Monthly Archives: July 2018
In which state are consumers most prepared for a cyber attack?
Ponemon Institute is pleased to presents the results of a U.S.-based survey of consumers located in all 50 states and Washington D.C. Survey findings were used to create the Cyber Hygiene Index (CHI) that attempts to measure consumers’ ability to protect themselves from various criminal attacks, especially in the online environment.
The CHI consists of a series of positive and negative survey questions weighted by the relative importance of each question for achieving a high level of readiness.
In the context of this research we define cyber hygiene as an individual’s ability to maintain a high level of readiness in order to prevent, detect and respond to cyber-related attacks such as malware, phishing, ransomware and identity/credential theft. The index provides a score ranging from +37 points (highest possible CHI) to -39 points (lowest possible CHI).
A total of 4,290 respondents were surveyed, which represented a 3.2 percent response rate from a proprietary sampling frame of consumers located throughout the United States. A total of 553 surveys were removed from the final sample because of reliability failure. The state-by-state sample sizes varied from a low of 40 completed surveys in Wyoming to a high of 179 completed surveys in New York.
Figure 1 provides the CHI scores for the top 5 and bottom 5 U.S. states. The bracketed number next to each state is the relative ranking from the most positive score for New Hampshire (re: 4.29) to the most negative score for Florida (re: -6.29).
In this section, we provide an analysis of the CHI and survey findings. The figures summarize the results of our survey. Each chart provides the overall survey response compiled from our total sample of 4,290 U.S. consumers with comparison to the 100 individuals with the most risky responses. We call this group the Bottom 100.
The complete audited research results are presented in the Appendix of this report. We have organized the report according to the following topics:
- The impact of identity theft on cyber hygiene
- The impact of malware and phishing attacks on cyber hygiene
- The impact of a lost device on cyber hygiene
- The impact of password practices on cyber hygiene
- The impact of online behavior on cyber hygiene
- The impact of identity theft on cyber hygiene
Figure 2 shows the percentage of respondents who said they experienced an identity fraud or another identity theft crime over the past 12 months. Our hypothesis is that consumers who experience an identity related crime were less likely to have strong cyber hygiene at the time of the incident.
Figure 3 shows the immediate consequences of the identity theft. As can be seen, both the Overall and Bottom 100 show a similar pattern. The most significant consequence is the decline in credit because of a low FICO score, followed by the misuse or theft of the respondents’ credit or debit cards.
Figure 4 presents respondents’ level of cautiousness resulting from the identity theft incident. As shown, 42 percent of respondents said the incident had a significant impact on their level of caution when connected to the Internet or when sharing their personal information. In sharp contrast, 60 percent of the Bottom 100 said the incident had no impact on their online behaviors.
There are dozens more findings and charts in the report, which you can download for free at this link on Webroot.com.
Who likes long airport lines? For Clear, and airports, frustration is a sales pitch
“Skip the lines! No wait times!” yelled the “Clear” salespeople swarming beleaguered fliers at Sea-Tac airport on Thursday. The standard passenger security screening line wound far down the usual hallway. Travelers who approached slumped their shoulders when it came in view. But all around this frustrated and captive audience were sales staff offering an immediate, easy answer: Sign up for Clear. There’s a free trial. You’ll be escorted to the front of the line! You can’t lose!
Actually, passengers are losing. That long-line alternative costs $179 a year.
What’s Clear? It’s kind of like TSA Pre or Global Entry. Passengers sign up with these services before flying and trade some personal information for a chance at shorter security lines when they get to the airport.
Clear address a a different part of the security screening process, however. It lets fliers use their fingerprints (or their eyes) instead of their IDs when entering security checkpoints. Clear users still go through standard passenger screening — shoes off, etc. For consumers, the main benefit is the chance to skip ahead to the physical screening portion of security checkpoints.
But that chance to cut in line, especially if you are running late, is a pretty compelling offer. Especially when Clear-only lines look so friendly, calm, and inviting, compared to the chaos happening at the other end of the hallway.
It’s understandable for passengers to look at the situation and wonder if the airport is somehow conspiring to nudge fliers to sign up for Clear — especially when you consider that the Port of Seattle, which operates Sea-Tac, gets 10% of Clear gross sales at SeaTac, according to Seattle radio station KOUW.
Are these two entities profiting off of flier misery? Or even orchestrating it? It natural to wonder about that, said aviation expert Will McGee, an airline passenger advocate and author of the book Attention All Passengers.
“It’s like first you create a problem, and then you hit people with a (paid) solution to the problem,” he said.
To be clear, the Transportation and Security Administration sets staffing levels at the nation’s airports using a complex formula based on busy times, not Clear or the Port of Seattle. And TSA often doesn’t do a good job of that. Two years ago, when security lines during summer travel reached crisis proportions, TSA had the fewest number of full-time staffers since its creation.
The agency hired hundreds more agents this year to avoid a repeat, but that’s a drop in the bucket compared to the surge in traffic many airports are experiencing. There were 43 percent more SeaTac passengers in 2017 than five years ago. That means frustrating delays are still common. Airlines like United and Alaska are sending out warnings to passengers, suggesting they arrive a full two hours at the airport before some domestic flights.
Other TSA efforts to stem the problem have seen mixed results. It’s TSA Pre program, which costs $75 for five years, turned out to be too popular with fliers, who now sometimes face long wait lines at airport security, anyway.
Clear says it’s just trying to help. TSA’s failure creates a market opportunity. Clear’s value proposition is simple: Give the firm some biometric information, and you’ll won’t have to pull out your license or passport at the airport. In an instant, you can pass the first part of every airport’s security two-step — the identity verification. Instead, you can skip to the passenger screening.
At the moment, based on the wait-free exclusive Clear lines I saw this week at Sea-Tac, the value is quite real. A spokesman for the company told me most Clear uses pass screening in five minutes.
“It lets you take that extra meeting, or spend more time with family,” the spokesman, who asked not to be named, said.
The firm claims Clear works because it opens up a bottleneck in screening — eliminating the TSA agent who looks at your license, then at your face, and then scribbles on your boarding pass.
In my experience, the bottleneck isn’t in ID verification, however. It’s in screening. You’ll frequently see TSA agents deliberately slow down because the line behind them gets too long. And as far as the added security of biometric identification, that’s questionable. The Clear spokesman told me it was “100% accurate,” a risky claim to make with any technology. Clearly, in one way, it eliminates human error. Repeated red-team tests have shown the failure rate of TSA agents is high. On the other hand, biometric information can be faked, and Clear also eliminates the human element from screening. A well-trained TSA agent can theoretically spot potentially dangerous would-be passengers during those brief human encounters.
I asked Clear if it had any data or studies to back up claims that it genuinely speeds up the screening process — vs. simply creating a kind of airport HOT lane — and the firm hasn’t gotten back to me yet.
I also asked the Port of Seattle to respond to the impression that it is profiting off of passenger’s misery — or somehow might have a hand in making that misery. In a statement, the agency said it has worked with TSA to increase the number of agents, and pointed out that only about 3% of passengers currently use Clear. The agency’s full statement is pasted below.
I’m still awaiting a response from TSA.
I talked to a couple of sales folks at SeaTac and expressed my dismay at this; one conceded that the situation didn’t look good, and he didn’t think the free trial arrangement was ideal. He did say that ultimately, Clear’s partnership with airports is ultimately a good thing for fliers, because it will help fix a clearly over-burdened system.
As often happens in this case, outsourcing government tasks to a private company is a tempting solution. Instead, it’s both a band-aid and an abdication of responsibility.
“The problem is that in many cases airport authorities share much of the blame for security congestion and passenger delays through screening,” McGee says. “They should be working on developing sensible solutions to alleviate such problems for all passengers, not developing for-profit solutions for the few who can and will pay to avoid such messes.”
If you find yourself standing on a long line this summer, being upsold on Clear by hawkers promising a chance to cut in line, it would be worth asking yourself: Do I trust this company long-term with my biometric information? You should also wonder if Clear’s future might look anything like TSA-Pre — it works for early adopters, until it becomes so popular that long lines follow. And naturally, you might also wonder: What if those folks were actually helping with passenger screening instead of giving sales pitches?
Perry Cooper of the Port of Seattle issued this statement to me:
“The TSA and Homeland security determines the staffing assignments for all airports throughout the country. We have worked with our Congressional delegation for the last several years to encourage additional staffing as we’ve been the fastest growing airport in the country over the last five years. The TSA has faced staffing challenges with the boom in the region. They have recently brought in more staff from around the country to help immediately and they have more staff recently hired going through training who expect to be on the job in the next few weeks. In addition, the TSA has worked to get more K9 teams here to Sea-Tac as well. The combination of additional TSA staff and K9 teams helps improve throughput at the checkpoints.
“The Port has increased our efforts in our area of responsibility outside the checkpoints. We hired 8 additional Pathfinders for the summer, and recently approved four more, who help to ‘cue balance’ which means moving people from one line to another.
“For more information, here’s a blog post we’ve put up recently to help walk people through some of the details of checkpoints and what arriving early means in your planning.
“Clear is a trusted traveler product approved by the TSA just like PreCheck. It is used in over 30 airports across the country. The numbers we see going through Clear lanes is about 3% of our monthly total of passengers and does not have an effect on the speed of the general lines. The fee collected is a concessions fees just as any airport would collect from a dining or retail tenant. All of those monies are required to go back into the Airport Improvement Fund which fund amenities at the airport. PreCheck and Clear are provided as choices for travelers to use.”