Consumers Prefer Security Over Convenience For the First Time Ever, IBM Security Report Finds (techrepublic.com)
A new study by IBM Security surveying 4,000 adults from a few different regions of the world found that consumers are now ranking security over convenience. For the first time ever, business users and consumers are now preferring security over convenience. From a report: TechRepublic spoke with executive security advisor at IBM Security Limor Kessem to discuss this new trend. "We always talk about the ease of use, and not impacting user experience, etc., but it turns out that when it comes to their financial accounts...people actually would go the extra mile and will use extra security," Kessem said. Whether it's using two-factor authentication, an SMS message on top of their password, or any other additional step for extra protection, people still want to use it. Some 74% of respondents said that they would use extra security when it comes to those accounts, she said.
Not that it really matters... (Score:5, Insightful)
Because you know that some dumbass in the home office is storing their admin passwords in cleartext for everyone to see.
The security auditors always focus on things like crazy password policies and front end security scans, but it's always something stupid like what I mentioned above that screws it up for the rest of us.
Re: (Score:3)
Security auditors generally follow a script and the scripts are generally badly written. There are a lot of us security experts out there who have a wider perspective, who knew long before the 2017 NIST about-face that traditional password policies are bullshit, and who smile politely when the security auditors come.
And if some dumbass stores the admin password in cleartext, or writes it on a post-it, then there's a 90% chance that your password policy is to blame.
Really? (Score:2)
The answers are meaningless -- actions speak louder than words. What these survey takers have done is found the right question to ask that 4000 people knew the "right" answer to, and they got the "right" answer even if it didn't match reality. It's called "push polling". The only true way to say that people prefer security over convenience is by counting the number of people who actually USE security
Re:Really? (Score:5, Insightful)
(. No system can guard against user stupidity.)
Users sometimes do stupid things. If you don't account for that, you are failing.
Re: (Score:2)
Users DO do stupid things. They're users.
And now, so many organizations have been breached, public, private, corporate, even small operations that people try to think about security because:
Most everyone in the USA (I'll take my home country as an example) knows someone whose credit info has been snarfed (Equifax), military security/secrets info (OPM breach), health (how many insurers and hospitals now?) that it's almost impossible to be an American without having the taint of having your privacy for sale s
Re:Really? (Score:4, Insightful)
For example, I am right now trying to recall the password for a gmail account. I can't remember when I created the account, I don't remember the only password the account has ever had so I can't tell them what one of the old passwords was, and even though I enter the code they send me by email they refuse to believe I am me. Right now, security is getting in the way of getting something done.
They gave you multiple ways to protect yourself from security getting in the way, and the system is the problem?
Hope this clarifies how much your "example", isn't.
Re:Really? (Score:4, Informative)
They gave you multiple ways to protect yourself from security getting in the way,
If you don't remember the password, asking for the password doesn't protect you from the security. Do you remember when you created every account you have? And why bother sending a "secret code" to another email address if you're just going to ignore it? Those are the three ways they give me.
Most of the "in the way" is the fact that the web page just hangs after you enter the code. So yes, that's their problem. Otherwise, I said "getting in the way", not whose fault it wasn't working was.
Re: (Score:2)
Only 4000 of them.
I generally agree with what you wrote, but not this. A sample size of 4000 people is PLENTY. There are a lot of things you can do to make surveys and polls more accurate, like ensuring the respondents are representative of the population, and asking unbiased questions, but "asking more people" makes very little difference.
Asking a few dozen people would have got them within 5% of the "real" answer, and a few hundred would have an error of less than 1%. So asking 4000 people is way overkill. The problems
BS (Score:1)
I've worked with end users for 25 years. Security over convenience? 100% BULLSHIT. Not a chance.
Re: (Score:3)
I've worked with end users for 25 years. Security over convenience? 100% BULLSHIT. Not a chance.
Exactly. Security has never been a priority over convenience, and asking 4,000 people sure as shit isn't proof.
What they say (Score:2)
versus what they will do. Anyone can say they prefer A over B. But when the time comes will they really choose A. There are many companies out there that have been burned when market research said one thing, but what the customer did was something else. I guess what it comes down to is marketing and advertising. A fear campaign would work. Maybe.
They will finally stop using IE 6? (Score:4, Funny)
If this were true (Score:2)
Then people wouldn't use the same damn password on most of their accounts.
Re: (Score:3)
Oh, BTW, TFA needs to get a clue. SMS texts are not a NIST approved 2FA mechanism [fortune.com] anymore, for good reason.
complete bullshit (Score:2)
Never believe what people say. (Score:4, Insightful)
Some 74% of respondents said that they would use extra security
I'll believe this when they actually start doing it.
People in surveys say all sorts of things. What they actually do is often entirely different. And what they will do in the long term is entirely different again.
Actually (Score:2)
allies, not enemies (Score:2)
Been preaching this for 10+ years: Usability and security are allies, not enemies.
If your usability is good, your users make fewer mistakes, which leads to fewer unintentional issues.
Phishing is largely a usability thing. I have a couple slides about that, the very short version is that all the info you need to spot a phishing mail is typically hidden, while all the info that lures you in is prominent.
Proper decision making by users can be guided through usability, to prevent them from doing stupid things.
Use
Re: (Score:2)
Been preaching this for 10+ years: Usability and security are allies, not enemies.
"Usability" is not "convenience". Convenience and security truly are enemies; usability and security are orthogonal concepts.
You can have a website with the best UX in the world, but if the access controls to get there are inconvenient, users will often opt for more convenience in place of security.
I could PGP sign every piece of email I send from my tablet. The UX is there. It's not convenient, so I don't. (Set up a key pair, publish the right half, teach all my correspondents how to decrypt it, etc. None
Sure. (Score:2)
Re: First time ever (Score:1)
Re: What two-factor?? (Score:1)
dysfunctional child (Score:2)
I used to be a dysfunctional child and now prefer reduced functionality caused by tight security. Privacy Badger is my latest ally in fighting 'the man'.
When you get to a web page full of blanks that doesn't make a lot of sense you get to realise how much we are being taken for a ride.
Pictures, videos, tables can be tracking us, they used to be called viruses.
Now it is just accepted as normal for companies to automatically provide us with what we want to experience.
18 trackers (Score:2)
Your link to TechRepublic also leads to 18 potential trackers
and yes, my blocking broke the video which probably says no more than the text.
Can blind people have a preference of color? (Score:1)
If the people with preferences do not have the ability to assess if their preferences are being met, they will still use shitty products.