Have you seen reports about massive increases in cybercrime during coronavirus: ransomware up 90 percent, data breaches up 223 percent? Noticed many major accounts getting hacked on Twitter? If so, you might be feeling a sense of déjà vu. If you were on the Internet in 2009, you would have heard that cybercrime had doubled. You would also have heard about the growth of cybercrime and that police departments were staffing up to stop it.

Most of us probably feel like we’re asked to do a lot to protect ourselves online. Constantly changing passwords, entering two-factor authentication codes to log in to websites, updating our computers, and maybe even running antivirus software. The laundry list of security advice to follow is ever increasing: researchers recently documented over 400 unique pieces of advice about security and privacy available online. To help you stay on top of things, you can even sign up to receive daily security advice emails.

How is it that we’re constantly expending effort on digital security, but cybercrime keeps rising? It turns out, even the security experts giving this advice don’t really know what you should do to stay safe from the crimes reported in those sensational news stories. 

The argument for security advice seems clear. In contrast to physical crime, which requires proximity, cybercrime gives attackers global reach. Residents of leafy suburbs in the US don’t usually have to worry about criminal gangs half a world away, but cybercrime changes this. The Internet brings criminals from every part of the world into one shared space, hugely increasing the set of people who might attack you. As security expert Bruce Schneier writes, “In cyberspace, you can set your computer to look for the one-in-a-hundred thousand chance. You’ll probably find a couple dozen every day.” To combat this cybercrime, we’re asked to take on an ever-growing list of security actions to protect our computers and our accounts.

You might presume that there is a large body of evidence showing that if you do what you’re told—use strong passwords, run your antivirus software—you’ll significantly reduce your risk of cybercrime.

Unfortunately, you’d be wrong. Despite the prominence of digital security advice, we know remarkably little about its effectiveness. In medicine, new treatments and healthy behavior recommendations must go through a rigorous set of clinical studies before doctors start making suggestions to patients. Yet, for online security—on which many of us spend more time than on our physical health—there is little such evidence.

Coronavirus has given us an education in the importance of making evidence-based decisions and adjusting those decisions as we learn more. For example, our understanding of which types of gatherings are risky and the importance of wearing masks has changed and adapted in response to new information. Yet, no matter how pressing the need, we won’t release a vaccine, or even recommend mask usage, without unambiguous demonstration of efficacy.

How well do most cyber defenses work? The answer is ‘We don’t know.’ Any time a new possible digital attack is discovered, new recommendations come out to prevent it, even if the probability of that attack taking place is extremely small. For example, in the last six months alone, new lists of security advice have already been produced to help you stay safe from contact tracing scams, stimulus payment scams and unemployment relief scams, despite no known evidence of the prevalence or longevity of these attacks.

The main source of information about online scams and what to do about them is security experts. However, the recommendations offered by these experts turn out to be inconsistent across time and among experts. Even experts struggle to identify which security advice is most important. Recent research found that 41 security experts asked to rate hundreds of pieces of security and privacy advice ended up categorizing 118 unique pieces of advice as being among the “top five” most important things for people to do to protect themselves!

Ask a security expert about the importance of strong passwords and you are likely to be told about pass-phrases, about the influence of length and composition on the number of guesses an attacker will have to make, and about how many billions of password guesses a computer can make per second. What you will certainly not hear about is any data showing that those who choose stronger passwords do better than those with weak passwords.

Why not? First, we know little about the level of risk individual Internet users face. How likely am I to be the victim of a cybercrime in the next year? The answer is unclear. Why? Because many of the estimates of cybercrime losses cover enterprise rather than consumer costs, and attempts to survey consumer losses often rest on methodology so flawed that we cannot trust the conclusions. If you ask any doctor, she could give you a fairly precise estimate of the number of people who will develop cancer in the next year. If you ask any security expert, she would be hard pressed to give you a data-driven estimate of the number of people whose Twitter accounts will be compromised in the same time period.

Second, we have no evidence of how well a given security behavior advised by experts prevents a particular online risk. What we do have is an incoherent and growing collection of actions aimed in the general direction of an amorphous collection of harms.

It turns out that none of us—even security experts—have good data on what we ought to be doing to stay safe online. Now this doesn’t mean we can do nothing, or that ignoring threats is advisable. But, the evidence supporting what we’re supposed to do to stay safe online doesn’t come close to meeting the standards we expect from medicine and other fields. So, you can stop feeling guilty for not listening to every piece of online security advice: you’re not wrong if you suspect that not all of it is necessary. And digital security experts can take this as a call to catch up to data-driven standards of evidence: changing the behavior of billions of people is a lot easier if you come bearing data.