CHAPTER FIVE - FINDINGS

CHAPTER FIVE:
FINDINGS
1. Overview
2. Findings from the Interviews

CHAPTER FIVE:

FINDINGS

Overview

This chapter illustrates the findings from this study based on the literature review that led to the creation of the questionnaire, which supported the qualitative interviews conducted with the target population of 20 individuals between the ages of 55 to 75 with no technical information technology background. By using the adapted thematic analysis framework for this study, the four themes illustrated in the diagram below emerged. The underlying data that led to the creation of the themes are explored in detail in this chapter.

Figure 11. The Four Major Themes from the Interviews.

Findings from the Interviews

Qualifier to the Study: High Internet Adoption and Use of Digital Identity

The interviews with the 20 individuals between the ages of 55 to 75 led to the finding that there is a high degree of internet adoption among the interviewed population. Considering this study was conducted during unusual circumstances when people were forced to socially distance and stay home, more people who were not usually active online had to adapt to the use of the technology to facilitate their daily lives while forced to stay home. A notable amount of people who, in normal circumstances, would not have shopped online or participated in social events via video conferencing were forced to learn the technology considering the circumstances.

Normally, only 68% of individuals between the ages of 55 and 75 use the internet (Vogels, 2019). However, digital adoption was near historic levels during this study, as discovered in the interviews, based on the need to connect to the internet to stay connected with the rest of the world during the unusual circumstances that affected this study.

There was also a high level of awareness amongst the interview participants that their digital identity is composed of multiple components. Interview participants were aware that their digital identity is composed of their personal information as well as their behavior and relationships online.

Most people 55 to 75 are active online. Examining the data gathered from the 20 interviews, the investigator found that 35% of study participants were not as active and only spent between one to four hours a day online.

Compared to 65% of study participants who were active but got divided almost evenly between the two categories: 1. four to six hours, which comprised 30% of the interviewees, and 2. six to twelve hours, which comprised 35% of the interviewees. The latter category includes the power users that spend most of their day connected online. Time spent connected online includes the use of email, messaging apps, connecting with friends, social media usage, and surfing the web.

Quoting participants from the two ends of the spectrum, one of the less active interviewees stated: “Online, including, research, emails, stuff like that. I would say, three to four hours.” One of the more active study participants stated: “I just wondered if it’s like so out of 24 hours Yeah, my gosh, probably, like eight to ten hours, connected online.”

Online Accounts

Most of the people didn’t remember all the online accounts they used in the last 5 to 10 years. The majority of study participants did not readily know how many online accounts they had created in the last 5 to 10 years.

Sixty-five percent of the interviewees had more than 20 online accounts. Without having exact figures, the participant with the highest number of accounts stated that they easily have 100 accounts, if not many more, that they could not recall. Conversely, only 35% of the interviewees estimated that they have less than 20 online accounts, with the lowest number of online accounts identified by an interviewee being approximately five accounts. Study participants still had a hard time remembering all their online accounts, even with the help of the tools they use to help manage their accounts.

All interviewees stated they have at least one email account, if not multiple. One of the interviewees stated: “You know, I guess none of us can escape email. And I have three different email accounts.” Another interviewee mentioned that the unpredicted event forced her to adapt to the digital world and have more of a formal digital identity presence. She stated that “I’m truly not an IT person, you know, because of the Coronavirus because of this COVID- 19, I’ve been forced to get online because everything is being done by streaming and by YouTube and Facebook and Zoom.”

Social media. Regarding social media, 65% of study participants stated they used some sort of a social media platform, whether Facebook, Instagram or LinkedIn, for business use to promote their businesses or personal use to keep up with their families and loved ones. The individuals who did adopt social media had more of a risk acceptance attitude or did not think about it much. The 35% of participants who did not use social media were not comfortable using the platform due to privacy concerns and worrying that their data would be lost or stolen, as it was a common thing happening with these platforms.

One of the interviewees who did not want to adopt social media stated that “The only thing I have is WhatsApp to chat with the family that’s it. The rest, I don’t trust it because when I read the fine prints for them for Facebook or other stuff to say, we have the right to share information with other study participants, so I said No, thank you. None of the social media accounts.” Another person stated that not using social media is the concern of their digital identity being compromised. They said, “Some of that is mental. It’s a concern with identity theft, but not learned yet how to really negotiate this environment without being compromised.” One of the study participants who adopted social media stated that “I am comfortable with using it because that’s the way of life now.”

Online banking. Going through the interviewee’s answers about online banking, it seems that there is high adoption of 85% between study participants actively monitoring their credit cards online as well as paying their bills directly from their bank accounts. The 15% minority who was not actively using online banking systems provided to them by their banking institutions prefer to use manual transactions, like cash, where it is available, as well as mailingphysical checks to pay their bills. They remained committed to this acquired behavior even after the unpredicted event’s quarantine was fully implemented.

The investigator noticed that the unpredicted event was a big driver for participants to increase their adoption of the digital medium and become accustomed to making financial transactions online. One person stated, “I don’t know. I was reluctant at first to switch over to online accounts. But, um, so I’m sure I had fewer, and then now I’ve kind of embraced it completely. So, most of my accounts are online now.” This response indicated that this person embraced using the internet and the use of the digital world.

Online purchases. The majority of the study participants were forced to rely on purchasing items online due to the unexpected global event. Those purchases ranged from grocery store items through websites like Instacart to buying clothes and various household items via Amazon.com, Walmart.com, and others. An interviewee stated that “I signed up for Instacart when we all got locked down to get my food delivered,” which illustrates that the lockdown pushed study participants to use the internet for purchasing their essentials more and more.

Digital identity includes online personal data as well as online interactions. When asking study participants if they knew what constitutes their digital identity, most intervieweesacknowledged that their digital identity encompasses online personal data, online interactions associated to their behavior online, their affiliation to online groups, and how those groups interact with other groups as well. The interview participants recognized that their online personal identifiers, like name, address, phone number, birthday, were just a part of their digital footprint and digital identity. One interviewee stated, “Well, I probably would just say things like addresses, birthdate, email accounts.” Another person described digital identity as “Everything that I do maybe on the internet or all the information about owning, like credit card, my social insurance, I guess, my behavior or where do I go which sites.”

As individuals increase their adoption of the internet, and awareness about their digital identity matures, further exploration of their risk awareness and tolerance is needed to understand their behavior. This first section in the themes from the findings serves as a qualifier for the study. Theme 1 below touches upon what people know and how they perceive cybersecurity threats relating to their digital identity.

Theme 1: People Accept the Risk When It Affects Their Convenience

Accept the risk as it is part of life right now, especially when the convenience outweighs the risks. Interviewees expressed that they are hesitant or cautious when entering personal information online. Multiple study participants expressed their discomfort in providing various websites with their personal information. One study participant stated: “My comfort level deals with how well I trust, and I know the brand, okay in that company.” Another participant stated: “I was comfortable inputting my information in only because I specifically use American Express. They have a lot more reps and warrants that basically protect the consumer.”

Study participants expressed that one of their risk mitigation techniques against having their online data being compromised is to try to reduce their digital footprint when possible. One study participant stated: “I do my little bit of my homework as far as trying to be sure the site I’m on has some measure of safety or encrypted side or selective with who I will give that information to online.” Study participants consider that accepting the risk when it is convenient to then is acceptable as interacting online is considered part of their way of life. One study participant stated: “When I purchase stuff online, I have to put my information online, I have to do it. It’s not really a choice to provide my information online.”

Most study participants have been or know someone who has been affected by an online data breach. Reviewing the majority of study participants’ responses, 85% of the study participants, either experienced a data breach and loss of online personal data themselves, or they knew somebody affected by some sort of a breach. Whether it is a financial institution, a credit agency, or a large hotel chain, most of the responses received by the investigator indicated a level of awareness regarding breaches happening to prominent companies online. Only 15% of respondents believe they were never affected or did not know first-hand someone affected by an online breach. Their level of awareness of online breaches is rather high, considering what they read in newspapers and magazines and/or what they hear on the radio or see on TV.

One study participant stated: “I remember a work colleague lost her identity through her income tax. And so, she just shared that with me, but not in detail. Mostly, I was just left with the amount of frustration and work it was to try to straighten it out with the IRS.”

Study participants’ online behavior was not affected by experiencing or knowing about cybersecurity breaches. Though the majority of the study participants mentioned theywere exposed to some sort of an online breach, only 15% of the respondents mentioned that it affected the way they behave online. Eighty-five percent of the respondents stated that online behavior did not change even though they were exposed or heard of companies being breached online and losing millions of people’s personal information. One interview participant stated:“This was four years ago. I was not as aware of such things as I am now. And it was one of those from out of the country that actually when I clicked it, it just zapped my whole computer. And then it came up, click this, and we will link it will put you back in and then it said give us $2,000,you know, all of that. It was really was a mess. But yeah, that I really learned a lot from that one experience.”

Study participants’ concern about their online reputation. There seems to be a consensus among 55% of the interviewees around their concern for their online reputation. The risks relating to online presence and reputation being compromised mattered specifically to individuals who are socially active and frequently interact with groups of people or if their actions influence the behavior of people around them. They might be influential in their societies due to their economic status or their jobs; some notable examples are company owners, presidents, or teachers. Those types of individuals are very concerned about being affected by a digital identity compromise due to the negative consequences that might cause their job or social surrounding.

One interview participant stated: “If someone zeroes in on you as an individual and decides they’re going to go for it, it’s very hard to resist. I mean, you know well, I’m aware of the, of the dark web and the data that’s available on each and an individual. And I’ve, I’ve heard of demonstrations where people you know, type in your name, and then they say, this is what we know about you today. And you know, it’s like a big spreadsheet, isn’t it? There’s your name, and then you’ve got address, passport number, blah, blah, blah, across the top, and it’s just frightening. The data is out there. That’s the thing. And if someone decides you’re the one they’re going to get, it’s very hard to resist it.”

The other 45% of study participants did not have a concern, have not thought about it much, had no major concerns due to their limited online interactions, or simply accept the risk. One interview participant, when asked if he has any concerns, replied: “No, not at all.”

People seem to trust their financial institutions to protect them and their money. Online financial transactions seemed to have significantly increased during the quarantine. Out of the 20 people interviewed, 55% do not have any financial risk concerns. Out of that population, the majority who did not express that they had financial concerns, either do not actively bank online or the opposite is true; they frequently bank online but have significant faith in their financial institutions to take care of their money and safely keep it. One interview participant stated: “The bank just gives you your money back, they somehow absorb the losses.” Another interview participant stated: “American Express has a lot more reps and warrants that basically protect the consumer. You know, if there is any kind of fraud, you can file something, and they will take it off your bill. I mean, most credit cards have that policy.”

Conversely, 45% of participants who did have financial concerns got exposed to some sort of financial compromise. That compromise might have represented itself in several forms. Most notably, a couple of the interviewees were scammed in the form of an online phishing attempt or got their credit card stolen from one of their online accounts and used in a malicious way. One interview participant stated: “Credit cards or bank accounts, No, I don’t think I’ve actually opened them online. I’ve just had them opened in the brick and mortar.”

Cybersecurity risks are not a deterrence. Despite all the cybersecurity hacks, breaches, and various cybersecurity risks that affect the use of digital identity, 80% of the people interviewed stated that those risks are not keeping them away from using the internet to their liking. One interview participant said: “No, I have used the internet for everything that I want to use it for. They (the risks) are not keeping me from using it (the internet). They are making me more conscious of the things that I am doing. I am reasonably comfortable.”

Only 20% of the people interviewed expressed their concern about all the risks that come with their online interaction and its impact on their digital identity, which keeps them from fully using the internet to the level they want. One of the interviewees stated: “Some of my friends, they don’t write letters. If I knew how to use Facebook and other electronic media properly, I would keep in touch. So, I am out of touch with them because I don’t use Facebook, and the same applies to my classmates. I am afraid I don’t know how to use that without being victimized.”

Theme 1 covered the awareness of participants of the threats that impact them and people around them as well as ignoring the risks when they affect their convenience. Theme 2 addresses people’s concern that companies that manage online platforms are not being good custodians of their digital identity.

Theme 2: People Are Concerned That Companies Are Not Being Transparent with Regards to Being Good Custodians of Their Digital Identity

Companies are not providing details about data breaches. Most people interviewed in this study were not very happy with what companies provide them as far as user-friendly information regarding cybersecurity breaches. Specifically, 65% of the interviewees said that companies do not provide them with user-friendly, simplified communication about what happened and what they should do about cybersecurity breaches that affected their users. One study participant stated: “They are tracking data on how I shop, or how I go to a particular website to check something, I don’t get that kind of information, don’t get that kind of feedback on anything.”

A small group, about 20% of the interviewed population, said they were happy with the information provided by those companies that were breached. Out of that 20%, only 10% thought the information was helpful; the other 10% stated that the information was provided, but it was not very hopeful, so they didn’t know what to do with it or what actions to take as a consequence of those cybersecurity breaches. One study participant stated: “I think they can be transparent, but they haven’t been proactive.”

The remaining 15% of the people interviewed did not have much to say about companies’ disclosures, or they simply did not know what to look for, which creates a gap in the diffusion of adequate information by the companies to keep people better informed.

One interview participant stated: “If they did, I don’t know what to look for, to be honest.”

There is a high level of familiarity with the existence of online privacy rules, laws, and regulations. When asked about privacy laws and regulations, 85% of people interviewed said they heard of online privacy laws as well as rules and regulations that govern online interactions and the minimization of the invasion of people’s digital privacy. They were also aware that many companies had disclosure agreements associated with most of the creation of new online accounts as well as a regularly updated set of guidelines that define the way a company deals with people’s personal data stored on their systems. Notably, the level of awareness of the content of those disclosure agreements, as well as the rules of engagement defined by those privacy laws, is still mysterious for most of the people interviewed.

One interview participant stated: “Oh, yeah, I mean do I know exactly what they are? No. but I am aware that there are some laws or rules but not specifically, exactly what they are.” Another interview participant stated: “I know a little bit about it, I guess, to be honest. The fact that probably 99.9% of people never read much of it. It was written by lawyers and is so complex that even that becomes open to interpretation by another lawyer or judge.”

A small number of people, represented by 15% of the interviewed population, never heard of online privacy laws or any other rules and regulations that provide guidelines for best practices of online interactions and knowledge of people’s rights with regards to company’s storing of their data online. One interview participant stated: “I don’t know much, I have never read anything about them, I am just minding my own business.”

Companies are not transparent with people’s personal data withheld or shared online. Of the 20 people interviewed, 40% believe that companies are not being transparent or forthcoming with them regarding client’s personal data being tracked and stored on their systems. Or, they believe the information provided is not presented in a way that an average person can understand it. From the people interviewed, approximately 35% did not know what to look for or to ask companies about their data. Twenty-five percent of the interviewed population believe that companies are being transparent with them; some of them believe they just do not know what to look for in that information, but the companies are doing their part.

One study participant stated: “You get letters from banks that say this is what we do and retain from your information, and you get your annual statement. Does anybody really read that?”

Another study participant stated: “I don’t feel that they are open about it, the fact that you can ask Siri to search for something and all of a sudden somehow it knows. Yeah, I don’t think anybody is transparent of all of that big data stuff that is going behind the scenes, that everybody is sharing with everybody else.”

People want companies to be more transparent. Of the 20 people interviewed, 10% believe that companies need to be more transparent with regards to personal information data withheld on their systems. Thirty-five percent of participants want more user-friendly information and disclosures, so they feel more at ease while dealing online with companies. Ten percent of the interviewed population does not want more details from those companies, as it is not something relevant for them. Thirty-five percent of people interviewed say they do not have enough education about what to look for, which creates a gap in communication in the disclosure of the proper information relevant to people. The last 10% of people interviewed expressed that they are interested in transparent details from organizations doing business online; these people tend to be users of third party tools, similar to LifeLock, to manage their online information; these platforms or tools provide them with a level of details that the original company they deal with does not usually provide.

One of the participants, when asked if companies are being transparent with regards to personal data, answered: “Oh, no, absolutely not, and I know that I know if they did. I didn’t recognize it for what it was.” Another participant was content with the information companies send her; she stated that: “They frequently will send me this is what we do with the information we gather from you, get that and read it. This will be usually when I have ordered online, they will tell me, and this is what we do with the information that we gather from you.”

Theme 2 highlighted participants’ concerns that companies are not being forthcoming and good custodians of their digital identity. Theme 3 covers participants’ awareness of tools and training that help manage their digital identity risks to try to reduce the risks and damage that companies may be causing to their digital identity.

Theme 3: People Are Aware of the Availability of Tools and Training to Help Manage the Risks

Awareness to keep digital identity secure. When asked what actions to take to keep their online identity more secure, 20% of the interview participants did not know what actions to take or what to do. The rest of the interviewees had different thoughts of things to do to keep their digital identity more secure. Forty percent of the participants said they change or would like to change their password more frequently. Participants described other notable actions, like researching companies before doing business with them online or only dealing with reputable organizations. Trying to minimize their digital footprint was another notable idea. An important action to take is to be more cautious about clicking on links from untrusted or unsolicited emails, also known as phishing emails, that the hackers use as a way to steal people’s information off of their computers or various online accounts. Only providing information to companies a person solicits intentionally is also another way of making sure information does not get in unwanted hands. People also mentioned that they would like to regularly take training to see how hackers have evolved to try to steal their information and stay more aware. The last group of actions involves taking care of the technology used to access the internet, like the use of password managers and other various available tools, clearing cookies and browser history regularly, limiting the use of public Wi-Fi, and setting up monitoring alerts on most financial accounts used regularly.

One interview participant stated: “I wish somebody would tell me something more than what I am being told right now. But gosh, all I know is don’t click it. Don’t do it. And well, maybe that is all I need to know, I don’t know. I would like to have a little bit more explanation of what’s going on and how to avoid the problems.” Another interview participant stated: “I keep my financial data off the internet, not on the computer as much as possible. Anything that is a legal document, I try to handle outside of the electronic environment.” A third interview participant stated: “I don’t know what I should do.”

People’s awareness of tools and training. There was a significant amount of awareness amongst people interviewed regarding the availability of platforms to help keep the digital identity more secure. Seventy-five percent of people mentioned that they know of various software tools that help them use the internet more securely or are aware of some sort of training platform to help them stay abreast of those cybersecurity risks.

One of the interview participants stated: “Two-factor authentication, and then there is a text to my cell phone with a digital password to enter.” Another interview participant stated: “Once a year, we have to go through it [Cybersecurity awareness training], and if there are some issues during the year, that might be an update to the training.” Another participant stated: “I personally use a password manager, just to keep the passwords for the different accounts I have because some accounts I don’t use for a long period of time.”

Conversely, 25% of the population interviewed had no idea what relevant tools or training are available to help them manage their digital identity privacy and security.

People’s exposure to cybersecurity training. Most participants had some sort of cybersecurity awareness training, mainly due to their current or previous professions. Eighty percent of the interviewees said that they had cybersecurity training at some point as part of their jobs, compared to 20% that said that they were not exposed to any type of cybersecurity training. One study participant mentioned: “My workplace participates in a program called security mentor. So, you’re expected, and I think about once every month, you will get a training video that you have to take and complete.”

Cybersecurity training is helpful. Thirty-five percent of the people interviewed thought that training is helpful to keep them informed or would like to have the training to be betterinformed. They believe that training is the first step in building awareness. Ten percent of people mentioned that they would like to be exposed to training, whereas another 10% did not care about being trained.

Forty-five percent of participants expressed a desire for training to be more user-centric and relevant so that they can apply what they have learned. One interview participant stated:“That [Cybersecurity awareness training] has been very helpful reminding me of some things that I knew and then learning some safety measures.”

Low adoption of password management tools. From the interviewed population, 45% did not use any system, manual or electronic, to keep track of their accounts and passwords. Twenty-five percent used a paper system to keep track of their accounts and passwords, whether through sticky notes or on a special notebook. Thirty percent only adapted some sort of an electronic methodology for tracking, whether through a password manager or an encrypted password file.

One study participant stated: “I have an electronic system, an Excel sheet, and I have it password-protected.” When asked about password management tools, another study participant stated: “I do not know of any, and no one ever mentioned it to me.” One study participant stated:“Some of them I keep track of on paper, the rest I guess mentally without writing them down.”One study participant mentioned: “Apple keeps track of that. I have been using their software to keep track of things for a long time.”

Theme 3 highlighted participants’ awareness of management tools that help minimize their digital identity risks, which leads to Theme 4. The following theme addresses participants’ demand for more transparency and control over their digital identity from the companies they deal with online in order to ease their concerns about the potential risks these companies cause.

Theme 4: People Want More Transparency and Control Over Their Digital Identity to Help Them Ease Their Concerns of the Risks

People want more transparency and control over their online digital data. Regarding unmet needs to keep their digital identity more secure, the interviewees wanted training and awareness about the options available and what to look for to keep their digital identity more secure. Thirty percent of participants want more transparency from companies they deal with online as well as control over their online data. This transparency and control would allow them to give access permission to their online personal information selectively. One interview participant stated: “I think if there was something that would tell me what a hacker would know about me. What’s out there that people can use.” Another interview participant stated:“Transparency over my information out there, when it is readily available, will be helpful.”

Thirty percent of study participants would like more awareness and information about their options for protecting their online data as well as general information on best practices of how to be a good online citizen. This option can be in the form of training that highlights best practices and industry standards while maintaining user-centricity in the delivery of the information. One interview participant stated: “I would like to have more training to know what’s going on, why it’s going on, and what I need to do to respond.”

The remaining 40% of the people interviewed did not know what to look for or felt they do not have enough information to know what kind of unmet needs they should be seeking. This gap in knowledge connects to the problem of awareness that people have to know their options and how to think about the process. One interview participant stated: “I don’t know. Maybe I don’t know enough to know. I have done everything that I can think of; I read every article I can find. I listen to the experts to give me advice. I don’t know if that is enough.”

Solutions desired geared towards transparency and more control. Various ideas about desired solutions emerged from study participants; most responses focused on more transparency and control of their digital identity. Five percent of the interviewees would like a feature to use various websites in incognito mode. Another 5% of the interviewees wanted a way to mask their real credit card information while conducting transactions online. Thirty-five percent of the population expressed a desire for a tool to provide more transparency and control. Thirty percent of the interviewees wanted a tool for digital identity management that includes accounts and passwords management. Thirty-five percent of interviewees would like a tool that tells them what information is on the internet regarding their personal information; they also want the tool to notify them of any unauthorized use of their digital identity attributes somewhere online. Thirty percent of the interviewed population did not know what to look for and would like a higher level of awareness to make an informed decision.

Notably, a couple of individual requests requested that the tool provide a universal username and password to authenticate their digital identity, which should eliminate the level of complexity in accessing different online accounts. One study participant stated: “I definitely think it should have a password component because the whole idea of having a different password for every site is just too daunting.” One interview participant echoed a desire for that solution: “I wonder if having a universal username that we could use everywhere would be helpful.” Another participant mentioned: “It would be helpful if it would notify you if someone actually used your name or your address somewhere on the internet that you are not aware of.”

Theme 4 focused on interview participants’ demand for transparency and control over their digital identity and wish list of possible solutions to ease their concerns. The four themes derived from the interviews using the ATA led the investigator to identify findings that were intriguing to explore and interpret. The next chapter compares the findings from the literature review with the findings from the ATA applied to the interviews. Also, it highlights the investigator’s interpretations of this study.