《CybSafe:2023年度网络安全意识与行为报告(英文版)(102页).pdf》由会员分享,可在线阅读,更多相关《CybSafe:2023年度网络安全意识与行为报告(英文版)(102页).pdf(102页珍藏版)》请在三个皮匠报告上搜索。
1、1OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023TABLE OF CONTENTSOh,Behave!The Annual Cybersecurity Attitudes and Behaviors Report 20232OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023TABLE OF CONTENTSHope(is not a strategy)Double the funFull of BSReport
2、aim&structureUp close and personalFeverishly fresh!Key termsExecutive summaryOur online presence is getting swoleWere frustrated and doubtful about online securityMove over cybersecurity training,nudges are comingCybercrime reporting is increasingAre we behaving?The main findingsOur online presenceO
3、nline security and reliance on othersGeneral attitudes to online securityCybersecurity responsibilityCybersecurity trainingCybercrime victimizationCybersecurity behaviors and practicesConclusionSecurity fatigue is realSecurity vs.productivityGenerational challengesThe role of the mediaCybersecurity
4、trainingThats a wrap!AppendicesAppendix A:MethodologyAppendix B:Country comparisonsNational Cybersecurity AllianceCybSafeAuthorsExpert contributorsAcknowledgments03237379050709040426272835374553757677777878808521215173OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS R
5、EPORT 2023Hope(is not a strategy)Its early September.As we pen the final parts to this years behemoth,summer is a sizzlin,and good feelings are in the air.So break out the bunting,because this year marks the 20th anniversary of Cybersecurity Awareness Month.It happens every October,and it has the la
6、udable goal of educating and inspiring behavior change.Since the inception of Cybersecurity Awareness Month,the threats we face have evolved,significantly.The importance of cybersecurity has never been greater.Theres no doubt the security professionals of 2003 knew peoples behavior was important.But
7、 there was a disconnect when it came to the human factors that contribute to security breaches and incidents.The belief went like this:If we just made people aware of the risks,theyll start behaving more securely.That was wrong.Now we know better.And when you know better,you do better.Today,as secur
8、ity professionals with a keen eye on the evidence,we know awareness is not enough.Its not enough to tell people about risks,and hope they remember what they need to do at the point of action.Or,indeed,hope they care enough to act in the first place!From the risk-takers to the rule-followers,we need
9、to understand why people behave the way they do,and what motivates them to change their behavior.Behavioral science plays a vital role in strengthening cybersecurity.Thats why we created this report.Again.Welcome to the 2023 Annual Cybersecurity Attitudes and Behaviors Report.Or,as its known round t
10、hese parts,Oh,Behave!4OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023HOPE(IS NOT A STRATEGY)Double the funThis year,we got ambitious.We surveyed over 6,000 people across the United States,Canada,the United Kingdom,Germany,France,and New Zealand to get a better understanding of
11、 our security behaviors and attitudes.Double the participants.Double the countries.Double the fun!We asked people about their knowledge of cybersecurity risks,their security best practices,and the challenges they face in staying safe online.The findings are eye-opening,to say the least.They show,eve
12、n though people are becoming more aware of risks,theyre not always taking the necessary steps to protect themselves.For example,only 60 percent of people use strong passwords,and only 40 percent use multi-factor authentication.And even though most people know about phishing scams,theyre still fallin
13、g for them.Full of BS*The good news is there are things we can do to improve peoples security behavior.This report provides a number of recommendations for organizations and individuals.We know changing peoples behavior isnt easy.But if we want to make the digital world a safer place,it is essential
14、.Were particularly excited about this years report because it shines a spotlight on the workforce.Cybercriminals know if they want to target an organization,they need to target its people.We believe this report will help organizations to better protect themselves and their people.We hope you enjoy r
15、eading this report as much as we enjoyed producing it.Grab your lab coat.Youve got a date with behavioral science.Oz&Lisa*Behavioral science.Lisa Plaggemier Executive Director,The National Cybersecurity AllianceOz Alashe,MBE CEO&Founder,CybSafe5OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVI
16、ORS REPORT 2023Report aim&structureIts all about you,the people!Specifically,how you feel and how you act when it comes to cybersecurity.Tech ninjas.Click-curious newbies.Everybody in between.Our third Cybersecurity Attitudes and Behaviors report uncovers the nitty gritty of how people engage with t
17、he digital realm.Thats the general public,and the workforce too.Thats right,were no slouches.Our goal?To paint a vibrant picture of the cybersecurity behaviors and attitudes that shape our digital existence.Youre looking at a comprehensive,international snapshot across representative global samples.
18、This year,its never been truer:theres something for everyone.But were not just here to chat.Weve been busy building on the last two years findings.Weve really gotten into it with five game-changing security behaviors that keep the virtual world spinning:1.Ensuring password hygiene:Password creation
19、habits(i.e.,using strong and separate passwords)Frequency of changing passwords Password management techniques2.Using Multi-Factor Authentication(MFA)3.Installing the latest device updates4.Checking emails for signs of phishing and reporting them onward5.Backing up dataUp close and personalWeve got
20、an exciting journey ahead of us.Zooming in on peoples access to cybersecurity training.Dissecting how the media/news coverage influences cybersecurity perceptions.Getting up close and personal with peoples experiences of cybercrime victimization.And how people report incidentsif indeed they do.6OH B
21、EHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023REPORT AIM&STRUCTUREPsst!Heads-up,weve organized the results into themes:How deep is peoples online presence?What do people really think about cybersecurity?The good,the bad,the need-to-know truths.Whos got your back at work and at ho
22、me?Whos got access to training,and how do people use it?What types of cybercrimes do people encounter?How people like youyes,youengage with those five key security behaviors.Whats that?Youre curious about our behind-the-scenes magic?Of course you are.In the appendices we:unveil our research methodol
23、ogy,introduce you to the diverse participant pool,and even toss in the country-specific numbers.Pretty sweet,no?Feverishly fresh!Its our third report in the series,so were really hitting our stride.Our research design and data collection was already on point(head to Appendix A to learn more).But wev
24、e switched some things up to deliver even more illumination and insight.Heres whats new:Double the fun:We doubled the sample size from 3000 to over 6000 people(6,064,to be precise).Going global:New countries=new perspectives.Germany,France,and New Zealand have entered the party.They join the United
25、States(US),Canada,and the United Kingdom(UK).Strategic targeting:We wanted to shine a spotlight on the general public and the global workforce.This years sample boasts a whopping 66 percent of employed participants.Making the findings super-useful for organizations.Fresh questions:We asked new quest
26、ions about training engagement and preferences(e.g.,delivery style),the media/news impact,and a bunch of password-related behaviors.Question makeover:We reworded questions and made multi-choice options sleeker.Why?Because making sure participants have a smooth,clear survey experience leads to better
27、 data.And becausego figurenot everyone are cyber geeks like us,weve added some examples and key terms to keep everyone on the same page.Qualitative questions:The survey remains mostly multiple-choice.But this year participants could also share their thoughts in their own words through our new qualit
28、ative questions.Figuring out peoples cybersecurity feelings means letting them speak from the heart.7OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023KEY TERMSKey termsWe get itthese report thingamajigs often come with a side of brain cramps.Fret not.Heres the lowdown on the lin
29、go.The key terms weve used throughout the report are:(Security)attitude:A psychological disposition we have towards making an evaluative judgment about security(i.e.,the way we think or feel about it).For reporting attitudes,we have used 5-and 10-point Likert scales(e.g.,“strongly disagree”to“strong
30、ly agree”)to examine positive and negative views people hold about particular security topics.(Security)behaviors:For this report,we have narrowed down our investigation to five security behaviors.These include:password hygiene(password creation,management,and frequency of change),applying MFA,insta
31、lling the latest updates,checking messages for signs of phishing and reporting them,and backing up data.Cyberbullying:Bullying is unwanted,aggressive behavior that involves a real or perceived power imbalance.This power imbalance can be physical.It can also revolve around popularity or the bully hav
32、ing access to embarrassing information about the victim.Generally,bullying is a repeated behavior,or it has the potential to be repeated.Cyberbullying,then,is when these bullying behaviors occur online,either through messaging,social media,or other digital channels.Cybercrime:Cybercrime has been def
33、ined in several ways but is essentially regarded as any crime(traditional or new)that can be conducted through,enabled by,or using digital technologies(e.g.,phishing attempts).Cybercrime victimization:The result of criminal behavior in which harm or loss is caused to a person or organization,and inf
34、ormation and communication technology plays a notable role in the execution of the offense.Identity theft:When a cybercriminal steals someones personal information and uses it to assume their identity.This can involve the criminal applying for credit and loans,or even filing taxes using the victims
35、identity,potentially damaging their credit status.8OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Multi-Factor Authentication(MFA):The process of using two or more pieces of information to log in to an account.This can be a password and code sent to a phone.Also known as Two-F
36、actor Authentication(2FA)and Two-Step Verification(2SV).Password hygiene:Creating unique and separate passwords for sensitive online accounts,managing passwords using browser or stand-alone applications,and the tactics of changing passwords.Password management application:A password manager is a sta
37、nd-alone program that stores,generates,and manages passwords for local applications and online services.Phishing(scams):Cybercriminals trick people into providing information or installing dangerous software to steal money or data from them.This is often done via fake emails that appear to be from t
38、rusted senders,encouraging people to click malicious links or open malicious attachments.Online dating scam:Cybercriminals adopt a fake online identity to create the illusion of a romantic or close relationship to manipulate and/or steal from the victim.They often use highly emotive requests for mon
39、ey,claiming they need emergency medical care or must pay for transport costs to visit the victim if they are overseas.Sensitive(important)online accounts:Online accounts holding details of identity,address,and bank cards(e.g.,payment-related sites,social media accounts,and work accounts).Vocab sessi
40、on over.Whos ready for the highlights?Step this way.KEY TERMS9OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023TABLE OF CONTENTSExecutive summaryOur online presence is getting swoleWere frustrated and doubtful about online securityMove over cybersecurity training,nudges are comi
41、ngCybercrime victims are reporting moreAre we behaving?10OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023ExecutivesummaryOur online presence is getting swoleA whopping 93 percent of participants are online at least daily.Just seven percent of people in our sample reported being
42、 connected to the Internet less than once a day.All of us hold at least a few online accounts,across different websites and applications,and some include our sensitive personal information.But heres the big reveal:It turns out that almost half(47%)of the participants have ten or more sensitive onlin
43、e accounts,like payment-related and primary email accounts.Andget this15 percent admitted theyd lost count(Figure 1).Figure 1.“Overall,how many sensitive online accounts that hold personal information do you have?”Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the tota
44、l number of participants:6064,dates conducted:April 13,2023-April 27,2023.11OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Were frustrated and doubtfulabout online securityAttitudes towards online security remain positive.A solid 84 percent consider staying secure a priority,a
45、nd 69 percent perceive it as achievable.But not everyones having a chill time.A sizable 39 percent of participants felt frustrated,and 37 percent were intimidated by staying secure online(Figure 2).One in three(32%)often feel overwhelmed by cybersecurity information,scaling down their online actions
46、 as a result.Plus,the cost of taking protective action online doesnt come cheap,according to almost half of us(49%).A cool 69 percent of participants thought staying secure online is worth the effort.But the younger generations(21%of Gen Z and 23%of Millennials)are skeptical about the return on inve
47、stment.They were more than twice as likely as Baby Boomers(6%)and the Silent Generation(9%)to doubt online security is worth the effort(Figure 3).Figure 2.“I feel that staying secure online is.”Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of particip
48、ants:6064,dates conducted:April 13,2023-April 27,2023.Figure 3.Participants levels of agreement when answering“I feel that staying secure online is worth the effort”by generation.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants with gener
49、ation information:5748,dates conducted:April 13,2023-April 27,2023.EXECUTIVE SUMMARY12OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Over half of the participants(56%)said the news motivates them to take protective security actions.And 51 percent find the media/news coverage h
50、elps them stay informed about online security(Figure 4).But its not all sunshine44 percent of the participants said the media evokes fear,and 42 percent felt it overcomplicates online security.Move over cybersecurity training,nudges are comingAccess to trainingLets turn our attention to the training
51、 scene.First up,just over a quarter of participants(26%)reported having access to,and taking advantage of,cybersecurity training.Meanwhile,an eyebrow-raising two-thirds(64%)noted they had no access to training whatsoever(Figure 5).Figure 4.“What impact does the media/news have on your viewstowards o
52、nline security?”Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.Figure 5.“Do you have access to cybersecurity training(e.g.,at work,school,or library)?”Base:US,Canada,UK,Germany,France,and
53、 New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.EXECUTIVE SUMMARY13OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Hold up,whos getting the training?Mainly,its people in employment(47%)or those studying
54、(49%).They had better training access than retirees(8%)or people not in active employment or studying(15%,Figure 6).But get this:Even among the employed,more than half(53%)are out in the cold when it comes to training access.Wondering how people like to be shown the security ropes?When asked about t
55、heir preference for learning about cybersecurity topics,almost half(47%)of employed participants favored online training courses over in-person training(24%).On the flip side,preference towards nudges and alerts is growing,with nearly a fifth(19%)preferring to receive just-in-time alerts and notific
56、ations.Figure 6.“Do you have access to cybersecurity training(e.g.,at work,school,or library)?”by employment status.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.Figure 7.“How would you
57、most prefer cybersecurity training to be delivered?”by employment.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.EXECUTIVE SUMMARY14OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVI
58、ORS REPORT 2023Cybersecurity trainingDoes training make a splash?Most people rated cybersecurity training as useful(84%)and engaging(78%),no matter whether theyd done it at home or work.Seventy-nine percent of participants reported having put the cybersecurity advice into action.Only six percent rep
59、orted that they didnt change any of their cybersecurity behaviors,and 15 percent believed they were already doing the right things,and therefore didnt need to change their behaviors(Figure 8).But what did training do for people?Half of the participants(50%)felt they became better at recognizing and
60、reporting phishing messages,37 percent had started using strong and unique passwords,and a third(34%)had begun using MFA.Figure 8.“When you attended training course(s),how did it influence your security behaviors?”Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the tota
61、l number of participants who had attended training courses:1559,dates conducted:April 13,2023-April 27,2023.Note:Multiple-choice question.EXECUTIVE SUMMARYI started saving passwords using a password manager(e.g.in Browser,1Password,Lastpass,iCloud Keychain)15OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITU
62、DES AND BEHAVIORS REPORT 2023Cybercrime reporting is increasingWhos getting hit,and by which cyber nasties?Our participants disclosed 2,047 incidents led to losing money or data.Think phishing,identity theft,and online dating scams.Over a quarter(27%)reported having been a victim of at least one typ
63、e of cybercrime.The good news is thats a seven percent drop on last years figures.Heres the less good news:There was a seven percent increase in the number of people who feel they may become victims of cybercrime.In fact,half of the participants(50%)thought they were potential targets for cybercrimi
64、nals(Figure 9).Figure 9.Participants responses to statements about how staying secure online can help protect others,perceived likelihood of becoming a target of cybercrime,and concerns about falling victim to cybercrime.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),t
65、he total number of participants:6064,dates conducted:April 13,2023-April 27,2023.EXECUTIVE SUMMARYPhishing is the out-and-out star of the shady cybercrime show.Overall,phishing incidents accounted for the highest proportion of total incidents(47%,Figure 10).And,check this out:Online dating scams(27%
66、)took the lead over identity thefts(26%)compared to last year.Figure 10.Types of cybercrime incidents.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of cybercrime incidents 2047,dates conducted:April 13,2023-April 27,2023.16OH BEHAVE!THE ANNUAL CYBERSE
67、CURITY ATTITUDES AND BEHAVIORS REPORT 2023Millennials,looks like the cybercrime spotlights on you.Youre leading the pack with incidents(Figure 11).Specifically,online dating scams(44%)were the apple of your eye,followed by phishing(36%)and identity thefts(37%).Putting aside the Silent Generation due
68、 to their small sample size,Gen Zs and Baby Boomers reported the fewest identity thefts(15%and 17%respectively).Figure 11.Cybercrime incidents by generations.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of cybercrime victims:Phishing,911;Online datin
69、g scam,541;Identity theft,508(excluding any cybercrime incidents noted by 316 participants from New Zealand,who didnt provide their age),dates conducted:April 13,2023-April 27,2023.EXECUTIVE SUMMARYBut now for some cheering newsyes,even if youre a romantically inclined Millennial.Most folks(88%)repo
70、rted their cybercrime experiences to someone.Incident reporting rates were favorable for all crime types.Only a smidge of incidents which led to data or money loss went unreported:14 percent of phishing,16 percent of online dating scams,and eight percent of identity thefts(Figure 12).When it came to
71、 reporting,the type of crime made a difference.Fifty-nine percent of phishing victims reported the incident to their bank or credit card company,and 54 percent of identity theft,and 42 percent of online dating scams did likewise.This is encouraging.Figure 12.Crime reporting frequency by crime type.B
72、ase:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of cybercrime victims:Phishing,961;Online dating scam,555;Identity theft,531,dates conducted:April 13,2023-April 27,2023.Identity theft17OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 202
73、3Are we behaving?We wouldnt have enjoyed our summer as much if we hadnt done a deep dive on the nitty-gritty of behavior.Specifically those five key behaviors that spell good cybersecurity.Need a reminder?Weve got you:Ensuring good password hygiene Using MFA Installing the latest device updates Chec
74、king messages for signs of phishing and reporting them Backing up dataPassword hygieneWe peeled back the layers of password hygiene through its three sub-behaviors:frequency of changing passwords,creation of strong and separate passwords,and password management strategies.While NIST guidelines1 have
75、 ditched the requirement to change passwords periodically,some people and organizations still think this is the gold standard for good password hygiene.However,over a third(34%)said they only change their sensitive online account passwords if they have to.Meanwhile,31 percent change theirs every few
76、 months.Almost half(48%)of those who changed their passwords mentioned they used their own techniques for creating new passwords.This technique was prevalent with older generations(e.g.,62%of Baby Boomers).How about the more fresh-of-face,then?Well,over a quarter of Gen Zs(26%)opted for passwords su
77、ggested by websites or apps.However,younger generations dabbled more with risky password practices.Plenty(37%of Gen Z and 44%of Millennials)admitted to only updating a few characters or a couple of words in their passwords compared to older generations(27%of Baby Boomers and 26%of Silent Generation,
78、Figure 13).EXECUTIVE SUMMARY1 https:/pages.nist.gov/800-63-3/sp800-63b.html18OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Next up!Eyes on the size.According to the national guidelines the recommended standards for password length is more than 12 characters or using a string
79、of three or more words(e.g.,NCA2,NCSCs CyberAware3,Get Cyber Safe4 and CERT NZ5)Forty-six percent of participants create passwords nine to 11 characters long.Almost a third(30%)go shorter than that though.Oh,and heres something really interesting:Older folks tend to go briefer(32%of Baby Boomers and
80、 36%of Silent Generation),while younger generations lean a tad longer(Figure 14).EXECUTIVE SUMMARY2 https:/staysafeonline.org/online-safety-privacy-basics/passwords-securing-accounts/3 https:/www.ncsc.gov.uk/blog-post/the-logic-behind-three-random-words4 https:/www.getcybersafe.gc.ca/en/secure-your-
81、accounts/passphrases-passwords-and-pins5 https:/www.cert.govt.nz/individuals/guides/how-to-create-a-good-password/Figure 13.“What action do you most often take when changing your password(s)?”by generationFigure 14.“How long are the password(s)you usually create?”by generationBase:US,Canada,UK,Germa
82、ny,France,and New Zealand based participants(aged 18+),the total number of participants with generation information and excluding those who never or less than yearly change their passwords:4983,dates conducted:April 13,2023-April 27,2023.Base:US,Canada,UK,Germany,France,and New Zealand based partici
83、pants(aged 18+),the total number of participants with generation information:5748,dates conducted:April 13,2023-April 27,2023.I change a character or two on my existing passwordI change a word or twoI use passwords suggested by websites or applicationsI change my password to something completely dif
84、ferent(I have my own technique)Baby BoomersI change my password using the passphrase technique(e.g.three random words)19OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Despite creating long passwords,over a third(34%)resort to using a single dictionary word or someones name,sim
85、ply throwing in a few numbers and/or symbols for good measure.The majority(67%)rock separate passwords for their important online accounts either all of the time or the majority of the time.A third(33%)were more laid back,juggling fewer passwords for their important online accounts(Figure 15).Managi
86、ng passwordsHold onto your hats for this oneover half(56%)have never used a password manager.But 31 percent are giving it a go.The hottest password wrangling technique?Writing passwords into a notebook takes the cake(31%).One in four of us are memory machines:A quarter(24%)say they remember their pa
87、sswords without storing or writing them anywhere(Figure 16).Some folks even rely on resetting their password each time they login as opposed to remembering it(3%)!EXECUTIVE SUMMARYFigure 15.“How often do you use unique passwords for your important online accounts(e.g.,emails,social media,payment-rel
88、ated sites)?”Figure 16.Preferred password management strategies.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+
89、),the total number of participants with multiple passwords:5403,dates conducted:April 13,2023-April 27,2023.Save in browser(e.g.,Google Chrome)20OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023For those who use password managers,theres an even split between using a free stand-a
90、lone password manager(38%)or an internet browser(39%).Less than a quarter(23%)mentioned paying for a stand-alone password manager.Applying Multi-Factor Authentication(MFA)Almost a third(30%)of us have(still)never heard of MFA.The generation gap seen in previous reports is alive and well.A majority o
91、f Gen Z(77%)and Millennials(77%)had come across MFA before(Figure 17).However,a sizable chunk of older generations remain in the dark about MFA(37%of Baby Boomers and 41%of Silent Generation never having heard of it).Installing software updates and backing up dataSixty-five percent of us know the dr
92、ill when it comes to keeping devices updated.And 60 percent noted they either always or very often update their devices when notified about available updates(Figure 18).EXECUTIVE SUMMARYFigure 17.“Have you ever heard of Multi-Factor Authentication(MFA)?Also known as Two-Factor or Two-Step Verificati
93、on”by generations.Figure 18.“How often do you install the latest software or application updates to your devices when notified that they are available?”Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants with generation information:5748,date
94、s conducted:April 13,2023-April 27,2023.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.NeverRarelySometimesVery oftenAlways21OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REP
95、ORT 2023A close-up on back-ups:Fifty-six percent are in the know and on the case when it comes to backing up their data.A solid 42 percent said they perform frequent backups(i.e.,very often or always),but over a quarter(26%)stated they never,rarely do so,or they dont have the know-how(Figure 19).Rec
96、ognizing and reporting phishing messagesA hefty 63 percent rated their phish-spotting skills.However,over a quarter either didnt know how to identify(18%)or didnt know what phishing scams were(8%).Whats more,67 percent reported they very often or always check whether messages are genuine before clic
97、king any links or responding to them(Figure 20).EXECUTIVE SUMMARYFigure 19.“How often do you backup your most important data?”Figure 20.Frequency of checking messages for signs of phishing before taking action.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total nu
98、mber of participants:6064,dates conducted:April 13,2023-April 27,2023.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.NeverNeverRarelySometimesVery oftenAlways/Always/Automaticto cloud ser
99、viceI dont know howto do this22OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Spottings all well and good.But how about reporting phishing messages?Forty-four percent of participants said theyre all in,hitting that spam or report phishing button very often or always(Figure 21)
100、.Conversely,a third of us(33%)either lacked the know-how,never,or rarely reported phishing.There you have it,a tour of the major landmarks of what people think and do when it comes to cybersecurity.The adventures just beginning,though.Join us as we get our teeth into the truth,bit by bit.EXECUTIVE S
101、UMMARYFigure 21.“How often do you report phishing messages usingthe spam or report phishing button?”Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.23OH BEHAVE!THE ANNUAL CYBERSECURITY ATT
102、ITUDES AND BEHAVIORS REPORT 2023TABLE OF CONTENTSThe main findingsOur online presenceOnline security and reliance on othersGeneral attitudes to online securityCybersecurity responsibilityCybersecurity trainingCybercrime victimizationCybersecurity behaviors and practices24OH BEHAVE!THE ANNUAL CYBERSE
103、CURITY ATTITUDES AND BEHAVIORS REPORT 2023THE MAIN FINDINGSThe main findingsOur trip into the ever-so-serious realm of research began in April 2023.We ran our third survey online between April 13th and April 27th.Representative samplesmeticulously matched in terms of age and genderwere obtained from
104、 the United States,Canada,the United Kingdom,France,Germany,and New Zealand.Toluna6 ran the survey in every corner except for New Zealand,where CERT NZ7 handled the data collection.A whopping six thousand and sixty-four participants generously shared their thoughts.Sorry,kids!This was all about the
105、grown-ups.We surveyed the adult population(18+),with the average age being 48 years(SD=17.00)8.Sixty-six percent of the participants stated they were in either full-or part-time employment.As per the previous year,we explored the sample population and delved into differences between age groups.6 htt
106、ps:/7 https:/www.cert.govt.nz/8 This excludes participants from New Zealand(N=1064),who were asked to use age brackets instead stating their exact age.9 New Zealand,who had overlapping age grouping categories were excluded from the generational analysis.Where generational differences are reported in
107、 the main findings section,these participants are excluded.Age group%within country of residenceGen Z(18-26)15915.9%28328.3%26826.8%24924.9%414.1%00.0%10710.7%24524.5%28728.7%34434.4%171.7%00.0%12212.2%27827.8%26826.8%30130.1%313.1%00.0%13013.0%24624.6%30730.7%31031.0%70.7%00.0%13513.5%27827.8%28528
108、.5%28228.2%202.0%00.0%969.0%25924.3%19017.9%20315.9%00.0%316929.7%74913.0%158927.7%160527.9%168929.4%1162.0%3165.2%Millennials(27-42)Gen X(43-58)Baby Boomers(59-77)SilentGeneration(78+)Inconclusive(age not provided)UnitedStates(N=1000)Canada(N=1000)United Kingdom(N=1000)Germany(N=1000)France(N=1000)
109、New Zealand(N=1064)Total(N=6064)Table 1.Number of participants per country and age group.25OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Weve shone light on differences related to employment status,where applicable,and for our fellow number nerds weve further analyzed the cou
110、ntry differences separately in Appendix B.Table 1 shows the number of participants in each age group and their employment statuses are shown in Figure 22.In fact,weve even given you further participants demographics in Appendix A.Dont say we never spoil you.Sixty-six percent of the participants stat
111、ed they were in either full-or part-time employmentFigure 22.Participants employment status.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.THE MAIN FINDINGS26OH BEHAVE!THE ANNUAL CYBERSEC
112、URITY ATTITUDES AND BEHAVIORS REPORT 2023Our online presenceLets be clear.Were not talking hit rates and followers.Well leave that to the influencers.It turns out most of us are glued to the internet like a barnacle to a rock.All.Day.Long.A full 50 percent of us are always connected.Only seven perce
113、nt connect less than once a day(e.g.,once per week).Entirely less shockingly,younger age groups are the most digitally connected.Sixty-nine percent of Gen Z and 64 percent of Millennials are always connected(Figure 23).Thats up by five and 16 percent from last year(2022).Right,online accounts.We wan
114、ted to know how many online accounts people have containing sensitive information.Almost half(47%)of people have ten or more accounts,including 15 percent confessing that theyd lost count(Figure 24).Younger generations led the charge here,with Gen Zs(37%)and Millennials(35%)reported having over 20 s
115、ensitive online accounts10.Meanwhile Baby Boomers(25%)and the Silent Generation(22%)reported having fewer accounts.Figure 23.“How frequently do you use the Internet?”by generations.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:5748,dat
116、es conducted:April 13,2023-April 27,2023.10 This includes those participants who answered Not sure,I lost the count.Most of us are glued to theinternet like a barnacle to a rockGen ZMillennialsGen X0%20%40%60%80%Baby BoomersSilent GenTHE MAIN FINDINGSOUR ONLINE PRESENCE27OH BEHAVE!THE ANNUAL CYBERSE
117、CURITY ATTITUDES AND BEHAVIORS REPORT 2023Online security and reliance on others We were curious about whether peoples families depended on them to stay safe online.Over a third(34%)said yes.Another 23 percent said they relied on friends or family to keep them safe online.Thats a decrease of 12 perc
118、ent from last years report.Heavy is the head that wears the family tech support crown.Millennials(46%)and Gen Z(39%)report the highest percentage of family members relying on them for online security,compared to just 21 percent of Baby Boomers(21%,Figure 25).Figure 24.“Overall,how many sensitive onl
119、ine accounts that hold personal information do you have?”Figure 25.“Family members rely on me to keep them secure online”by generations.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.Base
120、:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants with generation information:5748,dates conducted:April 13,2023-April 27,2023.I only have one online account2-4 online accounts5-9 online accounts10-19 online accounts20 or more online accountsN
121、ot sure,I lost countTHE MAIN FINDINGSOUR ONLINE PRESENCEGen ZMillennialsGen XBaby BoomersSilent Gen0%5%10%15%20%25%0%20%40%60%80%28OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023But then there are the digital lone wolves(56%),who dont need anyone else to stay safe online(Figur
122、e 26).For the 23 percent who did seek help,their needs included general security advice(61%),software updates(60%),and backing up data(59%).Figure 26.“I rely on others(e.g.,my family,my colleagues)to keep me secure online”by generations.Figure 27.“I feel that staying secure online is.”Base:US,Canada
123、,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants with generation information:5748,dates conducted:April 13,2023-April 27,2023.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates cond
124、ucted:April 13,2023-April 27,2023.General attitudes to online securityMost of us have a sunny cybersecurity attitude,with a blinding eighty-four percent of participants saying that staying secure online was a priority.Plus a cheery 69 percent consider it achievable.These two attitudes had the highes
125、t agreement,with mean scores close to strongly agree(Priority:M=8.3,SD=1.9,N=6064;Achievable:M=7.3,SD=2.1,N=6064).Moreover,69 percent of participants thought staying secure online was worth their effort(Figure 27).It wasnt clear skies and plain sailing for everyone,though.While feelings of frustrati
126、on and intimidation were reduced from last year(by 7%and 5%,respectively),39 percent of participants still felt frustrated,and 37 percent were intimidated by staying secure online.It seems help is reaching the people who need it,but very slowly.THE MAIN FINDINGSONLINE SECURITY AND RELIANCE ON OTHERS
127、Gen ZMillennialsGen XBaby BoomersSilent GenA priorityFrustratingIntimidatingAchievablePossibleUnder my controlWorth the effort0%20%40%60%29OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Half of the participants(50%)found staying secure online easy(Figure 28).However,38 percent
128、 agreed that most information about staying safe online was confusing,and sadly this hasnt fallen since last year.Almost one-third of participants(32%)reported feeling overwhelmed by cybersecurity information,which led them to minimize their online actions.Figure 28.Participants levels of agreement
129、with online security ease,clarity,and being overwhelmed.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.It is important to be able to safely and securely use the internet without having to
130、 worry about my information getting leaked.(P3387,United States)Online security means personal data,firewalls and safety online.Data security is one of the most important(e.g.,passwords,online tracking)things I worry about.(P368,United Kingdom)It is impossible to be safe online.Of course I use a vir
131、us scanner,update my browser regularly and use different passwords.But I dont feel sure either.(P809,Germany)THE MAIN FINDINGSGENERAL ATTITUDES TO ONLINE SECURITY0%20%40%30OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Damn.A third of us(33%)presume our devices are automatical
132、ly secure.That figure is similar to last year.Seemingly our confidence in our devices is hard to shake.Meanwhile,almost half(49%)believed that online protection was costly(Figure 29).This paragraph should have been sponsored by a casual shrug,or maybe a,meh.Because 22 percent of us dont see the poin
133、t of trying to protect ourselves further(Figure 30).Similarly,some had a sense of helplessness when it came to losing money online,with 22 percent believing it was unavoidable.There was even more meh when it came to theft of personal details,with a third of participants(33%)believing having their pe
134、rsonal details stolen online was unavoidable.These results echo last years data(with only 1-3%differences).Figure 29.Participants levels of agreement to presuming their devices are secure and the cost of taking protective action.Base:US,Canada,UK,Germany,France,and New Zealand based participants(age
135、d 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.THE MAIN FINDINGSGENERAL ATTITUDES TO ONLINE SECURITYA third of us(33%)presume our devicesare automatically secureThis paragraph should have been sponsoredby a casual shrug or maybe a,meh31OH BEHAVE!THE ANNUAL C
136、YBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Generational differences in attitudesAge is more than just a number when it comes to cybersecurity attitudes.Our data reveals some intriguing generational disparities.Older generations(91%of Baby Boomers)prioritized online security more than younger ge
137、nerations(69%of Gen Z,Figure 31).The Silent Generation(43%)and Millennials(40%)experienced the highest levels of intimidation,while Gen X felt least intimidated by staying secure online(39%disagreed with the statement,Figure 32).Perhaps its because they grew up in the age of mixtapes and Walkmans,ma
138、king firewalls and MFA feel like childs play.Figure 30.Participants perceptions about the value of protection and avoidability of losing money or personal details on the Internet.Figure 31.Participants levels of agreement when answering“I feel that staying secure online is a priority”by generation.B
139、ase:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants with generation information:57
140、48,dates conducted:April 13,2023-April 27,2023.THE MAIN FINDINGSGENERAL ATTITUDES TO ONLINE SECURITY32OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Figure 32.Participants levels of agreement when answering“I feel that staying secure online is intimidating”by generation.Figure
141、 33.Participants levels of agreement when answering“I feel that staying secure online is worth the effort”by generation.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants with generation information:5748,dates conducted:April 13,2023-April
142、27,2023.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants with generation information:5748,dates conducted:April 13,2023-April 27,2023.Younger generations(21%of Gen Z and 23%of Millennials)were more than twice as likely as Baby Boomers(6%)
143、and the Silent Generation(9%)to disagree with the idea that online security is worth their efforts(Figure 33).Similar trends and feelings reared their heads when we asked whether online security was seen as achievable.Among Gen Zs,59 percent believed it was achievable,while the other generations agr
144、eed anywhere from 68 percent to 79 percent of the time(Figure 34).THE MAIN FINDINGSGENERAL ATTITUDES TO ONLINE SECURITYGen ZMillennialsGen XBaby BoomersSilent Gen0%10%20%30%40%33OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Figure 34.Participants levels of agreement when answ
145、ering“I feel that staying secure online is achievable”by generation.Figure 35.Participants levels of agreement when answering“I feel that staying secure online is under my control”by generation.Figure 36.Participants levels of agreement with answering“I often feel overwhelmed by information and mini
146、mize my actions online”by generation.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants with generation information:5748,dates conducted:April 13,2023-April 27,2023.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18
147、+),the total number of participants with generation information:5748,dates conducted:April 13,2023-April 27,2023.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants with generation information:5748,dates conducted:April 13,2023-April 27,2023
148、.Which generation are most likely to be masters of their own digital destiny?Certainly not Gen Z,as less than half of them(44%)expressed feeling in control of their online security.Other generations were more confident,with over half of each(ranging from 52%to 53%)agreeing with the sentiment(Figure
149、35).Twenty-one percent of Gen Zs felt out of control regarding staying secure online,suggesting being a digital native doesnt automatically grant you security self-esteem.Younger generations(35%of Gen Z and 38%of Millennials)and the Silent Generation(45%)felt overwhelmed.The outcome?They minimized a
150、ctions online more than Gen X(29%)and Baby Boomers(28%,Figure 36).THE MAIN FINDINGSGENERAL ATTITUDES TO ONLINE SECURITY34OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Figure 37.“What impact does the media/news have on your views towards online security?”Figure 38.Participants
151、 levels of agreement,by generation,with statement media/news help them to stay informed about online security.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.Base:US,Canada,UK,Germany,Fran
152、ce,and New Zealand based participants(aged 18+),the total number of participants with generation information:5748,dates conducted:April 13,2023-April 27,2023.Actually,the data suggests growing up with tech makes it more likely youll be visited by digital demons.The generational data shows digital na
153、tives(i.e.,Gen Zs and Millennials)and those with little online exposure during active employment(i.e.,Silent Generation)are most at risk,tending to struggle with online security.Media impact on attitudes and behaviorsNew question alert!As a new angle this year,we asked participants about the impact
154、of media and news coverage on their views of online security.Lets face it,if the news said jumping up and down while brushing your teeth made your Wi-Fi faster,a large portion of us would be bathroom acrobats by the end of the week.Surprisingly,56 percent of the participants reported the media&news
155、motivated them to take protective security actions.Fifty-one percent said it helps them to stay informed about online security(Figure 37).However,44 percent of participants pointed out the media&news makes them feel scared,and 42 percent believed such coverage complicates online security.A mixed bag
156、 for sure.We uncovered a few generational differences in media&news-related statements.This is surprising,given how different generations consume news.One important distinction:Gen Zs(22%)tended to disagree more than other generations with the idea that news&media helped them stay informed about onl
157、ine security(Figure 38).THE MAIN FINDINGSGENERAL ATTITUDES TO ONLINE SECURITYThey make me scared about my online securityThey make online security seem complicatedThey help me stay informed aboutonline securityThey motivate me to take protective actions for my online security0%20%40%60%35OH BEHAVE!T
158、HE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Gen Z(47%)also felt least motivated to take protective measures based on the media&news coverage compared to Millennials(58%)and older generations(57%of Baby Boomers and 65%of Silent Generation,Figure 39).Maybe Gen Z are too busy creating th
159、e future to worry about the present?Or maybe theyre yet to develop the healthy skepticism experienced later in life.Figure 39.Participants levels of agreement,by generation,with the statement that the media/news motivates them to take protective online security actions.Figure 40.Participants ranking
160、 of responsibility in answering“Who is most responsible for protecting your information?”Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants with generation information:5748,dates conducted:April 13,2023-April 27,2023.Base:US,Canada,UK,Germa
161、ny,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.Cybersecurity responsibilityA vital question we invited people to ponder next:Who shoulders most of the responsibility for protecting online information?Well,ponde
162、r they didAn impressive 66 percent of people pointed to none other than themselves as the primary guardians of their online info(Figure 40).This marks a seven percent increase from last years survey.Is personal responsibility taking center stage?THE MAIN FINDINGSGENERAL ATTITUDES TO ONLINE SECURITYG
163、en ZThe governmentThe app/platform I useThe technology industryMy internet servvice providerMy employerMy familyMeMillennialsGen XBaby BoomersSilent Gen0%20%40%60%80%36OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Meanwhile,on the flip,were not keen on entrusting our families
164、(57%),employers(56%),or governments(37%)with our digital wellbeing.Just like last year,these three were seen as the least responsible agencies.But get thisapplication and platform responsibility edged up by five percent from 2022,to 41 percent.When it comes to trust perceptions,Silicon Valley the st
165、ate.What about workplace information?Here,the countrys government takes the unfortunate title of being the least reliable protector,with 59 percent of participants rating it as the least trustworthy agency(Figure 41).So,who is guarding the flock?You are.Apparently.Individual responsibility is on the
166、 rise at work as well as in our home lives.The percentage of people taking it upon themselves to safeguard workplace information has surged from 25 percent in 2022 to a commendable 39 percent this year.But that wasnt the biggest leap.A positive trend was also noted with more responsibility placed on
167、 workplace security departments(from 28%in 2022 to 46%in 2023)and IT departments(from 36%in 2022 to 48%in 2023).This could have been due to the option employer being removed from this years survey.That was the option with the highest percentage(43%in 2022)in previous years.Figure 41.Participants res
168、ponsibility rankings in answering“Who is most responsible for protecting your workplaces information?”Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants in employment:4021,dates conducted:April 13,2023-April 27,2023.THE MAIN FINDINGSGENERAL
169、 ATTITUDES TO ONLINE SECURITYThe countrys government takes the unfortunate titleof being the least reliable protector37OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Cybersecurity trainingAccess to trainingDeep breath.Its time to tackle the all-important topic of training.For
170、the third year in a row,we found access to cybersecurity advice and training remains alarmingly low.Just 26 percent(Figure 42)of participants said they had access to cybersecurity training and had used it(30%in 2022).A staggering 64 percent(a 2%increase from 2022)are without access,despiteoh,you kno
171、w,all those looming global cybercrime threats.Anyone have a paper bag we can breathe into?What else about access?Theres a dramatic divide between people in employment and education versus those who are not(Figure 43).People who work or study reported having access to training(47%and 49%,respectively
172、),compared to those who were retired(8%)or not in active employment or studying(15%).However,a job isnt your ticket to training,as 53 percent of employed participants reported having no access to cybersecurity training.Figure 42.“Do you have access to cybersecurity training(e.g.,at work,school,or li
173、brary)?”Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.Figure 43.“Do you have access to cybersecurity training(e.g.,at work,school,or library)?”by employment status.Base:US,Canada,UK,Germ
174、any,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.THE MAIN FINDINGSCYBERSECURITY TRAININGFor the third year in a row,we found access to cybersecurity advice and training remains alarmingly lowEmployed(FT/PT)Stude
175、ntsRetiredNot in active employment38OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023This trend pops up in older generations,where 93 percent of the Silent Generation and 85 percent of Baby Boomers(an increase of 10%and 5%from 2022,respectively)reported a cybersecurity training
176、level of zilch(our word,not theirs,Figure 44).Millennials access to training is dwindling(down by 9%from 2022),while 23 percent of Gen Zs have access but dont use it(a 12%increase from 2022).Two important things here:training access seems lower than in the past,and while no demographic has stellar a
177、ccess to it,people not in active employment and older generations may be more susceptible to cybercrime,as they lack access to the necessary tools and information to reduce their vulnerability.Meanwhile,many Gen Zs have the knowledge at their fingertips,but arent taking advantage of it.In the age of
178、 TikTok and short form content,are employers kidding themselves by thinking the future workforce are prepared to sit through hours of static e-learning?Training locationsLets dive into the digital dojo.We asked our participants where they sought their cybersecurity training.We made it easier this ye
179、ar by allowing for multiple-choice answers.Location,location,location.Just like last year,the majority(52%)accessed cybersecurity training at work or place of study.Only 16 percent accessed it from home.We also found 19 percent mixed it up,accessing resources at both work and home.Five percent repor
180、ted having access to cybersecurity training in multiple locations.As more of us work on the move,and in hybrid setups,that figures likely to grow.It seems the allure of traditional training methods remains strong,with 43 percent(N=1559)reporting getting their cybersmarts through one-off individual t
181、raining courses.Overall,only 30 percent reported continuous training over time,whether individually or in groups.Figure 44.“Do you have access to cybersecurity training(e.g.,at work,school,or library)?”by generations.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the t
182、otal number of participants with generation information:5748,dates conducted:April 13,2023-April 27,2023.THE MAIN FINDINGSCYBERSECURITY TRAININGGen ZMillennialsGen XBaby BoomersSilent Gen39OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Weve long been proponents that one-time s
183、ecurity awareness training doesnt cut it.It needs to be an ongoing activity,helping people understand how to respond to threats as and when threats occur.We asked how common it is for cybersecurity training to be a mandatory mission.Most training completed at work or place of education was a must(82
184、%,N=1149).And of those reporting having to complete compulsory training,55 percent completed it once a year(Figure 45).Thats up by 13 percent from last year(2022).Unfortunately,19 percent of participants have to complete training when something goes wrong or something bad happens(e.g.,a security inc
185、ident at work).Sigh.Maybe theres a glimmer of hope,as these figures were slightly reduced from last year(by 5%).A small yet vital side noteits not a great plan to make folks link failing with training.It turns training into a punishment,and that really doesnt help it do its job effectively.The major
186、ity of participants still favored traditional methods of training delivery with 42 percent(N=6064)preferring online training courses and 24 percent in-person courses.Encouragingly,22 percent indicated they would like training delivered through notifications when needed,such as when deciding whether
187、or not to take a specific action.When comparing those who had access to training and those who didnt,participants without access to courses were less likely to prefer online courses(35%)and more likely to prefer timely notifications(24%)than those with access to training(Figure 46).Additionally,17 p
188、ercent of those without access to training stated they didnt need cybersecurity information.ErmFigure 45.“How often are you required to complete training?”Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants completing mandatory training at w
189、ork or place of education:947,dates conducted:April 13,2023-April 27,2023.THE MAIN FINDINGSCYBERSECURITY TRAININGOnce a yearMore than once a yearWhen something goes wrong(i.e.something bad happens)Both at regular intervals and when something goes wrong0%20%40%60%26%55%5%14%40OH BEHAVE!THE ANNUAL CYB
190、ERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023It seems traditional training methods hold their appeal for many.Almost half(47%)of participants who were employed,whether full-or part-time,preferred online training courses in comparison to in-person training(24%)or having alerts or notifications at th
191、e time they needed them(19%,Figure 47).Some participants(N=592)mentioned they have access to training but wish not to use it.Why?The top reason was lack of time(29%).Meanwhile 18 percent felt they had this cybersecurity thing down already,no need for further improvement(Figure 48).Figure 46.“How wou
192、ld you most prefer cybersecurity training to be delivered?”Figure 47.“How would you most prefer cybersecurity training to be delivered?”by employment.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants with access to training:2151,and withou
193、t access to training:3913,dates conducted:April 13,2023-April 27,2023.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.THE MAIN FINDINGSCYBERSECURITY TRAININGAs an in-person training course
194、In-person training courseAs an online training courseOnline training courseThrough notifications and alerts at the time I need them(e.g.when Im making a decision about whether or not something looks safe,like a link/email)Through notifications/alerts at the time I need themI dont need information ab
195、out cybersecurityI dont need cybersecurity information41OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Figure 48.“What is the main reason you didnt use the opportunity to attend a cybersecurity training course?”Base:US,Canada,UK,Germany,France,and New Zealand based participant
196、s(aged 18+),the total number of participants with access to training but not using it:592,dates conducted:April 13,2023-April 27,2023.Another 16 percent believed cybersecurity training would not effectively reduce their risk of falling victim to cybercrime;some(11%)noted cybersecurity was unimportan
197、t.Were not done just yet,because a further 11 percent of participants said they couldnt access training,with a huge 48 percent giving childcare duties as the primary obstacle.THE MAIN FINDINGSCYBERSECURITY TRAININGI hope my software protects me with regular updates and have also installed a safety p
198、rogram.My fragmentary knowledge of security updates,program possibilities,and cyberattacks is insufficient to feel completely protected!(P9051,Germany)I think it is difficult to obtain total online security as threats are numerous.You have to be very suspicious.(P5598,France).42OH BEHAVE!THE ANNUAL
199、CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023The impact of cybersecurity trainingCybersecurity training courses are beneficial,as long as people can learn from them and apply their learning in practice.So,we asked participants what they learned as part of these courses and whether they had any i
200、nfluence on their online security behaviors.Like last year,we found that recognizing phishing emails steals the spotlight,being covered in 68 percent of training(Figure 49).This was followed by instructions on using strong and separate passwords(57%)and MFA(54%).Every party has its wallflower,and in
201、 this case its backing up data,which got a mention in just 36 percent of courses.Most participants(84%)found cybersecurity training useful or very useful,regardless of whether it was conducted at home or work(N=1888).The usefulness of training at home(M=8.17,SD=1.66,N=739)and at work(M=7.93,SD=1.85,
202、N=1149)environments were very similar on a 10-point scale.Only two percent of those completing training at home and five percent completing it at work/a place of education found the training not at all useful.Additionally,78 percent of participants reported the cybersecurity training as engaging,wit
203、h high engagement ratings for home(M=8.00,SD=1.84,N=739)and work(M=7.56,SD=2.14,N=1149)environments.So,most people were listening,but what happened after the training?We wanted to know if people thought their cybersecurity behaviors had been impacted by training.Compared to last year,the percentages
204、 were slightly lower(6%to 10%for some key behaviors).This was most likely due to the newly added option(i.e.,I already do all these things,so I didnt change anything)coming into play.Figure 49.“Thinking about your last training course,what did you learn about cybersecurity?”Base:US,Canada,UK,Germany
205、,France,and New Zealand based participants(aged 18+),the total number of participants who had attended training courses:1559,dates conducted:April 13,2023-April 27,2023.Multiple-choice question.THE MAIN FINDINGSCYBERSECURITY TRAININGUsing Multi-Factor(or Two-Factor)authenticationIdentifying phishing
206、 messages(e.g.emails,texts).Saving passwords using a password managerInstalling the latest software and app updatesUsing strong and separate passwordsBacking up dataI dont rememberOther54%68%47%44%57%36%4%1%0%20%40%60%43OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023However,ha
207、lf(50%)reported being better at recognizing and reporting phishing messages,37 percent had started using strong and unique passwords,and a third(34%)had begun using MFA(Figure 50).So,yes,training can make a difference.But its important to remember it may also have a limited impact.This is supported
208、by another recent study from NIST.Figure 50.“When you attended training course(s),how did it influence your security behaviors?”Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants who had attended training courses:1559,dates conducted:April
209、13,2023-April 27,2023.Multiple-choice question.THE MAIN FINDINGSCYBERSECURITY TRAININGI started saving passwords using a password manager(e.g.,in Browser,1Password,Lastpass,iCloud Keychain)44OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Improving training effectivenessTeach b
210、ehaviors,not awarenessSecurity awareness training initiatives need to go further than simply educating people about different cyber security risks.The Security behavior database,or SebDB,can be used to determine the risk outcomes important for your organization,and target the right behaviors to redu
211、ce risk.Design security awareness training for everyone There is no one-size-fits-all approach,training content needs to be personalized.Security training isnt a one-time eventEncourage people to continually improve their cyber hygiene by regularly setting goals and sending nudges and alerts.Also,co
212、nsider providing an on-demand library of security training resources.Here,people can get relevant knowledge whenever they need it.Leverage data and reportingUsing data metrics and insights,you can identify the most significant human cyber risks impacting your organization and cover these in your sec
213、urity awareness training.Grab peoples attentionAn effective security awareness programme will make it clear to people that good cybersecurity is vital and that they have an essential role in enabling this.Dont view people as the weakest linkThis attitude is outdated.And it can undermine the fundamen
214、tal aims of security awareness initiatives.Get everyone involvedWhether youre the CEO or an intern,everyone is responsible for practicing healthy cybersecurity behaviors and contributing to a safer MAIN FINDINGSCYBERSECURITY TRAINING45OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT
215、 2023Cybercrime victimizationIn this section,we explore participants perceptions and attitudes toward being victims of cybercrime.How did they feel about the possibility of falling prey to cybercriminals?And had they experienced any of the three primary types of cybercrimephishing,identity theft,or
216、online dating scamsresulting in the loss of money or data?Cyberbullying gets its own section,because unlike cybercrime,the incidents dont always lead to loss of money or data.Vitally,we take a look at the reporting rates of these crimes and discuss why they tend to be underreported.Attitudes towards
217、 victimizationPerceptions of becoming a victim of cybercrime have increased by seven percent since last year,as half the participants(50%)felt they were potential targets of cybercriminals(Figure 51).Like last year(57%in 2022),most participants(58%)were worried about falling victim to cybercrime.Add
218、itionally,over half(52%)agreed they can help protect others online by staying secure.Figure 51.Participants responses to statements about how staying secure online can help protect others,perceived likelihood of becoming a cybercrime target,and worries about falling victim to cybercrime.Base:US,Cana
219、da,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.THE MAIN FINDINGSCYBERCRIME VICTIMIZATIONI received an email from Costco once.a special offer,and I took them up on it,and within minutes,my debit card
220、was being used.(P469,United States)By staying secure I can help protect others onlineI am likely to be a target of cybercrimeFalling victim to cybercrime is something that worries me52%50%58%28%25%22%17%32%16%60%40%20%0%46OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Cybercri
221、me prevalenceParticipants disclosed 2,047 cybercrime incidents(i.e.,phishing,identity theft,and online dating scams)that had resulted in the loss of money or data.Overall,27 percent of participants disclosed being victims of at least one type of cybercrimewhich had fallen by seven percent from last
222、year.Out of 1,614 victims of cybercrime,the majority had experienced phishing crimes(60%).Overall,phishing incidents were the tricksiest trickster of them all,accounting for the highest proportion of total incidents(47%,Figure 52).In contrast to the previous year,where identity theft held the positi
223、on of the second-highest reported crime type(24%in 2022),closely followed by online dating scams(17%in 2022),this year saw a shift.Online dating scams took the lead,becoming more prevalent(27%of incidents)compared to identity thefts(26%).Like the 80s hit says,love is a battlefield.Its high time we b
224、usted a misconception:Far from making you“cyber-streetwise”,growing up around the internet actually puts you at more risk of getting hit by cybercriminals.Digital natives had the highest numbers of cybercrime victimization.Specifically,43 percent of Gen Zs mentioned losing money or data due to cyber
225、crime,followed by 36 percent of Millennials(Figure 53).As in the previous year,Baby Boomers(15%)reported the lowest numbers of victimization rates,followed closely by the Silent Generation(20%)and Gen Xs(23%).Figure 52.Types of cybercrime incidents.Base:US,Canada,UK,Germany,France,and New Zealand ba
226、sed participants(aged 18+),the total number of cybercrime incidents 2047,dates conducted:April 13,2023-April 27,2023.Figure 53.Victimization by generation.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:5748,dates conducted:April 13,2023
227、-April 27,2023.THE MAIN FINDINGSCYBERCRIME VICTIMIZATIONGen ZMillennialsGen XBaby BoomersSilent Gen47OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Millennials take the unenviable crown,reporting the highest proportions of all types of crimes(Figure 54).For instance,44 percent
228、 of victims of online dating scams were Millennials,compared to 22 percent of Gen X and seven percent of Baby Boomers.Millennials also accounted for over a third of phishing(36%)and identity theft(37%)crimes.If not taking into account the Silent Generation(due to the small participant pool),identity
229、 thefts were lowest in Gen Zs(15%)and Baby Boomers(17%)generations.Cybercrime reportingNot on my watch!The reporting rates for all crime types were favorable,with 88 percent of cybercrime victims reporting the incident to someone.This year,only 14 percent of phishing,16 percent of online dating scam
230、s,and eight percent of identity thefts,which had led to losing money or data,went unreported(Figure 55).Figure 54.Cybercrime incidents by generations.Figure 55.Crime reporting frequency by crime type.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of cy
231、bercrime victims:Phishing,911;Online dating scam,541;Identity theft,508(excluding any cybercrime incidents noted by 316 participants from New Zealand,who didnt provide their age),dates conducted:April 13,2023-April 27,2023.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+)
232、,the total number of cybercrime victims:Phishing,961;Online dating scam,555;Identity theft,531,dates conducted:April 13,2023-April 27,2023.THE MAIN FINDINGSCYBERCRIME VICTIMIZATIONBeing an honest person,I like to put faith in others and tend to trust everyone until proven wrong.(P533,United States)G
233、en ZMillennialsGen XBaby BoomersIdentity theftSilent GenPhishingOnline dating scamsIdentity theft48OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023This is a mammoth shift from 2022.Back then,31 percent of phishing,42 percent of online dating scams,and 26 percent of identity the
234、fts went unreported.We love to see it.On average,crime reporting rates were consistently high across the generations(ranging from 82%to 92%).The highest rate of unreported cyber crimes occurred in Gen Xs(18%),with the lowest reporting rates for online dating scams(74%).It seems cybercriminals are ge
235、tting away with putting a damper on a little middle-aged romance.A crime in itself.Those who had been victims of cybercrime favored reporting the incident to their bank or credit card company(59%phishing,54%identity theft,and 42%online dating scams,Figure 56).The second most common course of action
236、was to report the incident to the authorities,such as the police.Interestingly,victims of online dating scams also opted to report the incident to the designated person or department at their place of work or education(28%)and to their network/broadband or phone provider(26%).We wanted to dig into t
237、he reasons behind the reporting.Most victims of phishing(50%),online dating scams(39%),and identity theft(39%)reported the incident to relevant authorities because they wanted to prevent it from happening again to themselves or others.And for both phishing(29%)and identity theft(42%)victims,wanting
238、their money back was a key driver for sounding the alarm.Many people stated they knew how and to whom to report phishing scams(49%,Figure 57).Also,identity theft(39%)reporting seemed reasonably straightforward for some,but a quarter(25%)of the victims had to dig deep,finding the reporting process ch
239、allenging but eventually succeeding.Figure 56.Who were the cybercrimes reported to?Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants who had reported cybercrime:Phishing,830;Online dating scam,466;Identity theft,491,dates conducted:April 1
240、3,2023-April 27,2023.Multiple-choice question.My online security provider wasnt given as a choice for identity theft.THE MAIN FINDINGSCYBERCRIME VICTIMIZATIONThis is a mammothshift from 2022Bank/credit card companyThe police,or another government agency or organizationThe designated person or depart
241、ment at my work or place of educationMy network/broadband or phone providerMy email or online search provider(e.g.Gmail)The service/application provider where I lost money/dataI told my family,who then took action on my behalfMy online security provider(e.g.Norton,McAfee)59%54%42%28%32%38%17%17%18%1
242、8%26%21%21%24%29%10%11%11%11%13%21%17%28%0%20%40%60%49OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023But the pictures incomplete if we dont also look at those who didnt report.What were their reasons for not doing so?The top cited reasons for phishing incidents were that the a
243、mount of money/data lost was negligible or unimportant to them(19%),and they felt there was no point in reporting as no action would have been taken(18%,Figure 58).Figure 57.Easiness of the reporting process by crime type.Figure 58.Reasons given for not reporting the incident by crime type.Base:US,C
244、anada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants who had reported cybercrime11:Phishing,813;Online dating scam,466;Identity theft,480,dates conducted:April 13,2023-April 27,2023.Base:US,Canada,UK,Germany,France,and New Zealand based participants(a
245、ged 18+),the total number of participants who had not reported cybercrime:Phishing,131;Online dating scam,89;Identity theft,40,dates conducted:April 13,2023-April 27,2023.11 Those phishing(N=17)and identity theft scam(N=11)victims who asked a family member to take action were not asked about the eas
246、iness of the reporting process.THE MAIN FINDINGSCYBERCRIME VICTIMIZATIONYes,I knew how and to whom to report it toI didnt have the timeI didnt know who to report it toI didnt know how to report itThe process was too much effort(couldnt be bothered)There was no point as no action would have been take
247、nI was too ashamed to have fallen for the scamOtherThe ammount of money/data lost was too small or unimportant to meI forgotYes,even though I didnt know how to do it,it was easy to find outNo,it wasnt easy to do,but I eventually managed to report it49%42%39%32%46%36%19%12%25%0%10%20%30%40%50%50OH BE
248、HAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023When reporting online dating scams,those who didnt report the incident mentioned they were too ashamed for having fallen for the fraud(29%),and some noted there was no point in doing so(15%).A sizable 35 percent of identity theft victi
249、ms who didnt report revealed various other reasons.Most of them said it was because the companies(e.g.,banks)or service providers flagged it and dealt with it directly.CyberbullyingWhen we think about cyberbullying,sharp exchanges on social media most likely come to mind.But make no mistake:Cyberbul
250、lying is a growing threat for individuals and organizations alike.In general terms cyberbullying involves the use of electronic communication to bully,harass,or intimidate someone.The motive?Simply causing the victim to feel emotional distress.Contrary to popular belief,cyberbullying isnt confined t
251、o children and teenagers.It affects people of all ages.And that means cyberbullying has significant implications for cybersecurity.Not only does it compromise mental well-being,but it can also disrupt good cyber hygiene habits.Incident frequencyParticipants reported 921 incidents of cyberbullying.An
252、d,similar to last years data,while no ones immune,theres a strong age pattern.Gen Zs(38%)reported the highest rates of being victims of cyberbullying(Figure 59).The number of cyberbullying incidents declined through the generations,with the Silent Generation noting only four cases(3%)of cyberbullyin
253、g.Figure 59.Victim of cyberbullying by generation.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of cyberbullying victims with generation information 889,dates conducted:April 13,2023-April 27,2023.THE MAIN FINDINGSCYBERCRIME VICTIMIZATIONI had reporte
254、d it to the service provider several times and received no reaction.(P8181,Germany)Cyberbullying is a growing threat for individualsand organizations alikeGen ZMillennialsGen XBaby BoomersSilent Gen38%24%9%5%3%0%10%20%30%40%51OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Repo
255、rting cyberbullying incidentsMany victims reported cyberbullying to various places(Figure 60).The top two options were the police or other authorities(33%)and schools or workplaces(29%).Additionally,31 percent mentioned they talked about it with their peers or family members.Twenty percent of victim
256、s didnt report or mention the incident to anyone.Most cyberbullying victims(85%,N=61212)found the reporting process easy,with only 15 percent finding it complicated but managing to find support eventually.The most common reasons for reporting cyberbullying were to stop the bully(36%,N=734)and they c
257、onsidered it important to notify authorities to prevent it from happening again to them or others(28%).Also,some took action because they wanted to reduce feelings of fear,needed comfort,or felt responsibility to do so.Among the 187 victims who didnt report the crime,36 percent felt there was no poi
258、nt as no action would be taken.They also mentioned not knowing who to report the incident to(15%)and feeling ashamed(15%).Figure 60.Agencies where cyberbullying is reported to.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of cyberbullying victims who
259、reported the incident 734,dates conducted:April 13,2023-April 27,2023.Multiple-choice question.12 This question was asked from those participants who didnt select options I talked about it with my peers/family or No,I didnt mention it to anyone.THE MAIN FINDINGSCYBERCRIME VICTIMIZATIONThe service/ap
260、plication provider(e.g.Instagram)52OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Resilience,reporting,and bullyingOne things clear:helping foster resilience against cybercrimes and cyberbullying is good for business.EducateTrain everyone on how to recognize and avoid phishing
261、 scams,social engineering,cyberbullying and other types of cyber threats.Encourage them to use strong passwords,MFA,and to be wary of suspicious emails or phone calls.Use protectionOffer protection services(e.g.,for identity theft)as a job benefit.These can include credit monitoring,identity guard,a
262、nd insurance coverage if the worst happens.Show people how to report cybercrimesHelp people understand the benefits of reporting incidents and suspected incidents.SupportProvide access to mental health resources and assistance programs.Establish policiesLay out what appropriate online behavior looks
263、 like and the consequences for breaking the rules.Create a culture of respectCelebrate diversity and promote respectful communication and interactions among your team.Have a planHave a plan in place for how to respond.Whatever your plan,make sure that everyone is aware of it and understands their MA
264、IN FINDINGSCYBERCRIME VICTIMIZATION53OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Cybersecurity behaviors and practicesItll come as a surprise to precisely no one that were all rocking at least“a couple”of online accounts.As mentioned previously,almost half(47%)of participan
265、ts are juggling ten or more.So how do they fend off cybercriminals and keep their information,accounts,and devices secure?Remember those five key cybersecurity behaviors we mentioned in the introduction?Well,hang tight,because in this section we examine the topic through the lens of those all-import
266、ant elements:ensuring good password hygiene(i.e.,creation and strength and password management strategies),using MFA,installing the latest device updates,checking messages for signs of phishing and reporting them,and backing up data.Password hygieneLets look at password hygiene through its three sub
267、-behaviors:frequency of changing passwords,creation of strong and separate passwords,and password management strategies.Here,the National Institute of Standards and Technology(NIST)13 guidelines for password hygiene are:Check passwords against breached password lists(e.g.,using the haveibeenpwned14
268、website).Avoid the use of passwords contained in password dictionaries.Prevent the use of repetitive or incremental passwords.Avoid the use of context-specific words as passwords.Increase the length of passwords.Most of these have been reflected in all participating countries and/or regions:NCA15,NC
269、SCs CyberAware16,Get Cyber Safe17,CERT NZ18,and European Union Agency for Cybersecurity(ENISA)19 guidelines for password hygiene.Changing passwordsAdvice to make regular password changes was once gospelbut no longer.Recent updates to the NIST guidelines20 have removed this requirement.The new tune?Y
270、ou no longer need to change passwords frequently,which is excellent news for people who find periodical password change requests annoying and struggle to invent unique,new passwords,like anyone who is not a computer.However,old habits die hard,so we were curious to see how deeply rooted this advice
271、is in our collective password hygiene.13 https:/pages.nist.gov/800-63-3/sp800-63b.html14 https:/ https:/staysafeonline.org/online-safety-privacy-basics/passwords-securing-accounts/16 https:/www.ncsc.gov.uk/blog-post/the-logic-behind-three-random-words17 https:/www.getcybersafe.gc.ca/en/secure-your-a
272、ccounts/passphrases-passwords-and-pins18 https:/www.cert.govt.nz/individuals/guides/how-to-create-a-good-password/19 https:/www.enisa.europa.eu/topics/incident-response/glossary/authentication-methods20 https:/pages.nist.gov/800-63-3/sp800-63b.htmlTHE MAIN FINDINGSCYBERSECURITY BEHAVIORS AND PRACTIC
273、ES54OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Our query was simple:How often do people change their passwords for sensitive online accounts?Over a third(34%)responded they didnt change it unless they had to,which was slightly higher(5%)than the previous year(Figure 61).Th
274、is was closely followed by 31 percent who changed it every few months,five percent lower than in 2022.Compared to the previous year,the other percentages either remained the same or had minor changes(1%).But what strategies do individuals use to invent their next digital deadbolt?Turns out theres a
275、rich tapestry of approaches.The good news is,almost half(48%)of participants are creative visionaries,using their own techniques and changing their password(s)to something completely different.However,over a third(35%)were feeling less inspired,only changing a few characters or a word in their passw
276、ords.These figures closely reflect last years results.When examining generational differences,older age groups tend to rely on their own techniques(e.g.,62%of Baby Boomers)in comparison to Gen Zs(34%)and Millennials(35%,Figure 62).Over a quarter(26%)of Gen Zs reported using passwords suggested by we
277、bsites or applications.Also,younger generations appear to engage with more risky password practices,such as only updating characters or a word(37%of Gen Z and 44%of Millennials),in comparison to older generations(27%of Baby Boomers and 26%of Silent Generation).It seems the older generations might ha
278、ve a thing or two to teach whippersnappers about passwords.Figure 61.Password change frequency“How often do you change your passwords?”Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.THE M
279、AIN FINDINGSCYBERSECURITY BEHAVIORS AND PRACTICESWe seem to opt for what is convenient,even ifits a neon-lit invitation to criminals55OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Using unique and separate passwordsMany of us are creatures of habit.We cling to a handful of me
280、morable phrases and merrily recycle them for every login prompt that comes our way.This can be okay if your phrase is robust enough to withstand a bruteforce bashing.But it doesnt mitigate against credential stuffing.We seem to opt for what is convenient,even if its a neon-lit invitation to criminal
281、s.Password creation tacticsReducing risk doesnt have to be rocket science.Building new habits for password creation and management does the job well.Many of the country/region guidelines mentioned earlier recommend using passphrases or“three random words”21 to conjure up formidable fortifications.Wh
282、ats more,recent NIST guidelines22 advise complex passwords dont have to mean swimming in a soup of upper and lower-case letters,numbers,special characters,hieroglyphs,and gang signs.Word.So,back in the real world,how good are we at using unique passwords for sensitive accounts?Figure 62.“What action
283、 do you most often take when changing your password(s)?”by generations.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants with generation information and excluding those who never or less than yearly change their passwords:4983,dates conduc
284、ted:April 13,2023-April 27,2023.21 https:/www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words22 https:/pages.nist.gov/800-63-3/sp800-63b.htmlTHE MAIN FINDINGSCYBERSECURITY BEHAVIORS AND PRACTICESI change a character or two on my existing passwordI change a word or twoI u
285、se passwords suggested by websites or applicationsI change my password to something completely different(I have my own technique)I change my password using the passphrase technique(e.g.three random words)0%20%40%60%20%17%26%34%19%14%13%50%14%16%10%13%60%62%3%3%3%1%4%25%19%18%35%13%8%56OH BEHAVE!THE
286、ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023The majority(76%)of participants claimed they knew how to create unique and strong passwords,and they actively did so.Eighteen percent noted they knew how to create strong passwords,but didnt bother to do so.Maybe for the intoxicating thrill of
287、 danger?Who can say.Only six percent mentioned they had no idea how to create unique and strong passwords.So,exactly how do people create their passwords?We asked them to spill the beans about the average length of their passwords and whether they used any personal information or single dictionary w
288、ords when doing so.We spotted something here:Although the length of passwords had somewhat increased,peoples tactics for creating passwords appeared slightly less inventive than last year.PASSWORD LENGTHForty-six percent of participants reported creating passwords between nine and 11 characters long
289、,the same as in 2022.Almost a third(30%)of participants created passwords shorter than this.However,there was a positive change in creating passwords longer than 12 characters.Almost a quarter(24%,N=6064)of participants created long passwords,a promising eight percent increase from last year(2022).T
290、here were some small generational differences.Older participants are more likely to keep their passwords short and sweet(32%of Baby Boomers and 36%of Silent Generation)compared to younger generations(26%of Gen Zs and 28%of Millennials,Figure 63).Figure 63.“How long are the password(s)you usually cre
291、ate?”by generations.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants with generation information:5748,dates conducted:April 13,2023-April 27,2023.THE MAIN FINDINGSCYBERSECURITY BEHAVIORS AND PRACTICESAlthough the length of passwords had s
292、omewhat increased,peoples tactics for creating passwords appeared slightly less inventive than last yearGen ZMillennialsGen XBaby BoomersSilent Gen57OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023USE OF PERSONAL INFORMATIONAlmost a third(32%,N=6064,an increase of 3%from 2022)r
293、eported including personal informationnames,for instancewhen creating their passwords.This tactic appeared to be more popular with younger generations.Half of Gen Z(50%)and 41 percent of Millennials admitted using names of family members or pets,dates,and places when creating passwords(Figure 64).Pe
294、rhaps its time to change your pets,folks?USING A SINGLE DICTIONARY WORDSimilarly,over a third of participants(34%,N=6064,a 5%increase from 2022)were likely to create passwords using a single dictionary word or someones name,replacing some of the characters with numbers and/or symbols(e.g.,pssw0rd or
295、 Jonth4n).Despite the character-swapping shenanigans,these types of passwords are vulnerable to brute-force dictionary attacks.Younger generations were more likely to use this technique(43%of Gen Zs and 43%of Millennials)than older generations(30%of Gen Xs and 27%of both Baby Boomers and Silent Gene
296、ration,Figure 65).Figure 64.“Do you tend to create password(s)that include references to personal information?For example,names of family members/pets,dates,and places.”by generations.Figure 65.“Do you tend to create password(s)that are made up of a single dictionary word or name,and you replace som
297、e characters with numbers or symbols?For example,pssw0rd,Jonth4n or H0usepl4nt.”by generations.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants with generation information:5748,dates conducted:April 13,2023-April 27,2023.Base:US,Canada,UK
298、,Germany,France,and New Zealand based participants(aged 18+),the total number of participants with generation information:5748,dates conducted:April 13,2023-April 27,2023.THE MAIN FINDINGSCYBERSECURITY BEHAVIORS AND PRACTICES58OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Usi
299、ng separate passwordsA solid 67 percent of participants play it safe by using separate passwords for important online accounts either all of the time or the majority of the time(an increase of 3%from 2022).However,that remaining third(33%)were less frequent with their use of separate passwords(Figur
300、e 66).We were curious about those mavericks who were less likely to use separate passwords for their important online accounts(N=1151).The majority(56%)reported difficulty remembering multiple passwords.Another 21 percent mentioned they only used separate passwords for accounts requiring increased s
301、ecurity.Additionally,15 percent mentioned having separate passwords was time-consuming or required extra effort.Password management strategiesPeople often have multiple accounts and use various tactics to create passwords,but how do they manage them?Preferred password management strategiesWe asked p
302、articipants about their preferred techniques for managing passwords and found the favorite technique was writing passwords into a notebook(31%,a decrease of 6%from 2022).Almost a quarter(24%)of participants reported remembering passwords without storing or writing them down anywhere(Figure 67).Figur
303、e 66.“How often do you use unique passwords for your important online accounts(e.g.,emails,social media,payment-related sites)?”Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April 13,2023-April 27,2023.THE MAIN FIN
304、DINGSCYBERSECURITY BEHAVIORS AND PRACTICESAll of the timeThe majority of the timeHalf of the timeSome of the timeNone of the time0%10%20%30%40%38%29%14%14%5%59OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Generally,most people gave browser or stand-alone password managers the
305、 cold shoulder,with only 21 percent of participants actively using them.However,that represents an eight percent increase from 2022.Additionally,three percent of participants admitted resetting their passwords at the login stage,which is a cumbersome management strategy,but not the worst way to do t
306、hings.For Gen Zs(23%)and Millennials(16%),the preferred ways to manage passwords were to store them on the phone as well as just remember them without writing them down(23%and 27%,respectively).Lets get to those generational observations:47 percent of Baby Boomers and 59 percent of the Silent Genera
307、tion used notebooks to record passwords.In comparison,only 18 percent of Gen Z and 19 percent of Millennials did so.Figure 67.Preferred password management strategies.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants with multiple password
308、s:5403,dates conducted:April 13,2023-April 27,2023.THE MAIN FINDINGSCYBERSECURITY BEHAVIORS AND PRACTICESI write mine down because if cybercriminals hack your computer,they can get into your password manager.(P3358,United States)I prefer to keep my passwords separate from my computer and phone.There
309、s no way anyone can read my notebook online.I live alone,and no one else can access my computer or notebook.Ive been online for 28 years and had a critical account hacked only once because I had a weak password.(P1122,New Zealand)Save in browser(e.g.Google Chrome)0%10%20%30%60OH BEHAVE!THE ANNUAL CY
310、BERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Use of password manager applicationsBased on the low numbers of password management users,we also asked participants whether they had ever used a password manager(e.g.,LastPass,iCloud keychain,or a browser-based manager).More than half(56%)reported neve
311、r using a password manager,with 31 percent noting they currently use one(Figure 68).Among the 1906 participants who reported using password managers,38 percent used a free stand-alone password manager,and 39 percent used their Internet browser.Only 23 percent had purchased a stand-alone password man
312、ager.Why are password managers still unpopular?We asked those not using a password manager(N=4158)why they hadnt jumped in.The top four reasons align with existing research:1.Too many choices,not enough time.Not knowing which password manager to choose(statement agreed by 46%),known as decision para
313、lysis23.With limited attention and time and the lack of motivation to choose from several providers,people tend to stick with their status quo-i,e.,nothing.Performing a cost-benefit analysis would take effort.2.A lack of trust in password managers(statement agreed with by 39%).Recent news coverage a
314、round the security of password managers has fueled this view.People think password managers are not secure.But despite these compromises,password managers are still considered to be the safest option.3.The cost of purchasing a password manager(statement agreed with by 35%).4.Not understanding how to
315、 use a password manager(statement agreed with by 35%).Simply put,people just dont want to go through the trouble of looking into it,paying for one,or setting it up.Figure 68.Password manager use.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of partici
316、pants:6064,dates conducted:April 13,2023-April 27,2023.THE MAIN FINDINGSCYBERSECURITY BEHAVIORS AND PRACTICESA password manager means that cybercriminals only need to gain access to one application and voila!They have all your passwords.That is NOT security.(P1376,United Kingdom)23 Schwartz,B(2004).
317、The paradox of choice.Harper Perennial,New York.61OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2023Encouraging password manager useHave researchers uncovered the golden ticket for password manager adoption:catering to the human desire for autonomy and relatedness?People respond
318、positively to a sense of choice and control.So thats likely what any password manager worth its“salt”(see what we did there)should do.Research24 also uncovered the power of sharing.Sharing experiences and being able to invite others elicits those warm and fuzzy feelings of relatedness.Whats more,it
319、seems receiving referrals from others doesnt undermine that sense of autonomy.Instead,it engages people in a decision-making process where they can follow their own preferences.The takeaway here is this:Password managers are great.The main idea we should emphasize is the positive message regarding p
320、assword managers.Not only do they help you craft strong slogans,they also free you from the perpetual dread of forgetting them.That said,we see the frequent news reports of password managers getting hit for six(thats a cricket reference for“walloped”).We know the struggle is real,and we understand w
321、hy people would be skeptical.More assurance from password manager companies wouldnt go amiss,they are still the safest option available for most people.24 Alkaldi,N.&Renaud,K.(2019).Encouraging Password Manager Adoption by Meeting Adopter.Self-Determination Needs.Proceedings of the 52nd Hawaii Inter
322、national Conference on System Sciences.THE MAIN FINDINGSCYBERSECURITY BEHAVIORS AND PRACTICESStore all its eggs in the same basket.and if access to the managers is cracked,all my access is open to the hacker.(P6917,France)How can you trust who you are giving your information to,its like giving someo
323、ne else the keys to your house.(P1176,New Zealand)The manufacturers are unknown to me.I trust them a little but they are just too expensive for me!The free versions are not fully usable and therefore unusable for me.(P9085,Germany)62OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT 2
324、023Encouraging strong password hygieneNudge peopleResearch has found simply nudging people to create longer passwords(i.e.,by adding the word long into instructions)helps people.Use SSOReduce cognitive burden by using Single Sign-On(SSO)wherever possible.Dont enforce regular password expiryRegular p
325、assword changing harms rather than improves security.Ditch complexity requirements Forcing people to create“complex”passwords is a poor defense against guessing attacks.It places an extra burden on users,many of whom will use predictable patterns(e.g.,replacing the letter o with a zero)to meet the r
326、equired“complexity”criteria.Instead,lean into passphrasesPassphrases are significantly easier to remember than complex passwords.They also hold up significantly longer to brute force attacks.The easier and more convenient security is,the more likely people are to follow it.www.ncsc.gov.uk/collection
327、/passwords/updating-your-approach/www.staysafeonline.org/online-safety-privacy-basics/passwords-securing-accounts/Applying Multi-Factor Authentication(MFA)Nowadays,MFA has become as ubiquitous as that morning cup of coffee,especially when it comes to guarding sensitive data and online accounts.This
328、year,we added two common terms for MFA to improve its clarity:Two-Factor(2FA)or Two-Step Verification(2SV).This little tweak improved the results from previous years.But heres the kicker:Almost a third(30%)of participants had never heard of MFA(Figure 69).This result was 13%lower than in 2022,showin
329、g some promising progress.Similar to last years report,we found generational differences.A majority of Gen Z(77%)and Millennials(77%)have crossed paths with the concept of MFA(Figure 70).Compared to the previous year,the number of people whove heard about MFA has increased in each generation(between
330、 9%and 19%,with the highest increase for Millennials).However,it is still common for older generations to have no knowledge of MFA(37%of Baby Boomers and 41%of Silent Generation).THE MAIN FINDINGSCYBERSECURITY BEHAVIORS AND PRACTICES63OH BEHAVE!THE ANNUAL CYBERSECURITY ATTITUDES AND BEHAVIORS REPORT
331、 2023Figure 69.“Have you ever heard of Multi-Factor Authentication(MFA)?Also known as Two-Factor or Two-Step Verification.”Figure 71.“Do you know how to use MFA?”Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants:6064,dates conducted:April
332、13,2023-April 27,2023.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants who had heard about MFA:4274,dates conducted:April 13,2023-April 27,2023.Figure 70.“Have you ever heard of Multi-Factor Authentication(MFA)?Also known as Two-Factor or
333、 Two-Step Verification”by generations.Base:US,Canada,UK,Germany,France,and New Zealand based participants(aged 18+),the total number of participants with generation information:5748,dates conducted:April 13,2023-April 27,2023.Among those who knew what MFA was,67 percent knew how it worked and were using it regularly.Twenty three percent reported they either dont use MFA or stopped using it despite