1. CHAPTER SIX:
2. DISCUSSION
   1. Overview
   2. Analysis
      1. Qualifier to the Study: Increased Level of Internet Adoption Among People Caused the Wide Use of Digital Identity
      2. Qualifier to the Study: People Are Aware of the Composition of Their Digital Identity
      3. Theme 1: Relationship Between Digital Identity Risks and People’s Online Behavior.
      4. Theme 2: Online Platforms Are a Risk to People’s Digital Identity
      5. Theme 3: Tools to Manage Digital Identity Risks
      6. Theme 4: People Want More Transparency and Awareness to Keep Their Digital Identity Secure
   3. Conclusions
   4. Contribution to Academics and Practitioners
   5. Limitations and Future Research

CHAPTER SIX:

DISCUSSION

Overview

The purpose of the study was to answer the research question: “What are the risk perceptions of individuals, between the ages of 55 and 75, with no IT background, pertaining to their digital identity?” The study included the use of the adapted thematic analysis framework to pinpoint the understanding of the voice of the people. In this study, the interview participants consisted of a population of 20 non-IT career-oriented, 55 to 75-year-old individuals.

This chapter details the analysis of the findings from the interviews and how they compare to the findings from the literature review in order to identify gaps or commonalities between the findings of both chapters. This chapter also touches on the unpredicted event’s impact on participants’ behavior and the use of the digital medium. Additionally, it highlights the impact of this study from an industry and academic perspective.

Analysis

Qualifier to the Study: Increased Level of Internet Adoption Among People Caused the Wide Use of Digital Identity

As found in the literature review, the increase in internet usage created a need for digital identity to help enable, facilitate, and manage the use of the digital medium appropriately (Mueller et al., 2006). The themes discovered in the interviews indicate high adoption of the internet among the 55 to 75-year-old age group. Most interview participants expressed that they cannot escape using the internet. With that high level of adoption comes the implied use of digital identity to help manage and facilitate online interactions.

Table 5. Internet Adoption Comparison.

Interpretation. Despite the fact that the known average of only 68% of individuals between the ages of 55 and 75 use the internet (Vogels, 2019), this number significantly increased, as found in this research, due to circumstances when this study was conducted. The national quarantine forced people in this age group to use the internet to maintain social interactions, keep in contact with family and loved ones, and purchase their groceries and other items because most brick and mortar retailers were closed for in-person business.

Qualifier to the Study: People Are Aware of the Composition of Their Digital Identity

From the literature review, the definition of digital identity entails the association of personal identifiers and attributes as well as individuals’ online relationships and interactions (Alashoor et al., 2016; Camp, 2004). This definition was validated; during the interviews conducted for this study, participants indicated that they are aware that their digital identity is a combination of their identifiers and attributes as well as their different online interactions.

Table 6. Digital Identity Composition Awareness Comparison.

Interpretation. The level of awareness from individuals in the interviewed population regarding what constitutes their digital identity and how it is being used is very notable. The established awareness of the composition of their digital identity impacts the way people react to risks associated with it. Identification is the first step in properly mitigating against risks as defined in the NIST CSF (NIST, 2018a). The definition of digital identity enables individuals to have a baseline of what they have that can be compromised and cause harm. Identifying the risks creates an awareness of the weak points to consider when trying to mitigate risk. This awareness of the composition of people’s digital identity is a solid step towards answering one gap found in the literature review regarding the lack of a unified definition of digital identity. This gap in the literature can be clearly answered by defining digital identity as the collection of personal identifiers, personal attributes, and digital relationships and interactions.

Theme 1: Relationship Between Digital Identity Risks and People’s Online Behavior.

The common perspective among people that their digital identity is constantly being tracked by unwanted parties, as uncovered in the literature review (Auxier et al., 2019), was reinforced by the interviews conducted in this study. Interview participants stated they are hesitant and cautious when entering personal information online. Some interview participants mentioned they try to reduce their digital footprint, when possible, to lower the risk of their information being exposed online in the case of a breach. With Phishing attacks and digital identity compromises being on the rise (Sheng et al., 2010), the majority of interview participants stated they were affected by the loss of online personal data or at least know someone who was affected. This personal impact creates the need for increased security to keep people’s data more secure (Woodhouse, 2007).

The results of the interviews in this study indicated that the knowledge and experience about the risks of online interactions and loss of online personal data did not seem to impact or change the behavior of people online. To manage the problems caused by the risks associated with online behavior and establish more trust, a framework found in the literature identifies confidentiality, integrity, and availability as pillars to keep digital identity and online personal data safe to use, easily accessible, and more secure (Katzan, 2011).

The interview participants were concerned about their identity being compromised or stolen to be used in a harmful way that would affect their families and social groups. The risk of losing financial assets was much less concerning to people than their reputational risk. There seems to be a higher degree of faith in the financial institutions taking care of clients and trying to keep their financial assets tied to online accounts secure among the group interviewed for this study. Conversely, as found in the literature review, people tend to forget the online account they have opened as well as the passwords they have created for those accounts (Florencio & Herley, 2007). The fact that people lose track of their online accounts and passwords creates a higher risk from a reputational and financial perspective. Online accounts can be compromised, and the user would not know if that password they had was used with other accounts that might show a higher level of risk attached to them, similar to personal checking accounts or credit lines. These security breaches can also be used by individuals or entities with a harmful intent to create fake personas that mimic other people’s digital identity to cause harm to people in order for the bad actors to achieve their personal benefits and goals (Bélanger & Crossler, 2011).

Most interview participants stated that the risks of online interactions and the potential compromise of their digital identity do not hinder them from fully using the internet. The literature review uncovered that people would do risky things even when they know that it could cause them self-harm (Choi et al., 2020).

Interpretation. People are constantly cautious and wary that their digital identity is at risk of being tracked, misused, and compromised while they use the internet. Those risks manifest in multiple shapes or forms: phishing, social engineering, and other tactics and procedures that criminals use online to steal people’s digital identity. People are concerned about their digital wellbeing from a reputational and financial perspective as well as the safety of their families and social surrounding from the harm caused by online threats. Yet, people seem to disregard the risk, if it causes them an inconvenience or a roadblock to attain their want.

Table 7. Relationship Between Digital Identity Risks and People’s Online Behavior Comparison.

The impact of people disregarding the risks can be very costly, especially if there is no methodical way of evaluating the risk-benefit analysis through a best practice benchmark method that helps people make informed decisions when choosing to overlook the risk identified. With an informed risk-based decision, people can take quick action if any sort of harm was caused by their decision to overlook the risk. People’s online behavior and cognitive ability to identify risk have to be driven by an informative, easy to use framework similar to the best practices guidance that NIST created for organizations to make risk-based decisions regarding their cybersecurity posture, as manifested in the NIST Risk Management Framework (RMF) (NIST, 2018b). The development of a methodology to serve as a benchmark for personal digital identity risk management will help answer the gap found in the literature pertaining to the lack of user centric benchmarks to help manage digital identity risks and establish the proper behavior to manage those risks. This study validated the need for such a framework, which is a needed topic for future research.

Theme 2: Online Platforms Are a Risk to People’s Digital Identity

The literature review uncovered that multiple governments around the world, including the United States and the European Union, passed laws and regulations to protect online personal data and digital identity (Sullivan, 2015). Notably, the GDPR in the EU (Sobolewski et al., 2017) and HIPAA in the United States (HHS, 2015) are laws that resonate with individuals interviewed in this study. Interview participants expressed their familiarity with online privacy rules and regulations. The majority of interviewees stated that they have heard of them but do not know much about their details or what these laws and regulations empower individuals to do. NIST established several frameworks, like the NIST privacy framework (Legal Monitor Worldwide, 2020), to help with awareness and best practices about digital identity and online interaction management. The gap seems to exist in the user-centricity of these frameworks and the appropriate propagation of the awareness of their existence for the average individual to use adequately.

The literature review highlighted that online social platforms are a major contributor to digital identity compromises (Granville, 2018). A significant group of the interview participants in this study stated that online platforms are not being transparent with regards to what information they record and store about their users. The literature review identified that people feel that they are constantly being tracked online (Auxier et al., 2019); this assertion reinforces the finding from the interviews about online companies not being transparent with their users about data they track about them.

The literature review stated that some people’s online data might get sold on the dark web (Kahn et al., 2016). Thus, the interview participants expressed that online companies do not provide user-friendly, informative information if their systems were breached and what users need to know to take appropriate action on the information provided. The interview participants stressed the need for companies to provide user-centric information when communicating with their clients, specifically when there is a breach that caused harm to their systems and the data of their users. To reduce the risk and hold online companies and platforms accountable; governments like the United States and the European Union are taking action against those companies to limit the privacy risks to people’s digital identity (Emont et al., 2018).

Table 8. Online Platforms are a Risk to People’s Digital Identity Comparison.

Interpretation. Online platforms have been known to be a risk to people’s personal data and digital identity. Governments and organizations started establishing laws and rules to help manage the risks of these online platforms. Though many controls have been created as guidance and best practice to help manage that risk, people are still unsure of what to do to help mitigate potential threats. Once a level of awareness and maturity has been reached amongst individuals on how to interact with online platforms, the potential risks caused by these platforms will be attenuated and become more manageable in the case of a compromise or digital identity misuse.

The efforts of reducing the risks to digital identity compromises should also be integrated into the business controls that the online platforms operate with in order to reduce the gap and help people protect their digital identity. The companies operating the online platforms should be more user-centric in their communication and disclosures to their clients, which will help ease people’s concerns and establish more trust in the organizations operating the platforms. This effort will help in increasing people’s risk awareness and ease their concerns regarding their digital identity compromises. The roles of government entities should also not be discounted in setting proper regulations and controls to prevent the harm caused by online platforms; this recommendation addresses a gap found in the literature of laws and regulations being outdated in the United States and needing to be communicated in a user-friendly way to people so that their level of awareness of their rights and government protection is increased. This issue is an important segue into future research on what laws need to be in place and how they need to be presented to support the proper use of digital identity.

Theme 3: Tools to Manage Digital Identity Risks

Most interview participants were aware of the tools and training available to help manage their digital identity and teach them the best practices to keep their online interactions more secure. The gap uncovered in the interviews from the awareness of the availability of tools and training is that the content and utility of those tools are not that well communicated. Interview participants were aware of the tools, but which ones are the best to suit their needs and how to properly use them are missing. The literature review uncovered that multiple hardware and software solutions are constantly being added to the market to try to meet the need of the consumers and help manage and secure people’s digital identity, yet these tools lack usercentricity and streamlined delivery (Choi et al., 2020).

The literature review uncovered that people need proper cybersecurity training to know how to safe keep their data and mitigate some of their online interaction risks (Nurse et al., 2011). Interview participants mentioned that many of them had cybersecurity awareness training, but as cybersecurity threats that cause a major risk to digital identity evolve, the exposure to the training needs to be constant as the risks continuously evolve. The need for the training to be user-centric is also a noticeable request. The interview participants noted several different ways to keep their digital identity secure online. Rarely did consistency exist in the knowledge of what to do to keep their digital identity safe and how. The most consistently stated action was to regularly change their password, which is supported by the literature that people have the tendency to forget their passwords (Florencio & Herley, 2006).

The literature review found that people need a system to keep track of and manage their digital identity and online data (Cooper, 2017). The interviews uncovered that only a small group of participants use a digital tool to manage their online accounts and passwords. The majority of interview participants did not use a digital tool. They still use a pen and paper system.

Table 9. Tools to Manage People’s Digital Identity Comparison.

Interpretation. Many tools and trainings are available on the market that help with digital identity management. The available market tools vary in their value proposition to their users. Tools range from specifically dealing with password management to only focusing on training and user awareness to managing multiple aspects of digital identity. The newer tools offer added functionality, like continuously scanning the internet for user-specific abnormal behavior, which can be beneficial if the information is provided to the end-user appropriately. The problem with the user-centricity of these tools remains a roadblock to their mainstream adoption. Price point and learning curve can also be relevant barriers of wide accessibility to the tools.

With the increase in popularity and advancement of machine learning and artificial intelligence, digital identity management tools might be transformed to be much more user friendly. Removing the human factor of doing the backend analysis and informing the user in real-time to threats affecting their digital identity can significantly reduce risk by increasing the response time to potential threats. Automation in threat responses can help in mitigation and remediation by reducing the impact of compromises on the end-user. This reduction will help people in dealing with the repercussions of a clean up due to a digital identity breach aftermath. The study of the effect of new technologies impacting digital identity management tools can be the right step to reduce the gap created by these tools and training as well as the lack of usercentricity, which is identified as a gap in the literature review.

Theme 4: People Want More Transparency and Awareness to Keep Their Digital Identity Secure

The literature review uncovered that existing tools to manage digital identity and cybersecurity-related training are lacking (Nurse et al., 2011). The interview participants in this study identified several different opinions to keep their digital identity more secure.

Transparency was at the forefront of people’s wish lists. Transparency builds more trust in information systems (Alsaedi et al., 2019). The interview participants also emphasized wanting to know what information is available about them online, and they want to be notified every time someone tries to access their digital identity information. These requests are reinforced by the findings in the literature review that a system to ensure an end to end trust in the digital world is needed (Charney, 2009). To try to satisfy some of the needs discovered, multiple hardware and software solutions similar to LifeLock emerged to help manage and secure digital identity and build trust in the online medium (Cooper, 2017).

Notably, interview participants expressed that they do not know what to look for to keep their digital identity more secure. This gap is where training and awareness about industry best practices need to be provided on a broader, more open scale to anyone wanting the information. Similar to the efforts that the NIST cybersecurity framework tailored for organizations (NIST, 2018a), there needs to be a version of the cybersecurity framework geared towards individuals and best practices with regards to their digital identity and online interactions.

Table 10. People Want More Transparency and Awareness to Keep Their Digital Identity Secure Comparison.

Interpretation. The lack in cybersecurity training and awareness created unmet needs with digital identity users. This lack of awareness sprouted the need for more training, transparency in information systems, and the ability to control digital identity aspects. The increase in awareness with regards to digital identity management leads to a reduction in risks as a result of people being more aware and vigilant. The increase in transparency with online information systems leads to a more robust end-user to end-user confidence as well as trust in authenticity and validity of transactions performed online using people’s digital identity. The end to end trust with information systems using digital identity can be manifested by leveraging distributed ledger technology systems similar to blockchain, that exist for the purpose of promoting end-to- end trust in online transactions as well as transparency and openness in transaction history.

Artificial intelligence can also play a role in reducing the need for training by helping in the automation of some of the actions people have to take to manage the risks pertaining to their digital identity, as well as help in building a robust solution to manage digital identity.

Conclusions

Cybersecurity threats and their impact on people’s digital identity has been a significant topic discussed in the news as well as in social settings. The impact of these threats has affected a great number of people in all age groups. This study focuses on the 55 to 75-year-old age group, as this category of people is close to retirement or already retired; therefore, a notable compromise impacting their digital identity can cause their financial well-being to be tremendously affected as well as cause a major impact on their life and well-being.

The principal investigator of this study has always perceived that risk awareness of individuals is a step in building a more educated population that is resilient to cyber threats. His experience in the cybersecurity industry and dealing with cyber threat mitigation techniques at the organizational level had him concerned about people. In cybersecurity, individuals are considered a weak link in the cybersecurity mitigation ecosystem. Therefore, building awareness among individuals and making the tools and techniques used to help them mitigate the risks in a user-centric way are essential risk mitigation techniques. To help guide the research; the following research question was formulated, “What are the risk perceptions of individuals, between the ages of 55 and 75 with no IT background, pertaining to their digital identity?”

The literature review conducted resulted in seven themes summarized as follows: 1) Increased internet usage, 2) Digital identity definition, 3) Perspectives on digital identity privacy, 4) Privacy risks, 5) Laws and regulations emerged to support online privacy and digital identity, 6) Individuals’ behaviors and habits, 7) Tools and training for digital identity management. The study’s interview questionnaire was derived from these themes to help serve as a guide to conduct the interviews. Twenty interviews were conducted with individuals between the ages of 55 and 75 with non-technical IT backgrounds. The interviews were transcribed and coded following the ATA, which resulted in four themes that answer the research question and a qualifier theme.

The themes from the interviews are summarized as follows, first is the qualifier theme hat talks about high internet adoption and the use of digital identity. The other themes answering the research question are: 1) People accept the risk when it affects their convenience, 2) People are concerned that companies are not being transparent with regards to being good custodians of their digital identity, 3) People are aware of the availability of tools and trainings to help manage the risks, 4) People want more transparency and control over their digital identity to help them ease their concerns of the risks. The themes from the interviews served as a validator to the themes from the literature review.

The interpretations of the findings from the literature review and the interviews give a perspective on the gaps found and are summarized as follows: 1) The unexpected event quarantine forced an all-time high usage of the internet in the 55 to 75 age group, which required people to understand their digital identity and its composition in order to understand the risks associated with it, 2) The fact that people disregard the risks to their digital identity when it affects their convenience demands that there needs to be a methodology to benchmark and assess personal risk, 3) Online platforms have been the cause of many digital identity breaches, which causes governments to intervene to help protect individuals; thus, many laws seem to be outdated or not written in a matter to be understood by a non-specialist and require government intervention to help fix that problem, 4) Most of the tools and trainings on the market that manage digital identity are not user-centric; the rise of machine learning and artificial intelligence can help make these tools more wholesome and robust as well as help reduce the end user impact on their efficacy, 5) The demand for more transparency and awareness from people can be solved by leveraging distributed ledger technologies like blockchain or the use or artificial intelligence by helping people stablish end to end visibility in their interactions using their digital identity.

The implications of this study state that with the increased adoption of digital identity and its usage, individuals need to be aware of the different risks associated with using the online medium and efficient ways to manage these interactions to help facilitate online interactions.

As with any type of new system to be used, there needs to be enough information to help properly utilize the system. Thus, the system needs to be efficient, informative as well as a usercentric personal risk management framework to follow to use and manage digital identity effectively and with low risk. The proper rules and regulations need to be in place to help set the standards and best practices on how to use digital identity and manage it efficiently.

Governments as well as the private sector, need to place more emphasis on end-user controls and protection and communicate it properly to people. Once the laws and regulations are established, user-friendly tools are needed to enable the proper management of digital identity; tools are a great enabler once built successfully around users’ needs while considering their adaptability to help support the rules and the regulations put in place by governments and private industry.

Some new technologies on the market, like blockchain and artificial intelligence, may be an enabler as well as an enhancer of tools that help support end-users in managing their digital identity by simplifying the user’s dependency and automating the processes that help people stay protected.

With the right rules and regulations as well as the proper tools in place, training and awareness become essential in making sure the rules are communicated efficiently and in a userfriendly matter to individuals. They are also important to understanding the different options in tools on the market to help enable compliance with these rules and regulations to enhance the management of digital identity. The distinction between the different tools on the market and their utility to satisfy the specific use cases they were built to support needs to be communicated to the masses to help people choose the tailored solutions they need to keep their digital identity secure.

End users truly need transparency, control, and user-friendliness as characteristics of information systems. Since digital identity is part of information systems, those characteristics are essential and have to be baked in the process of developing mechanisms to help promote, manage, and safe keep people’s digital identity and all of its related information and interactions online.

Contribution to Academics and Practitioners

The themes of the findings in this study as well as the study details generated from the interviews and compared to the literature review, are empirical findings that are useful to individuals and organizations trying to solve the problem of managing digital identity and keeping it secure.

From the perspective of individuals, most study participants expressed their eagerness to learn the study results once the study was complete. The investigator received several requests from interview participants regarding the status of the research and whether the results were generated and ready to be shared. The results of this study will help people understand where they stand with regards to other people in the population studied, individuals between the ages of 55 and 75 with a non-career IT technical background. This information is important for people to see the diversity of perspectives that similar individuals in their studied population have; this information also shows the variety of perspectives generated from different life events and experiences as well as the different level of awareness that individuals have regarding risks pertaining to their digital identity and online interactions.

From an academic perspective, this study sets the foundation for trying to understand people’s perspectives with regards to digital identity risks, which was lacking in the literature review conducted with regards to academic articles and existing research.

Limitations and Future Research

Multiple limitations are associated with this study. The first limitation and a notable one is the fact that this study was conducted during an unpredictable event. When the investigator was preparing to solicit interview participants for the study, the COVID-19 pandemic started and forced people to be quarantined in their homes. This event was a global pandemic that affected the way people interact. As a result, conducting interviews in person, which was the original intent of the investigator, was no longer possible. To generalize this phenomena; it can be considered that any major event, similar to this one, will cause a shift in people’s behavior and make them adapt to certain circumstances, that might force them to be more avid users of the internet.

To accommodate the situation, the investigator transitioned to using video conferencing via Zoom as the medium to conduct the interviews. Even though video conferencing was the best option to keep the study going, this approach made the interviews less personable, where the investigator was not able to read the interviewees’ perspectives similar to what could have been done when interviews are conducted in person. This approach also might have omitted some people who are not users of the internet and would have been part of this study in different circumstances.

The second limitation is the sample population studied; interview participants were from various backgrounds and, in some cases, lived in different countries. Interview participants were recruited from the United States, Canada, and the United Kingdom. People with diverse backgrounds living in different countries and environments do not have consistent perspectives on the risks pertaining to their digital identity, considering the milieus that they live in as well as the rules, laws, and regulations promoted and enforced in three countries with three different types of governance systems and corporate environments.

The third limitation, and an excellent avenue for future research, is the number of participants. In the future, the findings of the themes of this study can be used to build a survey for a significantly larger audience to test the validity of the results in more of a census type of perspective and research. Those types of studies usually involve hundreds of people as part of the targeted population for research and can help validate or prove wrong some of the themes and the findings from this study.

The fourth limitation, and also an excellent venue for future research, is the population interviewed. This population can be expanded beyond non IT career-oriented people between the ages of 55 and 75 to include IT career-oriented individuals in the same age group and compare the difference in the answers between both groups.

The fifth limitation and an intriguing avenue for future research is to generation. This study can be expanded to inter age focused groups. It would be fascinating to see the perspectives of risks pertaining to digital identity in a comparison between the different age groups: Centennials, Millennials, Gen Xers, and Baby Boomers.

Multiple other interesting areas of future research also include studying each of the risks found in the interviews in more depth in details, studying the tools available on the market that help in managing digital identity, and trying to determine their effectiveness as well as generating specific suggestions on how to improve them. Another interesting area for future study is the cognitive ability and mental aspect of technology users and its impact on digital identity, which touches on cognitive ability, information delivery, and processing aligned with the behavioral information system analysis.

Table of Contents

• CHAPTER ONE - INTRODUCTION
• CHAPTER TWO - ABOUT IDENTITY
• CHAPTER THREE - LITERATURE REVIEW
• CHAPTER FOUR - METHODOLOGY
• CHAPTER FIVE - FINDINGS
• CHAPTER SIX - DISCUSSION
• REFERENCES
• APPENDIX A - INTERVIEW SOLICITATION FLYER
• APPENDIX B - IRB VERBAL CONSENT FORM
• APPENDIX C - INTERVIEW QUESTIONNAIRE
• APPENDIX D - IRB APPROVAL EXEMPT FORM
• APPENDIX E - ITRC 2019 DATA BREACH REPORT STATISTICS