DOI: 10.1145/3544548.3581410
Research article, open access

A World Full of Privacy and Security (Mis)conceptions? Findings of a Representative Survey in 12 Countries

Published: 19 April 2023 Publication History

Abstract

Misconceptions about digital security and privacy topics in the general public frequently lead to insecure behavior. However, little is known about the prevalence and extent of such misconceptions in a global context. In this work, we present the results of the first large-scale survey of a global population on misconceptions: We conducted an online survey with n = 12,351 participants in 12 countries on four continents. By investigating influencing factors of misconceptions around eight common security and privacy topics (including E2EE, Wi-Fi, VPN, and malware), we find the country of residence to be the strongest estimate for holding misconceptions. We also identify differences between non-Western and Western countries, demonstrating the need for region-specific research on user security knowledge, perceptions, and behavior. While we did not observe many outright misconceptions, we did identify a lack of understanding and uncertainty about several fundamental privacy and security topics.

1 Introduction

Despite the huge amount of advice for users on staying safe and private online, users’ misconceptions exist across many aspects of digital security and privacy [1, 3, 16, 25, 46]. Users’ misconceptions likely lead to less secure behavior [17, 22], increasing users’ risk of being harmed. Understanding these misconceptions is thus considered an essential factor for providing users with accessible advice tailored to debunk misconceptions and is of critical importance to better educate users about secure online behavior [35, 38]. A multitude of usable security and privacy research focuses on advice and advice sources [30, 31, 32] as well as on whether and how users are aware of and understand certain security aspects, such as end-to-end encryption or HTTPS [1, 22]. Device usage and usage habits differ worldwide [40], thus misconceptions likely also differ around the world. However, most of the literature on (mis)conceptions focuses on participants from Western countries. See section A for an overview of related work organized by misconception topic and country studied. Although previous work has pointed to differences, particularly between Western and non-Western countries (see section 2), a comprehensive overview of users’ misconceptions across different topics and countries is still missing. Our study aims to fill this research gap by investigating (mis)conceptions around the world and shedding light on the prevalence and factors that influence security and privacy (mis)conceptions. In this paper, we therefore answer the following research questions:
RQ1: How widespread are misconceptions about digital security threats in various security and privacy-related topics around the world?
RQ2: What factors influence users’ misconceptions about various digital security and privacy topics?
To address our research questions, we conducted a quota-representative online survey with n = 12,351 participants in 12 countries from four continents representing 42% of the world’s population (see Figure 2). We cover a variety of cultures and countries differing in their economic status and Internet access. Our country selection was limited to countries for which online panel providers could offer an approximate representative sample. Therefore, the countries researched in this study are China, Germany, Great Britain, India, Israel, Italy, Mexico, Poland, Saudi Arabia, Sweden, the USA, and South Africa. By including countries around the world and various security and privacy-related topics, we shed light on which issues and factors are relevant in which country. We addressed (mis)conceptions for areas like secure communication, secure browsing, device security, and authentication.
Our key findings are:
Many users worldwide show neither high rates of agreement nor high rates of disagreement with a variety of digital security misconceptions. This indicates general uncertainty about these topics.
Some misconceptions are prevalent around the world, e. g., “It is important for the security of my user accounts to regularly change the password.”
Certain security aspects are globally recognized, e. g., the risk of shoulder-surfing.
One of the most important factors influencing user misconceptions is the country of residence, with greater differences between Western and non-Western countries.
Collectively, our findings provide a first overview of (mis)conceptions about security and privacy-related topics around the world. We discuss what factors influence the various misconception topics and which misconceptions are most prevalent in different countries.

2 Related Work

A number of previous studies investigated users’ understanding, misconceptions, knowledge, and behavior on digital security and privacy topics, including across different countries. The prior work presented in this section forms the foundation of our survey. Additionally, section 3 includes prior work on which we based certain parts of the questionnaire.

2.1 End User Understanding and Misconceptions

Prior work on user understanding and misconceptions is diverse, with studies researching understanding of the Internet as a whole, and other studies focusing on mental models of specific aspects like HTTPS.
In a qualitative interview study, Kang et al. [16] researched users’ knowledge and mental models of the Internet and how they affect users’ privacy and security decisions. Even though they found differences in mental models for the Internet of laypeople and users with computer science (i. e., technical) background, they could not find a direct relationship between technical background and security measures taken. However, participants with technical background were more likely to secure their connection and scored better on technical knowledge questions regarding privacy. The authors also found a correlation between awareness of threats and the number of privacy protection measures, suggesting that awareness is a better predictor for protective measures than technical background. Additionally, users stated that they refrained from taking protective actions due to beliefs such as “no one is interested in my data.” In an interview study with 59 users, Kocabas et al. [20] found that misconceptions about the protection of online accounts are widespread, especially the belief that one cannot do anything to protect their accounts.
In 2009, Klasnja et al.  [19] investigated privacy-threatening misconceptions of Wi-Fi users. Their results primarily show that users underestimated the risks of wireless network connections at that time, when HTTPS was not yet widespread and thus spying on private communication was comparatively easy.
In a qualitative interview study, Krombholz et al. [22] found that users confuse encryption and authentication, and underestimate the security benefits of HTTPS. The participants mistook a second authentication factor (e. g., for online banking) as an additional layer of encryption. Users also did not know about security indicators and reported that they had never noticed them. In an interview study investigating user perception of end-to-end encrypted communication tools, Abu-Salma et al. [1] also found participants to confuse encryption with authentication. Participants in this study additionally believed that encryption could be broken, especially by the service provider. Participants also perceived both text messages and emails to be more secure than instant messages.
Story et al. [38] researched the adoption and user perception of privacy tools, such as VPN, private browsing, and Tor in the US. They found that most participants were slightly concerned about their privacy but also stated that they knew how to use privacy tools. They discovered the misconception that these tools protect users from security threats. For example, participants believed that private browsing would prevent hacking, as it would make the device hard to find by hackers. These misconceptions can be harmful, as participants may feel more protected than they are. However, Story et al. also found that users had a certain understanding of privacy tools. Participants correctly stated VPN would “mask one’s IP address.” A study by Wu et al. [46] in which users were exposed to browsing scenarios found that they had misconceptions. Participants believed that private browsing mode would prevent disclosure of geolocation, advertisements, viruses, and tracking by both the websites visited and the network provider.

2.2 Cross-Cultural Studies on Privacy and Security

Previous research has found that perceptions and behaviors regarding security and privacy vary across countries. Recent research on disclosure of study context in CHI article titles [21] revealed that most authors and participants come from Western countries, particularly the United States and Europe. The authors found that the titles of papers explicitly mentioning the country were mostly from non-Western countries. They concluded that results from the US and Europe are considered as the “norm” in our research community, while studies from non-Western countries are viewed as “exotic”. The authors suggest reconsidering these norms.
A study by Wang et al. [44] on privacy attitudes and practices of social network sites (SNS) with users from India, China, and the US found differences in privacy concerns between participants. They found that Indian participants are the least concerned about their privacy. Even though US participants were most concerned about protecting their privacy, they were least likely to limit the visibility of their information on SNS. Chinese participants showed the greatest desire to restrict visibility.
Sawaya et al. [34] examined security behavior and its predictive factors in an online questionnaire study in seven countries: China, France, Japan, Russia, South Korea, USA and United Arab Emirates. The study found country, income, technical familiarity (a job or degree in technical areas), self-confidence, and technical knowledge to be significant predictors for security behavior. Participants’ confidence in their computer security knowledge had a larger effect on users’ security behavior than their actual knowledge. The authors report less security behavior by participants from Asia (especially Japan) compared to participants from the other countries.
Harbach et al. [13] conducted an online study on smartphone locking behavior across eight countries (Australia, Canada, Germany, Italy, Japan, Netherlands, United Kingdom, United States). The study found that the participants from non-US countries (except for Italy) were more likely to use a secure lock screen. In addition to country, demographic factors like age and gender were found to be significant predictors for using a lock screen. Older users were found less likely to use a secure lock screen. The authors also found differences between countries in whether users consider data on their smartphones as sensitive. Japanese participants perceived data on their smartphone as more sensitive than participants from other countries. Harbach et al. found the largest deviations from general result patterns in their study for a non-Western country.
In a questionnaire study with computer science students (master’s level) of different nationalities (mostly Finns and Chinese), Chaudhary et al. [5] researched security knowledge and attitudes. Even though all participants were IT students at the master level, they were found prone to security threats and to hold dangerous misconceptions. For example, they found students to overlook important security and privacy properties like “correctness of the URL”. The authors furthermore found that students rely on less secure measures, such as the look and feel of a website, when assessing the legitimacy of a website or email.

3 Methodology

Figure 1: Overview of the methodological approach and timeline of our study on privacy and security misconceptions.
To gain insights into users’ security-relevant misconceptions, concerns and attitudes, we conducted an online survey in 12 countries on four continents, accounting for 42% of the world’s population. Our sample is geographically and culturally diverse, including participants from countries such as Great Britain, Germany, South Africa, Saudi Arabia, or India (see Figure 2 for a complete overview on the surveyed countries). Our goal was to sample about 1,000 participants per country, leading to a total number of n = 12,351 participants. At the core of our study, we presented participants with statements reflecting common misconceptions about digital security from eight different security-relevant topics such as authentication, device security, or encrypted communication. Figure 1 provides an overview of our methodological approach, which is described in detail in the following sections.

3.1 Topic Selection and Item Generation

In the first step, we identified security threats to users in short workshops with seven interdisciplinary security and privacy researchers. Each researcher listed all digital security threats and advice for users they knew or researched, and we combined and summarized those lists. A subsequent discussion of the topics, specific advice, and threats resulted in a list of digital security and privacy aspects that carry the possibility of (mis)conceptions.
We complemented our workshop results with related research on security threats for users [3], on cybercrime reports of different countries [9, 36, 47], and on advice from experts for users to implement [32]. Based on these threats and this advice, we looked for corresponding literature mentioning user misconceptions on these topics. We focused on studies asking users about their threat models, mental models of digital security and privacy, and their beliefs about security and privacy. We manually clustered the topics identified in the workshops and the literature review into eight broad areas of misconceptions: End-to-end encrypted communication, four aspects related to surfing the Internet (HTTPS, Wi-Fi, VPN, private browsing mode), password and login processes, device security, as well as malware and deception. For each of these eight topics, we based some of our misconception statements on prior research on the respective topic and also included self-generated statements. Prior research, such as the studies by Kang et al. [16], Story et al. [38], and Anell et al. [3] presented a variety of misconceptions and were therefore used as a foundation for different misconception statements across topics. For each topic, we also included correct statements which represented correct functioning of the respective tool or measure, like “When I use a VPN, my internet provider can no longer see what websites I visit.” Based on previous research findings and applying advice on questionnaire design and wording [7, 26, 28], we carefully formulated most of the questions and statements in the questionnaire ourselves.

3.1.1 End-to-end Encrypted Communication.

One efficient measure to protect communication is to implement end-to-end encryption for emails and for messenger services. For this topic, we based our misconception statements mainly on the findings of Abu-Salma et al. [1], targeting especially how and from whom an end-to-end encrypted message is protected. An example statement is: “If messages are end-to-end encrypted, they can also be read by third parties during transmission.” We also included correct statements like: “If my chat messages are protected by end-to-end encryption, then my messages can only be read on my device and by the recipient; nobody else can access and read them in transit.” This topic consisted of nine statements.

3.1.2 HTTPS.

Misconceptions about HTTPS were generated on the basis of studies by Krombholz et al.  [22] and Story et al.  [38]. We generated five HTTPS-related statements for our questionnaire. Again, we included misconceptions like “If I visit websites that use HTTPS then other people that use my computer cannot see where I have been on the Internet”, as well as true statements about HTTPS like “If HTTPS is used on a website, my Internet provider does not know what I am clicking on the website.”

3.1.3 Wi-Fi.

The misconception statements relating to surfing the Internet with a special focus on Wi-Fi were inspired by the findings by Klasnja et al. [19]. One main threat mentioned by users was the hacking of their computers through Wi-Fi. Users also thought that hackers were able to see what the user sees. Although users in this study felt that these actions were not very common, we rely on this study for some of the five misconception statements about Wi-Fi. One example is “When I use a public Wi-Fi, other devices that are also using this Wi-Fi can generally see what data (e. g., passwords, credit card information) I enter on websites.”

3.1.4 VPN.

Our questionnaire also included misconception statements concerning surfing the Internet with special focus on VPN and the Tor browser, as those are effective privacy tools. Story et al. [38] found that users think privacy tools, like VPN, also protect them from security risks. More than half of the users in their study thought VPNs protect them from hackers gaining access to their devices. Therefore, we included eight misconception statements like “A VPN protects me from unauthorized persons getting access to my device.” Again, we also included true statements such as “Surfing via the Tor network prevents my Internet provider from seeing what websites I visit.”

3.1.5 Passwords and Login Processes.

The digital security topics users are most likely to face are password and login processes, as many devices and services require authentication methods. Therefore, users face a lot of advice and myths relating to secure authentication, not only in a work environment, but also in daily life, i. e., password policies when setting up accounts. We generated 17 statements for this topic. Our statements were inspired by the systematic literature review by Mayer and Volkamer [25]. They identified 23 misconceptions about password security, e. g., that a word from another language or someone else’s date of birth would be a secure password. We based some statements on these findings, e. g., “A date of birth is a secure password as long as it isn’t my own date of birth.” We also included statements about biometric authentication, as these methods are nowadays widely used. Statements about password managers were included, as they help users to store and generate secure passwords. As for all topics, we also included correct statements, e. g., “Password managers generate secure passwords that cannot be guessed, even with technical assistance.”

3.1.6 Device Security.

Under the topic of device security, we subsume measures that users take to secure their various devices, e. g., using anti-virus software and their updating behavior. We based our nine statements for this topic on a variety of papers [3, 20, 25, 32] that reported on measures to secure devices. They, for example, found users to be afraid of physical theft of their devices. One example of our misconception statements is “Even if my laptop is stolen, my data is secure because my user account is protected by a password.” We also included true statements like “To protect the data on my laptop even if it is stolen, a hard drive encryption must be used.”

3.1.7 Malware and Deception on the Internet.

Misconceptions related to malware and deception on the Internet included statements about how malware can be spread and the damage it may cause, but also about phishing and malicious websites. Our 16 malware and deception-related statements were derived from literature about malware myths [45], and from literature on the trustworthiness of websites and user interaction with phishing [8, 18]. One malware myth we integrated is “If I don’t discover anything suspect on my computer, then it is not infected with malware.” Regarding phishing and fake websites, one example statement is “As long as a website looks official, I can enter my login data without concern.” We also included true statements like “Links in emails can lead to fake websites to gather my login data.”

3.1.8 Private Browsing.

We generated six misconception statements related to surfing the Internet with a special focus on private browsing. Some of these statements were based on the misconceptions described by Wu et al. [46]. The authors state that users think that private browsing mode could protect them from, e. g., viruses, advertisements, and tracking. Therefore, one of the statements in our survey is “The private browser mode prevents malware from reaching my device.” Again, we also included true statements like “The private browser mode protects me from other people using my device from being able to track my activities.”

3.2 Questionnaire Design

In addition to misconceptions, our questionnaire asked a number of questions about various aspects of digital security and privacy. The following sections outline and explain only the questions we used for this paper. The complete version of the questionnaire can be found in section B.

3.2.1 Introduction.

At the beginning of our questionnaire, we introduced the topic, our research interest and provided information on data handling and privacy. All participants gave informed consent before proceeding.

3.2.2 Demographics and Internet Usage.

The first part of our questions consists of demographic questions and questions concerning the general Internet usage of participants. Participants were asked what devices they use (Q1, Q2), whether they had been affected by different cybercrimes like malware (Q7), and whether and where they look for information about digital security (Q8). We based question Q7 about cybercrimes on a survey from the BSI (German Federal Office for Information Security) [47].

3.2.3 Misconceptions.

The misconceptions outlined in section 3.1 were randomly presented grouped by topic to avoid sequencing effects. Within each topic, the misconception and true statements were displayed in mixed and random order. For each statement, participants were asked to indicate their agreement on a five-point rating scale by Rohrmann [33], ranging from “1–fully disagree” to “5–fully agree.” Additionally, the option “I don’t understand the statement” was available. For each topic, we formed a single misconception score, for which higher values indicate agreement with misconceptions. For this score, ratings for the correct statements were inverted.

3.2.4 Concerns and Attitudes.

This questionnaire section started by asking participants how important it is to protect themselves from different threats like malware (Q17). We based this measurement on the survey by Story et al. [38] and used a five-point rating scale by Rohrmann [33] ranging from “1–not important” to “5–very important.” Again, the option “I don’t understand the questions” was available.
The next question (Q18) consisted of statements starting with “How concerned are you...” and covered concerns related to the misconceptions. An example statement is “How concerned are you that when using messenger services your messages could also be read by unauthorized persons?” Again, we used a five-point rating scale ranging from “1–not concerned” to “5–very concerned” and participants were able to answer “I don’t understand the question.”
Question Q19 focused on common attitudes which we grouped into three categories:
(1) Nobody is interested in my data (e. g., “I am not rich or famous, so nobody is interested in accessing my data.”)
(2) Encryption (e. g., “Encryption is bad because it is used by hackers and criminals, e. g., for illegal activities.”)
(3) Digital security is complicated (e. g., “Digital security is annoying.”).
Participants were also asked which measures they use for their digital security, like updates (Q20). We based the queried measures on commonly known security measures and expert advice [32]. We additionally listed a number of different data, e. g., name, address, health data, and asked participants to indicate how important it is for them to protect the respective data on the Internet (e. g., from external access and theft; Q21). The response options were again a five-point rating scale that ranged from “1–not important” to “5–very important”.
The next question (Q22) asked participants how likely they believed different groups or individuals were to pose a risk to their digital security, e. g., unauthorized access to their personal data, stalk them online or restrict their access to digital services. We listed groups like family and friends, work colleagues, and officials from [insert country name], such as police, secret services, and the government. The response scale was a five-point scale ranging from “1–not likely” to “5–very likely”. Finally, we asked whether participants had practical experience in the computer science, computer technology, or information technology fields. Answer options were “yes”, “no”, or “prefer not to answer”.
The questionnaire contained a few other questions that will not be discussed further here because they do not fit the research questions of this study (e. g., participants’ communication behavior). The full survey is included in section B.

3.3 Survey Implementation and Panels

To research and understand how experiences, concerns, and misconceptions about security-relevant issues differ around the world, we decided to conduct our representative survey in twelve countries on four continents: China (CHN), Germany (DEU), India (IND), Israel (ISR), Italy (ITA), Mexico (MEX), Poland (POL), Saudi Arabia (SAU), South Africa (ZAF), Sweden (SWE), Great Britain (GBR), and the United States (USA). This list attempts to strike a balance between a wide geographic – and to some extent cultural – diversity and countries amenable to high-quality online surveys. More specifically, the following criteria led us to include the respective countries in our study: China and India are the most populous countries in the world and likewise the countries with the most Internet users [37]. In China in particular, Internet usage in terms of apps and providers differs from other countries, where services from US technology companies often dominate. The populations of Germany, the United Kingdom and the United States are regularly the subject of studies due to their research and university landscapes and are correspondingly well researched. The data collected here are therefore particularly well suited as a baseline and for comparisons with other studies. We included Israel in our study because of its strong cyber security industry and education [2]. Italy, Poland and Sweden are representatives of (Southern, Eastern and Northern) Europe, which is the geographical focus of our study. In addition, the Swedish population is considered to be particularly privacy-conscious [10]. Lastly, we selected Mexico, Saudi Arabia, and South Africa as populous representatives of Latin America, the Middle East, and Africa. All countries surveyed together account for 42% of the world’s population.
Figure 2: Online Survey in 12 countries with a representative sample of about 1,000 participants per country (total number of n = 12,351 participants). The surveyed countries account for 42% of the world’s population. The colored legend shows each country’s share of the world population, e. g., the USA has a 4.3% share of the global population, placing it as the third most populous country surveyed in our online questionnaire.
We first created a German-language preliminary version of our survey to estimate the processing time and ensure comprehensibility. Based on feedback from a snowball sample of friends, families, and other researchers, we continuously improved the questionnaire. We also conducted a pilot study to test our questionnaire with 100 participants recruited via Prolific. We changed the wording of some statements and improved the questionnaire according to the results of the pilot testing.
We commissioned Kantar Lightspeed, a full-service provider of online surveys that maintains panels world-wide, to conduct our survey including survey implementation and translation, participant recruitment, compensation, and data quality assurance. In the first step, Kantar implemented the German-language version of the survey according to our requirements. Next, a professional interpreter translated the survey into English, and several members of our research team carefully reviewed the translation. The full English-language survey, including all implementation instructions, can be found in section B. Based on the English survey version, the translations into Arabic, Chinese, Hebrew, Italian, Polish, Spanish, and Swedish were then likewise carried out by professional translators commissioned by Kantar.
International surveys pose a number of challenges related to the required translations, e. g., technical terms or different educational systems. We have mitigated these problems by using professional translations, back translation with native speakers (see [13, 34]), and the use of internationally established methods for measuring education, such as the ISCED [41]. For the back translations, we recruited native speakers from our personal and professional circles to read through the survey with a participating researcher and back-translate it into English or German. In the process, all translations proved to be of high quality, so that overall only a handful of translation errors had to be corrected.
Data collection in all twelve countries took place between mid-December 2021 and early February 2022. Participants were chosen as a quota-representative sample in terms of age, gender, education, region, and, in the US, ethnicity. Quotas were set by Kantar based on the most recent census data available. Kantar did not disclose the actual participant compensation to us. However, they calculated with costs of € 2.51 (in China, India, Italy, Mexico, Poland, South Africa, UK and USA), € 2.61 (in Germany), € 3.20 (in Sweden), € 3.45 (in Saudi Arabia), and € 5.25 (in Israel) per complete. The compensation to be expected is – at least in some of the countries – below the respective legal minimum wage. Rather, participant compensation appears to be in a similar range to compensation on crowdworking platforms [27]. However, we had no influence on the compensation and according to Kantar these amounts are in line with industry standards. We cannot verify this assertion because we do not have comparative data on compensation for online panelists.

3.4 Quality Assurance and Representativity

The panel provider ensured data quality by removing speeders and participants who clicked certain answer patterns. Speeders were defined as participants answering the survey in less than 50% of the median answer time. To further increase the quality of the data, we included an attention check question (“This is a control question. Please click on the answer ‘mainly agree’.”) in Q13 and participants who answered this question incorrectly were sorted out.
Kantar provided us with one data set per country. We checked all data sets for complete or partial duplicate entries, word-identical answers in open-ended question Q5, and click patterns, but could not detect any anomalies. We then merged the country-specific data sets into a single final data set.
Representativity quotas for age and gender were matched with a maximum discrepancy of 4% for all countries. The quotas for educational representativeness could not be met for China, India, Italy, Mexico, Saudi Arabia, and South Africa because their proportion of the population with a low level of education (ISCED levels 0-2 [41]) is relatively high and it is particularly difficult to reach them via (online) surveys. Region quotas were met with high accuracy for all countries except Israel and Saudi Arabia, for which reliable data were not available in our panel provider’s database. In these two cases, we set and achieved the quotas for the regions using a best-effort approach based on publicly available data.

3.5 Data Analysis

Before starting our analysis, we assessed the “I don’t understand the statement/question” answers per item. For the misconception items (Q9 - Q16) the average frequency of this answer was 4.3%, which is rather low. We thus did not exclude any items based on this assessment. For the subsequent analysis the “I don’t understand this statement/question” answers were excluded. We then started with a descriptive analysis of the misconception statements. We calculated mean values and standard deviation for each misconception statement. We also combined the ratings of all misconception statements of one topic, e. g., E2EE (Q9), to one mean value, i. e., one single score per misconception topic. Internal consistency for these scores was satisfactory [4] with all Cronbach’s Alpha values above 0.70, except for E2EE (Q9), see Table 1.
For analyzing factors influencing the different misconceptions, we used the aforementioned misconception scores (Q9–Q16) for each topic as the outcome variable of our analysis. As our model included metric as well as continuous predictors, we used a special form of regression analysis – namely covariance analysis (lm model in R) – as suggested in the literature [23]. For all metric predictors, scales consisting of all the sub-questions were calculated. Internal consistency was acceptable [4] to good for these scales with all Cronbach’s Alpha values above 0.80, with only one exception (Q19–encryption; 0.51). For an overview of all values, see Table 6 in section D. We standardized these scales (i. e., all metric values) and the outcome variable for the subsequent analysis. Predictors and corresponding baselines are listed in Table 3 and are explained in section 3.2. For some predicting factors, we grouped several answer options into categories for our analysis:
Q1. Device Usage – We grouped answers in four categories, no device usage (baseline), using one of the named devices (few), using two to three devices (moderate), using four to six devices (many).
Q7. Experiences – We grouped the answers into two categories, participants with no experiences with cybercrime (no – baseline) and participants having experiences with cybercrime (yes).
Q8. Information – We grouped the answers into two categories, participants not seeking information about digital security (no – baseline) and participants looking for this information (yes).
Q20. Measures taken – We grouped the measures taken by participants to secure their devices and accounts similar to Q1 in four categories, none (baseline), one to five measures (few), six to nine measures (moderate), ten to thirteen measures (many).
Q25. IT Experience – We grouped the answers into two categories, participants being experienced with IT security or related fields (yes) and participants without experience in this field (no – baseline).
| N | Misconception Topic | adjusted R² | α |
|---|---|---|---|
| 11484 | Q9. E2EE Messenger | 0.14 | 0.64 |
| 11476 | Q10. HTTPS | 0.13 | 0.76 |
| 11558 | Q11. Wi-Fi | 0.10 | 0.82 |
| 11001 | Q12. VPN | 0.08 | 0.79 |
| 11641 | Q13. Password and Login | 0.38 | 0.77 |
| 11621 | Q14. Device Security | 0.30 | 0.73 |
| 11626 | Q15. Malware and Deception | 0.40 | 0.81 |
| 11391 | Q16. Private Browsing Mode | 0.16 | 0.94 |

Table 1: Misconception scales and covariance model criteria per topic for Q9–16 including number of participants (N), misconception topic, adjusted coefficient of determination (explained variance; adjusted R²), and reliability coefficient Cronbach’s alpha (α).
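The following Python example is added here and is not the authors' code (their analysis used R). It applies the quality filters from section 3.4 (speeders below 50% of the median completion time, the “mainly agree” attention check) and computes the per-topic mean score and Cronbach’s alpha described above. The respondent rows are constructed, and coding “I don’t understand” as None and using listwise deletion for alpha are assumptions of the example.

```python
from statistics import mean, median, variance

# Constructed sample rows (not study data): respondent id, completion time in
# minutes, attention-check answer, and 1-5 ratings for three items of one
# misconception topic. None marks an "I don't understand the
# statement/question" answer (this coding is an assumption of the example).
ROWS = [
    ("r1", 20.0, "mainly agree", [4, 5, 4]),
    ("r2", 22.0, "mainly agree", [2, 2, 3]),
    ("r3", 8.0, "mainly agree", [3, 3, 3]),     # faster than half the median
    ("r4", 24.0, "fully agree", [5, 5, 5]),     # fails the attention check
    ("r5", 18.0, "mainly agree", [3, None, 4]),
    ("r6", 26.0, "mainly agree", [5, 4, 5]),
    ("r7", 21.0, "mainly agree", [1, 2, 1]),
]

ATTENTION_ANSWER = "mainly agree"
ALPHA_THRESHOLD = 0.70  # internal-consistency threshold used in the paper


def quality_filter(rows):
    """Drop speeders (< 50% of the median completion time) and respondents
    who answered the attention check incorrectly."""
    cutoff = 0.5 * median(r[1] for r in rows)
    return [r for r in rows if r[1] >= cutoff and r[2] == ATTENTION_ANSWER]


def dont_understand_rate(rows):
    """Share of item answers coded as 'I don't understand'."""
    answers = [a for r in rows for a in r[3]]
    return sum(a is None for a in answers) / len(answers)


def topic_score(ratings):
    """Mean of the understood items; None when no item was understood."""
    understood = [a for a in ratings if a is not None]
    return mean(understood) if understood else None


def cronbach_alpha(rows):
    """Cronbach's alpha over respondents with complete answers.

    alpha = k/(k-1) * (1 - sum(item variances) / variance(total score)).
    Listwise deletion of incomplete respondents is an assumption here.
    """
    complete = [r[3] for r in rows if None not in r[3]]
    if len(complete) < 2 or len(complete[0]) < 2:
        raise ValueError("need at least two items and two complete respondents")
    k = len(complete[0])
    item_var = sum(variance(col) for col in zip(*complete))
    total_var = variance([sum(r) for r in complete])
    if total_var == 0:
        raise ValueError("total scores have zero variance")
    return k / (k - 1) * (1 - item_var / total_var)


if __name__ == "__main__":
    kept = quality_filter(ROWS)
    print("kept respondents:", [r[0] for r in kept])
    print("'don't understand' rate: %.1f%%" % (100 * dont_understand_rate(kept)))
    for rid, _, _, ratings in kept:
        print(rid, "topic score:", round(topic_score(ratings), 2))
    alpha = cronbach_alpha(kept)
    print("Cronbach's alpha: %.3f (>= %.2f: %s)"
          % (alpha, ALPHA_THRESHOLD, alpha >= ALPHA_THRESHOLD))
```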
For the analysis of influential factors for misconceptions, we conducted one covariance analysis per misconception topic (Q9–Q16). We started each covariance analysis with only country as predictor and iteratively included predictors based on their contribution to the model, i.e., their coefficient of determination (R²), starting with the highest one. We included the predictors into the model iteratively based on three model fit criteria: maximal coefficient of determination (R²), minimal Akaike information criterion (AIC), and ANOVA test (between the two models, with and without the new predictor). The model resulting from these iterations was afterwards compared to a model including all the predictors, using the same criteria. We report the model with the best fit for each misconception topic (Q9–Q16) in Table 3. Therefore, the different models do not consist of the same predictors. The predictors excluded from each model are listed in section C. We used standardization for predictors and outcome variable to compare results across models, thus all reported estimates are standardized.
Results of the covariance models are shown in Table 3. Positive estimates indicate positive influences on having misconceptions, negative estimates indicate a negative influence on holding misconceptions.

3.6 Ethics and Data Protection

Our institution has neither an institutional review board (IRB) nor an ethics review board (ERB) that we could consult for our study. Nonetheless, we followed best practices of user research [43] and data protection guidelines, including the European GDPR. All data protection measures were reviewed and approved by our institution’s data protection office. In addition, Kantar, our panel provider, has committed to abide by the ICC/ESOMAR Code of Conduct, which sets out ethical and professional obligations when conducting (online) surveys [15]. The panel provider signed an agreement with our institution to comply with strict GDPR guidelines for participants in all countries surveyed. We also provided a debriefing document stating reasons why and which of the statements in our survey were true and which represented misconceptions. For technical reasons, the panel provider emailed the debriefing to the participants after the survey.

3.7 Limitations

Although we have done our best to include one country for each world region, our country sample is primarily focused on the Eurasian continent. This is particularly related to the availability of high-quality online panels. It is possible that the inclusion of additional countries from Africa, Asia, and Latin America could provide further insight into privacy and security perceptions and behaviors in these areas. For the same reason, we also lack data on different ethnicities for most countries. However, we were able to include representative quotas on ethnicity for the US sample. In addition, it is very difficult to reach older people and people with little education with online panels in general (see [29, 39]) and especially in countries in the global South. Therefore, we could not meet the representative education quotas for a number of countries. While we believe that we have reached and studied a broadly representative sample of Internet users in these countries as well, it may be worthwhile to specifically address the digital security needs of people with lower levels of education again in future studies. Two of the scales included in our survey exhibited less than acceptable internal consistencies (α<0.70, Q19-E2EE and Q9-E2EE). We can only speculate that this may be due to the rather complex, unfamiliar subject matter of these scales for the participants. Because all items were rated as important in our pilot test, we refrained from excluding these scales. However, the lower internal consistencies must be taken into account when drawing conclusions from the corresponding results.

4 Results

In this section, we first describe our sample based on demographic data and device usage. We then briefly compare misconception prevalence per country and finally take a look at the factors that significantly influence misconceptions on the eight different security and privacy relevant topics (see section 3.1).

4.1 Sample Description

In Table 2, we provide demographic information (gender, age, and education) about our participants as well as information on the used devices and median completion times per country. In our sample, smartphones, laptops and PCs as well as tablets were the most used devices with rather similar usage rates across countries. Smart speakers and wearables were much less used, with a tendency of higher usage rates in Asian countries.
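| | CHN (1025) | DEU (1019) | GBR (1018) | IND (1018) | ISR (1024) | ITA (1019) | MEX (1045) | POL (1054) | SAU (1021) | SWE (1049) | USA (1029) | ZAF (1048) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gender (%) | | | | | | | | | | | | |
| Female | 46.6 | 49.5 | 51.1 | 46.0 | 49.7 | 52.0 | 49.2 | 50.3 | 41.5 | 50.4 | 51.6 | 50.2 |
| Male | 51.9 | 49.2 | 48.3 | 50.9 | 44.5 | 46.7 | 47.0 | 44.5 | 49.8 | 48.6 | 46.8 | 44.6 |
| Other | 1.5 | 1.3 | 0.6 | 3.1 | 5.8 | 1.3 | 3.8 | 5.2 | 8.7 | 1.0 | 1.6 | 5.2 |
| Age (%) | | | | | | | | | | | | |
| 18–24 | 9.6 | 7.4 | 8.6 | 19.8 | 14.1 | 8.1 | 19.3 | 9.8 | 19.0 | 11.0 | 11.0 | 21.9 |
| 25–39 | 35.1 | 22.7 | 25.5 | 37.8 | 31.3 | 20.3 | 36.3 | 28.5 | 54.6 | 23.3 | 25.1 | 40.7 |
| 40–54 | 41.8 | 27.4 | 26.7 | 25.7 | 24.3 | 29.6 | 26.9 | 24.7 | 24.0 | 25.3 | 27.0 | 23.8 |
| 55+ | 13.5 | 42.5 | 39.2 | 16.7 | 30.3 | 42.0 | 17.5 | 37.0 | 2.4 | 40.4 | 36.9 | 13.6 |
| Education (%) | | | | | | | | | | | | |
| Low (ISCED 0-2) | 8.0 | 15.4 | 18.8 | 3.8 | 9.2 | 15.5 | 30.6 | 3.4 | 7.5 | 9.7 | 2.6 | 25.5 |
| Medium (ISCED 3-4) | 36.3 | 51.9 | 33.3 | 36.0 | 34.9 | 54.3 | 28.7 | 58.5 | 38.8 | 43.4 | 40.5 | 39.7 |
| High (ISCED 5-8) | 55.4 | 32.4 | 47.7 | 58.0 | 54.3 | 29.9 | 40.1 | 37.8 | 53.1 | 45.6 | 55.6 | 31.6 |
| Other | 0.3 | 0.3 | 0.2 | 2.2 | 1.6 | 0.3 | 0.6 | 0.3 | 0.6 | 1.3 | 1.3 | 3.2 |
| Q1. Device Use (%) | | | | | | | | | | | | |
| Smartphone | 99.8 | 92.7 | 88.8 | 98.8 | 96.9 | 97.7 | 94.5 | 96.4 | 97.8 | 95.2 | 88.8 | 97.8 |
| Tablet | 51.6 | 45.4 | 50.6 | 37.5 | 30.0 | 52.0 | 43.0 | 38.3 | 45.6 | 49.2 | 43.5 | 34.6 |
| Laptop | 72.3 | 68.7 | 71.6 | 76.0 | 72.0 | 73.2 | 59.3 | 83.6 | 69.2 | 73.5 | 60.4 | 74.8 |
| Stationary PC | 63.1 | 49.0 | 37.1 | 41.9 | 61.3 | 54.7 | 41.9 | 45.2 | 42.7 | 44.7 | 42.2 | 30.7 |
| Smart Speaker | 36.7 | 17.8 | 26.8 | 36.1 | 7.1 | 25.9 | 22.7 | 6.2 | 17.7 | 12.5 | 24.5 | 8.1 |
| Wearable | 32.2 | 14.1 | 20.1 | 38.3 | 16.5 | 23.2 | 15.5 | 25.0 | 34.9 | 13.7 | 16.9 | 18.4 |
| Completion time (min) | | | | | | | | | | | | |
| Median | 19.5 | 21.5 | 19.7 | 24.8 | 24.0 | 22.2 | 30.2 | 25.9 | 24.6 | 24.2 | 21.9 | 32.3 |

Table 2: Participant demographics. Data for gender, age, education, and completion time in minutes as delivered by our panel provider. Information about participants’ device use was collected in the questionnaire. Ethnicity was collected only for the US by our panel provider (White: 70.3%, African American: 11.5%, Hispanic/Latino: 9.6%, Asian: 6.0%, Other: 2.2%).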

4.2 RQ1: Misconceptions Around the World

The descriptive analysis of our misconceptions – to answer RQ1 – revealed that participants around the world are rather unsure about the queried misconceptions. The mean values for all misconception scores (see section 3.2.3) are located around the middle of the scale (“3 – neutral”). However, in the following sections we describe differences between countries and misconception topics and highlight specific misconceptions participants mostly agreed or disagreed with (mean > 4 and mean < 2).

4.2.1 Misconception Scores (Q9–Q16).

For all misconceptions we found moderate agreement, ranging around the middle of the scale with only very slight outliers. Figure 3 illustrates the score mean values for each misconception topic in all surveyed countries. For these score mean values, values closer to five show agreement with misconceptions and mean values closer to one indicate disagreement with the respective misconception topic.
Figure 3: Comparison of mean values per country across our eight misconception topics. Darker colors show agreement with misconceptions and lighter colors show disagreement with misconceptions.
Across all countries and topics, we observed score mean values from M = 2.51 up to M = 3.51 with standard deviations ranging from SD = 0.29 up to SD = 0.69. These results indicate that participants were more or less unsure about a lot of the posed misconceptions. The rather small standard deviations show that our data is gathered around the mean, hinting at a rather small amount of variation in the participants’ answers. This shows that participants from the same country rated the statements similarly. German participants showed the least agreement with nearly all misconception topics, indicating that they least believed the misconceptions, even though most of the values were around the middle of the scale. Participants from China and India indicated the highest agreement with many misconceptions across topics, with some mean values, e. g., Q11 in China, leaning towards agreement (“4 – mainly agree”). We observed the smallest mean value for German participants on the topic of malware (Q15), with a score mean of M = 2.38 and a standard deviation of SD = 0.56. We found the highest score mean with M = 3.51 for Chinese participants and misconceptions relating to Wi-Fi (Q11). The misconceptions for Wi-Fi (Q11) got the most agreement across all countries and misconceptions about malware (Q15) got the most disagreement.

4.2.2 Dominant Misconception Statements.

When looking at specific misconception statements, we found participants’ agreement (M > 4) or disagreement (M < 2) with thirteen statements comprising misconceptions as well as correct statements of digital security and privacy tools or concepts.
We investigated more closely the statements with mean values less than two and greater than four, indicating clear disagreement and agreement with those (mis)conceptions.
One misconception that participants from all countries except Saudi Arabia (M = 3.96) agreed with (M > 4) was the importance of changing passwords regularly (Q13-6): “It is important for the security of my user accounts to regularly change the password.” This advice was given to users for many years, but regularly changing the password only puts a burden on users and rather does not improve security [6, 12, 25], except for when the account is compromised. We see that users still believed that this advice is true even though it is no longer given but rather discouraged. Another misconception participants from all countries agreed with was “My PC can get infected with malware by clicking on a link” (Q15-10) – which is only true in cases of sophisticated zero-click attacks like Pegasus [24] that only aim at single high-value targets. In the vast majority of cases, when browser and operating system are kept up-to-date, clicking on a link is not sufficient to install malware on a computer. Only the download and further interaction with a file would be dangerous. Participants from India agreed (M = 4.05) with the misconception that HTTPS indicates a website’s trustworthiness (Q10-4), when in fact HTTPS only indicates a secure connection. Participants from other countries (except for Israel, Germany, and the US) also rather agreed with this statement (M > 3.5). We rated this statement as a misconception as even fraudulent websites can set up HTTPS and thus, the user transmits their data over a secure connection to the offenders.
We observed agreement (M = 4.09) from Chinese participants for the misconception statement “When I am connected to a public Wi-Fi, it is easy to infect my device with malware” (Q11-3). We rated this statement as a misconception, as it does not consider the device configuration, like up-to-date anti-malware components, which will protect from being infected with malware. For this statement all other countries also tended to agree with mean values above M = 3.5.
We observed a misconception regarding two-factor authentication for participants from Saudi Arabia and Germany, who agreed (M = 4.03, M = 4.10) with the statement “I have to log in to online banking with two processes so that the connection is encrypted, for example, with a password and TAN (transaction number)” (Q13-13). This shows that participants misunderstand and confuse encryption and authentication, which was also found by Krombholz et al. [22]. Participants from Saudi Arabia (M = 4.03) as well as from China (M = 4.3) believed that the content of a website reveals potential threats emerging from this website (“Is it more likely to pick up malware from visiting a porn website than visiting a website on the topic of sport” Q15-3).
We also observed disagreement with some misconception statements. Participants from South Africa disagreed (M = 1.83) with the statement that locking one’s device is not necessary (Q14-6), indicating that they might think it is necessary security-wise, which is true. German participants disagreed (M = 1.74) with the statement “I can click on attached files without concern for an email that is addressed to me directly.” (Q15-11), revealing that they were familiar with phishing and the fact that phishing emails can be directly addressed to the recipient. We observed disagreement (M = 1.87) from German participants with the statement “As long as a website looks official, I can enter my login data without concern” (Q15-12). As malicious websites often imitate real websites to phish people, the look and feel of a website is not a sufficient indication of whether it is real or fake.
Similar to disagreeing with misconception statements, we also observed agreement with true statements (M > 4). Participants from all countries agreed (means ranging from 4.19 to 4.51) with the statement that special characters and numbers lead to increased password security. We rated this statement as true, as generally speaking, the security of a password is enhanced when the number of possible combinations is increased by using additional characters like numbers or special characters. Shoulder-surfing is a security risk participants from all countries were aware of, with highest awareness (agreement values for Q14-1) in Germany, Poland, Sweden, UK, the US, and South Africa. The possibility of unnoticed malware on one’s device was also familiar to all participants with highest awareness in Germany and Sweden (agreement with Q15-7). The concept of ransomware was somewhat known by all participants (mean values for all countries > 3.5) with highest agreement values in Germany, Israel, and Sweden (Q15-8). We observed the same for the concept of phishing (Q15-16), with mean values for all countries ranging between 4 (China) and 4.4 (Germany).

4.3 RQ2: Factors Predicting Misconceptions

In this section, we report on our results regarding RQ2, showing which factors predict security-related misconceptions. Even though we calculated the covariance models per misconception topic, we ordered results by predicting factors for better comprehension. Due to standardization of the predictors we were able to compare factors across models. All significant predictors with estimates and corresponding significance levels are listed in Table 3. Overall, we observed the highest estimate values for country of residence followed by security measures taken, attitudes regarding privacy and security as well as device usage. The adjusted R² values for every misconception topic are shown in Table 1. Adjusted R² represents the proportion of variance for the outcome variable that is explained by the predictors (considering the number of predictors). We observed mixed results. For misconceptions regarding passwords and login processes (Q13), device security (Q14) as well as malware and deception (Q15), our prediction factors explained 30% – 40% of variance. For all other topics, however, our predictors only accounted for 8%-16% of the variance.
| Predictor | Q9 E2EE | Q10 HTTPS | Q11 Wi-Fi | Q12 VPN | Q13 Passwords | Q14 Device Security | Q15 Malware | Q16 Priv. Browsing |
|---|---|---|---|---|---|---|---|---|
| Age (baseline: 18-24) | | | | | | | | |
| 25-39 | 0.07* | | 0.13*** | | 0.06* | | | 0.17*** |
| 40-54 | | | 0.20*** | | | | -0.11*** | 0.19*** |
| 55+ | 0.11*** | | 0.22*** | 0.10** | | 0.06* | -0.07** | 0.27*** |
| Gender (baseline: Male) | | | | | | | | |
| Female | 0.07*** | | -0.09*** | 0.06*** | 0.04* | | | 0.16*** |
| Education (baseline: High - ISCED 5-8) | | | | | | | | |
| Low (ISCED 0-2) | | | -0.20*** | | 0.07** | 0.09** | 0.19*** | 0.13*** |
| Medium (ISCED 3-4) | | | -0.05* | 0.06** | 0.04** | 0.04* | 0.06*** | 0.08*** |
| Q1. Device Usage (baseline: none) | | | | | | | | |
| Few (1) | | | | | | | | |
| Moderate (2-3) | | | 0.50** | | | | | |
| Many (4-6) | 0.38* | | 0.60*** | 0.16* | | | | |
| Q7. Experience (baseline: No) | | | | | | | | |
| Yes | | -0.07*** | | -0.08*** | | -0.07*** | -0.06*** | -0.03** |
| Q8. Information (baseline: No) | | | | | | | | |
| Yes | 0.01*** | 0.13*** | | 0.11*** | 0.08*** | 0.11*** | 0.10*** | 0.09*** |
| Q17. Prevention | -0.03** | | | | -0.07*** | -0.07*** | -0.07*** | -0.03** |
| Q18. Concerns | 0.10*** | 0.04** | 0.13*** | 0.09*** | 0.10*** | | 0.03*** | 0.06*** |
| Q19. Attitudes | | | | | | | | |
| E2EE | 0.12*** | -0.09*** | | | 0.11*** | 0.02* | 0.05*** | 0.03* |
| Interest | 0.15*** | 0.21*** | | 0.12*** | 0.30*** | 0.36*** | 0.37*** | 0.21*** |
| Complicated | 0.04** | | 0.07*** | | 0.09*** | 0.05*** | 0.03*** | |
| Q20. Measures Taken (baseline: None) | | | | | | | | |
| Few (1-5) | | | | | -0.16** | | -0.09*** | |
| Moderate (6-9) | | | 0.14** | -0.15* | -0.30*** | | -0.34*** | -0.17** |
| Many (10-13) | | | 0.29*** | -0.14* | -0.31*** | -0.14* | -0.38*** | -0.17* |
| Q21. Data Protection | 0.03* | 0.06*** | | 0.04*** | 0.08*** | 0.11*** | 0.11*** | 0.08*** |
| Q22. Potential Attackers | 0.10*** | 0.07*** | 0.15*** | 0.05*** | 0.14*** | 0.04*** | 0.05*** | 0.05*** |
| Q25. Professional IT Experience (baseline: No) | | | | | | | | |
| Yes | | 0.08*** | | 0.04* | 0.09*** | 0.09*** | 0.05*** | |
| Country (baseline: Germany (DEU)) | | | | | | | | |
| DEU - CHN | 0.46*** | 0.38*** | 0.23*** | 0.51*** | 0.71*** | 0.79*** | 0.54*** | 0.68*** |
| DEU - GBR | -0.11* | 0.33*** | | 0.19*** | 0.23*** | 0.35*** | 0.15*** | 0.18*** |
| DEU - IND | | 0.72*** | | 0.48*** | 0.67*** | 0.84*** | 1.02*** | 0.60*** |
| DEU - ISR | | | -0.12** | 0.12* | | 0.23*** | 0.11** | |
| DEU - ITA | -0.14** | 0.18*** | -0.24*** | 0.19*** | 0.27*** | 0.33*** | 0.19*** | |
| DEU - MEX | | 0.43*** | -0.17*** | 0.41*** | 0.47*** | 0.64*** | 0.73*** | 0.35*** |
| DEU - POL | 0.14** | 0.24*** | | 0.31*** | 0.31*** | 0.57*** | 0.47*** | 0.33*** |
| DEU - SAU | 0.17*** | 0.57*** | -0.11* | 0.45*** | 0.53*** | 0.80*** | 0.84*** | 0.67*** |
| DEU - SWE | 0.12** | | | 0.18*** | 0.15*** | 0.34*** | 0.10** | |
| DEU - USA | 0.12** | 0.22*** | 0.18*** | 0.35*** | 0.28*** | 0.37*** | 0.23*** | 0.37*** |
| DEU - ZAF | | 0.20*** | -0.30*** | 0.51*** | 0.34*** | 0.54*** | 0.52*** | 0.52*** |

Table 3: Covariance Analysis per misconception topic. Only significant estimates (rounded to second decimal) are reported. Positive estimates indicate positive influences on having misconceptions, negative estimates indicate a negative influence on holding misconceptions. Significance levels are indicated with stars (*p < .05, **p < .01, ***p < .001). All estimates are standardized (see section 3.5). Sample size, adjusted R² and Cronbach’s Alpha per topic are shown in Table 1.

4.3.1 Country of Residence Predicts Belief in Misconceptions.

Country of residence proved to be the best predictor for the studied misconceptions – indicated by the largest significant estimates (except for Wi-Fi Q11), which showed participants had more (positive estimates) or fewer (negative estimates) misconceptions compared to participants from Germany.
We observed that Western and non-Western countries differed especially in magnitude of estimates. We found the largest estimates and thus greatest differences compared to Germany, for India, Saudi Arabia, and China.
For almost all misconception topics, except those related to Wi-Fi, the estimates were highest for either Chinese or Indian participants. For misconceptions related to Wi-Fi the highest estimate existed in South Africa. Chinese and US participants were more likely to believe in all misconceptions (positive significant estimates for all topics) than German participants. The same applied to the participants from India, Poland, and Sweden, who were significantly more likely to agree with not all but most of the misconception topics, compared to German participants. For all remaining countries at least one estimate was negative, showing that participants were less likely to believe (certain) misconceptions than German participants. We observed the smallest discrepancy between holding misconceptions for Israeli and German participants (estimates range from −0.12 to 0.23). We generally found higher estimates for non-Western countries (China, India, Mexico, Saudi Arabia, South Africa) compared to Western countries. Compared to German participants, participants across all other countries were more likely to believe in misconceptions related to malware (Q15), device security (Q14), and passwords (Q13) indicated by higher positive estimates. For the predictor country we observed the lowest estimates for misconceptions related to Wi-Fi (Q11), HTTPS (Q10), and E2EE (Q9). For these topics the least differences existed between Germany and the other countries.

4.3.2 Demographics are Rather Small but Significant Predictors for Misconceptions.

For the demographic predictors age, gender, and education, we observed mixed results with age as a significant predictor for most cases (except for HTTPS) and gender as a significant predictor for only five misconception topics (E2EE, Wi-Fi, VPN, passwords and private browsing). Also, the estimates for age were larger compared to gender and education.
Compared to younger participants, participants older than 25 were generally more likely to believe in misconceptions, with slightly larger estimates for older participants than for those between 25 and 39 years. Except for the topics malware and HTTPS, participants older than 25 were more likely to hold misconceptions than participants younger than 25. We observed highest estimates for the topics Wi-Fi and private browsing, with the biggest differences between very young (18-24) and older participants – the highest value was observed for participants 55+ (0.27). Participants older than 40 were less likely to believe in misconceptions regarding malware, compared to the young baseline.
Compared to men, women were more prone to hold misconceptions about E2EE, VPN, passwords, and private browsing. Misconceptions regarding Wi-Fi were found more frequently with men than women. Effects in all cases were – however – small.
Most estimate sizes for education were also rather small, with medium and low education as positive significant predictors for believing in misconceptions across topics, with an exception for Wi-Fi. We found no significant differences in believing misconceptions regarding end-to-end encryption and HTTPS between different levels of education. Participants with less than high education were less likely to believe in misconceptions regarding Wi-Fi. For the other misconceptions (VPN, passwords, device security, malware, private browsing), less than high education was associated with believing more in misconceptions.
For misconception statements related to HTTPS none of the demographic factors were significant predictors.
As shown in Table 2, we also considered device usage a demographic factor. The data showed only a few significant, but rather large estimates for the predictor device usage. Participants who used more than two of the listed devices were more likely to believe in misconceptions related to Wi-Fi than those who used none of the queried devices. Participants who used more than four devices were also more likely to believe in misconceptions regarding E2EE and VPN.

4.3.3 Experience with Cybercrime Predicts Disbelief in Misconceptions.

Our questionnaire assessed participants’ experiences with cybercrime (Q7) as well as their professional IT experience (Q25). Our data showed a positive association of prior cybercrime experience with believing less in misconceptions, whereas professional IT experience was a positive predictor for misconceptions. Prior experience with some sort of cybercrime (all participants indicating experience with at least one type of crime mentioned in Q7), was significantly associated with believing less in misconceptions about HTTPS, VPN, device security, malware, and private browsing. However, the estimate values were rather small (< 0.1). Contrary to this, we found that prior professional experience with IT predicted believing in misconceptions regarding HTTPS, VPN, passwords, device security, and malware, also with small estimates (< 0.1). Familiarity with security or privacy (Q7, Q25) does not predict misconceptions regarding the topics end-to-end encryption and Wi-Fi.

4.3.4 Protection of Devices and Data Predicts Disbelief in Misconceptions.

Questions Q17 and Q21 in our questionnaire both asked how important participants consider protecting their devices and data, e. g., from malware (Q17), and how important it is to them to protect specific data types, e. g., private photos. We found that participants who generally think it is important to protect their devices and data were less likely to hold misconceptions regarding end-to-end encryption, passwords, device security, malware and private browsing. Participants who found it rather important to secure specific data types online were more likely to believe misconceptions of all topics, except for Wi-Fi. Despite their significance, both estimate values were rather small (< 0.1). Misconceptions regarding Wi-Fi were not predicted by protection importance as estimates for both question Q17 and Q21 are not significant.

4.3.5 Using Countermeasures Predicts Disbelief in Misconceptions.

Taking active measures for more privacy and security, like using end-to-end encryption, will increase users’ digital security and privacy but seeking information on these topics might also do so. Surprisingly, we found that participants who actively seek information on digital security were more likely to believe in misconceptions regarding all topics (except for Wi-Fi), than participants who did not look for this kind of information (baseline). Estimates were slightly higher than those for the aforementioned predictors, ranging from 0.08 (passwords Q13) to 0.13 (HTTPS Q10). However, we observed that using measures to stay safe online was a negative predictor for believing in most of the queried misconceptions, thus participants who took measures were less likely to believe misconceptions than those who did not take any security or privacy measures (baseline). These estimates were in the mid range compared to all estimate absolute values, ranging from −0.09 to −0.38. Most differences in believing in misconceptions existed between participants who did not take any security measures and those who took at least a moderate amount (5 or more) of protection measures, with highest negative estimates for the topics passwords (Q13) and malware (Q15). In contrast, participants taking moderate or many protection measures were more likely to hold misconceptions related to Wi-Fi (Q11) than those who took no such measures. Taking security and privacy protection measures was not a predictor for holding misconceptions regarding end-to-end encryption (Q9) and HTTPS (Q10).

4.3.6 Thinking Digital Security is Complicated Predicts Belief in Misconceptions.

The questionnaire also included questions on attitudes towards using digital security, which we grouped into three scales, see section 3.2.4 for details. Participants who agreed with more of the attitude statements were also more likely to believe in misconceptions, regarding all misconception topics, except for the combination of participants having more attitudes related to E2EE and the misconception topic HTTPS. Participants who held attitudes like, e. g., end-to-end encryption is only for paranoid people and has more disadvantages than advantages were more likely to hold misconceptions across most topics. However, these effects were rather small, with estimates ranging from 0.03 to 0.12. Participants with these attitudes were less likely to believe misconceptions regarding HTTPS. We observed the highest estimates for attitudes related to third-party interest in one’s data. Participants who did not believe anybody was interested in their data and thus did not consider themselves at risk were more likely to believe misconceptions related to all topics, except for Wi-Fi. Participants who thought securing data and profiles was complicated also tended to believe most misconceptions, but with smaller effects compared to the aforementioned attitudes (estimates < 0.1).

4.3.7 Being More Concerned Predicts Belief in Misconceptions.

We also queried participants about the amount of concern for different threats like data theft (Q18) and who they considered a risk to their security (Q22). We found that both participants who were more concerned and those who thought more groups pose a risk were more likely to believe in almost all misconceptions. Participants who were more concerned (higher mean value Q18) were more likely to believe misconceptions regarding all topics, except for device security. Compared to other prediction factors, however, the estimate values were rather low (≤ 0.1). Similarly, participants who viewed more groups of people (like hackers and companies) as risks for their digital security were more likely to believe misconceptions related to all queried topics (Q9-Q16), but only with slightly higher estimates (≤ 0.14).

5 Discussion

We identified several factors that impact users’ security and privacy misconceptions and provide insights into the prevalence of security and privacy (mis)conceptions around the world. Our systematic analysis of misconceptions can serve as a foundation for research investigating how these misconceptions are formed and how they can be overcome. Our results show that usable security and privacy research in different countries is crucial, as we found significant differences between participants in different countries. Specifically, we found that differences were strongest between Western and non-Western countries.

5.1 Misconceptions

We found rather moderate (dis)agreement with most misconceptions across all countries. Mean values for misconception scores ranged around the neutral middle (3) of our 5-point rating scale. This shows that users are uncertain about many aspects of their digital security and privacy rather than having misconceptions. This could be due to the complexity of the topic, but also due to confusing and unclear information accessible to users. Our covariance analyses supported this interpretation, as seeking information on digital security was a positive factor for having misconceptions across topics.
However, we found clear misconceptions on a number of topics, some of which are present in all countries and others only in some countries. For example, we found that the myth that passwords need to be changed regularly to increase security persists around the world, although security specialists no longer recommend this and instead advise changing passwords only when the account has been compromised [11, 25]. This misconception can potentially be harmful for users, as regular password changes can result in weak passwords or repeated reuse of (weak, i.e., easily guessable) passwords. Thus, user accounts and data are easier to hack. We believe that this misconception exists because regular password changes were recommended for a long time and habits are difficult to change. Furthermore, this advice is probably still given to users (see [25]) and might thus still be prevalent around the world.
Another example of a clear misconception found worldwide is that clicking on a link can be very dangerous and will surely result in an infection with malware. This shows an underestimation of, or a lack of awareness or knowledge about, the security that most browsers and modern operating systems already have built in by default. For example, Windows includes an anti-malware component that is active by default and updated automatically; hence, merely clicking on a link is usually not sufficient to install malware on a computer. Here, the download of, and further interaction with, a file would be dangerous. However, this misconception probably only leads to overcautious behavior, and thus does not put users in more danger. Never clicking on a link is advice that experts recommend for users [32] – probably for the aforementioned reasons – which might be why this belief is present around the world.
Especially participants from India, but also from other countries (e. g., Mexico, Saudi Arabia and China, to a lesser degree), believe that HTTPS is an indicator for the trustworthiness of a website. This misconception bears the risk of users entering login or bank credentials on a malicious website. Thus, users should be informed that HTTPS only indicates a secure connection and is not an indicator of the trustworthiness or authenticity of a website.
We have also found that participants, especially in Saudi Arabia but also in other countries (with the exception of the US and Sweden), confuse encryption and authentication, thus mistaking a second authentication factor for an encryption layer. Here, our results confirm similar qualitative findings by Krombholz et al. [22] and even show that this misconception is geographically widespread. This demonstrates the worldwide demand for sound advice sources and education materials on this topic. As two-factor authentication becomes more prevalent, services that use this authentication method should educate their users to avoid misconceptions and potential resulting risks.
For some misconception topics, such as passwords, device security or malware, our model explains more variance than for others, like VPN and Wi-Fi. This could be due in part to irrelevant or missing predictors for these topics, such as for HTTPS (Q10) or Wi-Fi (Q11), where only eight and nine of the 14 predictors, respectively, were significant. Future work could identify which factors better predict (mis)conceptions or knowledge on these topics. Advice and education could then target not only misconceptions, but also these factors.

5.2 Factors Influencing Misconceptions

The country of residence was the most effective predictor for misconceptions across all topics, except for Wi-Fi. We found especially large differences between German participants and participants from non-Western countries across all misconceptions. The differences in the predictive power of country were somewhat smaller between German participants and those from other Western countries, especially those from Israel.² This is in line with prior findings, pointing out that the research community should not view results from Western countries as the “norm” and results from non-Western countries as “exotic” [21]. Similarly to other cross-cultural studies on privacy and security (e. g., [13, 34, 44]), our findings on misconceptions show that results differ across cultures and that results from Western countries are rather alike but differ in many cases from those of non-Western countries.
Counterintuitively, we found that participants with technical backgrounds (student, degree, or job in the field of computing) were significantly more likely to believe in misconceptions about HTTPS, VPN, passwords, device security and malware. However, a related study found similar results. When investigating computer science master students’ security knowledge, Chaudhary et al. found that these future IT professionals hold dangerous misconceptions [5]. When studying knowledge of the Internet and security behavior, Kang et al. [16] also did not find technical education to be a predictor for privacy and security behavior. We can only guess that one reason for this might be the great amount of security advice that even IT experts fail to prioritize (see [32]), so that misconceptions arise. The finding that seeking information on digital security positively influenced believing in misconceptions was also counterintuitive. Again, we assume that this may be due to the confusing amount of security and privacy advice.
Chaudhary et al. also suggest that encounters with threats and crimes might help and predict secure behavior. Similarly, Kang et al. suggest that security and privacy behavior can be predicted by experiences. We come to the same conclusion, as experiences with cybercrime were a significantly negative, and thus hindering, predictor for believing in misconceptions across many topics (except for E2EE, Wi-Fi, passwords).
The number of devices used was a significant predictor for misconceptions related to E2EE, Wi-Fi and VPN, with using more devices positively influencing belief in these misconceptions. The effects of this predictor were comparatively large. This indicates that the more devices people use, the more misunderstandings arise, especially regarding Wi-Fi security. This seems reasonable especially when taking mobile devices into consideration, as users are warned about using (open) Wi-Fi in locations like coffee shops [32]. Thus, they might be confused about the circumstances under which using the Internet on their mobile devices is safe and what steps they have to take to make it safe.
Kang et al. [16] found a positive correlation between the number of threats participants named and the measures they took to stay safe, and conclude that awareness is a predictor for security measures. We find that the number (> 0) of security measures taken is a hindering factor for believing in misconceptions across topics. The result that attaching greater importance to protecting data and accounts was associated with holding fewer misconceptions points in the same direction. People who want to protect their data and already implement proactive measures are less likely to hold misconceptions. Kang et al. also found that attitudes like “I have nothing to hide” discourage people from taking security measures. We found that attitudes in this direction positively influence believing in misconceptions, across topics, with highest effects for attitudes related to statements such as “nobody is interested in my data.”

5.3 Practical Implications for Future Work

Our results reveal cross-cultural differences in security and privacy misconceptions, with more differences between non-Western and Western countries. Future work should thus investigate these differences and reasons for these differences, as well as conduct studies not primarily in Western countries. Based on these differences, we see the opportunity to study what contributes to effective communication of accurate understanding of security and privacy, as well as what contributes to misconceptions by studying user learning behavior, public outreach and education in those countries where misconceptions were especially low or high.
This future work could make comparisons both across misconceptions and across countries or clusters of similarly behaving countries. Researching how to debunk specific misconceptions could also be a (future) perspective. This could help users to convert misconceptions into understanding. For example, for debunking encryption misconceptions, Schaewitz et al. [35] recommended trust-building measures, like telling users something is encrypted.

6 Conclusion

We reported on a large-scale quantitative online survey of security and privacy (mis)conceptions around the world. We surveyed n = 12,351 participants in 12 countries on four continents. A key contribution of this paper is an overview of factors that influence misconceptions across security and privacy topics. Regarding these factors, we found country of residence to be the strongest predictor for holding misconceptions. We identified the greatest differences between non-Western and Western countries, demonstrating the need for region-specific research on usable security and privacy. However, while we did find some specific misconceptions to be present across different countries, like the importance of regular password changes for security reasons, we generally did not observe many outright misconceptions. For the large part of misconceptions across topics, we mainly identified uncertainty.
Our work lays the foundation for future work investigating misconceptions of participants per country in more depth and research on how to debunk specific misconceptions. Our results show that it is also important to research (other) factors that might influence (mis)conceptions, like technology readiness or Internet literacy. Thus, advice and educational material could target influencing factors and misconceptions.

Acknowledgments

We want to thank all participants of our study. We would like to thank Annalina Buckmann, Carina Wiesen, Jennifer Friedauer, Maximilian Golla, Oliver Reithmaier, and so many more for their help with this paper. The research was primarily funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy – EXC 2092 CASA – 390781972 and also (partly) by the PhD School “SecHuman – Security for Humans in Cyberspace” by the federal state of NRW, Germany.

A Security & Privacy Studies in Different Countries

| Topic | Related Research | Countries |
|---|---|---|
| Cross-Cultural Studies on Privacy and Security | (1) Who Is Concerned about What? A Study of American, Chinese and Indian Users’ Privacy Concerns on Social Network Sites [44] | (1) US, China, India |
| | (2) Self-Confidence Trumps Knowledge: A Cross-Cultural Study of Security Behavior [34] | (2) China, France, Japan, Russia, South Korea, the US, and the United Arab Emirates |
| | (3) Keep on Lockin’ in the Free World: A Multi-National Comparison of Smartphone Locking [13] | (3) Australia, Canada, Germany, Italy, Japan, Netherlands, the UK, and the US |
| | (4) A Cross-Cultural and Gender-Based Perspective for Online Security: Exploring Knowledge, Skills and Attitudes of Higher Education Students [5] | (4) China, Finland, Pakistan, Nepal, Iran, England, Vietnam |
| Cybercrimes & Threats | (1) Digitalbarometer 2020: Bürgerbefragung zur Cyber-Sicherheit [German] [47] | (1) Germany |
| | (2) ENISA Threat Landscape 15 Top Threats in 2020 [9] | (2) European Union |
| | (3) Africa Cyber Security Report 2016 [36] | (3) Africa |
| Digital Security Measures | (1) 152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users [32] | (1) Almost half from US, but also from UK, Germany, Australia, Japan, India, Israel, and South Africa |
| Studies focusing on general awareness of users | (1) My Data Just Goes Everywhere: User Mental Models of the Internet and Implications for Privacy and Security [16] | (1) US |
| | (2) Awareness, Adoption, and Misconceptions of Web Privacy Tools [38] | (2) US |
| | (3) End User and Expert Perceptions of Threats and Potential Countermeasures [3] | (3) Germany, Italy, Switzerland, and Portugal (all spoke German) |
| E2EE communication (Q9) | (1) Obstacles to the adoption of secure communication [1] | (1) UK |
| HTTPS (Q10) | (1) If HTTPS Were Secure, I Wouldn’t Need 2FA - End User and Administrator Mental Models of HTTPS [22] | (1) Austria & Germany |
| | (2) Awareness, Adoption, and Misconceptions of Web Privacy Tools [38] | (2) US |

Table 4: Relevant studies for our questionnaire and the countries in which they recruited participants. (1/2)
| Topic | Related Research | Countries |
|---|---|---|
| WiFi (Q11) | (1) When I am on Wi-Fi, I am fearless: privacy concerns & practices in everyday Wi-Fi use [19] | (1) US |
| VPN (Q12) | (1) Awareness, Adoption, and Misconceptions of Web Privacy Tools [38] | (1) US |
| Password and Login Processes (Q13) | (1) Addressing Misconceptions About Password Security Effectively [25] | (1) No participants, meta-analysis |
| Device Security (Q14) | (1) End User and Expert Perceptions of Threats and Potential Countermeasures [3] | (1) Germany, Italy, Switzerland, and Portugal (all spoke German) |
| | (2) Addressing Misconceptions About Password Security Effectively [25] | (2) No participants, meta-analysis |
| | (3) Understanding User’s Behavior and Protection Strategy upon Losing, or Identifying Unauthorized Access to Online Account [20] | (3) Bangladesh, Turkey, and US |
| | (4) 152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users [32] | (4) Almost half from US, but also from UK, Germany, Australia, Japan, India, Israel, and South Africa |
| Malware and Deception on the Internet (Q15) | (1) “Malware Myth” in Cyberdanger [45] | (1) The Netherlands, Belgium, Germany, Switzerland, Austria, the United Kingdom, Russia, Spain, Italy, Poland, and the US |
| | (2) Security education against phishing: A modest proposal for a major re-think [18] | (2) UK |
| | (3) Modelling User-Phishing Interaction [8] | (3) No participants |
| Private Browsing (Q16) | (1) Your Secrets Are Safe: How Browsers’ Explanations Impact Misconceptions About Private Browsing Mode [46] | (1) US |

Table 5: Relevant studies for our questionnaire and the countries in which they recruited participants. (2/2)

B Questionnaire – Survey On Citizens’ Digital Security

Welcome Text
Increasing digitalization in all areas of life leads to more and more people being online and shifting processes from the offline to the online world (e. g., with online banking). What are the experiences of Internet users? How do they perceive different risks and security measures? We would like to answer these questions with this study. Based on these insights, we aim to develop need-based offers and materials to increase the digital security of the population. You can provide a valuable contribution with your participation.
Consent – Data Privacy Statement
Thank you for your interest in our study.
Purpose: The purpose of the study is to gather Internet users’ experiences of digital security, and how they evaluate various online risks and security measures. Our results will provide a basis for developing communication and training materials that answer people’s questions about digital security, and enable them to manage it. You can provide a valuable contribution with your participation.
Duration: Participation in the study is expected to take 20 minutes. You are not subject to any anticipated risks by participating. Please answer the survey as honestly as possible. You may stop at any time if you no longer wish to participate in the study, as long as you have not submitted your responses or these have not been evaluated.
Data Protection: Your responses to this study are stored in anonymized form in a way which will not reveal your identity. No data will be passed on to third parties. By starting this questionnaire you consent to data collection for the purposes of conducting this study. Your personal data is processed based on Article 6(1)a of the GDPR. You have the right to revoke your consent to the data processing at any time as well as to request information, correction, processing restrictions and deletion of the data stored about you. To exercise these rights, please contact the email address listed below. The responsible supervisory authority is [blinded]. If you have additional questions about data protection, please contact [blinded for anonymous review].
Q0: Consent. [checkbox]
- I confirm that I accept the participation conditions for this study.
Internet Usage
First, we would like to ask you some questions about your Internet usage.
Q1: Which of the following devices do you use in your daily life? [multiple choice]
- Smartphones; Static PCs / Desktop PCs; Laptops; Tablets; Voice Assistants or Smart Speakers (e. g., Alexa, Amazon Echo); Wearables (e. g., fitness trackers, smartwatches or other computer technologies that are worn on the body); None of the listed devices [exclusive]
Q2: Do you have any smart home devices in your household? If yes, what purpose? [matrix question]
- Description: The “smart home” area includes all networked devices that you use in your living space. For example, systems that automatically open or close windows, doors and shutters – so-called home automation technology. But smart home also includes household appliances such as refrigerators that keep you informed about their contents or robotic vacuum cleaners. These devices can often be operated from anywhere and many of these devices are connected to the Internet.
- Items: Energy and climate (e. g., “intelligent” lights or radiators); Security (e. g., networked alarm systems or video monitoring); Home and garden (e. g., “intelligent” shutters, robotic vacuum cleaners)
- Answer Options: Yes; No; I am not sure
Q3: How often do you use the Internet for the following purposes? [multiple choice]
- Items: Online shopping; Ordering services (e. g., booking travel, ordering food, car sharing); Selling goods or services (e. g., through auctions); Researching information and forming opinions (e. g., reading online newspapers); Uploading and sharing personal content you have created yourself (texts, images, photos, videos, music, software); Expressing opinions (e. g., posts on social media, online comments); Online banking; Communication (email, chat, video conferences etc.); Entertainment (e. g., streaming films, music, online games); Official transactions (e. g., ordering an identity card, tax return); Health services (e. g., electronic patient record, virtual doctor appointment); Map services / navigation; Data storage (cloud services)
- Answer Options: Never; Less than once a month; Once a month; Several times a month; Once a week; Several times a week; Every day; Several times a day
Q4: How often do you use the following communication channels? [multiple choice]
- Items: Making telephone calls with a land line; Making telephone calls with a smartphone / mobile telephone; Video calls (e. g., Skype, Zoom, Microsoft Teams); Text messaging (SMS); Messenger services (e. g., WhatsApp, Signal); Social media (e. g., Facebook, Twitter, Instagram); E-mail; Online forums and communities
- Answer Options: Never; Less than once a month; Once a month; Several times a month; Once a week; Several times a week; Every day; Several times a day
Digital Security
Now, we would like to ask you some questions on the subject of digital security.
Q5: When you think about the subject of digital security, is there anything you are concerned about? [free text]
- Description: Please state everything that occurs to you. You are welcome to also respond in bullet points.
Q6: How familiar are you with the following terms?
- Description: For each of the following terms, please state how familiar you are with it.
- Items: Malware (viruses, worms, spyware, Trojans); Ransomware (extortion software); Phishing; Spear phishing; Two factor authentication (2FA); Biometric authentication process; Identity theft; Data leak / data theft; HTTPS; Hard drive encryption; End-to-end encryption; Transport encryption; Browser; Private browser mode (incognito mode); IP address; URL; VPN (virtual private network); Tor network; Ad blocker; (Love) scam / romance scam on the Internet; Spam; Cloud
- Answer Options: I’ve never heard of this; I’ve heard of this but I don’t know what it is; I know what this is but I don’t know how it works; I know how this works; I know very well how this works
Q7: Have you personally been affected by cybercrime?
- Description: For each of the following items please state if you have been affected.
- Items: Malware such as viruses or Trojans; Phishing (spying on confidential data); Ransomware or extortion software; Cyberbullying; Fraud with online shopping; External access to an online account; Cyberstalking; Data abuse (passing on or sale of personal data such as telephone number, address, bank details); Love scam / romance scam on the Internet
- Answer Options: Yes; No; I prefer not to answer this question
Q8: Where do you look for information on the topic of digital security?
- Description: From the following information sources, please select all the ones that you use to inform yourself about digital security.
- Items: Print media; Online news; Social media; Radio / podcasts; Television; Friends and family; IT security experts; Consumer center, authorities; Other [free text]
Misconceptions Digital Security
Next, you will see a number of statements on the topic of digital security. Please carefully read each statement and state how much you agree with the respective statement.
E2E Messenger
Q9: The following statements refer to communication with messengers that use end-to-end encryption (e. g., WhatsApp, Signal). [matrix question]
- Description: Please read each statement carefully, and indicate how much you agree with each statement.
- Items: If my chat messages are protected by end-to-end encryption, then my messages can only be read on my device and by the recipient; nobody else can access and read them in transit; Not even the communication service provider that I use can read my messages if they are protected by end-to-end encryption; If someone has access to my smartphone, then this person can read my messages in the messenger app, despite end-to-end encryption; Because the developers of the messenger service know how the encryption works, they can also read my messages despite end-to-end encryption; The end-to-end encryption in messenger services is not secure because any encryption can be broken; If messages are end-to-end encrypted, they are sent directly from my device to the recipient’s device, without any intermediate steps; If messages are end-to-end encrypted, they can also be read by third parties during transmission; If I send messages with end-to-end encryption, nobody knows when and with whom I am communicating; Messages that are sent over the Internet are easier to read than text messages that are sent via the telephone network.
- Answer Options: 1 – fully disagree; 2 – mainly disagree; 3 – neutral; 4 – mainly agree; 5 – fully agree; I don’t understand the statement
HTTPS
Q10: Next you will see some statements about digital security when surfing on the Internet. Generally an Internet browser (e. g., Firefox, Chrome, Edge, Internet Explorer) is used for this. [matrix question]
- Description: Please carefully read each statement and indicate how much you agree with the respective statement. If we mention “HTTPS” for websites, we mean websites that show a lock symbol in the address bar of your Internet browser, like in this illustration: [image]
- Items: I can identify a fraudulent website (e. g., a fake online shop that wants to capture my data), because no lock symbol is shown in the address bar of the Internet browser; If HTTPS is used on a website, my Internet provider does not know what I am clicking on the website; HTTPS prevents the website operator from seeing what I am clicking on and viewing on the website; Websites that use HTTPS are trustworthy; If I visit websites that use HTTPS then other people that use my computer cannot see where I have been on the Internet.
- Answer Options: 1 – fully disagree; 2 – mainly disagree; 3 – neutral; 4 – mainly agree; 5 – fully agree; I don’t understand the statement
Wi-Fi
Q11: Next you will see some statements about digital security when surfing on Wi-Fi networks. [matrix question]
- Description: Please carefully read each statement and state how much you agree with the respective statement.
- Items: When I use a public Wi-Fi, other devices that are also using this Wi-Fi (e. g., laptops of other visitors in an Internet café) can see what websites I am visiting; When I use a public Wi-Fi, other devices that are also using this Wi-Fi can generally see what data (e. g., passwords, credit card information) that I enter on websites; When I am connected to a public Wi-Fi, it is easy to infect my device with malware; On a public Wi-Fi, attackers can redirect me to specifically prepared websites and record the data that I enter there; When I use a public Wi-Fi, other devices that are also using this Wi-Fi can also read and change my emails.
- Answer Options: 1 – fully disagree; 2 – mainly disagree; 3 – neutral; 4 – mainly agree; 5 – fully agree; I don’t understand the statement
VPN
Q12: Next you will see some messages about digital security when surfing on the Internet with a VPN (virtual private network). [matrix question]
- Description: Please carefully read each statement and state how much you agree with the respective statement.
- Items: When I use a VPN, my Internet provider can no longer see what websites I visit; A VPN prevents malware from reaching my device; A VPN protects me from entering my passwords or credit card information on dangerous websites; A VPN protects me from unauthorized persons getting access to my device; A VPN is like end-to-end encryption between the website and my device; When I use a VPN, the VPN provider can see what websites I visit; When I use a VPN, the VPN provider can see in principle what data I enter on a website (e. g., passwords, credit card information); Surfing via the Tor network prevents my Internet provider from seeing what websites I visit.
- Answer Options: 1 – fully disagree; 2 – mainly disagree; 3 – neutral; 4 – mainly agree; 5 – fully agree; I don’t understand the statement
Login and Passwords
Q13: Next you will see some statements on the topic of passwords and login processes. [matrix question]
- Description: Please carefully read each statement and state how much you agree with the respective statement.
- Items: The security of a password is higher if it includes numbers or special characters as well as letters; To increase the security of a password, it is sufficient to replace letters by numbers, for example to replace an “i” with a “1”; To increase the security of a password, it is sufficient to use a word from a different language; A date of birth is a secure password as long as it isn’t my own date of birth; The security of a password only depends on the length of the password; It is important for the security of my user accounts to regularly change the password; Attackers try to guess my password and enter a lot of different passwords manually; Using one strong password to login into different user accounts is perfectly safe; Password managers generate secure passwords that cannot be guessed, even with technical assistance; It is more secure to choose a weaker password that is easy to remember, than to write a strong password down (e. g., a note); This is a control question. Please click on the answer “4 – mainly agree” [validity check]; A password manager that I can use to manage and store all my accounts and passwords is not secure; I have to log in to online banking with two processes so that the connection is encrypted, for example, with a password and TAN (transaction number); If, in addition to entering my password, I have to confirm that I want to login into my email mailbox by mobile phone, it is harder for attackers to get into my email mailbox; Facial recognition to log into my user account is very easy to trick, for example with a photo; If I use my fingerprint to log in to an Apple or Android smartphone, this is stored with the provider and can be stolen from there; It is easier to steal my fingerprint and use it for authentication on my device than it is to guess my password; Login processes such as fingerprints or facial recognition are imprecise and therefore less secure than passwords.
- Answer Options: 1 – fully disagree; 2 – mainly disagree; 3 – neutral; 4 – mainly agree; 5 – fully agree; I don’t understand the statement
Security of End Devices
Q14: Next you will see some statements on the topic of digital security of end devices. [matrix question]
- Description: Please carefully read each statement and state how much you agree with the respective statement.
- Items: When I enter my laptop password in public, somebody could look over my shoulder and read the password; To protect the data on my laptop even if it is stolen, a hard drive encryption must be used; Even if my laptop is stolen, my data is secure because my user account is protected by a password; Anti-virus software doesn’t only protect my PC from viruses, but also protects my online user accounts from attacks; Regular updates are sufficient to protect my device and my data from attacks; I don’t need to lock devices, such as my laptop, PC, smartphone etc. – when I am not using them, because the screen is dark anyway and nobody can read it; It is safer to send sensitive data via a computer than via a smartphone; The PIN for the SIM card is sufficient to protect the data on my smartphone; Strangers cannot access my smart home devices as long as I use a secure password for them.
- Answer Options: 1 – fully disagree; 2 – mainly disagree; 3 – neutral; 4 – mainly agree; 5 – fully agree; I don’t understand the statement
Malware
Q15: Next you will see some statements on the topic of malware and deception on the Internet. [matrix question]
- Description: Please carefully read each statement and state how much you agree with the respective statement.
- Items: If I don’t discover anything suspect on my computer, then it is not infected with malware; As long as I don’t download anything, my PC cannot be infected with malware (even if I visit a risky website); It is more likely to pick up malware from visiting a porn website than visiting a website on the topic of sport; As long as I don’t open a file infected with malware, it can’t do any damage; Malware is mostly distributed via USB sticks; If Windows is not installed on my PC, it is more secure from attacks, because attackers do not bother to attack operating systems few people use; Malware can be installed on my device (Laptop/PC) without me noticing it directly; Malware can cause me no longer being able to view my data, having to pay the attackers money to release it; It is sufficient to look at the sender to check the security of emails before opening; My PC can get infected with malware by clicking on a link; I can click on attached files without concern for an email that is addressed to me directly; As long as a website looks official, I can enter my login data without concern; The email could be risky if the sender name and email address are not the same; The text on a link shows me what site you will end up on if you click on it; As long as I know the sender of an email then I don’t have to worry about the email containing viruses; Links in emails can lead to fake websites to gather my login data.
- Answer Options: 1 – fully disagree; 2 – mainly disagree; 3 – neutral; 4 – mainly agree; 5 – fully agree; I don’t understand the statement
Surfing in Private Browsing Mode
Q16:
Next you will see some statements about digital security when surfing in private browsing mode (also called incognito mode). [matrix question]
-
Description: Please carefully read each statement and state how much you agree with the respective statement.
-
Items: The private browser mode encrypts my data; The private browser mode prevents my Internet provider from seeing what websites I visit; The private browser mode protects me from other people using my device from being able to track my activities; The private browser mode prevents malware from reaching my device; The private browser mode has the same protective effect as an ad blocker, that is, advertising is blocked on a website; The private browser mode does not prevent website operators from being able to see my IP address.
-
Answer Options: 1 – fully disagree; 2 – mainly disagree; 3 – neutral; 4 – mainly agree; 5 – fully agree; I don’t understand the statement
Digital Security Concerns
Next, you will see a number of statements relating to digital security. Please carefully read each statement and state how much you agree with the respective statement.
Q17:
How important is it to you to prevent... [matrix question]
-
Items: malware such as viruses or Trojans from reaching your devices (PC, laptop, smartphone)?; your data (such as login data) from being spied on?; you from no longer being able to view your data and having to pay blackmailers money to view your data?; you from being insulted online? (cyberbullying); you from being a victim of fraud, for example, when shopping online?; unauthorized persons from having access to your online accounts?; unauthorized persons from gaining access to your personal data?; your digital messages, such as emails, being accessed and read by third parties?; you becoming a victim of cyberstalking?; your passwords from being guessed by unauthorized persons?; your devices (PC, laptop, smartphone) from being spied on?; you from entering your login data on fraudulent websites?; friends or family with access to your devices (PC, laptop, smartphone) being able to see your browser history?; advertisers from being able to see what websites you visit?; the contents of your messages from being read by communication service providers, e. g., the messenger service?
-
Answer Options: 1 – not important; 2 – a little important; 3 – moderately important; 4 – quite a bit important; 5 – very important; I don’t understand the question
Q18:
For each of the following statements, please state how concerned you are. How concerned are you... [matrix question]
-
Items: that when using messenger services your messages could also be read by unauthorized persons?; that the messenger service provider has access to your message contents, such as sent texts or images?; that other people could read your messages despite end-to-end encryption?; that a website could use an illegal mechanism to collect personal information about you?; that when using a public Wi-Fi other devices could see what data (e. g., passwords, credit card information) you enter on websites?; that somebody could track you based on your location?; that somebody could steal your passwords?; that your biometric data could be abused, e. g., your fingerprint to unlock the mobile phone?; that one of your passwords is easy to crack or guess?; that sensitive data on your computer is not secure enough? (e. g., through backups or firewalls); that someone could get the password for your computer by watching you enter it?; that, if your computer is stolen, unauthorized persons could have access to your sensitive data and passwords?; that your computer could be affected by malware and you would no longer be able to open your files because of it?; that your computer could be affected by malware and is therefore no longer usable?; that your computer could be affected by malware and therefore unauthorized persons have access to your data?; that your computer could have a virus that you don’t know about?; that unauthorized third parties could have access to your data?; that networked devices such as voice assistants (e. g., Alexa, Siri) inadvertently gather, store and forward personal data?; that voice assistants, such as Alexa or Siri, inadvertently listen to everything you say?
-
Answer Options: 1 – not concerned; 2 – a little concerned; 3 – moderately concerned; 4 – quite a bit concerned; 5 – very concerned; I don’t understand the question
Q19:
For each of the following statements, please state how much you agree. [matrix question]
-
Items: I am not rich or famous, so nobody is interested in accessing my personal data; I do not believe that anyone is interested in reading my messages (e. g., emails, chats); I have nothing to hide, therefore it is not important to me whether my messages are encrypted or not; I consciously use communication services (e. g., messenger services) that use end-to-end encryption, because I don’t want unauthorized persons to be able to read my messages; I don’t need strong passwords, because my data is not interesting to attackers; People who use the private browser mode have something to hide. Wi-Fi at home is more secure than public Wi-Fi; Encryption is only for people who are paranoid. Encryption has more advantages than disadvantages; Encryption is dangerous, because I can irretrievably lose my data; Encryption is bad because it is used by hackers and criminals (e. g., for illegal activities); Encryption is useful to ensure protection of personal data; Digital security is complicated; Products with a high level of security are often difficult to use; Secure programs or applications are often difficult to use; Programs and services should be secure. It is not my job to take care of security; Regardless of what I do, I am powerless against skilled attackers and hackers. I don’t want to have to deal with digital security; Digital security is annoying.
-
Answer Options: 1 – fully disagree; 2 – mainly disagree; 3 – neutral; 4 – mainly agree; 5 – fully agree; I don’t understand the statement
Digital Security Risk and Measures
You are almost done! Last but not least, we would like to learn which measures you take to stay safe on the Internet.
Q20:
What measures do you use for your digital security? [matrix question]
-
Description: Please click on all the measures you use for your digital security.
-
Items: (Regular) updates of the operating system and other programs; (Regular) backups on an external hard drive; (Regular) backups to the cloud; Anti-virus software; Firewall; Ad blocker; Anti-tracking tools; Password manager; End-to-end encryption for messages; PIN, password or biometric processes to lock and unlock your devices (laptop, smartphone, tablet); Two factor authentication; Tor network; VPN (virtual private network); None [exclusive]
Q21:
How important is it for you to protect the following data on the Internet (e. g., from external access and theft)? [matrix question]
-
Items: Your full name; Address (home address); Your personal telephone numbers; Your contacts; Your personal photos; Message threads, for example, from chats and emails; Location and movements, e. g., GPS data, your jogging route; The amount of your salary or earnings; ID, such as identity card and driving license; Insurance documents; Delivery notes and invoices; IBAN / BIC and account details; Health data; Biometric data, such as fingerprints; Passwords
-
Answer Options: 1 – not important; 2 – a little important; 3 – moderately important; 4 – quite a bit important; 5 – very important; I don’t understand the question
Q22:
How likely is it that the following groups of people pose a risk to your digital security (e. g., unauthorized access to your personal data, stalk you online or restrict your access to digital services)? [matrix question]
-
Items: Family members; Friends and acquaintances; Work colleagues; Officials from [country] (such as police, secret services and the government); Officials from other countries (such as police, secret services and the government); Private sector companies; Criminals who want to get rich from your data; Hackers who gain unauthorized access to data and devices, for fun.
-
Answer Options: 1 – not likely; 2 – a little likely; 3 – moderately; 4 – quite a bit likely; 5 – very likely
Demographics
Finally, we would like to ask you some more questions about you.
Q23:
What is your gender? [single choice]
-
Male; Female; Non-binary; Describe yourself: [free text]; I prefer not to answer this question
Q24:
What is your highest level of education? [single choice]
-
No school leaving certificate; Secondary school (primary school) or equivalent leaving certificate; High school (O level) or equivalent leaving certificate; A level, vocational high school / general or university entrance qualification; Occupational or vocational training / apprenticeship; Completion of a technical college or administrative or professional academy; Bachelor’s degree; Diploma university course or masters (including: teaching position, state examination, Master’s course, artistic or comparable courses of study); PhD/doctorate; I prefer not to answer this question
Q25:
Do you have practical experience in the informatics, computer technology or information technology fields (e. g., through your job or education background)? [single choice]
-
Yes; No; I prefer not to answer this question
Q_Hidden: Country [hidden question]
-
Chinese; German; Indian; Israeli; Italian; Mexican; Polish; Arabian; South African; Swedish; British; American
Q26:
Do you have an immigration background? [single choice]
-
Description: People with an immigration background are defined as people who were not born as a [country] citizen or who have at least one parent who was not born as a [country] citizen.
-
Items: Yes, I have an immigration background; No, I don’t have an immigration background; I prefer not to answer this question
Debriefing
Thank you very much for participating in our survey. The purpose of the study is to discover what experiences Internet users have had concerning digital security and how they evaluate various risks and measures. Your participation helps us to gain knowledge of this so that need-based offers and materials can be developed to increase the digital security of the population.

C List of Excluded Variables Per Model

E2EE (Q9): no variables excluded
HTTPS (Q10): gender, education, Q17, Q19 – complicated
Wi-Fi (Q11): Q7, Q8, Q17, Q19 – E2EE, Q19 – interest, Q25
VPN (Q12): Q17, Q19 – complicated, Q19 – E2EE, Q22
Passwords (Q13): no variables excluded
Device Security (Q14): no variables excluded
Malware (Q15): no variables excluded
Private Browsing (Q16): Q19 – complicated

D Reliability Coefficient Cronbach’s Alpha

| Misconception Topic | α |
| --- | --- |
| Q17. Prevention | 0.89 |
| Q18. Concerns | 0.96 |
| Q19. Attitudes E2EE | 0.51 |
| Q19. Attitudes Interest | 0.86 |
| Q19. Attitudes Complicated | 0.80 |
| Q21. Data Protection | 0.93 |
| Q22. Potential Attackers | 0.87 |

Table 6: Reliability coefficient Cronbach’s alpha (α) for all predictor scales used. Added this table.

Footnotes

1
We follow the approach of prior work and use country as a proxy for culture [34, 42, 44].
2
Reflecting on Huntington [14], we consider Israel as very close to the Western world and thus a part of it.

Supplementary Material

MP4 File (3544548.3581410-talk-video.mp4)
Pre-recorded Video Presentation

References

[1] Ruba Abu-Salma, M. Angela Sasse, Joseph Bonneau, Anastasia Danilova, Alena Naiakshina, and Matthew Smith. 2017. Obstacles to the Adoption of Secure Communication Tools. In IEEE Symposium on Security and Privacy (SP ’17). IEEE, San Jose, California, USA, 137–153.
[2] Dmitry Adamsky. 2017. The Israeli Odyssey toward its National Cyber Security Strategy. The Washington Quarterly 40, 2 (2017), 113–127.
[3] Simon Anell, Lea Gröber, and Katharina Krombholz. 2020. End User and Expert Perceptions of Threats and Potential Countermeasures. In IEEE European Symposium on Security and Privacy Workshops (EuroS&PW ’20). IEEE, Genoa, Italy, 230–239.
[4] J. Martin Bland and Douglas G. Altman. 1997. Statistics Notes: Cronbach’s Alpha. The BMJ 314, 7080 (Feb. 1997), 572–572.
[5] Sunil Chaudhary, Yan Zhao, Eleni Berki, Juri Valtanen, Linfeng Li, Marko Helenius, and Stylianos Mystakidis. 2015. A Cross-Cultural and Gender-Based Perspective for Online Security: Exploring Knowledge, Skills and Attitudes of Higher Education Students. International Journal on WWW/Internet 13, 1 (Dec. 2015), 57–71.
[6] Sonia Chiasson and Paul C. Van Oorschot. 2015. Quantifying the Security Advantage of Password Expiration Policies. Designs, Codes and Cryptography 77, 2–3 (Dec. 2015), 401–408.
[7] Lee Anna Clark and David Watson. 1995. Constructing Validity: Basic Issues in Objective Scale Development. Psychological Assessment 7, 3 (Sept. 1995), 309–319.
[8] Xun Dong, John A. Clark, and Jeremy Jacob. 2008. Modelling User-Phishing Interaction. In Conference on Human System Interactions (HSI ’08). IEEE, Krakow, Poland, 627–632.
[9] European Union Agency for Cybersecurity. 2020. ENISA Threat Landscape 15 Top Threats in 2020. https://www.enisa.europa.eu/publications/enisa-threat-landscape-2020-list-of-top-15-threats, as of September 15, 2022.
[10] Batya Friedman, Kristina Hook, Brian Gill, Lina Eidmar, Catherine Sallmander Prien, and Rachel Severson. 2008. Personlig Integritet: A Comparative Study of Perceptions of Privacy in Public Places in Sweden and the United States. In Proceedings of the 5th Nordic conference on Human-computer interaction: building bridges. Association for Computing Machinery, New York, NY, USA, 142–151.
[11] Paul A. Grassi, James L. Fenton, and William E. Burr. 2017. Digital Identity Guidelines – Authentication and Lifecycle Management: NIST Special Publication 800-63B.
[12] Hana Habib, Pardis Emami Naeini, Summer Devlin, Maggie Oates, Chelse Swoopes, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2018. User Behaviors and Attitudes Under Password Expiration Policies. In Symposium on Usable Privacy and Security (SOUPS ’18). USENIX, Baltimore, Maryland, USA, 13–30.
[13] Marian Harbach, Alexander De Luca, Nathan Malkin, and Serge Egelman. 2016. Keep on Lockin’ in the Free World: A Multi-National Comparison of Smartphone Locking. In ACM Conference on Human Factors in Computing Systems (CHI ’16). ACM, San Jose, California, USA, 4823–4827.
[14] Samuel P. Huntington. 1996. The Clash of Civilizations and the Remaking of World Order (1 ed.). Simon & Schuster, New York City, New York, USA.
[15] International Chamber of Commerce and European Society for Opinion and Marketing Research. 2007. International Code on Market and Social Research. https://iccwbo.org/publication/iccesomar-international-code-on-market-and-social-research/, as of September 15, 2022.
[16] Ruogu Kang, Laura Dabbish, Nathaniel Fruchter, and Sara B. Kiesler. 2015. “My Data Just Goes Everywhere:” User Mental Models of the Internet and Implications for Privacy and Security. In Symposium on Usable Privacy and Security (SOUPS ’15). USENIX, Ottawa, Canada, 39–52.
[17] Markus Keil, Philipp Markert, and Markus Dürmuth. 2022. “It’s Just a Lot of Prerequisites”: A User Perception and Usability Analysis of the German ID Card as a FIDO2 Authenticator. In European Symposium on Usable Security (EuroUSEC ’22). ACM, Karlsruhe, Germany, 172–188.
[18] Iacovos Kirlappos and M. Angela Sasse. 2012. Security Education against Phishing: A Modest Proposal for a Major Rethink. IEEE Security & Privacy 10, 2 (March 2012), 24–32.
[19] Predrag Klasnja, Sunny Consolvo, Jaeyeon Jung, Benjamin M. Greenstein, Louis LeGrand, Pauline Powledge, and David Wetherall. 2009. “When I Am on Wi-Fi, I Am Fearless”: Privacy Concerns & Practices in Everyday Wi-Fi Use. In ACM Conference on Human Factors in Computing Systems (CHI ’09). ACM, Boston, Massachusetts, USA, 1993–2002.
[20] Huzeyfe Kocabas, Swapnil Nandy, Tanjina Tamanna, and Mahdi Nasrullah Al-Ameen. 2021. Understanding User’s Behavior and Protection Strategy upon Losing, or Identifying Unauthorized Access to Online Account. In International Conference on Human-Computer Interaction (HCII ’21). Springer, Virtual Conference, 310–325.
[21] Yubo Kou, Colin M. Gray, Austin Toombs, and Bonnie Nardi. 2018. The Politics of Titling: The Representation of Countries in CHI Papers. In ACM Conference on Human Factors in Computing Systems (CHI EA ’18). ACM, Montreal, Quebec, Canada, 16:1–16:10.
[22] Katharina Krombholz, Karoline Busse, Katharina Pfeffer, Matthew Smith, and Emanuel von Zezschwitz. 2019. “If HTTPS Were Secure, I Wouldn’t Need 2FA” – End User and Administrator Mental Models of HTTPS. In IEEE Symposium on Security and Privacy (SP ’19). IEEE, San Francisco, California, USA, 246–263.
[23] Maike Luhmann. 2015. R für Einsteiger Einführung in die Statistiksoftware für die Sozialwissenschaften (4 ed.). Beltz, Basel, Switzerland.
[24] Bill Marczak, John Scott-Railton, Sarah McKune, Bahr Abdul Razzak, and Ron Deibert. 2018. Hide and Seek: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries. https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/, as of September 15, 2022.
[25] Peter Mayer and Melanie Volkamer. 2017. Addressing Misconceptions about Password Security Effectively. In Workshop on Socio-Technical Aspects in Security and Trust (STAST ’17). ACM, Orlando, Florida, USA, 16–27.
[26] Helfried Moosbrugger and Augustin Kelava. 2012. Testtheorie und Fragebogenkonstruktion (2 ed.). Springer, Berlin, Germany.
[27] Jessica Pater, Amanda Coupe, Rachel Pfafman, Chanda Phelan, Tammy Toscos, and Maia L. Jacobs. 2021. Standardizing Reporting of Participant Compensation in HCI: A Systematic Literature Review and Recommendations for the Field. In ACM Conference on Human Factors in Computing Systems (Yokohama, Japan) (CHI ’21). Association for Computing Machinery, New York, NY, USA, Article 141, 16 pages.
[28] Elissa M. Redmiles, Yasemin Acar, Sascha Fahl, and Michelle L. Mazurek. 2017. A Summary of Survey Methodology Best Practices for Security and Privacy Researchers. Technical Report CS-TR-5055. UM Computer Science Department.
[29] Elissa M. Redmiles, Sean Kross, and Michelle L. Mazurek. 2019. How Well Do My Results Generalize? Comparing Security and Privacy Survey Results from MTurk, Web, and Telephone Samples. In IEEE Symposium on Security and Privacy (SP ’19). IEEE, San Francisco, California, USA, 227–244.
[30] Elissa M. Redmiles, Amelia R. Malone, and Michelle L. Mazurek. 2016. I Think They’re Trying to Tell Me Something: Advice Sources and Selection for Digital Security. In IEEE Symposium on Security and Privacy (SP ’16). IEEE, San Jose, California, USA, 272–288.
[31] Elissa M. Redmiles, Noel Warford, Amritha Jayanti, Aravind Koneru, Sean Kross, Miraida Morales, Rock Stevens, and Michelle L. Mazurek. 2020. A Comprehensive Quality Evaluation of Security and Privacy Advice on the Web. In USENIX Security Symposium (SSYM ’20). USENIX, Virtual Conference, 89–108.
[32] Robert W. Reeder, Iulia Ion, and Sunny Consolvo. 2017. 152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users. IEEE Security & Privacy 15, 5 (Oct. 2017), 55–64.
[33] Bernd Rohrmann. 2007. Verbal Qualifiers for Rating Scales: Sociolinguistic Considerations and Psychometric Data. Technical Report VQSBR07. University of Melbourne.
[34] Yukiko Sawaya, Mahmood Sharif, Nicolas Christin, Ayumu Kubota, Akihiro Nakarai, and Akira Yamada. 2017. Self-Confidence Trumps Knowledge: A Cross-Cultural Study of Security Behavior. In ACM Conference on Human Factors in Computing Systems (CHI ’17). ACM, Denver, Colorado, USA, 2202–2214.
[35] Leonie Schaewitz, David Lakotta, M. Angela Sasse, and Nikol Rummel. 2021. Peeking Into the Black Box: Towards Understanding User Understanding of E2EE. In European Workshop on Usable Security (EuroUSEC ’21). ACM, Virtual Conference, 129–140.
[36] Serianu, Limited. 2016. Africa Cyber Security Report 2016. https://www.serianu.com/downloads/AfricaCyberSecurityReport2016.pdf, as of September 15, 2022.
[37] Sunil Setti and Anjar Wanto. 2019. Analysis of Backpropagation Algorithm in Predicting the Most Number of Internet Users in the World. Jurnal Online Informatika 3, 2 (2019), 110–115.
[38] Peter Story, Daniel Smullen, Yaxing Yao, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, and Florian Schaub. 2021. Awareness, Adoption, and Misconceptions of Web Privacy Tools. In Privacy Enhancing Technologies Symposium (PETS ’21). Sciendo, Virtual Conference, 308–333.
[39] Jenny Tang, Eleanor Birrell, and Ada Lerner. 2022. Replication: How Well Do My Results Generalize Now? The External Validity of Online Privacy and Security Surveys. In Symposium on Usable Privacy and Security (SOUPS ’22). USENIX, Boston, Massachusetts, USA, 367–385.
[40] Łukasz Tomczyk, Maria Amelia Eliseo, Vladimir Costas, Gloria Sánchez, Ismar Frango Silveira, Maria-Jose Barros, Héctor R. Amado-Salvatierra, and Solomon Sunday Oyelere. 2019. Digital Divide in Latin America and Europe: Main Characteristics in Selected Countries. In Iberian Conference on Information Systems and Technologies (CISTI ’19). IEEE, Coimbra, Portugal, 1–6.
[41] UNESCO Institute for Statistics. 2012. International Standard Classification of Education: ISCED 2011. http://uis.unesco.org/sites/default/files/documents/international-standard-classification-of-education-isced-2011-en.pdf, as of September 15, 2022.
[42] Blase Ur and Yang Wang. 2013. A Cross-Cultural Framework for Protecting User Privacy in Online Social Media. In The World Wide Web Conference (WWW ’13). ACM, Rio de Janeiro, Brazil, 755–762.
[43] U.S. Department of Homeland Security. 2012. The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research. https://www.caida.org/publications/papers/2012/menlo_report_actual_formatted/, as of September 15, 2022.
[44] Yang Wang, Gregory Norcie, and Lorrie Faith Cranor. 2011. Who Is Concerned about What? A Study of American, Chinese and Indian Users’ Privacy Concerns on Social Network Sites. In International Conference on Trust and Trustworthy Computing (TRUST ’11). Springer, Pittsburgh, Pennsylvania, USA, 46–153.
[45] Eddy Willems. 2019. Malware Myths (1 ed.). Springer International Publishing, Basel, Switzerland, Chapter 7, 111–121.
[46] Yuxi Wu, Panya Gupta, Miranda Wei, Yasemin Acar, Sascha Fahl, and Blase Ur. 2018. Your Secrets Are Safe: How Browsers’ Explanations Impact Misconceptions About Private Browsing Mode. In The World Wide Web Conference (WWW ’18). ACM, Lyon, France, 217–226.
[47] Armgard Zindler and Carolin Bolz. 2020. Digitalbarometer 2020: Bürgerbefragung zur Cyber-Sicherheit. https://www.allianz-fuer-cybersicherheit.de/SharedDocs/Downloads/DE/BSI/Digitalbarometer/Digitalbarometer-ProPK-BSI_2020.html, as of September 15, 2022.


    Published In

    CHI '23: Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems
    April 2023
    14911 pages
    ISBN:9781450394215
    DOI:10.1145/3544548
    This work is licensed under a Creative Commons Attribution International 4.0 License.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 19 April 2023

    Author Tags

    1. Co-variance Analysis
    2. Human-Centered Security
    3. Online Survey
    4. Security Misconceptions

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    CHI '23
    Acceptance Rates

    Overall Acceptance Rate 6,199 of 26,314 submissions, 24%
