The boundaries of trust: Privacy and protection in cyberspace
Introduction
Cyberthreats, and the products created to combat them, have been around for about 30 years, and in that time a great deal has changed. Across the world, 4.1 billion people are now active users of the internet, well over half the global population – and connected technologies power the world’s economies and critical infrastructures. Protecting this digital world is no longer just about securing IT hardware and software; it is about safeguarding national security and everyday life.
As a result, cybersecurity has moved from the purely technical into the geopolitical and social domains, playing an important role in each. This is raising new questions:
- Should security solutions be subject to deeper checks and controls than other kinds of software products and services?
- If so, should they be classified as critical national security assets, with individual governments taking responsibility?
- Or should it be left to market dynamics and the assumption that the best products and services will prevail? Or to businesses and consumers, allowing them to choose and use the products that are right for them?
To help inform the debate, Kaspersky Lab commissioned research into how consumers and businesses in a number of countries perceive key security issues. The research is not intended to be globally representative, but to provide a snapshot of how people see cybersecurity and its context today. Some of the findings were expected, but others surprised, reassured or worried us, and we particularly wanted to share those with the rest of the security community.
This report summarizes the main findings of the research.
Methodology and key findings
The research was undertaken in the US, Germany, France, Italy, Spain and the UK. Respondents were recruited by Research Now and the data was analyzed by Applied Marketing Research Inc., on behalf of Kaspersky Lab. The fieldwork was conducted online in May/June 2018. There were two main sample groups: consumer and business. The consumer group comprised 6,000 respondents (1,000 in each market), all of whom were adults who use computing technology (smartphones, laptops, tablets etc.) with security software installed. The business sample comprised 600 companies (100 in each market) with between 51 and 500 employees, with all respondents holding IT security or related roles.
Key findings
- Companies from Germany are the most trusted overall (92% of businesses and 88% of consumers), followed closely by those from the UK and France, out of a list comprising France, Germany, Italy, Spain, the UK, US, Israel, China and Russia. China and Russia are trusted by half or less.
- 55% of businesses and 66% of consumers say their government should do business with the company that offers the highest quality products or services, even if it is a foreign company – rising to 82%/78% respectively when it concerns areas crucial to national security.
- 87% of businesses and 82% of consumers trust their security provider to behave ethically in the collection and use of their data; yet 65%–78% of businesses and 54%–80% of consumers are worried about the provider accessing their private data, opinions, location or online behavior and sharing this information with foreign entities.
- 45% of businesses and 47% of consumers worry most about protecting their online data from cybercriminals, followed by wanting to protect it from their own national government (businesses 36%, consumers 33%), and foreign governments and companies (businesses 30%, consumers 26%).
- 46% of businesses and 51% of consumers believe a cybersecurity provider should not automatically have to share a user’s private data with the government in matters of national security, but that it should depend on the circumstances.
- Just 38% of businesses and 42% of consumers believe the government should be primarily responsible for their cyber-protection. The most popular answer for consumers was that it was their own responsibility (57%), while businesses chose their IT team (57%).
- For businesses, the most important considerations when choosing a cybersecurity provider are that they operate with honesty, integrity and independently of any government (all 93%), followed by product and service quality and expertise (all 92%). For consumers, the most important factors were the quality and reliability of products (all 92%). Being headquartered in a trusted country mattered to 86% of businesses and 80% of consumers.
National trust maps
Respondents were asked how trustworthy they considered companies from a list of countries. The findings (Fig. 1) show that, overall, everyone has greatest faith in companies from Germany (92% of businesses and 88% of consumers) followed closely by the UK and France, while companies from China and Russia and, in some cases, Israel are less trusted.
In general, consumers and businesses have greater faith in companies from their own country. Among the businesses surveyed, French, German, UK and US respondents all trust their own national companies most. Italians trust UK companies more than Italian companies (by a margin of 1%), and Spaniards trust German companies more than they do Spanish companies (by a margin of 5%). For consumers, the picture is the same, except that Italians trust UK companies more than they do their own (by a margin of 8%) and Spaniards trust German companies more than they do their own (by a margin of 6%).
These findings are not surprising; it is natural for people to trust companies from their own country before those from elsewhere. Trust in companies from other countries was more variable, and there are a number of possible reasons for this, including established national stereotypes, personal experience, media reporting, or awareness of geopolitical and economic tensions involving countries such as Russia and China.
However, the study found that this sense of national trust and mistrust does not automatically apply when it comes to product quality. Here the results suggest that the quality of a product or service is almost always more important than where it comes from.
Q: How trustworthy do you find companies from each of the following countries?
When asked whether their national government should choose the highest quality product or service even if it was not developed by a domestic company, the majority of all respondents agree, including 55% of businesses and 66% of consumers (Fig. 2 and Fig. 3).
Q: Companies my government should do business with – business
Q: Companies my government should do business with – consumers
When it comes to the products and services used in areas that are critical to national security, such as defense, intelligence services and energy, opinions are even stronger (Fig. 4 and Fig. 5). More than four in five business respondents (82%) and almost as many consumers (78%) say their government should use the highest quality available regardless of where it was made.
Q: Who my national government should do business with when it comes to areas that are crucial to our national security – business
Q: Who my national government should do business with when it comes to areas that are crucial to our national security – consumers
The privacy paradox
When respondents were asked specifically about trust in cybersecurity products and providers, an interesting contradiction emerges: the vast majority of consumers (82%) and businesses (87%) trust the integrity of their security provider when it comes to the collection and use of their data (Fig. 6), yet many are extremely worried about the provider accessing their private data, opinions, location or online behavior and sharing this information with foreign entities.
Q: When it comes to the collection and use of my personal information, I trust the antivirus and cybersecurity provider I use to behave in an ethical manner
Respondents were asked how concerned they were about their cybersecurity provider potentially accessing details of their online behaviour and information, including the following:
- Using your personal data for their own purposes
- Sharing your personal data with foreign governments or corporations
- Tracking your online behaviour
- Tracking your location and travel behavior
- Reading your emails and documents
- Gathering your religious and political views
The results show that all potential issues rank surprisingly high (Fig. 7), with concerns about what their provider might be using their data for and who they might be sharing it with topping the list. This suggests that the industry has an important job to do in educating and reassuring users about exactly what kind of information is – and, more importantly, isn’t – collected, and how it is used.
Concerns about what a cybersecurity provider might be doing – all countries
Shadow boxing
Another unexpected picture appears when respondents were asked who they felt they most needed to protect their data from online (Fig. 8 and Fig. 9). The data suggests that when it comes to their online privacy, many people struggle to trust anyone at all.
The top concern is the least surprising: consumers (47%) and businesses (45%) worry most about protecting their online data from cybercriminals.
This is followed for both groups by wanting to protect it from their own national government (consumers 33%, businesses 36%), with keeping it out of the hands of foreign governments and companies coming next (consumers 26%, businesses 30%). Business respondents also worry about protecting their information from their employer (29%), while consumers worry as much about their family snooping as they do about protecting data from foreign companies/governments (all three of these tying at 26%). Advertisers and even friends are not above suspicion either.
Q: Worries about who might access data – business
Q: Worries about who might access data – consumers
These are not the only findings to suggest the landscape of user trust is more complex and unpredictable than might be expected. Consumers and businesses are also divided about whether cybersecurity companies should agree to share private customer data with their own government in matters of national security (Fig. 10 and Fig. 11).
While the majority of respondents approve, for around half of those surveyed this approval is conditional (46% of businesses, 51% of consumers) and would depend on the circumstances. For 34% of business respondents and 26% of consumers such action would always be acceptable; while for 20% and 23% respectively it would never be acceptable.
Q: In a matter of national security, should my cybersecurity provider share details of a user’s online behavior with the government, if asked – business
Q: In a matter of national security, should my cybersecurity provider share details of a user’s online behavior with the government, if asked – consumers
Taken together, these results shine a new light on the very personal perceptions of risk in cybersecurity. The research then explored how such perceptions influence cybersecurity choices and who businesses and consumers hold accountable for their online protection.
Taking charge of cybersecurity
When respondents were asked who they feel is mainly responsible for keeping personal data safe online, most believe it is down to them or their organization (Fig. 12). The majority of consumers say the responsibility rests with them as individuals (57%), while the majority of businesses say it rests with their IT security department (57%). Some 45% of consumers and 43% of businesses say it lies with their chosen cybersecurity provider. To a lesser extent they expect telecoms and internet service providers, online retailers etc. to play their part. Only 38% of businesses and 42% of consumers consider their government to be responsible for their protection.
Who bears the most responsibility for protecting personal information online?
When it comes to the cybersecurity providers that people and organizations are prepared to trust with their information, the study suggests that the standards for selection are very high.
The things that matter when choosing a cybersecurity provider
When respondents were asked to rate a list of factors according to their importance in selecting an antivirus or cybersecurity provider, they effectively put them all at the top (Fig. 13 and Fig. 14). For business respondents, all but one option came out at more than 90%, the exception being ‘is headquartered in a country I respect and trust’, which is only marginally less important at 86%. Operating with honesty, integrity and independently of any government tops the rankings, followed by product and service quality and expertise. For consumers, it’s the factors relating to product quality and reliability that come top, while the more strategic issues of collaboration, transparency and independence rank slightly further down the list.
What businesses look for in their cybersecurity provider
It is likely that in practice some of these factors will offset each other: for example, if a provider is proven to meet the criteria of integrity, independence and quality, will other drivers, such as location, be less of an issue? This is an important question because the cybersecurity landscape is a crowded and competitive one – and it is interesting to see how the long list of ‘ideals’ translates into actual brand trust and perception of industry leadership.
The global cybersecurity landscape
Both businesses and consumers were presented with a list of 17 cybersecurity providers, originating in different countries and including global, more local (to survey respondents), established and emerging brands. Respondents were then asked a series of questions about them such as brand awareness, leadership, trust, and more. It should be noted that respondents were only asked to comment on brands that were already known to them.
The two main findings to emerge from this approach are:
- Industry leadership is not country dependent. The cybersecurity providers classed as leaders by at least a quarter of respondents are, between them, headquartered in seven different countries. Four are headquartered in countries that are not among the nations surveyed. (The leaders include vendors with HQs in the US, the UK and Spain, as well as in Russia, Romania, Czech Republic and Japan.)
- Trust is distributed fairly equally among all the top providers in the list, with the more established brands generally ranking near the top, regardless of their nationality.
Q: Which of the following brands do you consider a leader in antivirus and cybersecurity solutions?
The top five brands for businesses in terms of perceived leadership are:
Provider | Total (%) | France (%) | Germany (%) | Italy (%) | Spain (%) | UK (%) | US (%) |
---|---|---|---|---|---|---|---|
Company A (US headquartered) | 77 | 79 | 71 | 76 | 74 | 78 | 81 |
Company B (US headquartered) | 71 | 76 | 59 | 71 | 67 | 67 | 85 |
Kaspersky Lab | 70 | 71 | 73 | 74 | 66 | 68 | 66 |
Company D (EU headquartered) | 68 | 77 | 47 | 78 | 69 | 66 | 70 |
Company C (US headquartered) | 66 | 67 | 58 | 70 | 60 | 72 | 70 |
The top five brands for consumers in terms of perceived leadership are:
Provider | Total (%) | France (%) | Germany (%) | Italy (%) | Spain (%) | UK (%) | US (%) |
---|---|---|---|---|---|---|---|
Company A (US headquartered) | 78 | 70 | 77 | 77 | 82 | 79 | 83 |
Company B (US headquartered) | 67 | 67 | 60 | 71 | 69 | 67 | 69 |
Company D (EU headquartered) | 66 | 81 | 50 | 83 | 80 | 55 | 50 |
Kaspersky Lab | 57 | 54 | 72 | 60 | 58 | 57 | 43 |
Company E (EU headquartered) | 56 | 44 | 43 | 75 | 63 | 62 | 51 |
Fig. 15: The share of businesses and consumers surveyed who say that each of these brands is a leader in cybersecurity – data analysis: Applied Marketing Research Inc. for Kaspersky Lab
Q: Which of the following cybersecurity brands do you trust?
The top five brands for businesses in terms of trust are:
Provider | Total (%) | France (%) | Germany (%) | Italy (%) | Spain (%) | UK (%) | US (%) |
---|---|---|---|---|---|---|---|
Kaspersky Lab | 58 | 50 | 59 | 54 | 53 | 60 | 70 |
Company A (US headquartered) | 57 | 38 | 53 | 52 | 58 | 64 | 77 |
Company D (EU headquartered) | 57 | 47 | 47 | 54 | 50 | 65 | 77 |
Company C (US headquartered) | 55 | 45 | 48 | 54 | 46 | 61 | 71 |
Company E (EU headquartered) | 53 | 36 | 48 | 49 | 42 | 64 | 77 |
The top five brands for consumers in terms of trust are:
Provider | Total (%) | France (%) | Germany (%) | Italy (%) | Spain (%) | UK (%) | US (%) |
---|---|---|---|---|---|---|---|
Company D (EU headquartered) | 53 | 49 | 44 | 59 | 56 | 51 | 58 |
Company A (US headquartered) | 51 | 42 | 44 | 48 | 51 | 56 | 64 |
Kaspersky Lab | 49 | 45 | 51 | 53 | 48 | 47 | 52 |
Company E (EU headquartered) | 48 | 37 | 42 | 54 | 46 | 51 | 58 |
Company B (US headquartered) | 47 | 40 | 41 | 46 | 43 | 51 | 59 |
Fig. 16: The share of businesses and consumers surveyed who say that they trust each of these brands – data analysis: Applied Marketing Research Inc. for Kaspersky Lab
Conclusion
There are three main takeaways from this research:
- First, despite the general tendency of people to trust companies from their own country more than foreign ones, when it comes to cybersecurity the country of origin matters less. It’s more about the quality of the products and services.
- Second, the trust landscape is complex and we urgently need to address misperceptions and unfounded concerns in a clear and helpful way. As an industry, we should be transparent about exactly what kind of data we need, why we need it, and what we use it for – and what kind of information is never collected and shared. It is important to highlight the strong data protection standards we abide by, such as those implemented through the GDPR.
- Third, the findings suggest that barriers and restrictions are unnecessary in cybersecurity: people and businesses want to make their own choices. Our focus should be on working together across borders to support consumers and organizations in making the best security decisions for themselves, thereby building a strong cybersecurity landscape for all.
The journey towards greater clarity and collaboration has already begun. The new Cybersecurity Tech Accord and the Cybersecurity Geneva Convention are two examples, and we have launched our Global Transparency Initiative to provide independent validation of the integrity of our products and processes. Much remains to be done, but it will be done faster and more easily if we do it together.
To get an external view on the results of the survey, Kaspersky Lab shared the research with the Georgia Institute of Technology School of Public Policy. The institute provided the following feedback:
“Conflicts and rivalries between national governments are undermining a wide array of information services, preventing societies from realizing the full benefits of the Internet. This survey addresses the nexus between nationalism, national security and trust in Internet service providers. There are surprising findings regarding consumer and business attitudes towards the role of governments in cybersecurity. For example, it was fascinating to see how many consumers believe that their government should use the best vendor for national security-related capabilities regardless of what country it is from. It was also interesting to see that consumers are more likely to fear their data will be interfered with by their own government than foreign governments.”
Dr. Milton Mueller,
Professor Georgia Institute of Technology School of Public Policy
Internet Governance Project
Kaspersky Lab will continue collecting feedback on the results of the research for a full and comprehensive picture of the issues around the topic of the survey.