information is vulnerable online, thus playing a significant role in encouraging safe security behavior. This paper examines 1) how often people read about security incidents online, 2) of those people, whether and to what extent they follow up with an action, e.g., by trying to read more about the incident, and 3) what influences the likelihood that they will read about an incident and take some action. We study this by quantitatively examining real-world internet-browsing data from 303 participants. Our findings present a bleak view of awareness of security incidents. Only 16% of participants visited any web pages related to six widely publicized large-scale security incidents; few read about one even when an incident was likely to have affected them (e.g., the Equifax breach almost universally affected people with Equifax credit reports). We further found that more severe incidents as well as articles that constructively spoke about the incident inspired more action. We conclude with recommendations for specific future research and for enabling useful security incident information to reach more people.