Abstract
Older adults are becoming more technologically proficient and use the internet to participate actively in society. However, current best security practices can be seen as unusable by this population group as these practices do not consider the needs of an older adult.
Aim. We aim to develop a better understanding of digitally literate, older adults’ online account management strategies and the reasons leading to their adoption.
Method. We carry out two user studies (n = 7, n = 5). The first of these gathered information on older adults’ account ecosystems and their current online security practice. In the second, we presented security advice to the same group of older adults facilitated by a bespoke web application. We used this to learn more about the reasons behind older adults’ security practices by allowing them to reflect on the reported security vulnerabilities in account ecosystems.
Results. Our participants are aware of some online security practices, such as not to reuse passwords. Lack of trust in their own memory is a critical factor in their password management and device access control strategies. All consider finance-related accounts as their most important accounts, but few identified the secondary accounts (e.g. emails for account recovery) or devices that provide access to these as very important.
Conclusions. Older adults make a conscious choice to implement specific practices based on their understanding of security, their trust in their own abilities and third-parties, and the usability of a given security practice. While they are well-aware of some best security practices, their choices will be different if the best security practice does not work in their personal context.
Acknowledgments
We are grateful to Karen Renaud for her excellent suggestions on how to improve the paper and the anonymous reviewers for the careful reading and helpful comments. We would also like to thank all members of the Bytes and Blether group at the University of Dundee that took part in this work.
Appendices
A Interview 1 Script
Demographic
1. What is your age bracket? (a) 60–69 (b) 70–79 (c) 80–89 (d) 90–99 (e) 100+
2. What sex would you classify yourself as? (a) male (b) female (c) transgender (d) non-binary (e) other (f) prefer not to say
3. What is/was your occupation?
4. How do you personally rate your technological literacy?
Finding Information Security Advice
1. How important do you think it is to be secure online?
2. How do you decide what your online security practices are?
3. Do you face any challenges implementing online security for your situation?
4. How do you prefer this type of information being presented to you?
Day to Day Security
1. What do you do to keep yourself secure online? – Why?
2. Are you worried about your online security? – Why?
3. What do you wish was easier regarding online security?
Account Ecosystem. I will now ask you questions about your account ecosystems. For each item you introduce you will give it a nickname such as Social1, Password2 or EmailOL. This is so that you can protect your privacy and not disclose any of your passwords. Please do not share any sensitive information such as passwords and PINs. We can revisit questions you have answered.
1. What devices do you use to access the internet?
   (a) For each device give it a nickname. (Examples: Laptop1, WorkPhone2)
   (b) What are the login methods and things you need to access it?
       i. Give a nickname for each entity needed or refer to the nickname that entity was given if already mentioned in the interview.
       ii. Is this method a recovery method for this account?
   (c) Can you view messages and notifications on this device when it is locked?
   (d) Are there any comments you have on this device you would like to share?
   Repeat (a)–(d) for every Device.
2. Do you use password managers to access any of your accounts?
   (a) Give each password manager a nickname. (Examples: PM1, Manager1)
   (b) What are the login methods and things you need to access it?
       i. Give a nickname for each entity needed or refer to the nickname that entity was given if already mentioned in the interview.
       ii. Is this method a recovery method for this password manager?
   (c) Do you have open sessions (logged in permanently) with this password manager?
       i. For each open session assign a nickname for each entity or refer to the nickname that entity was given if already mentioned.
   (d) Are there any comments you have on this password manager you would like to share?
   Repeat (a)–(d) for every password manager.
The sub-questions 2(a)–2(d) are also asked for each of the Questions 3–9, replacing “password manager” by “account”.
3. What email addresses do you have access to?
4. What social media accounts do you use to stay connected?
5. What accounts do you have to access your online finances?
6. What accounts do you use for online shopping?
7. What accounts do you use for entertainment?
8. What accounts do you use for gaming?
9. Are there any more accounts or items you feel we have missed?
10. Look over the passwords you mentioned.
   (a) How secure do you think your password is?
       i. Strong = A password created by a password manager.
       ii. Average = A password you made yourself that you consider strong.
       iii. Weak = A password you made yourself that you consider weak or one that does not fit in the other two categories.
   (b) What are the login methods and things you need to access this password?
       i. Give a nickname for each entity needed or refer to the nickname that entity was given if already mentioned in the interview.
       ii. Is this method a recovery method to access this password?
   (c) Are there any comments on this password you would like to share?
   Repeat (a)–(c) for every password in this category.
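Added example (not part of the paper or its web application): one way to analyse an ecosystem recorded with the Account Ecosystem questions is to treat every login or recovery method as a set of items that together grant access, and to compute what the loss of a single item eventually exposes. The nicknames and connections below are constructed, and modelling open sessions as access methods is an assumption of this sketch.

```python
# Constructed sample ecosystem using interview-style nicknames (not study data).
# Each item maps to its access methods; a method is the set of items that
# together suffice to get in. Recovery methods and open sessions are listed
# as extra methods because they also grant access (assumption of this sketch).
ECOSYSTEM = {
    "Phone1":  [{"PIN1"}],
    "Laptop1": [{"Password1"}],
    "EmailOL": [{"Password2"}, {"Phone1"}],      # open session on Phone1
    "PM1":     [{"Password3"}, {"EmailOL"}],     # recovery via email
    "Bank1":   [{"Password4", "Phone1"},         # password + code sent to phone
                {"PM1", "Phone1"}],              # password stored in PM1
    "Shop1":   [{"Password2"}, {"EmailOL"}],     # reused password; email reset
    # Secrets have no access methods: they are only known if disclosed.
    "PIN1": [], "Password1": [], "Password2": [],
    "Password3": [], "Password4": [],
}


def reachable(compromised, ecosystem=ECOSYSTEM):
    """Return every item that can be accessed starting from `compromised`."""
    owned = set(compromised)
    changed = True
    while changed:  # fixed point: repeat until no new item becomes accessible
        changed = False
        for item, methods in ecosystem.items():
            if item not in owned and any(m <= owned for m in methods):
                owned.add(item)
                changed = True
    return owned


def single_points_of_failure(target, ecosystem=ECOSYSTEM):
    """List items whose compromise alone eventually gives access to `target`."""
    return sorted(item for item in ecosystem
                  if item != target and target in reachable({item}, ecosystem))


if __name__ == "__main__":
    print("Exposed by PIN1:", sorted(reachable({"PIN1"})))
    print("Single points of failure for Bank1:",
          single_points_of_failure("Bank1"))
```

In this constructed ecosystem the bank password alone does not open Bank1, but the phone PIN does, which mirrors the abstract's observation that devices and recovery accounts deserve the same importance as the finance account itself.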
B Interview 2 Script
Checking the Participants’ Awareness of Their Security
1. What did you think was the most important part of your account ecosystem?
2. Are you aware of any account security vulnerabilities you may have?
3. Which of your accounts do you think are the most important to keep secure?
4. Are you aware of anything you can do to improve your account security?
Reflections
1. Were there vulnerabilities found within the analysis based on a security practice that you originally thought secure?
2. Are there any practices you currently do that you thought were not secure but that were disproved by the analysis?
© 2022 Springer Nature Switzerland AG
Cite this paper
Abraham, M., Crabb, M., Radomirović, S. (2022). “I’m Doing the Best I Can.” . In: Parkin, S., Viganò, L. (eds) Socio-Technical Aspects in Security. STAST 2021. Lecture Notes in Computer Science, vol 13176. Springer, Cham. https://doi.org/10.1007/978-3-031-10183-0_5
DOI: https://doi.org/10.1007/978-3-031-10183-0_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-10182-3
Online ISBN: 978-3-031-10183-0
eBook Packages: Computer Science (R0)