
SECURITY OF THE DIGITAL NATIVES - English version


The project sets out to study the level of awareness and perception of IT security amongst university students, paying particular attention to the world of mobile devices. The report analyses the answers given by 1012 students from over 15 Italian universities to a multiple-choice questionnaire. The analysis shows that students’ perception of their knowledge is generally wrong and that they are unaware of the risks arising from their behaviour. In view of these risks, a proposal has been made to implement technical and legal measures to reduce future problems deriving from faulty or lax adoption of security measures on their mobile devices.


  1. SECURITY OF THE DIGITAL NATIVES
  2. Aim of the study. The goal of this survey is twofold: on the one hand, the focus is on the awareness and knowledge of university students, trying to understand how their perception of security compares to their actual knowledge; on the other hand, we focus on outlining the threat landscape on the basis of their habits, the way they use their mobile devices, the type of data they store and the operations they perform.
  3. Who we are. Tech and Law Center is an interdisciplinary center promoted by a research group composed of members from Università di Milano, Università di Milano–Bicocca, Università dell’Insubria and Politecnico di Milano. The center's projects and events address digital technologies and their interaction with law and society.
  4. The research team. Giuseppe Vaciago (Tech and Law Executive Committee); Francesca Bosco (Tech and Law Executive Committee); Valeria Ferraris (Researcher); Pasquale Stirparo (Tech and Law Fellow).
  5. The research team. Stefano Zanero (Tech and Law Executive Committee); Pierluigi Perri (Researcher); Davide Ariu (Tech and Law Fellow); Brikena Memaj (Tech and Law Member).
  6. Giuseppe Vaciago, Lawyer at Milan and Professor of IT Law, Partner at R&P Legal. Giuseppe Vaciago has been a lawyer of the Milan Bar since 2002 and for the last 10 years his primary focus has been IT Law with a focus on cyber crime. He has assisted many national and international IT companies. He is the author of many publications on cybercrime, including both scientific journals and textbooks, which have been adopted by the University where he teaches. Academically, he received his PhD in Digital Forensics from Università di Milano and he is a lecturer at Insubria University (Varese and Como), where he holds a course on IT law. He has also delivered many lectures and presentations both in Italy and abroad. He attended Fordham Law School and Stanford Law School as a Visiting Scholar to expand his studies in his own particular research area. He is a member of the executive committee of Tech and Law Center and a fellow at the Nexa Center and at the Cybercrime Institute of Koln. Twitter: @giuseppevaciago
  7. Francesca Bosco, UNICRI Project Officer and PhD student at Università di Milano Bicocca. Francesca Bosco earned a law degree in International Law and joined UNICRI in 2006 as a member of the Emerging Crimes Unit. In her role in this organization Ms. Bosco is responsible for cybercrime prevention projects and, in conjunction with key strategic partners, has developed new methodologies and strategies for researching and countering computer-related crimes. More recently, Francesca is researching and developing technical assistance and capacity building programs to counter the involvement of organized crime in cybercrime, as well as on the legal implications and future scenarios of cyberterrorism and cyber war. Furthermore, she is researching and managing projects on hate speech online and on data protection issues related to automated profiling. Francesca is one of the founders of the Tech and Law Center, she is on the Advisory Board of the Koln Cybercrime Institute and she is currently a PhD candidate at the University of Milan. Twitter: @francibosco
  8. Pasquale Stirparo, Digital Forensics Engineer, Founder at SefirTech, Ph.D. candidate at Royal Institute of Technology (KTH) Stockholm. Pasquale Stirparo is a Digital Forensics Engineer and founder of SefirTech, a company focusing on Mobile Security, Digital Forensics and Incident Response. Prior to founding SefirTech, Pasquale was working at the Joint Research Centre (JRC) of the European Commission as Digital Forensics and Mobile Security Researcher, with particular interest in the security and privacy issues related to mobile devices communication protocols, mobile malware and cybercrime. He has also been involved in the development of the standard “ISO/IEC 27037: Guidelines for identification, collection and/or acquisition and preservation of digital evidence”, for which he led the WG ISO27037 for the Italian National Body in 2010. Author of many scientific publications, he has also been invited as speaker to several national and international conferences and seminars on Digital Forensics and as lecturer on the same subject for Politecnico di Milano and United Nations (UNICRI). Pasquale is a Ph.D. candidate at the Royal Institute of Technology (KTH) of Stockholm, holds an MSc in Computer Engineering from Politecnico di Torino and he’s certified GCFA, OPST, OWSE, ECCE. Twitter: @pstirparo
  9. Chapters of the report: Legal and policy making considerations; Analysis of the questionnaires; Conclusions and recommendations; Technical considerations.
  10. Analysis of the questionnaires
  11. Methodological remarks. The survey was carried out using a questionnaire containing 60 multiple-choice questions divided into sections related to the different aspects of the issue: practice patterns for smartphones, tablets and laptops; approach to the various networks; and, for all the applications on the devices, the use of passwords, the perceptions of the security risks, and the general interest in and knowledge of the topic. The target population was university students. The questionnaire was administered anonymously through the platform “Google Form” from September to November 2013 and it involved over 15 Italian Universities. 1012 questionnaires were collected. These presented responses from a wide range of geographic areas and degree choices (with a good mix of students from both the sciences and the humanities).
  12. Users Groups. The statistical technique helped in identifying 3 well-diversified groups, each one presenting homogeneous characteristics useful to define 3 users’ profiles: Light users, Medium users, Heavy users. Group shares shown on the slide: 38,3%; 24%; 37,4%.
  13. The sample: gender and study. Communication Science 8,9%; Law 29,6%; Other Faculties 22,2%; Computer science and engineering 39,3%. Smartphone and tablet users are 58% male and 42% female, in line with the higher male presence in IT studies.
  14. The use of mobile devices. Some preliminary questions aimed at understanding how students use their mobile devices and what they save on the devices. 70% take photos and videos with their smartphones and tablets; 27,7% store personal passwords on their devices; 97% save contacts/photos and videos; 75% “always or often” make phone calls, receive text messages/e-mails, browse the web, use Skype and social apps.
  15. The knowledge and fear of risks. How worried they are about the security of their mobile devices. Chart values: 33,4%; 5,6%; 53%; 8%.
  16. The knowledge and fear of risks. How secure they feel when doing these activities with their mobile devices
  17. The password use and management and the technologies to protect mobile devices. Protect mobile devices with PIN number: 28,8%; protect mobile devices with pattern lock: 23,9%; protect mobile devices with password/passphrase: 6,6%; protect mobile devices with biometrics (e.g. voice recognition): 0,6%.
  18. Technical solutions to protect data in mobile devices. 20% of the students do not know what these solutions are and another 20% do not use them. Among the systems used:
  19. Final question on self assessment. How they assess their knowledge on mobile security (%)
  20. Legal and policy making considerations
  21. Results of the survey and possible scenarios. PASSWORD: Students pay absolutely no attention to the password-relevant security requirements and simply use a predictable password. APPS: Students install software and applications from unauthorized stores or without giving importance to access rights. SHARING: The mobile device is passed on to someone else, in particular where it is sold second-hand or lent to someone.
  22. Results of the survey and possible scenarios. 27% of students interviewed save, on their device, pins and passwords used for private services; 40% of students interviewed do not log out after using a service online; 53% of students interviewed very rarely or never check the type of permissions required when downloading an app; 41% of students interviewed use open Wi-Fi systems to connect to the Internet on their mobile device using all types of functions.
  23. Password is tiring... It follows that one of the most critical issues to be tackled in the IT field is the fact that users need to be persuaded to use a password that can actually operate to protect their data. Our research in fact revealed that: 40% of students interviewed do not use a password to protect their mobile device; 41% of students interviewed said that, when asked to change their password, the new password that they create takes the form of a minor variation on the previous one; 5% are currently using two-factor authentication.
  24. Identity Theft – A fragmented scenario. 1. Lack of specific legislation on ID Theft. 2. Lack of National reporting System on ID Theft. 3. Different Penalties from Country to Country. “Comparative Study on Legislative and Non Legislative Measures to Combat Identity Theft and Identity Related Crime: Final Report”, RAND Europe, June 2011.
  25. Identity Theft. 1. Introduction of an ad hoc Legislation. 2. Reinforcement of the collaboration between national investigative bodies via an EU contact Network. • Centralized reporting system on EU Basis. A good example: CONSAP Project on ID Theft for the following project: Financial, TELCO and Insurance (Legislative decree 64/11).
  26. Cybersecurity Campaign Initiative. The Italian Data Protection Authority focuses attention on the correct use of mobile devices with its 'Fatti smart!' ['Be Smart!'] campaign. ENISA is organizing, in the coming months, a cybersecurity championship where university students compete on Network Information Security Challenge.
  27. Security v. Usability. 54.5% of the students go onto sites that require authentication via Google or Facebook. This confirms the extent to which usability is a determining factor in terms of the level of trust that a user places in an online service. Usability is the central issue in increasing the level of security of the mobile device.
  28. The Regulation of Mobile Devices in Universities. 1. D. Solove: “Schools are gathering and sharing a mammoth amount of personal data” (D. Solove, 5 Things School Officials Must Know About Privacy). 2. There is no clear security policy for mobile devices in Italian universities. 3. Not only the students, but also the professors are not always aware of cybersecurity risks. In certain American universities security standards (e.g. HIPAA) are imposed for mobile devices owned by students and university staff (Bring Your Own Device, BYOD) in order to verify their security levels (use of anti-virus software, updates to the operating system and encryption systems).
  29. Proposed Solutions and Initiatives: Awareness; Responsibility; Response; Ethics; Democracy; Risk assessment; Security design and implementation; Security management; Reassessment.
  30. Technical Considerations
  31. Awareness, knowledge and (false) perception. When asked to evaluate their knowledge of mobile security issues, on a scale from 1 to 10, a significantly high percentage of the respondents (55%) graded themselves between 6 and 8. This, however, contrasts with the average percentage of “correct” technical answers of the questionnaire, which was 29%. This discrepancy between perceived knowledge and actual knowledge, as conveyed through answers to technical questions, was confirmed by the different levels of confidence at the beginning and at the end of the survey. After going through the security questions in the survey, the confidence of university students in their level of knowledge falls from 82% of respondents evaluating their confidence above 6 before the survey, to 66% at the end. The possibility of a potential bias induced by the Dunning-Kruger effect should be taken into consideration, which is a cognitive bias in which unskilled individuals suffer from illusory superiority, mistakenly rating their ability much higher than is accurate. This bias is attributed to a metacognitive inability of the unskilled to recognize their ineptitude.
  32. Security Threats. Threats that may arise from the students' behavior and habits. General: habits and behaviors that may impact all security aspects, reflecting on all the threats. Identity Theft: habits that involve personal data and potential security and privacy threats. Economical: habits that may have economic consequences (losses) for the individuals.
  33. General Security Issues, which concern how respondents behave with respect to software updates and application permissions. 7% Of respondents perform regular updates to both mobile OS and apps 81 % Is the share of iOS devices in the wild outdated for longer than a year 4% of Android in the wild still run the 3 years old Gingerbread version 24% do not regularly update their mobile operating system (OS) or their mobile apps. Oddly enough, the presence in the market of old mobile OS versions, mainly related to Android phones, is still very high.
  34. General Security Issues, which concern how respondents behave with respect to software updates and application permissions. Chart values: 53,8%; 25,5%; 20,7%. Moving to the installation and usage of apps, almost 54% of the respondents never or rarely check the permissions apps require. Such behavior is a dangerous trend that needs to be addressed: overlooking the privileges an app requires increases the proliferation of malware, since users will install and click on “YES” on anything.
  35. Identity Theft. 96% of users store their Address Book on their phones, equipping it with personal photos and videos; just 25% of responders regularly log out when done using an app; 40% do not use any lock mechanism to prevent non-authorized access to the device; 52% claimed to forsake the security features in order to maintain easy access to the device.
  36. Economical Threats & the risk of mobile malware. It appears that users very often do not check the permissions required by the apps. This may be due to the fact that on some mobile platforms (Android, Windows Phone) permissions are granted in an “all or nothing” form. This is a dangerous model that trains people to overlook permissions, because they want to install that application no matter what the requisites are. This result becomes more worrisome if linked with the fact that 17% of the respondents install mobile applications from untrusted sources other than the official application markets. These two results together support the proliferation of mobile malware and particularly of the category of “toll fraud”, where the application silently subscribes the user to premium-rate SMS services.
  37. What about Secure Development? Among the respondents who declared that they develop mobile applications (either for fun or profit), only 28% were following the guidelines for secure mobile programming. Chart values: 8,5%; 40,1%; 28,2%; 23,2%.
  38. Proposed solutions and initiatives: from a Manufacturers and Vendors perspective. The questionnaire showed that the respondents are inclined to regularly update their devices. We can infer from this that they are conscious of the importance of software updates, but also that the procedures to update mobile devices and apps are considerably more intuitive than they used to be in the “desktop” environment. However, this result appears to be in contrast with some worrisome statistics concerning the number of mobile devices running outdated OSs. The reason for this, we can argue, lies in factors such as the market policies of carriers and manufacturers and, in the case of the Android platform, the extreme fragmentation of the market. Therefore a key role is played by vendors, who should be required to grant software updates for their products for a longer period of time.
  39. Proposed solutions and initiatives: from the Mobile Operating System perspective. Should allow users to install the applications without being obliged to accept all the permissions required. It has to be possible for users to revoke/grant any single permission at any time, without being compelled to reject the entire application. Should provide, alongside the device reset functionalities, the possibility of removing the users’ private data stored within the installed applications in a centralized and straightforward way. Should deliver advanced solutions to ease password management. In fact, although most of the respondents (85%) agree and understand the importance of having a passlock mechanism in place, still most of them struggle to use them.
  40. Proposed solutions and initiatives: from the mobile software development companies and individual developers perspective. Could enforce the use of (strong) passwords, imposing that advanced features of certain applications are enabled only if passwords have been properly configured. A similar approach could also be adopted to enforce the use of non-rooted/jailbroken devices. Should be liable in case the application does not implement the security mechanisms required to ensure the adequate storage and transmission of the users’ data. Policies, standards and laws should be introduced that establish the responsibility.
  41. Contact Us. Tech and Law Center: www.techandlaw.net; info@techandlaw.net; facebook.com/techandlawcenter; twitter.com/techlawcenter
