IBM Security's 2018 survey of 4,000 adults worldwide found that for the first time in the history of their research, the majority of users say that they'd take extra steps in the name of "security" even if it meant that their usage would be less "convenient."
This is a false dichotomy, of course: having your identity stolen or your email published on the web or your baby monitor turned into a spycam is extremely inconvenient. The few moments you take at the outset to generate a strong, per-site password (which may be laborious to key into mobile devices) or to change some defaults are more convenient than remediating the damage done from a security breach down the line.
So it's fairer to say that users are slashing the time-based discount they assign to security breaches, likely due to a complex set of factors: they or people they know have likely suffered direct harm as a result of breaches; they've updated their threat model to include crimes of opportunity (this being the problem with the attitude that "no one would target me, I'm not rich/special/interesting); and a growing knowledge that security breaches are cumulative, as data from one breach is merged with data from subsequent breaches to unlock more and more ambitious attacks.
I call this "peak indifference," the moment at which the number of people who care about something only goes up because of the irrefutable evidence of danger and harm. Security is a public health problem -- a problem where actions are separated by a lot of time and space from consequences, making hard to assess their impact; and where one person's risk ripples out to affect friends and strangers alike (your email breach includes the private messages all your correspondents have sent to you). Like climate change, tobacco-related cancer and other public health problems where there is a financial interest in maintaining the status quo, information security's progress has been slowed by expensively-sown doubt by companies like Facebook and the ad-tech industry, who insist that there is really no risk to the aggregation of personal information in leaky databases.
As with other public health problems, we are in a race between peak indifference and the point of no return, when it's too late to do anything about it.
Based on findings in the report, people are aware of the data breaches that are happening to companies and consumers alike—with the US leading in terms of people who are aware of data breaches.
"They understand that there's something they can do to prevent it, and they need to secure their accounts," she said. "We figure that could be a reason, especially when it comes to where their money lays. They want to make sure that's more secure."
Consumers prefer security over convenience for the first time ever, IBM Security report finds [Dan Patterson/Tech Republic]