Achievement unlocked: How behavioral science transforms device security
12th January 2023
Why this security no-brainer gets pushback, and what you can do about it
Last time we looked at why dirty password habits are so persistent. This time we’re taking stock of locks—or a lack thereof. Be it PIN, pattern, or biometrics, a lock screen is a cybersecurity cornerstone.
It’s the most basic of security measures. And with remote and hybrid working environments, paired with people’s ever-growing collection of portable devices, it’s more important than ever.
Because if they’re not securing their devices, they’re opening themselves—and your organization—up to security risks like data theft and identity theft.
What are we up against?
Safe to say, not everyone is making the right choices with their devices.
Take your colleague, Tony, for instance. He locks his house every morning before leaving for work. Locks his car when he heads for the office. And even locks his shed full of old lawnmowers.
But Tony doesn’t lock his smart phone.
It’s clear that Tony’s receptive to security messaging. He already has some good security habits, and he’ll adopt one more, with a little nudge in the right direction.
While Tony’s behavior is concerning. It’s just as concerning as people that do lock their devices, but use simple PINs like 1-2-3-4 or their birth year.
And that’s because people just don’t think a cyberattack is something that would ever happen to them. But shoulder-surfing and smudge attacks are more common than most would like to believe.
The science part
A recent study looked at screen lock behaviors and perceptions, how long it took to create security information, and how memorable it was. The researchers also looked at how long it took to log in, how often login attempts were successful, and whether screen size made a difference to screen lock functions.
Here are a few thought-provoking insights:
People spend an hour every month (about two minutes a day) to unlock their devices. On average, that’s only 2.9% of their overall screen time.
Out of the nearly 3,500 situations the participants were asked to consider, shoulder-surfing was considered a potential risk in just 11 of them.
Size matters: people found it quickest to use a pattern on a tablet, and a PIN on a phone.
Patterns are better remembered than PINs. This is because it’s easier to remember an image than a string of numbers.
12 percent of people write down their password in order to remember it.
3 in 4 people choose difficult patterns (e.g. 8-1-6-4-3) over easy patterns (e.g. 1-2-3-6-5). 90 percent of people opted for a difficult PIN instead of an easy one.
Crucially, another recent study showed a short, informative video explaining the risks of unauthorized access to people who didn’t lock their devices. And it worked. Just this simple intervention changed their behaviors.
So, what does all of this mean for your security strategy?
If 75 percent of people are choosing difficult patterns over easy ones, it means they’re willing to make some extra effort if it keeps data safe, and they just need some support, education and encouragement.
A lot of people forget their logins. So, encourage biometrics and password managers.
Don’t overlook simple interventions like raising awareness through a short video.
You can read more about how using lock screens links to security risks on SebDB.
Or, if we’ve got you thinking about influencing behaviors across the board, why not take a look at our whitepaper on behavior change.