The project sets out to study the level of awareness and perception of IT security amongst university students, paying particular attention to the world of mobile devices. The report analyses the answers given by 1012 students from over 15 Italian universities to a multiple-choice questionnaire. The analysis shows that students’ perception of their knowledge is generally wrong and that they are unaware of the risks arising from their behaviour. In view of these risks, a proposal has been made to implement technical and legal measures to reduce future problems deriving from faulty or lax adoption of security measures on their mobile devices.
2. 2
Security of The Digital Natives
Aim of the study
The goal of this survey is twofold: on the
one hand the focus is on the awareness
and knowledge of the university students
trying to understand what is their perception
of security compared to their actual
knowledge; on the other hand we focus on
outlining the threat landscape on the basis
of their habits, on the way they use their
mobile devices, on the type of data they
store and on the operations they perform.
3. 3
Security of The Digital Natives
Who we are
Tech and Law Center is an interdisciplinary
center promoted by a research group
composed of members from Università di
Milano, Università di Milano–Bicocca,
Università dell’Insubria and Politecnico di
Milano. The center projects and events
address digital technologies and their
interaction with law and society.
4. 4
Security of The Digital Natives
The research team
Giuseppe Vaciago
Tech and Law
Executive
Committee
Francesca Bosco
Tech and Law
Executive
Committee
Valeria Ferraris
Researcher
Pasquale Stirparo
Tech and Law
Fellow
5. 5
Security of The Digital Natives
The research team
Stefano Zanero
Tech and Law
Executive
Committee
Pierluigi Perri
Researcher
Davide Ariu
Tech and Law
Fellow
Brikena Memaj
Tech and Law
Member
6. 6
Security of The Digital Natives
Giuseppe Vaciago has been a lawyer of the Milan Bar since 2002 and for the last 10
years his primary focus has been IT Law with a focus on cyber crime. He has
assisted many national and international IT companies. He is the author of many
publications on cybercrime, including both scientific journals and textbooks, which
have been adopted by the University where he teaches. Academically, he received
his PhD on Digital Forensics from Università di Milano and he is a lecturer at
Insubria University (Varese and Como) where he holds a course on IT law. He has
also delivered many lectures and presentations in both Italy and abroad.
He attended Fordham Law School and Stanford Law School as a Visiting Scholar to
expand his studies in his own particular research area
He is member of the executive committee of Tech and Law Center and fellow at the
Nexa Center and at the Cybercrime Institute of Koln.
Twitter: @giuseppevaciago
Lawyer at Milan and
Professor of IT Law
Partner at R&P
Legal
Giuseppe Vaciago
Giuseppe Vaciago
7. 7
Security of The Digital Natives
Francesca Bosco earned a law degree in International Law and joined UNICRI in
2006 as a member of the Emerging Crimes Unit. In her role in this organization Ms.
Bosco is responsible for cybercrime prevention projects, and in conjunction with key
strategic partners, has developed new methodologies and strategies for researching
and countering computer related crimes.
More recently, Francesca is researching and developing technical assistance and
capacity building programs to counter the involvement of organized crime in
cybercrime, as well as on the legal implications and future scenarios of
cyberterrorism and cyber war. Furthermore, she is researching and managing
projects on hate speech online and on data protection issues related to automated
profiling.
Francesca is one of the founder of the Tech and Law Center, she is in the Advisory
Board of the Koln Cybercrime Institute and she is currently a PhD candidate at the
University of Milan.
Twitter: @francibosco
UNICRI Project
Officer and PhD
student at Università di
Milano Bicocca
Francesca Bosco
Francesca Bosco
8. 8
Security of The Digital Natives
Pasquale Stirparo is Digital Forensics Engineer and founder of SefirTech, a
company focusing on Mobile Security, Digital Forensics and Incident Response.
Prior to found SefirTech, Pasquale was working at the Joint Research Centre (JRC)
of European Commission as Digital Forensics and Mobile Security Researcher, with
particular interest on the security and privacy issues related to mobile devices
communication protocols, mobile malware and cybercrime. He has also been
involved in the development of the standard “ISO/IEC 27037: Guidelines for
identification, collection and/or acquisition and preservation of digital evidence”, for
which he led the WG ISO27037 for the Italian National Body in 2010.
Author of many scientific publications, he has also been invited as speaker to
several national and international conferences and seminars on Digital Forensics
and lecturer on the same subject for Politecnico di Milano and United Nations
(UNICRI). Pasquale is Ph.D. candidate at the Royal Institute of Technology (KTH)
of Stockholm, holds a MSc in Computer Engineering from Politecnico di Torino and
he’s certified GCFA, OPST, OWSE, ECCE.
Twitter: @pstirparo
Digital Forensics
Engineer,
Founder at
SefirTech
Ph.D. candidate at
Royal Institute of
Technology (KTH)
Stockholm.
Pasquale Stirparo
Pasquale Stirparo
9. 9
Security of The Digital Natives
Chapters of
the
report LEGAL AND POLICY
MAKING
CONSIDERATIONS
ANALYSIS OF THE
QUESTIONNAIRES
CONCLUSIONS AND
RECOMMENDATIONS
TECHNICAL
CONSIDERATIONS
11. 11
Security of The Digital Natives
The survey was carried out using a questionnaire containing 60 multiple-choice questions divided into
sections related to the different aspects of the issue: practice patterns for smartphones, tablets and
laptops; approach to the various networks; and, for all the applications on the devices, the use of
passwords, the perceptions of the security risks, and the general interest in and knowledge of the topic.
The target population was university students. The administration of the questionnaire was carried out
anonymously through the platform “Google Form” from September to November 2013 and it involved
over 15 Italian Universities.
1012 questionnaires were collected. These presented responses from a wide range of geographic areas
and degree choices (with a good mix of students from both the sciences and the humanities).
Methodological remarks
12. 12
Security of The Digital Natives
This group represents the 38,3%.
This group represents the 24%.
This group represents the 37,4 %.
Light users
Medium
users
Heavy users
Users Groups
The statistical technique helped in identifying 3 well-diversified groups, each one presenting
homogeneous characteristics useful to define 3 users’ profiles
13. 13
Security of The Digital Natives
The sample: gender and
study
Communication Science 8,9 %
Law 29,6%
Other Faculties
22,2%
Computer science and engineering 39,3
%
Smartphones and tablet users are 58% male and 42% female, in line with male higher presence in
IT studies.
14. 14
Security of The Digital Natives
The use of mobile devices
Some preliminary questions aimed at understanding how students use their mobile devices and what they save on the
devices. .
take photos and
videos with their
smartphones and
tablets
70
%
they store personal
passwords on their
devices.
27,7
%
they save
contacts/photos
and videos
97
%
75
%
“always or often”
make phone calls,
receive text
messages/e-mails;
browse the web;
use Skype, social
apps
15. 15
Security of The Digital Natives
The knowledge and fear of risksHow worried they are about the security of their mobile devices
33,4%
5,6%
53%
8%
16. 16
Security of The Digital Natives
The knowledge and fear of risksHow secure they feel when doing these activities with their mobile
devices
17. 17
Security of The Digital Natives
Protect mobile
devices with PIN
number
28,8
%Protect mobile
devices with pattern
lock
23,9
% Protect mobile devices
with
password/passphrase
6,6
%Protect mobile devices with
biometrics (e.g.voice
recognition)
0,6
%
The password use and management and the
technologies to protect mobile devices
18. 18
Security of The Digital Natives
Technical solutions to protect data in mobile
devices
20% of the students do not know what these solutions are and another 20% do not use them. Among the
systems used:
19. 19
Security of The Digital Natives
Final question on self assessment
How they assess their knowledge on mobile
security (%)
21. 21
Security of The Digital Natives
Students pay
absolutely no attention
at all to the password
relevant security
requirements and they
simply use the
predictable password
Students installs
software and
applications from
unauthorized stores or
without giving
importance at right of
access
Mobile device is
passed on to someone
else, in particular
where they are sold as
second hand or lent to
someone.
PASSWORD APPS SHARING
Results of the survey and possible
scenarios
22. 22
Security of The Digital Natives
of students
interviewed save,
on their device,
pins and
passwords used for
private services 1
27
%
Results of the survey and possible
scenarios
of students
interviewed do not
log out after using a
service online
40
%
of students
interviewed very
rarely or never check
the type of
permissions required
when downloading an
app
53
%
of students
interviewed use open
Wi-Fi systems to
connect to the Internet
on their mobile device
using all types of
functions
41%
23. 23
Security of The Digital Natives
of students interviewed do not use a
password to protect their mobile device 40%
of students interviewed said that, when
asked to change their password, the new
password that they create takes the form
of a minor variation on the previous one
41%
is currently using two-factors
authentication 5%
Password is tiring...
It follows that one of the most critical issues to be tackled in the IT field is the fact that users need to be
persuaded to use a password that can actually operate to protect their data. Our research in fact revealed
that
24. 24
Security of The Digital Natives
Identity Theft – A fragmented
scenario
1.Lack of specific legislation on ID Theft
2.Lack of National reporting System on ID
Theft
3.Different Penalties from Country to
Country
Comparative Study on Legislative and Non Legislative
Measures to Combat Identity Theft and Identity
Related Crime: Final Report”, RAND Europe, June
2011.
25. 25
Security of The Digital Natives
Identity Theft
1.Introduction of an ad hoc Legislation
2.Reinforcement of the collaboration between
national investigative bodies via an EU contact
Network
• Centralized reporting system on EU Basis
A good example: CONSAP Project on ID Theft for the following
project: Financial, TELCO and Insurance (Legislative decree
64/11)
26. 26
Security of The Digital Natives
The Italian Data Protection Authority focus attention on the correct use of mobile devices with its 'Fatti
smart!' ['Be Smart!'] campaign
ENISA organize in the next months a cybersecurity championship where university students compete on
Network Information Security Challenge
Cybersecurity Campaign
Initiative
27. 27
Security of The Digital Natives
Security v. Usability
54.5% of the students go onto sites that require
authentication via Google or Facebook.
This confirms the extent to which usability is a
determining factor in terms of the level of trust that
a user places in an online service.
Usability is the central issue to increase the levels
of security of the mobile device
28. 28
Security of The Digital Natives
1.D. Solove: “Schools are gathering and sharing a
mammoth amount of personal data”
2.There is no a clear Security policy for mobile devices in
the Italian University
3.Not only the students, but also the Professor are not
always aware of cybersecurity risks
D. Solove, 5 Things School Officials Must Know About Privacy
The Regulation of Mobile Devices in
Universities
In certain American universities security standards (e.g. HIPAA) are imposed for mobile devices owned
by students and university staff (Bring Your Own Device- BYOD) in order to verify their security levels
(use of anti-virus software, updates to the operating system and encryption systems)
29. 29
Security of The Digital Natives
Awareness Responsibility Response
Ethics Democracy Risk
assessment
Proposed Solutions and
Initiatives
Security
design and
implementation
Security
management
Reassessment
31. 31
Security of The Digital Natives
When asked to evaluate their knowledge of mobile security issues, on a scale from 1 to 10, a
significantly high percentage of the respondents (55%) graded themselves between 6 and 8. This,
however, contrasts with the average percentage of “correct” technical answers of the questionnaire,
which was 29%.
This discrepancy between perceived knowledge and actual knowledge conveyed through answers to
technical questions, was confirmed by the different levels of confidence at the beginning and at the end
of the survey.
After going through the security questions in the survey, the confidence of university students on their
level knowledge falls from 82% of respondents evaluating their confidence above 6 before the survey, to
66% at the end.
The possibility of a potential bias induced by the Dunning-Kruger effect should be taken into
consideration, which is a cognitive bias in which unskilled individuals suffer from illusory superiority,
mistakenly rating their ability much higher than is accurate. This bias is attributed to a metacognitive
inability of the unskilled to recognize their ineptitude.
Awareness, knowledge and (false)
perception
32. 32
Security of The Digital Natives
Habits and behaviors that may impact all
security aspects, reflecting on all the
threats.
Habits that involve personal data and
potential security and privacy threats.
Habits that may have economic
consequences (losses) for the individuals.
General
Identity Theft
Economical
Security ThreatsThreats that may arise from the students' behavior and habits
33. 33
Security of The Digital Natives
General Security
Issues
Which concerns how respondents behave with respect to software updates and application
permissions
7% Of respondents
perform regular
updates to both
mobile OS and
apps
81
%
Is the share of iOS
devices in the wild
outdated for longer
than a year
4% of Android in the
wild still run the 3
years old
Gingerbread
version
24%
do not regularly
update their
mobile operating
system (OS) or
their mobile apps
Oddly enough,
presence in the
market of old mobile
OS versions, mainly
related to Android
phones, is still very
high.
34. 34
Security of The Digital Natives
General Security
Issues
Which concerns how respondents behave with respect to software updates and application
permissions
53,8%
25,5%
20,7%
Moving to the installation and usage of apps,
almost 54% of the respondents never or rarely
check the permissions apps require. Such
behavior is a dangerous trend that needs to be
addressed: overlooking the privileges an app
requires increases the proliferation of malware,
since users will install and click on “YES” on
anything
35. 35
Security of The Digital Natives
of users store their Address Book
on their phones equiping it with
personal photos and videos96%
just 25% of responders regularly log
out when done using an app
25%
do not use any lock mechanism to
prevent non-authorized access to the
device
40%
claimed to forsake the security
features in order to maintain easy
access to the device
52
%
Identity Theft
36. 36
Security of The Digital Natives
It appears that users very often do not check the permissions required by the apps. This may be due to
the fact that on some mobile platforms (Android, Windows Phone) permissions are granted in an “all or
nothing” form.
This is a dangerous model that trains people to overlook permissions, because they want to install that
application not matter what the requisites are.
This result becomes more worrisome if linked with the fact that 17% of the respondents install mobile
applications from untrusted sources other than the official application markets.
These two results together support the proliferation of mobile malware and particularly of the category of
“toll fraud”, where the application silently subscribes the user to premium-rate SMS services.
Economical Threats & the risk of mobile
malware
37. 37
Security of The Digital Natives
What about Secure Development?
8,5%
40,1%
28,2%
Among the respondents who declared to
develop mobile applications (either for fun or
profit), only 28% was following the guidelines for
secure mobile programming.
23,2%
38. 38
Security of The Digital Natives
From the questionnaire emerged that the respondents are inclined to regularly update their devices. We
can infer from this that they are conscious of the importance of software updates, but also that the
procedures to update mobile devices and apps are considerably more intuitive than they used to be in
the “desktop” environment.
However, this result appears to be in contrast with a some worrisome statistics concerning the number of
mobile devices running outdated OSs.
The reason of this, we can argue, is that the responsibility of this lies on reasons such as the market
policies of carriers and manufacturers and, in the case of the Android platform, even in the extreme
fragmentation of the market.
Therefore a key role is played by vendors, who should be required to grant software updates for their
products for a longer period of time .
Proposed solutions and initiativesFrom a Manufacturers and Vendors perspective
39. 39
Security of The Digital Natives
Should allow users to install the applications without being obliged to accept all the permissions
required. It has to be possible for users to revoke/grant any single permission at any time, without being
compelled to reject the entire application
Should provide, alongside the device reset functionalities, the possibility of removing the users’ private
data stored within the installed applications in a centralized and straightforward way.
Should deliver advanced solutions to ease password management. In fact, although most of the
respondents (85%) agree and understand the importance of having a passlock mechanism in place, still
most of them struggle to use them.
Proposed solutions and initiativesFrom the Mobile Operating System perspective
40. 40
Security of The Digital Natives
Could enforce the use of (strong) passwords, imposing that advanced features of certain applications
are enabled only if passwords have been properly configured. A similar approach could be adopted also
to enforce the use of non rooted/jailbroken devices.
Should be liable in case the application does not implement the security mechanisms required to ensure
the adequate storage and transmission of the users’ data. Policies, standards and laws should be
introduced that establish the responsibility.
Proposed solutions and initiativesFrom the mobile software development companies and individual developers
perspective
41. 41
Security of The Digital Natives
Contact Us
facebook.com/techandlawcenterinfo@techandlaw.net twitter.com/techlawcenter
Tech and Law
Center
www.techandlaw.net