May 9, 2007 | Volume 4, Issue 1

Information Security

Can Consumers Get Their Lives Back?

by Timothy Summers

Consumers have been left in the dark in the world of information security and have become extremely vulnerable to many types of malicious entities. While it is commonly believed that consumers do not care about protecting their personal information, this paper explores the psychological explanations behind consumer response to information security.

Introduction

Today, a complete stranger can read your email, look at your bills, spy on your instant messages, and use your credit card without you ever knowing that it happened – welcome to the world of privacy hopes and digital dreams. As consumers become increasingly dependent on the Internet for communications, commerce, and other services, they are put into a multitude of situations where they exchange their personal information for personalized services. Most consumers do not realize that they leave a trail of personal information with each exchange. The information that is left behind can be used to steal a consumer’s identity.

Identity theft is being used in almost every crime committed today, from Al-Qaeda terrorist activities and money laundering, to false citizenship and drug trafficking. This crime has surged enormously in the United States. According to the Identity Theft Resource Center, the average identity theft victim population is about 10 million per year. This means that every minute approximately 19 people become new victims of this crime. Identity theft is also costing the U.S. economy an enormous amount of money – roughly $50 billion annually [1].

There are many different causes of identity theft such as data leaks, third-party data loss, misplaced or stolen backup files, and malware programs that steal data.

However, the worst cause, by far, is the lack of consumer vigilance needed to protect their personal information. This leads some experts to believe that consumers are not concerned about protecting their personal information. Is it a lack of concern or a lack of awareness that has increased consumer vulnerability?

Consumer Response

A study done by ChoiceStream found that 62% of the Americans surveyed were worried about giving up personal data to obtain personalized services. This is almost unchanged from 63% in 2005 [2]. In 2000, a Business Week/Harris Poll revealed that more than half of all Americans favor some sort of public policy on how personal information can be collected and used on the Internet. It also showed that 35% would not be comfortable with their online actions being profiled, but 82% are not at all comfortable with online activities being merged with personally identifiable information, such as income, driver’s license, credit data, and medical status [3]. Essentially, this means that while a small population of people objects to the logging and collection of their online activity, a much larger population does not want the collected information to be cross-referenced with their distinguishable personal data. These findings indicate that different groups of consumers have different ways of viewing information security and the protection of their personal data. Based on behavioral analysis, consumers can be categorized into groups according to their perceptions of information security and the ways in which they respond to it.

According to Dr. Timothy Summers, a respected psychiatrist in the field of psychiatric medicine, there are five primary groups that characterize the behavioral patterns and consumer thought processes about information security.

The Five Consumer Groups

The Denial Group: Concerned about information security, but uncertain about how to respond. It is this type of unawareness about privacy that leads to the denial of pertinent issues. They deny caring about information security because caring and not knowing how to resolve the issue causes uncertainty, fear, and anxiety. As part of a human protection mechanism, this group of people unconsciously denies that they care about a problem or that a problem even exists.

The Avoidance Group: Care about information, but unsure about how to react. It is the lack of knowledge that creates the persistent avoidance of information security related problems. They avoid it to stay away from anxiety. This group avoids talking about the problem and how the problem applies to them because they feel helpless not knowing how to handle the problem.

The Minimization Group: Recognize risks associated with information security; however, they take a very minimalist approach in addressing them. This group is able to minimize the significance of a problem or risk by allowing themselves to accept as truth that they will not be affected. Most often these are the consumers that believe that they will never become a victim of identity theft or any other information security related crimes. In other words, they try to minimize their risk by believing it will never happen.

The Rationalization Group: These people rationalize the situation so that they can feel more secure even though they have not done everything they can to solve the problem. An example of rationalizing behavior in the context of information security could be the person that consistently shreds documents and feels that this is enough to protect their personal information. Very little thought is given to other areas of information security.

The Procrastination Group: These people procrastinate on the issue. They develop plans to protect their information, but continuously delay implementation. For example, organizations recognize the vulnerability of insecure networks, but do not invest in the proper protection right away.

Psychological research shows that consumers, in fact, do care about the protection of their personal information; however, due to a multitude of psychological factors those consumers may or may not take the necessary actions to address their personal information security. In addition, the one thing that the listed consumer groups have in common is that they all underestimate their vulnerability to information security crimes. Consumers have been socialized to trust systems and companies to protect their information.

This socialized trust makes consumers believe that people, businesses, and government entities will not share their information with others. It also prevents consumers from recognizing deception when a thief manipulates the established trust between consumers and trusted entities, as is the case with phishing.

Companies Are Not Investing in Information Security

Companies in the United States claim that they are spending an enormous amount of money to protect their customers from data leaks, insider threats, and worst of all, identity theft. According to the Computer Economics 2006 IT Security Study, companies with over $750 million in annual revenues lag behind mid-size firms in relative spending for IT security, adoption rates for security technologies, and deployment of best practices for IT security management. The study also concluded that many companies of all sizes fail to implement a number of basic security best practices. “For example, 65% of all organizations do not provide periodic IT security training for their employees, and 67% do not conduct periodic software audits of desktop computers to ensure that unauthorized programs or content are not present.” The common response given by executives when asked about their IT security was that their security budgets were not adequate to provide the level of security and training needed. Most of the IT security spending increases occurred within small to mid-size companies [4]. The interesting part of this tragic comedy is that while the number of information security crimes is increasing, the severity of these crimes is also worsening; yet, most companies are not authorizing more money for IT security.

Many companies may not take the proper steps to protect consumer personal data, but they have made sections of their web sites dedicated to security.

Almost all of the web sites for the major banking institutions have a section containing information on how to reestablish one’s life after identity theft. There are also many toll-free numbers that assist consumers in reporting and preventing such crimes. Some companies have even found a way to profit off of identity theft by offering an “Identity Theft Insurance” service in which the company will reimburse victims for money stolen and provide periodic credit reports. Companies feel that this is enough to keep consumer trust. Thus far, it has. However, to security experts these policies and web disclosures create an illusion of security and give consumers false hopes about their security capabilities. Sooner or later the pennies that companies invest in flimsy privacy insurance plans will surface.

Providing Consumers with the Right Information

When identity theft gets to the point where it takes a large chunk out of the corporate bottom line, companies will take a more active role in getting the right information to consumers. Until then, consumers are on their own or they can read the “security center” section of their bank’s web site for a few pointers. Although it may appear that corporations are the only ones at fault, consumers also play a role in the assurance of information security. Consumers must take it upon themselves to protect their own personal information. In doing so they must recognize that this responsibility can only be met with a change in their behavior.

Perhaps companies could introduce new, interactive content that will help consumers take the proper steps to protect their identifiable information. Although new content will not inspire everyone to change, it would reach the people that want to protect themselves.

Conclusion

Can consumers get their lives back? Yes and no. Consumers cannot get back what they have already exposed about themselves; however, they can learn to protect themselves for the future. The truth is that consumers do care about protecting themselves. This was proven in Maslow’s hierarchy of needs; human beings feel that their personal safety comes second to breathing and eating. Personal safety can mean many different things, but it most definitely includes the protection of the thing most precious to all people—their identity.

Companies should not take all of the blame, but they should take more of an active role in arming consumers to protect themselves against thieves and other entities that may cause harm through stealing personal data. In the end, consumers should not be paranoid about protecting their personal data. They should be vigilant.

[1] The Identity Theft Resource Center. Facts and Statistics: Find out More about the nation’s fastest growing crimes. October 2006. http://www.idtheftcenter.org/factsandstats_1006.pdf

[2] Poynter, Ray. “People do not ‘Value’ their Privacy and Security”. The Future Place Blog. January 18th, 2007. http://thefutureplace.typepad.com/the_future_place/2007/01/people_do_not_v.html

[3] Business Week/Harris Poll. Business Week. March 20th, 2000.

[4] “The 2006 IT Security Study”. Computer Economics. 2006. http://www.computereconomics.com/article.cfm?id=1100
