SOUPS 2018
Using Data from Breaches: What is Users' Level of Comfort?
Sowmya Karunakaran, Google
Let's start with a pop quiz... Roughly, how many online accounts have been compromised through data breaches?
5,371,008,023 (source: haveibeenpwned.com)
What happens to the data that was compromised during the breach? Most of the time it becomes available on the black market, for free or as a paid download.
Several uses for data from breaches: research, breach lookup services, investigative journalism, proactive security.
Research questions
Comprehension: Do users understand breaches?
Level of comfort: What, according to users, are acceptable uses for breached data?
Users understand the risk of breaches: 93% of participants understand the meaning of "data breach".
Top user fears: identity theft, personal data loss, monetary loss.
What is their level of comfort with various uses of breached data?
Research design considerations
Challenge: individuals' behavior in the context of ethical dilemmas cannot be studied through observation or by asking respondents about the behavior directly.
Scenario-based assessment: N=10,000 across US, IN, DE, UK, AU, CA; 2 scenarios per participant; scenarios chosen to minimize availability bias.
Sample scenario
Scenarios
Security: lookup services (ex: Have I Been Pwned); proactive protection (scanning of breached data dumps); threat intelligence that notifies a social network service; threat intelligence that notifies payment services.
Investigative journalism: revealing a tax evasion scam; revealing dating site private profiles.
Marketing: competitor using breached data for marketing to hacked users.
Researcher: researcher using the breached data for security research.
Each scenario has 2 sub-scenarios covering the source of the hacked data: bought from the hacker vs. free download.
Scenario: Threat Intelligence Sharing. 40% reported comfort.
"I don't have any issue with hacked firm contacting them. It is probably the best thing to do. They can reset my password before anyone has a chance to try and hack my account."
"Global Inc has already failed in securing my data, and I do not trust them to make any efforts to secure my data elsewhere in the future."
Scenario: Security Research. A mere 15% reported comfort.
"It's incredibly unethical for John to buy passwords from hackers. It's no different than someone buying a car that was stolen."
"If John is a genuine researcher, then no problem. His work would benefit us in the long run."
Level of comfort is highest for scenarios with a direct security benefit.
Comfort spectrum, from most comfortable to least comfortable: threat intelligence sharing, proactive scanning and protection, "hacked or not" lookup service (these three have a direct security benefit), then research, journalism (tax scam), competitor marketing, journalism (dating).
The order is preserved regardless of buy vs. free download: proactive scanning and protection, "hacked or not" lookup service, research, journalism (tax scam), competitor marketing, journalism (dating), from most to least comfortable. There are, however, significant differences in the level of comfort between buy and free download.
The comfort spectrum is consistent across countries (chart of level of comfort per country).
Prior victims of a data breach expressed a significantly higher level of comfort (marked * in the chart) for:
1. Proactive measures, irrespective of method of procurement (buy vs. free download).
2. Damage control measures, for both financial and social networking data.
3. "Hacked or not" service, only if the method of procurement is free.
Implications: key expectations and remediation steps
Articulate how any security service can provide a direct benefit to the victims.
"I have faith that this action will ultimately contribute to making the general population less vulnerable in the long run."
Breached companies need to be transparent and notify victims.
"This is a proactive step from [the company], and one that they are not actually obligated to do. This makes me feel like the company cares about protecting my identity."
Proactively reset passwords and lock down accounts from further damage.
"I think it's imperative for the company to tell the people whose data has been accessed. Companies should not control but rather empower"
Address security and privacy concerns: match users' strong expectations about privacy and ethical behavior while using breached datasets, and clarify the skepticism surrounding security actions that would help secure their accounts.
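The two uses participants were most comfortable with, proactive scanning of a breach dump to reset exposed accounts and a "hacked or not" lookup service, are shown below as an added illustration; this is not code from the talk or from any product, and the breach dump, the user table and the hypothetical service (named "Global Inc" after the study's scenario) are all constructed for the example. The lookup part mirrors the prefix range-query pattern used by Have I Been Pwned's Pwned Passwords API, with an in-memory index standing in for the real service, so that the service only ever learns the first five hex characters of the password hash.

```python
import hashlib
import hmac
import os

# Constructed breach dump: (email, plaintext password) pairs as they might
# appear in a leaked credential file.  Illustrative only, not real data.
BREACH_DUMP = [
    ("alice@example.com", "Summer2017!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "correct horse battery staple"),
    ("mallory@example.net", "letmein"),
]


def make_user_record(password, iterations=100_000):
    """Store a password as a salted PBKDF2-HMAC-SHA256 hash, never as plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify_password(record, password):
    """Constant-time comparison of a candidate password against a stored record."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


# Constructed user table of the hypothetical service ("Global Inc" in the study's
# scenario).  Only salted hashes are held, so the dump has to be tested against them.
USERS = {
    "alice@example.com": make_user_record("Summer2017!"),    # same password as in the dump
    "bob@example.com": make_user_record("a-different-one"),  # in the dump, different password
    "dave@example.com": make_user_record("hunter2"),         # email not in the dump at all
}


def accounts_to_reset(users, dump):
    """Proactive scanning: return the accounts whose current password is exactly
    the one leaked for that same email, i.e. the pairs a credential-stuffing
    attacker would try first.  These are the accounts to reset and notify."""
    exposed = []
    for email, leaked_password in dump:
        record = users.get(email)
        if record is not None and verify_password(record, leaked_password):
            exposed.append(email)
    return sorted(exposed)


# --- "Hacked or not" lookup without revealing the password to the service ------
# Range-query pattern (as used by Pwned Passwords): the client sends only the
# first 5 hex characters of the SHA-1 of the password and matches the returned
# suffixes locally.  SHA-1 is used purely as a lookup key into the breach corpus,
# not for password storage.

def build_range_index(dump):
    """Service side: bucket the SHA-1 of every leaked password by 5-char prefix."""
    index = {}
    for _, password in dump:
        digest = hashlib.sha1(password.encode()).hexdigest().upper()
        index.setdefault(digest[:5], []).append(digest[5:])
    return index


def range_query(index, prefix):
    """Service side: every suffix for a prefix.  The service never sees the full hash."""
    return list(index.get(prefix, []))


def password_is_breached(index, password):
    """Client side: hash locally, query by prefix only, compare suffixes locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_query(index, prefix)


RANGE_INDEX = build_range_index(BREACH_DUMP)

if __name__ == "__main__":
    print("accounts to reset:", accounts_to_reset(USERS, BREACH_DUMP))
    print("hunter2 breached?", password_is_breached(RANGE_INDEX, "hunter2"))
    print("a-different-one breached?", password_is_breached(RANGE_INDEX, "a-different-one"))
```

Only alice is flagged for a reset: bob's leaked password no longer matches and dave's email is not in the dump, even though his password is. That is the deliberate trade-off of matching exact email/password pairs; a service that wants to catch dave as well would additionally run every user's password through the prefix lookup at login time, which is what the second half of the block supports.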
Thank You sowmyakaru@google.com @Sowmya_Karu