The individuals participating in the survey, across all competence groups, were requested to self-evaluate their knowledge on aspects related to information security, both before and after participating in the survey (Table 1
and Figure 1
). A degradation is noticeable at the “before” and “after” responses across the groups, with the exception of HSCG group participants that selected “Insufficient”. In conjunction with the results presented in the following sections, this is attributed to the increased user confidence that characterizes the everyday use, when security threats are not prioritized or not directly visible. This contributes to the unjustified perception of being secure, hence intensifying the security risk, and necessitates increased effort towards educating and making the users aware of the risks.
4.1. Use of Mobile Devices
This section includes questions related to the use of mobile devices and applications, as well as questions related to user behavior when selling or losing a mobile device, and modifying its operating system.
We asked the digital natives what they store on their mobile devices, while a section of the question referred to personal passwords. As presented in Table 2
, despite the frequent warnings, an average of 29.1% of the responders stores personal passwords in their mobile devices, regardless of their security related competence or background.
Subsequently, we asked the digital natives if, in the case of loss/theft of their mobile device, they reported the event to the authorities. The results that are presented in Table 3
highlight the fact that the users are not widely aware of the ability to deny access to wireless networks based on the IMEI (International Mobile Equipment Identity) and other misuse countermeasures. Additionally, some of the differences in the responses between the GSCG and the MSCG/HSCG groups are likely caused due to regional variations in legislation, trust in the efficiency of the authorities, and the awareness of related countermeasures.
The next question focused on software updates on cellphones/tablets and laptops. The results for each category of mobile devices are presented in Table 4
and Figure 2
and Figure 3
. It is noticeable that 14.5% of the GSCG group state that they do not update anything in their laptops, while across all groups, updating only the applications ranks higher than updating only the operating system. Furthermore, comparing the results of the two categories, we observe that the GSCG and MSCG groups better maintain the software of their cellphones/tablets in comparison to their laptops.
Regarding the use of applications, the next question focused on the sources that the digital natives use in order to download applications from, as presented in Table 5
. Over 80% of the digital natives primarily use the official store, while an average of 12.3% across groups consciously uses non-official sources, regardless of the potential security threats. However, there is a positive correlation between security competence and application source.
Focusing on the behavior of the digital natives in terms of the application usage patterns, we asked how they manage their credentials when they have finished using an application. The results that are presented in Table 6
highlight that, regardless of knowledge on the potential privacy and other implications, they select usability over security, since only an average of 24.5% logs out. Furthermore, there is a notable difference between the MSCG and HSCG regarding saving the credentials, where the HSCG group more frequently chooses to save the credentials to stay logged in. Another notable finding is that a significant percentage of participants states that logging-out is “not important”.
Another aspect of application usage patterns with significant security implications is the control of application access rights. Thus, we asked the digital natives how frequently they check the permissions that an application requires prior to accepting its installation. The results, in Table 7
, show significant differences across the groups with a positive correlation between competence and security behavior. Analyzing these responses, in conjunction with the results of Table 6
, highlights that expertise and knowledge can affect user behavior when security is not in conflict with usability.
A set of questions in this section focused on technical knowledge regarding mobile devices, in particular jailbreaking and rooting, as presented in Table 8
and Figure 4
. The respondents across all groups seem to be familiar with these practices, and despite justifiably considering them potentially hazardous in terms of security, an average of 41.6% has used them in their mobile devices. The results show a difference between the groups where the competence level correlates positively with having a jailbroken or rooted mobile device, while the HSCG is slightly (8–10%) less likely to consider these practices as risky. It is evident, from the second data set presented in this table, that individuals with computer science/engineering background are less reluctant in applying such methods. This has also been traced across the GSCG group, when filtering the digital natives according to their academic background [14
Additionally to these results, the questionnaire included a number of propositions regarding the security of these techniques (jailbreaking, etc.), which the respondents had to evaluate as “True”, “False”, or “Unknown”. An example of the investigated propositions is: “Some Jailbreaking methods delete some operating systems’ protections, which can be exploited by malicious code”. In the majority of cases, these propositions have been answered incorrectly by all groups, suggesting that the digital natives are willing to apply such methods on their mobile devices, despite being aware of the involved security risks and without the required experience/knowledge.
4.2. Connectivity and Network Access
This section was focused on analyzing the behavior of digital natives towards connectivity and network access. The results show significant variations across the groups, while one of the most notable differences relates to user behavior when they have the opportunity to connect to an unsecured wireless network, as presented in Table 9
As presented in Figure 5
, there exists a significant difference between the GSCG and the other two groups when it comes to connecting to free Wi-Fi, with both mobile devices and laptops, the former having the largest divergence. The MSCG are more likely to connect their mobile devices, but restrict the use of activities that require credential authentication. Moreover, the HSCG stands out with 42.9% opting not to connect with mobile devices at all, which represents a 20% difference from the two other groups. It is also noticeable that a larger portion of the HSCG (45.7%) opts to connect their laptops, rather than their mobile devices, to unsecured Wi-Fi with restricted activities.
The results across all types of mobile devices, show that user background and knowledge of the involved risks can affect their behavior, according to the significant differences across groups in response to the “I connect and use the Internet without restrictions” question. However, the results highlight that only with small exceptions across people with a security related background do users disregard or are unaware of the involved risks. Furthermore, users tend to be less reluctant when using their laptops in comparison to other mobile devices, potentially due to a falsely increased trust level in the security of such devices.
4.3. Management of Credentials
This section presents results in questions related to the management of credentials and the use of protection technologies. Initially, the digital natives have been asked about the solutions they use, in order to enforce access control to their mobile devices. The results revealed that 40.1% of the GSCG group, 19.9% of the MSCG group and 8.6% of the HSCG group choose to not use any access control mechanism in their mobile devices, while the pattern lock and PINs (Personal Identification Numbers) were the most popular solutions among the GSCG–MSCG groups and biometrics for the HSCG group. The results showed that the users’ background can significantly affect related decisions regarding the overall use of access control mechanisms, while the exact choice of technologies can also be affected by financial or cultural agents.
Aiming to identify potential external influences on these results, we asked the digital natives to identify the reasons behind the decision to not utilize an access control mechanism. The results that are presented in Table 10
show that the usability of these mechanisms can significantly affect this decision. For the HSCG group, the use of access control was at 91.4%, with biometrics used in 54.3% of the sample, which highlights that users who are aware of the involved risks and provided with usable solutions (biometrics) will increasingly incorporate access control mechanisms.
A further set of questions was dedicated to analyzing the use of passwords for authentication purposes. The results in Table 11
and Table 12
show that a mixture of best and worst practices is implemented across the groups, with significant variations among the different password types. Lasting and persistent awareness campaigns focused in the past several years on educating the public and raising awareness about best practices. However, these results show that, despite the visible positive influence, the system did not reach a stable state yet, while educating the users on security best practices requires sending a simple and clear message.