It’s only September, and yet 2017 has seen some of the largest data breaches and most significant cybercriminal activity ever. From the global WannaCry and Petya/NotPetya attacks, to the recent Equifax data breach, there is no shortage of unsettling cybersecurity news.
In light of these increasing threats, and as part of a broader effort to understand how people perceive risk, ESET researchers Stephen Cobb and Lysa Myers commissioned a survey to examine the most significant perceived technology risks to Americans’ health, safety, and prosperity.
The researchers asked over 700 U.S. adults to rate the risks to human "health, safety, or prosperity" of a variety of technology-based hazards, from air pollution to motor vehicle accidents to criminals hacking into computer systems. “Criminal hacking of computer systems” emerged as the greatest risk, ahead of such threats as global warming, air pollution, and disposal of hazardous waste in landfills. Other cyber-risks, such as theft or exposure of private information, also registered strongly relative to non-cyber risks in the survey. (The survey was conducted in late July and early August, after the WannaCry and NotPetya malware outbreaks, but before the Equifax breach.)
Cobb and Myers were somewhat in disbelief over the results, so much so that they ran the survey a second time, but got the same results. Cobb noted that this is not the first time that social scientists have studied how the public perceives a range of technology risks, but as far as he knows, this is the first time anyone has put “cyber-risks” into the mix.
Risk perceptions were also found to vary between demographic groups, but several cyber-related hazards were consistently rated as moderate to high risk by multiple groups.
Age also makes a difference in perception of criminal hacking. Respondents under 45 years of age tend to see less risk in criminal hacking than those who are 45 or older. Income also matters. Respondents with household income under $75,000 tend to rate the risk of criminal hacking as high or very high more often than those with household income above that (58% versus 48%). (Additional details below.)
Cobb and Myers will present their findings, including a demographic analysis of variations in risk perception and the implications for risk communication and reduction, at (ISC)² Security Congress (September 25-27 in Austin, TX).
Survey Methodology and Additional Survey Findings
ESET Senior Security Researcher Stephen Cobb and ESET Security Researcher Lysa Myers
To conduct their research, Cobb and Myers adapted two survey instruments previously used in numerous academic studies of risk perception: the “Industrial Strength Risk Perception Measure” and the “Cultural Cognition Worldview Scales.” Both were derived from the work of Prof. Dan M. Kahan of the Cultural Cognition Project at Yale Law School, to whose pioneering work in this field the researchers are indebted.
The survey was conducted online via SurveyMonkey’s “SurveyMonkey Audience,” and asked randomly selected respondents aged 18 to 60+ to rate 15 different risks on an eight-point Likert scale (0 for “No Risk At All”, to 7 for “Very High Risk”). Each question was presented on its own page, independently of the others, in this format: “How much risk do you believe criminal hacking into computer systems poses to human health, safety, or prosperity?”
The weighted average score for that question, “criminals hacking into computer systems,” was 5.41. Here are the hazards that were asked about, listed by weighted average risk score:
- Criminals hacking into computer systems: 5.41
- Air pollution: 5.33
- Disposal of hazardous wastes in landfill sites: 5.24
- Theft or exposure of private data: 5.22
- Global warming: 4.92
- Motor vehicle accidents: 4.92
- Companies accumulating your personal data: 4.65
- Government monitoring of citizens' emails and web searches: 4.58
- Nuclear power: 4.47
- "Fracking" (extracting natural gas by hydraulic fracturing): 4.47
- Corporate computer network failures: 4.34
- Genetically modified foods: 4.05
- Private gun ownership: 3.62
- Artificial intelligence: 3.47
- Medical X-rays: 3.00
To further evaluate respondents’ risk perceptions, they used a technique widely employed in the biennial (ISC)² Workforce Study, a top-two-box score. They calculated the number of respondents who rated hazards in the top two categories: “high risk” and “very high risk.” The results were largely the same, although global warming moved up one position.
- Criminals hacking into computer systems: 54.6%
- Air pollution: 53.8%
- Disposal of hazardous wastes in landfill sites: 52.3%
- Global warming: 50.1%
- Theft or exposure of private data: 48.9%
- Motor vehicle accidents: 42.8%
- Government monitoring of citizens' emails and web searches: 38.0%
- Nuclear power: 35.6%
- Companies accumulating your personal data: 34.2%
- "Fracking" (extracting natural gas by hydraulic fracturing): 33.5%
- Genetically modified foods: 29.3%
- Corporate computer network failures: 25.9%
- Private gun ownership: 25.6%
- Artificial intelligence: 17.3%
- Medical X-rays: 7.3%
The age breakdown was 21% age 18-29, 25% age 30-44, 30% age 45-59, and 25% age 60 and over. More than half of respondents (53%) were in full-time employment. (Age chart shown above.)
Using standard quantitative methods, we found significant demographic differences in the perception of cyber risk. For example, age makes a difference in perception of criminal hacking. Respondents under 45 years old tend to see less risk in criminal hacking than those who are 45 or older. Income also matters. Respondents with household income under $75,000 tend to rate the risk of criminal hacking as high or very high more often than those with household income above that (58% versus 48%).
We also found, in common with many other risk perception studies, that women tend to see more risk than men in technology hazards. However, our respondents saw less gender difference in cyber-risks than in non-cyber risks. For example, based on weighted averages, women saw 8% more risk than men for criminal hacking, but 14% more risk for hazardous waste disposal and 24% more risk for fracking.
A note from the researchers: We hope to encourage other researchers to expand on this work, from repeating the survey with a larger sample, to diving deeper into more specific cyber-risks. Examining perception differences between countries could also prove useful.
References:
Kahan, D. M. (2015). “Climate-Science Communication and the Measurement Problem.” Advances in Political Psychology, 36, 1-43. doi:10.1111/pops.12244, pp. 8-9.
Kahan, D. M. (2012). “Cultural Cognition as a Conception of the Cultural Theory of Risk.” In R. Hillerbrand, P. Sandin, S. Roeser, & M. Peterson (Eds.), Handbook of Risk Theory: Epistemology, Decision Theory, Ethics and Social Implications of Risk (pp. 725-760). Springer, London.