Journal of Information Privacy and Security, 10: 186–202, 2014 Published with license by Taylor & Francis ISSN: 1553-6548 print / 2333-696X online DOI: 10.1080/15536548.2014.974429

Comparing the Mobile Device Security Behavior of College Students and Information Technology Professionals

Mark A. Harris, University of South Carolina
Steven Furnell, Plymouth University
Karen Patten, University of South Carolina

Downloaded by [University of South Carolina] at 09:35 16 January 2015

Mobile devices are now a standard part of both personal and workplace information technology (IT) usage. However, they introduce a variety of security concerns that users are failing to address. This article examines and compares the security preparedness of 227 IT and non-IT college students about to enter the workforce and 83 predominately non-security-focused IT professionals. Results indicate that all groups put their data and connected networks at risk by failing to properly secure their personal mobile devices. Suggestions include organizational mobile device security policies and mobile device security awareness and training for both current and incoming employees.

© Mark A. Harris, Steven Furnell, and Karen Patten. Correspondence should be addressed to Mark A. Harris, IT-ology Tower, Suite 1010, 1301 Gervais Street, Columbia, SC 29201. E-mail: [email protected]

INTRODUCTION

Mobile devices, including smartphones and tablets, have rapidly developed in the past 5 years to the point where they can no longer be ignored by organizations. In 2013, Lookout (2013) predicted people would purchase 1.2 billion mobile devices, surpassing personal computers (PCs) as the most common method for accessing the internet. Overall revenue from market application sales for 2013 was predicted to be 25 billion dollars (Lessin & Ante, 2013). The practice of bring your own device (BYOD), by which people use their own mobile devices for both personal and work-related tasks, is also rapidly increasing. For example, the SANS Institute recently reported 61% of respondent organizations allowed BYOD access to resources (SANS, 2012). Information technology (IT) professionals dealing with the new influx of mobile devices on their networks need to properly manage the associated security. Managing mobile device security is not a simple task and is not being handled adequately in many organizations. A recent study of IT security professionals revealed that 68% of them have no way of identifying known mobile device vulnerabilities on their networks (Tenable Network Security, 2012). To quote from the report:


Nearly all survey respondents said mobile devices present a security threat to their business, yet 67% said they either have no controls in place for mobile device usage on their network, or employees simply ignore existing mobile device usage policies. (p. 1)

Of course, the lack of policy and controls does not represent a problem if usage and behavior with mobile devices are naturally aligned with security and protection. However, the reality of the situation quickly suggests that this alignment is not the case. This article provides evidence of why organizations need mobile device security policies, awareness, and training for their employees. It begins by outlining some of the key threats that apply in the mobile context, with specific focus upon the issues that apply to Android and iOS, which represent the dominant OS platforms in the smartphone and tablet markets. Having examined the security concerns, the discussion then moves on to present evidence that these remain issues significantly unrecognized among the end-user population. This focus is achieved by examining survey evidence from two key groups, namely students and IT professionals. The former represent the next generation of workplace users, as well as representatives of the Generation Y population that has grown up with the technology around them. Meanwhile, the IT professionals represent the current workplace users, and specifically a segment of the population that would be expected to be conversant with IT-related risks. In both cases, however, the findings reveal tangible weaknesses in security behavior and consequently point towards the need for clear policy and related awareness and training if mobile devices are to be used safely in a workplace context.

MOBILE DEVICE INSECURITY

As of April 2014 worldwide, Android accounted for 49.95% of pocket-size mobile device OSs, such as smartphones, and Apple’s iOS accounted for 23.25% (Statcounter, 2014). For tablets worldwide, iOS accounted for 71.93% and Android accounted for 24.75%. Of the types of devices connecting to the 15 billion websites monitored by Statcounter, the pocket-size mobile devices accounted for 23.53% of all monitored website connections, an increase of 10% compared with the previous year. Tablets accounted for 5.83% of all monitored website connections.

In addition to the increased worldwide market share of Android has come an increased concern for security. Android has more serious security concerns with malware, application markets, privacy, and data protection than does iOS. While both Android and iOS have security concerns, Android’s concerns are much more problematic for BYOD devices in an organization. A significant factor here is that the openness of the operating system (OS) and its application market has served to make it the platform of choice for malware writers. However, iOS is not immune from security concerns, particularly if the device is jailbroken. Indeed, one of the biggest threats to organizations is BYOD devices that have been jailbroken (iOS) or rooted (Android). These actions serve to remove many of the security restrictions originally protecting the device, allowing users more freedom with their device, but also potentially allowing malware more access (Shinder, 2010).

One of the largest and fastest-growing threats to mobile device security is malware. Gartner predicts mobile application downloads will reach 139 billion in 2014, up from just 64 billion in 2012 (Gartner, 2014). While malware can be found in both Apple iOS markets and Android markets, Android malware is growing and spreading much more rapidly. Android malware saw a 600% increase in 2013 compared to the year before, and 92% of the known strains of malware targeting mobile devices were for Android (IBM, 2013). In fact, Android now exceeds PCs for malware attacks in the United States (Mansfield-Devine, 2013). Of the malware written in 2013, 98% targeted SMS text messaging (Cisco, 2014). Malware of this type can send text messages in the background without the user’s knowledge. Just more than 78% of Lookout’s 2012 malware detections fell into this category and cost the average user $9.99 a month (Lookout, 2012).

Another problem affecting both platforms is fake applications. Fake malware applications look and work like “the real thing” to entice the user to download and install them, but they also contain malicious code that can be used for varying purposes. Security firm Arxan reports that all of the top 100 applications for Android and 92 of the top 100 applications for iOS had fake malware versions available as of mid-2012 (Arxan, 2012). Most fake malware applications are found on third-party application sites, which are easy for Android users to access and more difficult for iOS users to access.

Since Android and Apple account for more than 85% of the mobile market and Android is rapidly growing, this article focuses on these two platforms only. Android is an open-source platform where developers can modify the software, create cutting-edge applications, and bring applications to market quickly. Developers are also aided by Android’s available developer tools and a quick “vetting” process. A vetting process should at least include checking the background of the developer and thoroughly inspecting the application for appropriateness, proper software development, and malicious code. However, a problem with the Google Play market is a lax vetting process (Greenberg, 2012).
Google has recently attempted to better vet software developers that are known to develop malware, but the vetting process falls far short of Apple’s (Greenberg, 2012). It may also be noted that iOS users are tied to Apple’s own application store unless they jailbreak their device, and thus any software installed on an iOS device should have passed the same vetting procedure. Meanwhile, the vetting process on third-party markets, where Google and Apple have little control, can be much worse, as in the rogue markets that contain most of the malware (Arxan, 2012). However, not all Android third-party markets are the same, and not all vet developers and applications in the same manner as the Google Play market; some are more stringent. For example, Amazon’s App Store for Android has a more stringent vetting process than Google Play (Strohmeyer, 2011) and has a similar vetting model to Apple’s App Store (Lookout, 2011). Android users have multiple markets available with very different levels of security, which can be a major security risk without proper awareness and training.

Google has also recently attempted to address malware problems with the Google Play market by scanning new applications for known malware and testing new applications in a simulated environment (Greenberg, 2012). To catch malware downloaded from third-party markets, Google added malware scanning to its Jelly Bean 4.2 version. However, the scanner does not check for modifications to the code after the initial installation, such as can occur when an application updates. This is a problem when applications execute new code after installation, which bypasses the application screening process (Greenberg, 2012).

Another problem with the Android platform is the availability of multiple carriers and vendors that do not follow a particular standard, leading to old versions of the OS still on the market (Mansfield-Devine, 2012a).
As of May 2014, Kit Kat 4.4 was the latest version of Android. However, only 8.5% of the devices on the market had this version (Android, 2014). The previous version, Jelly Bean 4.3, also accounts for 8.5% of the market and Jelly Bean 4.2 accounts for 18.8%. For devices with the built-in application scanning feature just discussed, only 35.8% have 4.2 or higher. The first version of Jelly Bean, 4.1, accounts for 33.5% of the market, which makes it the most popular version on the market; it was initially released in July of 2012. Ice Cream Sandwich, which was released in 2011, accounts for 13.4%. Older still, Gingerbread, which was released in 2010, accounts for 16.2% of the market. Older versions of the OS pose security risks because they lack many of the security updates present in the current versions. Contrary to Android, Apple’s latest iOS version 7 has an 88% adoption rate as of May 2014 (Apple, 2014).

Adding to the problem of malware vulnerability in the Android platform is the slow rate of user updates when OS and other software patches are available. Research suggests that the time it takes for half of the Android users to update their software is 8 to 10 months, and the likelihood they would buy a new device was greater than the likelihood they would update their old device’s software (Mansfield-Devine, 2012a). Patches may still be made available for older OSs when necessary, but users must install the patches to receive the security update.

Unlike Android, Apple iOS is a closed OS and is controlled by Apple. Only one manufacturer makes devices for the platform and there is no fragmentation of the OS (Mansfield-Devine, 2012b). Thus, from a security point of view, 88% of Apple users using the latest version of the OS is clearly much better than Android’s 8.5%. Adding to the security of iOS is the App Store, which is controlled by Apple with a strong vetting process for developers and applications. Users must jailbreak their devices in order to access third-party markets outside of the App Store, and Apple does not permit jailbreaking. Jailbreaking actually voids the warranty on Apple devices (Kingsley-Hughes, 2013b).
However, a large percentage of Apple iOS devices are jailbroken because many people like Apple products but do not like being limited (Mansfield-Devine, 2012b). In addition, the jailbreaking problem may be getting worse. When the iOS 6.1 version was released in January 2013, 7 million jailbreak downloads occurred in the first four days on the market, which is more jailbreak downloads than ever before (Greenberg, 2013). Jailbroken (Apple) and rooted (Android) devices pose tremendous threats to any organization, and many IT security professionals have called for a ban of all jailbroken and rooted devices on corporate networks (Kingsley-Hughes, 2013a).

Wi-Fi is still a problem for mobile devices, just as it is for laptops and wireless PCs. As of 2012, 71% of iOS users and 32% of Android users in the U.S. used both mobile and Wi-Fi networks to access the Internet (Comscore, 2012). Older Wi-Fi protection, wired equivalent privacy (WEP) and Wi-Fi protected access (WPA), were easily cracked and considered insecure (Bradbury, 2011; Gold, 2011). WPA2, the current standard for protecting Wi-Fi, was considered secure until 2010 when it too became crackable (Gold, 2011). To better secure WPA2 at home, security experts now recommend the use of 20+ digit WPA2 passphrases (Gold, 2011). Experts also recommend the use of virtual private networks (VPNs) versus Wi-Fi in all circumstances, but especially when using public Wi-Fi networks (Gold, 2011). VPNs create an encrypted tunnel between the device and the VPN server for secure data communication.

Overall, the strategic plans of Google and Apple in regard to their OS platforms are the reason for the security differences. Apple is more secure because of the control placed on its devices. However, this control makes some users feel like they are being told what to do and how to act with their devices, thus causing some to want to rebel by jailbreaking their devices and removing restrictions.
Contrary to Apple is Google, which lets Android users have a lot of freedom in deciding how to use their devices. However, with this freedom comes risk, and thus the reason for the malware problem. This risk is the same risk that Apple users take when they jailbreak their devices.


Given these various threats highlighted, plus some wider elements of good security practice, the following is a baseline list of recommendations that mobile device users should follow (with supporting sources cited in each case for readers that may wish to obtain further details). This list is adapted from Harris and Patten (2014), where a more detailed list of security practices was created for small businesses. These security practices apply regardless of whether the device is for personal or business use, but become particularly relevant in the BYOD context where employees are utilizing devices that the organization does not directly manage or control. Companies allowing mobile devices on their networks would clearly be safer if all employees followed these basic recommendations:

• If supported by the OS, use encryption to protect data on the device (Federal Bureau of Investigation [FBI], 2013; InfoSec, 2013);
• Review and understand Android application permissions (FBI, 2013; InfoSec, 2013);
• Use credentials to protect the device from unauthorized physical access (FBI, 2013; InfoSec, 2013);
• Install antivirus protection on Android devices (He, 2013; Shih et al., 2008);
• Install firewall protection on Android devices (InfoSec, 2013; McAfee, 2012);
• Do not jailbreak or root the device (InfoSec, 2013; La Polla, Martinelli, & Sgandurra, 2013);
• Try to avoid unknown wireless networks (FBI, 2013; InfoSec, 2013);
• When able to configure Wi-Fi access points, use 20+ character passphrases with WPA2 (Gold, 2011);
• Perform timely software updates (FBI, 2013; He, 2013);
• Do not install illegal or unauthorized software (InfoSec, 2013);
• Do not install software from untrustworthy markets (i.e., many third-party markets) (McAfee, 2012);
• Back up data (McAfee, 2012);
• Avoid clicking on unknown links (FBI, 2013; McAfee, 2012);
• Use remote data wipe if the device is lost or stolen (InfoSec, 2013; McAfee, 2012); and
• Avoid storing usernames and passwords on the device or in the browser (Coninsync, 2013).

Having established some key risks, and what should be done in response, the discussion now moves on to assess the extent to which such behaviors are found in practice. This assessment is achieved via the examination of survey findings obtained from mobile device users in practice, with studies having addressed both the emerging generation of device users and a more established set of IT practitioners (thus enabling a potential comparison in their respective attitudes and behavior).
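The baseline list above is the kind of thing an organization running a BYOD program would want to evaluate automatically against enrolment or MDM inventory records rather than leave to each user. The following Python script is an added example, not part of the article or of Harris and Patten (2014): it encodes the recommendations that can be checked from device attributes as a small policy-as-code audit, scopes the antivirus and firewall controls to Android as the list does, compares OS versions numerically, and reports both per-device failures and the share of applicable devices failing each control. The `Device` schema, the three sample records, and the minimum-version thresholds (Android 4.2, which the article identifies as the first release with built-in application scanning, and iOS 7, the latest release it reports) are assumptions of this example.

```python
"""Policy-as-code audit of the article's baseline mobile device recommendations.

Added example. The Device schema, sample records and version thresholds are
constructed for illustration; none of it is survey data from the article.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Device:
    """Attributes an MDM or enrolment form might collect (hypothetical schema)."""
    owner: str
    platform: str              # "android" or "ios"
    os_version: str            # dotted version string, e.g. "4.1.2"
    encrypted: bool            # on-device storage encryption enabled
    screen_lock: bool          # passcode, pattern or other credential required
    antivirus: bool
    firewall: bool
    rooted_or_jailbroken: bool
    remote_wipe_enabled: bool
    third_party_markets: bool  # installs apps from markets other than Google Play / App Store
    stores_credentials: bool   # browser or apps allowed to save usernames and passwords
    wifi_passphrase_len: int   # WPA2 passphrase length on the user's home access point


# Minimum versions treated as "current" by this check (assumption of the example).
MIN_VERSION = {"android": "4.2", "ios": "7"}


def version_tuple(version: str) -> tuple[int, ...]:
    """'4.1.2' -> (4, 1, 2) so versions compare numerically ('4.10' > '4.9')."""
    return tuple(int(part) for part in version.split("."))


def os_current(d: Device) -> bool:
    return version_tuple(d.os_version) >= version_tuple(MIN_VERSION[d.platform])


# (control name, platforms it applies to or None for all, predicate True when compliant)
RULES = [
    ("device encryption", None, lambda d: d.encrypted),
    ("screen lock credentials", None, lambda d: d.screen_lock),
    ("antivirus installed", {"android"}, lambda d: d.antivirus),
    ("firewall installed", {"android"}, lambda d: d.firewall),
    ("not rooted or jailbroken", None, lambda d: not d.rooted_or_jailbroken),
    ("OS version current", None, os_current),
    ("no third-party markets", None, lambda d: not d.third_party_markets),
    ("remote wipe enabled", None, lambda d: d.remote_wipe_enabled),
    ("credentials not stored on device", None, lambda d: not d.stores_credentials),
    ("WPA2 passphrase of 20+ characters", None, lambda d: d.wifi_passphrase_len >= 20),
]


def failed_controls(d: Device) -> list[str]:
    """Names of the baseline controls this device fails, skipping ones that do not apply."""
    failures = []
    for name, platforms, compliant in RULES:
        if platforms is not None and d.platform not in platforms:
            continue  # antivirus/firewall are recommended for Android only in the list
        if not compliant(d):
            failures.append(name)
    return failures


def audit(devices: list[Device]) -> dict:
    """Per-device failures plus, per control, the share of applicable devices failing it."""
    per_device = {d.owner: failed_controls(d) for d in devices}
    rates = {}
    for name, platforms, _ in RULES:
        scope = [d for d in devices if platforms is None or d.platform in platforms]
        failed = sum(1 for d in scope if name in per_device[d.owner])
        rates[name] = failed / len(scope) if scope else None
    return {"per_device": per_device, "failure_rate": rates}


# Constructed sample records (not survey data).
SAMPLE_DEVICES = [
    Device("alice", "android", "4.1.2", encrypted=False, screen_lock=True, antivirus=False,
           firewall=False, rooted_or_jailbroken=False, remote_wipe_enabled=False,
           third_party_markets=True, stores_credentials=True, wifi_passphrase_len=12),
    Device("bob", "ios", "7.1", encrypted=True, screen_lock=True, antivirus=False,
           firewall=False, rooted_or_jailbroken=True, remote_wipe_enabled=True,
           third_party_markets=True, stores_credentials=False, wifi_passphrase_len=24),
    Device("carol", "android", "4.4.2", encrypted=True, screen_lock=True, antivirus=True,
           firewall=True, rooted_or_jailbroken=False, remote_wipe_enabled=True,
           third_party_markets=False, stores_credentials=False, wifi_passphrase_len=20),
]

if __name__ == "__main__":
    report = audit(SAMPLE_DEVICES)
    for owner, failures in report["per_device"].items():
        print(f"{owner}: {'compliant' if not failures else ', '.join(failures)}")
    for control, rate in report["failure_rate"].items():
        shown = "n/a" if rate is None else f"{rate:.0%}"
        print(f"{control}: {shown} of applicable devices fail")
```

Two points from the list deliberately have no rule here because they cannot be read off an inventory record: reviewing Android application permissions and avoiding unknown links or wireless networks are behaviours, which is exactly why the article treats awareness and training as necessary alongside policy.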

METHODOLOGY

The data for this study came from two surveys. The primary survey was conducted between early 2012 and the beginning of 2013, and targeted 227 college students in order to compare their security practices on personal mobile devices against some of the expert recommendations listed above. Although the respondents are students, this information is also important for organizations because these students already have or are about to enter the workforce with their mobile devices. The respondents came from three universities, two in the northeast United States and one in the southeast. Their professors recruited these students, and the survey was administered and tracked online using a survey management system via the student’s email address. Male students represented 67% of the responses and the average age of the respondent group as a whole was 23 years. Information technology students made up 62% and non-IT students represented the remaining portion. To investigate the possibility that IT students are more technology savvy and may impact the overall results, IT students were also compared to non-IT students.

In the fall of 2013, a second survey was issued to a group of 83 information technology professionals that worked for state government in the southeast United States. These participants were surveyed with the overall aim of investigating the state of mobile device security within their organizations. However, the survey also investigated how they secured their own personal devices, and utilized a related subset of the questions already answered by the college students. Where the same questions were used, the data are discussed in the following text. The IT professionals group averaged 21 years of professional experience, with an average age of 45 years, and again was based upon a predominantly male (62%) group. When asked about their IT education, 24% had earned associate’s degrees, 46% bachelor’s degrees, 27% master’s degrees, and none had earned doctorates or equivalent. In addition, 24% had earned at least one IT certification. Respondents held multiple IT positions, with nearly half (49%) reporting that they were IT managers. Meanwhile, 39% were project managers, 20% were systems analysts, and 15% were network administrators. Only 3% reported being in IT security.

In this research, IT students, non-IT students, and IT professionals were compared because students and professionals represent different aspects of the workforce that are worthy of investigation. The IT professionals are established users who are expected to be familiar with current information technology as part of their job roles. University students, IT and non-IT, are the next-generation workforce, and it may be interesting to see if they are emerging with comparable, better, or worse security behavior than the users already in the workforce. IT students would instinctively be expected to have better background knowledge about how to use the technology, and potentially be more advanced in their use of it, and so be better positioned to protect it than their non-IT counterparts, who may be more interested in using the technology and less in securing it.

RESULTS

The findings from the survey exercises are summarized and discussed in the subsections that follow, with specific attention being given to the issues of device ownership and usage, the security concerns and safeguards reported by the respondents, and the impacts of related organizational policies and practices. Key results are summarized in table form, although it should be noted that the format varies according to whether certain questions were posed to all of the respondent groups in the same manner (and consequently some tables do not include results relating to IT professionals).

Device Ownership and Usage

The participants were asked if they owned a smartphone, tablet, or laptop/PC, as shown in Table 1. Based on their response, they were asked a series of security questions specific to the devices they owned. This section will discuss the results in relation to some basic security recommendations listed above.

TABLE 1
Device Ownership by Information Technology (IT) and Non-IT Professionals (Pros) and Students: Smartphone, Tablet, Laptop/Personal Computer (PC)

Device        IT Students (n = 152)   Non-IT Students (n = 75)   All Students (n = 227)   IT Pros (n = 83)
Smartphone    93%                     76%                        86%                      93%
Tablet        28%                     30%                        29%                      83%
Laptop/PC     97%                     99%                        98%                      100%

TABLE 2
Device Operating Systems (OS) Used by Information Technology (IT) and Non-IT Professionals (Pros) and Students: Smartphone, Tablet, Laptop/Personal Computer (PC)

Device / OS   IT Students (n = 152)   Non-IT Students (n = 75)   All Students (n = 227)   IT Pros (n = 83)
Smartphone
  iOS         49%                     55%                        51%                      48%
  Android     48%                     34%                        43%                      46%
Tablet
  iOS         56%                     73%                        64%                      59%
  Android     33%                     23%                        29%                      34%
Laptop/PC
  Windows     82%                     81%                        82%                      84%
  Mac OSX     17%                     18%                        17%                      14%

A typical smartphone was identified to participants as a phone with a touch screen that allows users to download and install applications from markets, with Apple’s iPhone, Samsung’s Galaxy, and Motorola’s Droid as examples. Tablets were identified as wireless portable computers with touchscreens that allow users to download and install applications from markets, with Apple’s iPad, Google’s Nexus, and Amazon’s Kindle as examples. A typical PC was identified as a personal computer, such as a desktop computer, that has a larger box-like processing unit and large monitor. PCs typically run OSs such as Windows, Mac OSX, or Linux. Laptops were identified as mobile computers that are larger than tablets and typically run PC OSs, like Windows or Mac OSX.

Table 1 and Table 2 display the percentage of users from each group that owned smartphones, tablets, or laptop/PCs and what OSs were utilized. Laptops or PCs are owned by almost everyone surveyed, which is not surprising. The only numbers that stand out from Table 1 are that 93% of IT students and professionals own smartphones compared to only 76% for non-IT students. One potential reason may be that IT people are technology savvy and have a higher interest in smartphone technology or owning the latest gadget. The only noticeable trend for device OSs in Table 2 was that IT students and professionals tend to purchase more Android devices than non-IT students. One possible reason for this is that IT people feel more comfortable with technology and they enjoy the freedom Android allows. For example, Android allows for easy installation of third-party market applications, which may attract more technology-oriented people.

Those that owned devices were then asked to rate their expertise in securing their devices, using a 7-point Likert scale (with higher values indicating greater expertise).
Table 3 summarizes the results, noting that this question was not among those posed to the IT professionals group (however, it is an area in which they would have been expected to rate themselves higher than the average).

TABLE 3
Expertise in Securing Devices by Information Technology (IT) and Non-IT Students: Smartphone, Tablet, Laptop/Personal Computer (PC)

Device        IT Students (n = 152)   Non-IT Students (n = 75)   All Students (n = 227)
Smartphone    4.84                    4.72                       4.80
Tablet        4.97                    4.50                       4.78
Laptop/PC     5.36                    4.82                       5.16

It is notable that most considered themselves to have more expertise in securing laptops/PCs than the other devices, and this perhaps makes sense given that these devices have been available for many more years and people are more familiar with their security, such as updating the OS, virus definitions, and other components. Smartphones and tablets are new technology that is rapidly changing, thus users are not as familiar with their security. It also makes sense that IT students would be more comfortable with securing their devices than non-IT students. Again, a more technology savvy person might rate their expertise higher than a non-technology oriented person.

Security Concerns and Safeguards

When asked how worried they were about their devices being targets for malware, smartphones and tablets led the concerns expressed amongst the students, as summarized in the findings in Table 4 (again, the IT professionals group was not asked this question). Students were least worried about laptops/PCs, which matches well with the previous question about their expertise with security. They were most comfortable with securing laptops/PCs and least worried about malware with their laptops/PCs. The respondents’ greater confidence is likely a reflection of their comfort with the technology and the fact that they have anti-virus protection on their laptops, whereas mobile device technology is new and evolving and antivirus is still less common.

TABLE 4
Worry by Information Technology (IT) and Non-IT Students About Malware Infecting the Device: Smartphone, Tablet, Laptop/Personal Computer (PC)

Device        IT Students (n = 152)   Non-IT Students (n = 75)   All Students (n = 227)
Smartphone    4.84                    4.94                       4.87
Tablet        4.97                    4.38                       4.74
Laptop/PC     4.20                    4.18                       4.19

While the overall self-reported level of expertise in securing their devices was on the higher side, the actual level of security told a different story, as summarized by the findings in Table 5. All groups, including the IT professionals, failed to adequately protect their devices with antivirus and firewalls. This supports results from Mylonas, Kastania, and Gritzalis (2013), which found that smartphone security software was poorly adopted and considered non-essential.

TABLE 5
Use of Security Safeguards by Information Technology (IT) and Non-IT Professionals (Pros) and Students: Smartphone, Tablet, Laptop/Personal Computer (PC)

Device / Safeguard     IT Students (n = 152)   Non-IT Students (n = 75)   All Students (n = 227)   IT Pros (n = 83)
Smartphone
  Antivirus∗           51%                     23%                        45%                      54%
  Firewall∗            37%                     14%                        31%                      39%
  Authentication       72%                     65%                        69%                      64%
  Software Updates     76%                     70%                        73%                      N/A
Tablet
  Antivirus∗           27%                     33%                        29%                      26%
  Firewall∗            13%                     17%                        14%                      10%
  Authentication       74%                     42%                        61%                      64%
  Software Updates     77%                     58%                        69%                      N/A
Laptop/PC
  Antivirus            82%                     85%                        83%                      98%
  Firewall             85%                     80%                        83%                      85%
  Authentication       88%                     81%                        86%                      88%
  Software Updates     77%                     65%                        72%                      N/A

∗ Responses relate to Android users only.

Antivirus software is the first application that should be installed on a device and there are many free versions available for mobile devices and PCs. While it was not surprising that antivirus and firewall software was not properly utilized on smartphones and tablets, it was surprising that antivirus was not installed more on laptops/PCs for the college students. People who have familiarity with PCs should know that antivirus and firewall protection is necessary and available for free.

Authentication credentials are considered passwords, phrases, patterns, or other mechanisms needed to access a device. The use of authentication is important to prevent unauthorized physical access to a device, especially if the device is lost or stolen. However, while much better than antivirus and firewall installation, this was still poorly represented amongst the respondents. Given that mobile devices are frequently lost or stolen (indeed, one in four of the respondents reported having suffered this), it is of clear concern that more than 30% of the students’ smartphones and nearly 40% of the students’ tablets required no credentials to access the device. This demonstrates little improvement compared with the results of a 2010–2011 survey that showed nearly 50% of survey participants’ mobile devices failed to utilize authentication credentials (Imgraben, Engelbrecht, & Choo, 2014). The IT professionals did not fare much better, with more than 35% of their smartphones and tablets requiring no credentials. In fact, IT students did as well as or better than IT professionals at requiring credentials for all devices, although the devices were still poorly configured. This issue can be more problematic for those that allow their device’s software to store usernames and passwords, such as e-mail and calendar applications (a factor later explored in another question).

Software updates are frequently used to patch vulnerabilities within an OS and applications—failing to patch security flaws can lead to extended exposure to the vulnerability, thus increasing risk. It is interesting to observe that this issue was the best-reported category for the newer classes of mobile devices, but the worst for laptops. This finding potentially reflects the relative ease and stability that providers have sought to ensure with the mobile OS.


TABLE 6
Software Installation by Information Technology (IT) and Non-IT Students: Smartphone, Tablet, Laptop/Personal Computer (PC)

Device / Installation                  IT Students (n = 152)   Non-IT Students (n = 75)   All Students (n = 227)
Smartphone
  Installed minimum 1 application      98%                     100%                       98.5%
  Installed minimum 5 applications     86%                     86%                        86%
  Installed minimum 10 applications    72%                     69%                        71%
Tablet
  Installed minimum 1 application      100%                    96%                        98.5%
  Installed minimum 5 applications     87%                     81%                        85%
  Installed minimum 10 applications    67%                     73%                        70%
Laptop/PC
  Installed minimum 1 application      100%                    99%                        99.5%
  Installed minimum 5 applications     92%                     86%                        90%
  Installed minimum 10 applications    75%                     67%                        72%

Since the largest risk to mobile devices comes from malware, a survey question sought to investigate how many applications users installed on their devices, as summarized by the findings in Table 6. This question was not asked of the IT professionals. The question was asked to demonstrate that the devices were actually used to download and install applications, thus potentially exposing the device to application malware. For all devices, nearly all survey respondents installed at least one application, nearly 70% of students installed 10 or more applications, and one in five smartphone users and one in four tablet users installed more than 25 applications. While these numbers demonstrate the installation of applications on all devices from all groups, it was somewhat interesting that IT students installed the most applications on laptop/PCs and non-IT students installed the least on laptop/PCs compared with the other devices.

Having established the safeguards present on the devices, it was also relevant to consider the way in which the devices were used, particularly in terms of any behaviors that might serve to increase risk. The responses to a set of related questions are summarized in Table 7, and discussed in the paragraphs that follow (noting again that some of the questions were not posed to the IT professionals, and are therefore denoted as N/A in the table).

Installing software from third-party markets is especially risky. Most malware and fake applications are found on third-party markets (Arxan, 2012). Nearly one in five smartphone and tablet student participants install applications from third-party markets, so it is especially important that these students maximize protection by fully utilizing antivirus and firewall applications, as well as the other basic security precautions.

Jailbroken and rooted devices are considered one of the top security threats to mobile devices. IT students are more than twice as likely to jailbreak or root their devices than non-IT students. Even the IT professionals are more likely to jailbreak or root. Jailbreaking or rooting a device requires some technical savvy that may discourage non-technical people from doing so. The technical savvy of IT students and professionals may indeed lead to more risky behaviors than non-technical people.

Given the personal nature of the devices, it is perhaps not surprising to find that many participants use them to store personal data. However, adopting this practice should ideally be

196

HARRIS ET AL.

TABLE 7 Potentially Risky Behaviors by Information Technology (IT) and Non-IT Professionals (Pros) and Students: Smartphone, Tablet, Laptop/Personal Computer (PC)

Device

Downloaded by [University of South Carolina ] at 09:35 16 January 2015

Smartphone

Tablet

Laptop/PC

Safeguard Installing software from third-party application markets Jailbreaking or rooting of mobile devices Storing personal data (other than photos and video) Allowing mobile applications to store authentication credentials Installing software from third-party application markets Jailbreaking or rooting of mobile devices Storing personal data (other than photos and video) Allowing mobile applications to store authentication credentials Storing personal data (other than photos and video) Allowing applications to store authentication credentials

IT Students Non-IT Students All Students IT Pros (n = 152) (n = 75) (n = 227) (n = 83) 20%

19%

19%

N/A

31% 72%

15% 54%

26% 66%

21% N/A

40%

35%

38%

38%

18%

15%

17%

N/A

18% 46%

8% 50%

14% 48%

17% N/A

44%

42%

43%

31%

84%

78%

82%

N/A

62%

60%

61%

40%

accompanied by recognition of the increased risk that results from doing so if the device is lost, stolen or otherwise compromised. However, the lack of associated security practices reported in other responses would seem to indicate that this realization is still lacking. Allowing browsers and applications to store credentials may introduce a risk in the event of device loss/theft or malware infection by enabling unauthorized parties to gain access to the owner’s accounts. As such, storing credentials in mobile devices is considered a security risk and should be avoided. Considering the large percentages of participants that failed to properly use authentication credentials, these results show even larger percentages of users allowing credentials to be saved in browsers and applications. A lost or stolen device in the hands of a perpetrator might give easy access to accounts, such as email. All participants were asked if they utilized data wipe software and the summarized findings are displayed in Table 8. Data wipe software can be used to remotely wipe a device clean of data if lost or stolen. While IT students performed better than any other group for mobile devices, including IT professionals, these percentages are alarmingly low considering the frequency these devices are used to store personal data and retain personal credentials to accounts. Of the college students that lost or had their smartphones stolen, one in four did not have a passcode to prevent access to the device. Only half of them had software installed to remotely wipe personal data. Because Wi-Fi access also has major security concerns and should be used with VPNs, questions were asked to investigate the use of Wi-Fi at home, work, and in public, as summarized by the findings in Table 9. More than80% of the respondents use Wi-Fi in public places and nearly

197

COMPARING THE MOBILE DEVICE SECURITY BEHAVIOR

TABLE 8 Use of Data-Wipe Software by Information Technology (IT) Professionals (Pros) and IT and Non-IT Students: Smartphone, Tablet, Laptop/Personal Computer (PC) Device

Downloaded by [University of South Carolina ] at 09:35 16 January 2015

Smartphone Tablet Laptop/PC

IT Students (n = 152)

Non-IT Students (n = 75)

All Students (n = 227)

IT Pros (n = 83)

57% 39% 26%

28% 31% 29%

47% 35% 27%

44% 23% 10%

TABLE 9 Use of Wi-Fi and Virtual Private Networks (VPNs) by Information Technology (IT) Professionals (Pros) and IT and Non-IT Students: Smartphone, Tablet, Laptop/Personal Computer (PC)

Safeguard

IT Students (n = 152)

Non-IT Students (n = 75)

All Students (n = 227)

IT Pros (n = 83)

Smartphone

Use Wi-Fi on public networks Use Wi-Fi at work Utilized VPNs

81% 57% 16%

84% 55% 15%

82% 56% 16%

N/A N/A 15%

Tablet

Use Wi-Fi on public networks Use Wi-Fi at work Utilized VPNs

77% 41% 18%

76% 64% 27%

77% 49% 21%

N/A N/A 17%

Laptop/PC

Use Wi-Fi on public networks Use Wi-Fi at work Utilized VPNs

74% 49% 40%

78% 45% 29%

76% 47% 36%

N/A N/A 51%

Device

half of them use it at work, but the use of VPNs is very low, especially on smartphones and tablets. Personal VPNs are inexpensive and many are free to students through their universities. Use of Wi-Fi at work was also fairly high, with More than half of students accessing work networks with their smartphones, the same smartphones that previous results determined were not properly secured. Even IT professionals fail to utilize VPNs adequately, with very low utilization on their smartphones and tablets. Questions were also asked about how Wi-Fi was configured at home. At home, only 55% of students reported they used WPA2 encryption and 25% reported they did not know what they used. While WPA2 is crackable, it is still the industry standard and more secure than WPA and WEP. To make WPA2 more difficult to crack, users should use 20+ digit passphrases. Only 7% of student respondents used 20+ digit Wi-Fi passphrases. In finding more interesting results, only 33% of students who jailbroke or rooted their devices had antivirus installed. Jailbreaking or rooting a device removes security and makes the device even more vulnerable to malware, thus antivirus is even more critical. In addition, only 37% of those that installed applications from third-party markets had antivirus installed. Third party markets are the primary source of malware and fake applications. When students were asked about using their mobile devices for work purposes, 74% of smartphone users and 56% of tablet users currently used their devices for job related activities,


such as accessing corporate e-mail. More than 78% of them expect to be able to use their personally owned device for work purposes. This should concern organizations, since many of the devices these students are using are inadequately secured, as the survey results demonstrate. Regarding security, 74% believe it is the employer's responsibility to provide security software for BYOD equipment. Not only should employers be aware of insecure devices accessing their networks, they also need to be aware that many users expect the employer to take responsibility for securing the devices.

Overall, surveyed students poorly secured their mobile devices, which does not bode well for their default security practices when they enter the workplace. Even worse, the IT professionals surveyed also exhibited poor security practices with their mobile devices. If similar security practices are found among other students and IT professionals, there is a lot of work to be done to rectify the situation.

Organizational Policies and Practices

The results clearly show that students hold themselves in relatively high regard with respect to securing their devices, but the results also show that this confidence is not borne out. Both students and IT professionals poorly secured their devices. These results contradict a previous study in which engineering students were found to be more aware of security risks and more secure than non-engineering students (Tan & Aguilar, 2012). For organizations, this creates several problems. Incoming employees may arrive with insecure devices and connect them to corporate networks; many from this survey already do. Current IT professionals within the organization may also have insecure devices. Organizations need to work to rectify this situation through awareness programs that make current employees, including IT professionals, and incoming employees aware of mobile device threats.
They then need to be trained on how to protect themselves and the company from such threats. This is particularly important for companies that do not manage mobile devices with mobile device management (MDM) systems, which can enforce security settings on users' devices. By calling for mobile device security awareness and training for both users and professionals, this research complements recommendations from Slusky and Partow-Navid (2012) and He (2013). He (2013) called for enterprises to train users on proper mobile device security, and Slusky and Partow-Navid (2012) called for user awareness training that links knowledge with practice. It is also a good idea to hold mobile device training more frequently because of the rapidly changing mobile device landscape.

In addition to awareness and training programs, companies also need to create mobile device security policies. All employed survey participants were asked if their companies currently had specific security policies in place for smartphones and tablets. The findings are summarized in Table 10, revealing that the existence of such policies (or at least the awareness of them) is clearly in the minority, with the notable indication that IT professionals report even lower encounters than the employed students.

TABLE 10
Employers That Have Mobile Device Security Policies in Place for Information Technology (IT) Professionals (Pros) and IT and Non-IT Students: Smartphone, Tablet

Device        IT Students   Non-IT Students   All Students   IT Pros
              (n = 152)     (n = 75)          (n = 227)      (n = 83)
Smartphone    41%           35%               39%            28%
Tablet        43%           30%               38%            22%

An examination of wider findings reveals that these results are not atypical. Many companies may have security policies already in place, but many lack specifics on mobile devices. For example, a SANS Institute survey found that only 41% of respondents felt strongly that they had policies to support BYOD (SANS, 2012). Results also indicate that 56% of respondents either did not have a policy regarding mobile devices or had "sort of" policies. The same study also found that many of those that did have mobile device security policies did not think they were adequate. Less than 50% felt confident they knew what devices or applications were accessing their network resources, and of those, only 49% felt that their current policies covered the basic concerns. Much of the problem with developing policies and managing mobile devices in the enterprise is due to the complex nature of the devices and the security management needed to protect them. Specific policies regarding mobile devices need to be created and communicated to employees, and mobile device security awareness should be added to the broader security awareness program. However, even this can represent a challenge, insofar as many companies do not have a security awareness program to begin with (CSI, 2011). Nevertheless, the results clearly show that action needs to be taken if mobile devices are to avoid significantly amplifying the risk to workplace systems and data.

Security awareness and training for most employees would involve the first two levels: awareness of the security problem and training to create competent security skills. Users of mobile devices need to be aware of threats and of the precautions that should be taken, and need to have competent skills to secure their devices.
Knowing that antivirus, firewalls, and data wipe software should be installed on mobile devices is different from understanding how to install and configure them. Knowing what VPNs are and that they should be used when mobile devices connect over Wi-Fi is different from training someone to configure VPNs on mobile devices. The overall message from the survey findings across all respondents is that mobile security practices still have a long way to go before mobile devices can be considered to be used safely. The threats are already recognized, and are increasing, but we appear to be witnessing the same lag in end-user practices that was seen with the emergence of threats on earlier generations of technology. However, with a greater level of technology dependence, and pervasive system and data access across the whole range of devices, the need for practices to catch up with the reality of the threat is greater than it has ever been before.
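The policy recommendation above can be operationalized as a device posture check that an organization runs against what employees report (or what an MDM system observes). The following Python is an added example, not code from the paper or its authors: the policy rules, the DevicePosture fields, and the respondent records are constructed assumptions that mirror the safeguards and risky behaviors the survey tabulates, and the summary reproduces the kind of cross-tabulation the paper reports (for instance, the share of jailbroken devices without antivirus).

```python
"""Mobile device security policy posture check (added example, not from the paper).

Encodes, as a hypothetical organizational policy, the safeguards and risky
behaviors the survey tabulates, evaluates constructed device records against
it, and reproduces the paper's kind of cross-tabulation (e.g. the share of
jailbroken devices that lack antivirus).
"""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class DevicePosture:
    """One self-reported device; fields mirror the survey's safeguard questions."""
    owner: str
    device: str               # "smartphone", "tablet" or "laptop"
    passcode: bool            # screen lock / passcode enabled
    antivirus: bool           # antivirus application installed
    remote_wipe: bool         # data-wipe software installed
    jailbroken: bool          # jailbroken (iOS) or rooted (Android)
    third_party_apps: bool    # installs from third-party application markets
    stores_credentials: bool  # lets apps or the browser save account credentials
    public_wifi: bool         # uses Wi-Fi on public networks
    uses_vpn: bool            # uses a VPN on those connections

# Hypothetical policy rules: (name, predicate that is True when the device complies).
POLICY = [
    ("passcode required", lambda d: d.passcode),
    ("antivirus required", lambda d: d.antivirus),
    ("remote wipe software required", lambda d: d.remote_wipe),
    ("jailbroken or rooted devices prohibited", lambda d: not d.jailbroken),
    ("third-party application markets prohibited", lambda d: not d.third_party_apps),
    ("storing credentials in apps or browsers prohibited", lambda d: not d.stores_credentials),
    ("VPN required when using public Wi-Fi", lambda d: d.uses_vpn or not d.public_wifi),
]

def violations(d: DevicePosture) -> List[str]:
    """Names of every policy rule the device fails (empty list means compliant)."""
    return [name for name, ok in POLICY if not ok(d)]

def is_compliant(d: DevicePosture) -> bool:
    return not violations(d)

def rate(records, cond, among=lambda d: True) -> float:
    """Percentage (1 decimal) of records meeting `cond`, among those meeting `among`."""
    pool = [d for d in records if among(d)]
    if not pool:
        return 0.0
    return round(100.0 * sum(1 for d in pool if cond(d)) / len(pool), 1)

def summarize(records) -> Dict[str, float]:
    """Survey-style risk indicators, the kind of figures the paper reports."""
    def no_av(d): return not d.antivirus
    return {
        "compliant": rate(records, is_compliant),
        "jailbroken_without_antivirus": rate(records, no_av, among=lambda d: d.jailbroken),
        "third_party_without_antivirus": rate(records, no_av, among=lambda d: d.third_party_apps),
        "public_wifi_without_vpn": rate(records, lambda d: not d.uses_vpn, among=lambda d: d.public_wifi),
        "no_remote_wipe": rate(records, lambda d: not d.remote_wipe),
    }

# Constructed records (not survey data); field order follows DevicePosture.
SAMPLE = [
    DevicePosture("alice", "smartphone", True, False, True, True, True, True, True, False),
    DevicePosture("bob", "tablet", True, True, True, False, False, False, True, True),
    DevicePosture("carol", "smartphone", False, True, False, True, False, True, False, False),
    DevicePosture("dave", "laptop", True, False, False, False, True, False, True, False),
    DevicePosture("erin", "tablet", True, True, True, True, True, True, True, True),
    DevicePosture("frank", "smartphone", True, True, True, False, False, False, False, False),
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(f"{d.owner:6} {d.device:10} -> {violations(d) or 'compliant'}")
    print(summarize(SAMPLE))
```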

CONCLUSIONS

Mobile devices are assuming an ever more significant role in people's personal and business lives, with the result that they now enable access to a far greater range of data and services than the devices of the past. As a consequence, they have come to represent a significantly greater risk, both as a result of the impacts that may arise from loss or theft and as a consequence of their becoming the specific targets of attack from threats such as malware. This combination of factors underlines the importance of using appropriate security safeguards to protect them, which in turn depends upon the awareness and buy-in of the user community. The findings presented in the paper have served to highlight a variety of weaknesses in the security attitudes and behaviors of mobile device users. While it may be tempting to assume that


many of the security problems we have faced in the past will diminish as a new, more technology-literate user base becomes the norm, the survey results provide a clear illustration that this may not be the case. Indeed, the results from the students show that the ability and inclination to protect the technology does not simply come about as a natural consequence of being comfortable in using it. Moreover, the fact that the IT professionals were also unable to report an established level of good practice suggests that such practices do not naturally come about as a result of longer-term experience either.

In terms of limitations, it must be acknowledged that the sample groups were not of uniform sizes or distributions, and that neither of the sample communities (students and IT professionals) can be considered naturally generalizable to a wider population. In addition, it should be recognized that the questionnaire results are representative of a particular point in time. While this characteristic is obviously true of any such survey, it is particularly notable in the context of these results, given the dynamic nature of the topic under study. As the underlying technology advances, the specific findings here will have progressively less validity, as the nature of the devices and applications, and the security perceptions associated with them, continue to evolve still further. Although the sample group for IT professionals was admittedly small (and thus, if generalizable at all, would only be to other state institutions from the home state of these professionals), the fact that it does not reveal notably different findings from those of the students suggests that what we are actually seeing across both groups is an indication of the (lack of) natural inclination towards security-aware behavior.
Relatively few of the respondents across any of the groupings had the benefit of policies to guide them, and this may again be linked to the security gaps reported in other areas. What emerges for organizations is a clear message that the use of mobile devices has a high likelihood of introducing new threats and increasing their overall level of risk. As such, they need to take a proactive stance in recognition of the fact that their data is likely to be held on mobile devices irrespective of whether those devices are company-issued, and that a BYOD culture may be in operation regardless of whether the organization has adopted a formal position on it.

The first step organizations need to take to protect themselves from mobile device security risks is to create a mobile device security policy. A properly developed policy will have management approval and will fit the organization's mission. The second step is to create an awareness and training program to teach employees about mobile device security and about the mobile device security policies. Employees need to be aware of mobile device vulnerabilities and best practices and need to be appropriately trained in order to develop the security skills necessary to properly protect their devices and subsequently adhere to what the policies expect of them.

REFERENCES

Android. (2014). Platform versions. Retrieved from http://developer.android.com/about/dashboards/index.html
Apple. (2014). Developer support center. Retrieved from https://developer.apple.com/support/appstore/
Arxan. (2012). State of security in the app economy: "Mobile apps under attack". Retrieved from http://www.arxan.com/assets/1/7/state-of-security-app-economy.pdf
Bradbury, D. (2011). Hacking Wi-Fi the easy way. Network Security, 2011(2), 9–12.
Cisco. (2014). Cisco 2014 annual security report. Retrieved from https://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf
Comscore. (2012). iPhones have significantly higher rates of Wi-Fi utilization than Android phones in the U.S. and U.K. Retrieved from http://www.comscore.com/Insights/Press_Releases/2012/4/iPhones_Have_Significantly_Higher_Rates_of_Wi–Fi_Utilization
Coninsync. (2013). Why you should avoid saving passwords on your smartphone? Retrieved from http://ww4.coninsync.com/
CSI. (2011). 2010/2011 Computer Crime and Security Survey. InformationWeek. Retrieved from http://reports.informationweek.com/abstract/21/7377/Security/research-2010-2011-csi-survey.html
Federal Bureau of Investigation (FBI). (2013). Smartphone users should be aware of malware targeting mobile devices and the safety measures to help avoid compromise. Retrieved from http://www.fbi.gov/sandiego/pressreleases/2012/smartphone-users-should-be-aware-of-malware-targeting-mobile–devices-and-the-safety-measures-to-help-avoid-compromise
Gartner. (2014). Gartner says mobile app stores will see annual downloads reach 102 billion in 2013. Retrieved from http://www.gartner.com/newsroom/id/2592315
Gold, S. (2011). Cracking wireless networks. Network Security, 2011(11), 14–18.
Greenberg, A. (2012). Google gets serious about Android security, now auto-scans app market for malware. Forbes. Retrieved from http://www.forbes.com/sites/andygreenberg/2012/02/02/google-gets-serious-about-android-security-now-auto-scans-app-market-for-malware/
Greenberg, A. (2013). Evasi0n is the most popular jailbreak ever: Nearly seven million iOS devices hacked in four days. Forbes. Retrieved from http://www.forbes.com/sites/andygreenberg/2013/02/08/evasi0n-is-the-most-popular-jailbreak-ever-nearly-seven-million-ios-devices-hacked-in-four–days/
Harris, M., & Patten, K. (2014). Mobile device security considerations for small- and medium-sized enterprise business mobility. Information Management & Computer Security, 22(1), 97–114.
He, W. (2013). A survey of security risks of mobile social media through blog mining and an extensive literature search. Information Management & Computer Security, 21(5), 381–400.
IBM. (2013). IBM X-Force: Ahead of the threat—overview. Retrieved from http://www-03.ibm.com/security/xforce/
Imgraben, J., Engelbrecht, A., & Choo, K. K. R. (2014). Always connected, but are smart mobile users getting more security savvy? A survey of smart mobile device users. Behaviour & Information Technology, 33(12), 1347–1360.
InfoSec. (2013). InfoSec: Protecting mobile devices. Retrieved from http://www.infosec.gov.hk/textonly/english/yourself/handheld.html
Kingsley-Hughes, A. (2013a). Does jailbreaking or rooting devices, and BYOD mix? ZDNet. Retrieved from http://www.zdnet.com/does-jailbreaking-or-rooting-devices-and-byod-mix-7000011069/
Kingsley-Hughes, A. (2013b). Should I jailbreak my iPhone? And other jailbreaking questions answered. Forbes. Retrieved from http://www.forbes.com/sites/adriankingsleyhughes/2012/05/28/should-i-jailbreak-my-iphone-and-other-jailbreaking-questions-answered/
La Polla, M., Martinelli, F., & Sgandurra, D. (2013). A survey on security for mobile devices. IEEE Communications Surveys & Tutorials, 15(1), 446–471.
Lessin, J. E., & Ante, S. E. (2013, March 4). Apps rocket toward $25 billion in sales. Wall Street Journal. Retrieved from http://online.wsj.com/news/articles/SB10001424127887323293704578334401534217878
Lookout. (2011). Lookout mobile threat report 2011. Retrieved from https://www.lookout.com/resources/reports/mobile-threat-report
Lookout. (2012). State of mobile security 2012. Retrieved from https://www.lookout.com/resources/reports/state-of-mobile-security-2012
Lookout. (2013). 2013 mobile threat predictions. Retrieved from https://blog.lookout.com/blog/2012/12/13/2013-mobile-threat-predictions/
Mansfield-Devine, S. (2012a). Android architecture: Attacking the weak points. Network Security, 2012(10), 5–12.
Mansfield-Devine, S. (2012b). Paranoid Android: Just how insecure is the most popular mobile platform? Network Security, 2012(9), 5–10.
Mansfield-Devine, S. (2013). Security review: The past year. Computer Fraud & Security, 2013(1), 5–11.
McAfee. (2012). 10 quick tips to mobile security. Retrieved from http://images.mcafee.com/en-us/advicecenter/pdf/MobileeGuide_Jan2012.pdf
Mylonas, A., Kastania, A., & Gritzalis, D. (2013). Delegate the smartphone user? Security awareness in smartphone platforms. Computers & Security, 34, 47–66.
SANS. (2012). SANS mobility/BYOD security survey. Retrieved from https://www.sans.org/reading_room/analysts_program/mobility-sec-survey.pdf
Shih, D., Lin, B., Chiang, H., & Shih, M. (2008). Security aspects of mobile phone virus: A critical survey. Industrial Management & Data Systems, 108, 478–494.
Shinder, D. (2010). Pros and cons of jailbreaking or rooting your smartphone. TechRepublic. Retrieved from http://www.techrepublic.com/blog/smartphones/pros-and-cons-of-jailbreaking-or-rooting-your-smartphone/1460
Slusky, L., & Partow-Navid, P. (2012). Students information security practices and awareness. Journal of Information Privacy & Security, 8(4), 3–26.
Statcounter. (2014). Top 8 mobile operating systems in the United States from Jan 2013 to Jan 2014. StatCounter Global Stats. Retrieved from http://gs.statcounter.com/#mobile_os-ww-monthly-201301-201401
Strohmeyer, R. (2011). Why I get apps from Amazon, not Google. PC World. Retrieved from http://www.pcworld.com/article/239270/why_i_get_apps_from_amazon_not_google.html
Tan, M., & Aguilar, K. S. (2012). An investigation of students' perception of Bluetooth security. Information Management & Computer Security, 20(5), 364–381.
Tenable Network Security. (2012). Mobile device vulnerability management flagged as top concern for security professionals in 2012. Retrieved from http://www.tenable.com/press-releases/mobile-device-vulnerability-management-flagged-as-top-concern-for-security