Before you read the report, test your cybersecurity knowledge by taking the interactive quiz. The short quiz tests your knowledge of questions recently asked in a national poll. After completing the quiz, you can compare your score with the general public and learn more about the terms and topics in each question.
In an increasingly digital world, an individual’s personal data can be as valuable – and as vulnerable – to potential wrongdoers as any other possession. Despite the risk-reducing impact of good cybersecurity habits and the prevalence of cyberattacks on institutions and individuals alike, a Pew Research Center survey finds that many Americans are unclear about some key cybersecurity topics, terms and concepts. A majority of online adults can identify a strong password when they see one and recognize the dangers of using public Wi-Fi. However, many struggle with more technical cybersecurity concepts, such as how to identify true two-factor authentication or determine if a webpage they are using is encrypted.
This survey consisted of 13 questions designed to test Americans’ knowledge of a number of cybersecurity issues and terms. Cybersecurity is a complicated and diverse subject, but these questions cover many of the general concepts and basic building blocks that cybersecurity experts stress are important for users to protect themselves online. However, the typical (median) respondent answered only five of these 13 knowledge questions correctly (with a mean of 5.5 correct answers). One-in-five (20%) answered more than eight questions accurately, and just 1% received a “perfect score” by correctly answering all 13 questions.
These are the key findings from an online survey of 1,055 adult internet users living in the United States conducted June 17-27, 2016.
Cybersecurity knowledge varies widely by topic and level of technical detail
Of the 13 questions in the survey, a substantial majority of online adults were able to correctly answer just two of them. First, 75% of online adults can correctly identify the strongest password from a list of four options. The correct password in this case is the password that does not contain words in the dictionary; does contain letters, numbers and symbols; and has a combination of both upper and lower case letters. A similar share (73%) is aware that if a public Wi-Fi network is password protected, it does not necessarily mean that it is safe to perform sensitive tasks, such as online banking, using that network.
Meanwhile, around half of internet users are able to correctly answer several other questions in the survey. Some 54% of internet users are able to identify examples of phishing attacks. Similarly, 52% correctly say that turning off the GPS function of a smartphone does not prevent all tracking of that device (mobile phones can also be tracked via the cellular towers or Wi-Fi networks to which they are connected).
Additionally, 49% of internet users know that Americans are legally entitled to get one free copy of their credit report annually from each of the three major credit bureaus. This issue is not specifically related to any technical aspects of cybersecurity, but cybersecurity experts recommend that anyone who uses the internet for financial or other sensitive transactions regularly check their credit reports to discover evidence of identity theft or other kinds of fraud. A similar share (48%) can correctly define the term “ransomware.” This refers to criminals accessing someone’s computer, encrypting their personal files and data, and holding that data hostage unless they are paid to decrypt the files.
Americans’ practical understanding of email and Wi-Fi encryption is also relatively mixed: 46% of internet users are able to correctly identify that the statement “all email is encrypted by default” is false. Some email services do encrypt users’ messages, but this is not a standard feature of all email services. At the same time, 45% correctly identify the statement “all Wi-Fi traffic is encrypted by default on all wireless routers” is also false.
Public knowledge of cybersecurity is lower on some relatively technical issues
Internet users’ understanding of the remaining cybersecurity issues measured in the survey is lower – in some cases dramatically so. For instance, 39% of internet users are aware that internet service providers (ISPs) are able to see the sites their customers are visiting while utilizing the “private browsing” mode on their internet browsers. Private browsing mode only prevents the browser itself, and in some cases the user’s computer or smartphone, from saving this information – it is still visible to the ISP. And one-third (33%) are aware that the letter “s” in a URL beginning with “https://” indicates that the traffic on that site is encrypted.
Meanwhile, just 16% of online adults are aware that a group of computers that is networked together and used by hackers to steal data is referred to as a “botnet.” A similar share (13%) is aware that the risks of using insecure Wi-Fi networks can be minimized by using a virtual private network, or VPN.
Lastly, cybersecurity experts commonly recommend that internet users employ “two-factor” or “multi-factor” authentication on any account where it is available. Two-factor authentication generally requires users to log in to a site using something the user knows (such as a traditional password) along with something the user possesses (such as a mobile phone or security token), thus providing an additional layer of security in the event that someone’s password is hacked or stolen. But when presented with four images of different types of online login screens, just 10% of online adults are able to correctly identify the one – and only one – example in the list of a true multi-factor authentication process. In this case, the correct answer was a picture of a login screen featuring a temporary code sent to a user’s phone that will only help them login for a limited period of time. Several of the other answer options illustrated situations in which users were required to perform a secondary action before accessing a page – such as entering a captcha, or answering a security question. However, none of these other options are examples of two-factor authentication.
A significant share of online adults are simply not sure of the correct answer on a number of cybersecurity knowledge questions
Although the share of online adults who can correctly answer questions about cybersecurity issues varies from topic to topic, in most cases the share providing an actual incorrect answer is relatively small. Rather, many users indicate that they simply are not sure of the correct answer to a large number of the questions in this survey.
At the low end, around one-in-five online adults indicate they are not sure how to identify the most secure password from a list (17%), how to identify multi-factor identification (18%) or whether public Wi-Fi is safe for sensitive activities (20%). At the high end, a substantial majority of internet users are not sure what purpose a VPN serves (70%) or what a botnet does (73%). There are also a number of other questions in this survey where “not sure” responses are markedly more common than incorrect answers. These include the definition of ransomware, whether or not email and Wi-Fi traffic are encrypted by default, whether private browsing mode prevents ISPs from monitoring customer activity and how to identify whether or not a webpage is encrypted. In fact, there is only one question on the survey – how to identify a multi-factor authentication screen – for which a larger share of respondents answer incorrectly than indicate they are not able to answer the question at all.
Those with higher levels of education and younger internet users are more likely to answer cybersecurity questions correctly
Internet users’ knowledge of cybersecurity varies by several demographic factors. The most consistent differences are related to educational attainment.
Those with college degrees or higher answered an average of 7.0 of the 13 questions in the survey correctly, compared with an average of 5.5 among those who have attended but not graduated from college and an average of just 4.0 for those with high school diplomas or less.
Roughly one-quarter (27%) of those with college degrees answered 10 or more questions correctly, compared with 9% of those who have attended but not graduated from college and just 4% of those with high school diplomas or less.
On all 13 questions in the survey, there is at least an 11 percentage point difference in correct answers between the highest- and lowest-educated groups. And there are four questions with a difference of 30 percentage points or more between the highest- and lowest- educated groups. These include whether or not Wi-Fi traffic is encrypted by default on all wireless routers (a difference of 34 points); what “https://” in a URL refers to (32 points); whether or not all email is encrypted by default (32 points); and the definition of ransomware (31 points).
Cybersecurity knowledge also varies by respondent age, although these differences are much less dramatic than the differences pertaining to educational attainment. Indeed, on a number of these questions internet users age 65 and older are just as knowledgeable as those ages 18 to 29. For instance, older and younger users are equally likely to be able to identify a phishing attack, identify the most secure password from a list and know how many free credit reports Americans are entitled to by law. However, younger users score higher on certain questions – such as whether “private browsing” mode prevents ISPs from tracking users’ online activities (a 27 point difference) or whether turning off the GPS feature on a smartphone disables all tracking of that device (a 23 point difference).
Overall, 18- to 29-year-olds correctly answered a mean of 6.0 out of 13 questions, compared with a mean of 5.0 among those 65 and older.