Article

Risk Perceptions on Social Media Use in Norway

by Philip Nyblom 1,*,†, Gaute Wangen 2,*,† and Vasileios Gkioulos 1,*
1 Department of Information Security and Communication Technology, Faculty of Information Technology and Electrical Engineering, NTNU–Norwegian University of Science and Technology, 2815 Gjøvik, Norway
2 IT Division, Digital Security Section, NTNU–Norwegian University of Science and Technology, 2815 Gjøvik, Norway
* Authors to whom correspondence should be addressed.
† These authors contributed equally to this work.
Future Internet 2020, 12(12), 211; https://doi.org/10.3390/fi12120211
Submission received: 15 October 2020 / Revised: 17 November 2020 / Accepted: 23 November 2020 / Published: 26 November 2020
(This article belongs to the Special Issue Security and Privacy in Social Networks and Solutions)

Abstract

Social media are getting more and more ingrained into everybody’s lives. With people’s more substantial presence on social media, threat actors exploit the platforms and the information that people share there to deploy and execute various types of attacks. This paper focuses on the Norwegian population, exploring how people perceive risks arising from the use of social media, focusing on the analysis of specific indicators such as age, sexes and differences among the users of distinct social media platforms. For data collection, a questionnaire was structured and deployed towards the users of multiple social media platforms (total n = 329). The analysis compares risk perceptions of using the social media platforms Facebook (n = 288), Twitter (n = 134), Reddit (n = 189) and Snapchat (n = 267). Furthermore, the paper analyses the differences between the sexes and between the digital natives and non-natives. Our sample also includes sufferers of ID theft (n = 50). We analyse how account compromise occurs and how suffering ID theft changes behaviour and perception. The results show significant discrepancies in the risk perception among the social media platform users across the examined indicators, but also explicit variations on how this affects the associated usage patterns. Based on the results, we propose a generic risk ranking of social media platforms, activities, sharing and a threat model for SoMe users. The results show the lack of a unified perception of risk on social media, indicating the need for targeted security awareness enhancement mechanisms focusing on this topic.

1. Introduction

Identity theft and account hacking are significant security threats in the digital era. Today’s societies are deeply interconnected and reliant on digitally offered services, with most of people’s everyday dealings, including banking and payments, happening online and via mobile devices. Have I Been Pwned (https://haveibeenpwned.com/ Visited Oct 2020) is an online database of leaked account credentials that claims to comprise over 10 billion usernames and passwords.
The consequences and effect propagation of identity theft are further intensified when considering the potential for social engineering through social media (SoMe) misuse. In the past, a multitude of hacked SoMe accounts have been exploited to disseminate lies, spearhead phishing campaigns, request and process illegitimate payments and even influence the stock markets. A well-known case of a hacked high-profile SoMe account is Skype’s Twitter account back in 2014 (https://www.theverge.com/2014/1/1/5264540/skype-twitter-facebook-blog-accounts-hacked), which the attackers used to post a tweet with the text “Do not use Microsoft emails...”.
Given the plethora of relevant attack vectors and the probable direct impact on the general population, it is essential to establish suitable awareness campaigns to enhance the security posture of the society and lessen the impact of such attacks, as discussed by Al-Charchafchi et al. [1] who reviewed threats against information privacy and security in social networks. The initial step in this direction is to analyse how people perceive the risk they are exposed to when using SoMe and assess the impact of specific indicators (such as age and sex) when evaluating such risks. Such an analysis must be undertaken taking into account the national or regional context, such as ICT (Information and Communication Technologies) penetration, digital preparedness and acceptance metrics, avoiding unfounded generalisations across borders or groups. Thus, national and regional studies can offer a suitable mapping of the current societal security posture, preparedness and resilience, as well as suitable metrics to establish enhancement methods.
Accordingly, in this study we focus on the Norwegian population, measuring public risk perception on the use of SoMe, reviewing what people freely post and how an attacker can exploit this content, also focusing on how being a victim of identity theft affects a posteriori risk perception and usage patterns. This study was motivated by the fact that the Norwegian society is highly digitised, steadily achieving growing Digital Economy and Society Index (DESI) scores for the past years while consistently being evaluated above the EU average, with a 2020 score of 69.5 against an EU average of 52.6.
SoMe are extensively utilised while being open platforms where people tend to over-share. This over-sharing might lead to break-ins, a stolen identity, stalking and other physical or virtual consequences. For example, houses may be targeted while people are on holiday, or accounts may be hijacked by an attacker using social engineering. The security risk might not be people’s primary thought when posting information online, even though they might volunteer more information than they would think prudent had they shared the same information in real life/in person.
The Norwegian data authority defines identity theft as: “Identity theft is when someone obtains, possesses, transfers, uses or appears as the rightful holder of an identification card or the personal information of a person to commit financial fraud, fraud or other crime”, while the Norwegian punitive law §202 stipulates:
“a fine or imprisonment of up to 2 years, the person who unjustifiably takes possession of another person’s identity card, or acts with another’s identity or with an identity that is easily confused with another’s identity, with the intention to obtain an unjustified gain for himself or another, or inflict another loss or disadvantage.”
Additionally, this paper examines variations in risk perceptions between digital natives and non-natives, where digital natives are defined as people born after 1987 [2]. The contributions of this article are:
  • Investigate the following areas in sharing habits and exploitation for ID theft on SoMe in Norway.
    (a) Are there differences in security routines between digital natives and non-natives?
    (b) Are there differences in security routines between genders?
    (c) Does having suffered ID or account theft change security routines?
  • Investigate how people perceive the risk of ID theft on SoMe.
    (a) Differences in risk perceptions across popular SoMe platforms (Facebook, Twitter, Reddit and Snapchat)
    (b) Are there differences in risk perceptions between digital natives and non-natives?
    (c) Are there differences in risk perceptions between genders?
    (d) Does having suffered ID or account theft change risk perceptions on sharing habits?
  • How does ID theft occur and what are the consequences?
As detailed in the research questions above, the included SoMe platforms are Facebook, Twitter, Reddit and Snapchat. A brief description of these services is as follows (worldwide user estimates were collected from Oberlo.com for October 2020): Facebook is a social media platform that mostly lets users control who may see information about them and who can see their posts. Some information is not private by default, such as the friends list and information about the account holder. Facebook has 2.7 billion users. Twitter is a micro-blogging service where everything that is posted is public by default. One connects on Twitter by actively choosing to follow different people. Compared to Facebook, where both parties have to actively accept becoming friends, one can follow whoever one wants on Twitter without them having to say yes or no. The platform has a character count maximum of 240 characters, to keep the posts (tweets) short. Twitter is estimated to have 340 million users worldwide. Reddit is a social media platform that is more anonymous by nature, as very few subscribers use their name on their Reddit profiles. Reddit is partitioned into different subreddits where people interested in the same thing can come together; for example, there are subreddits for cats, politics and games. With how Reddit is structured, there is a risk of echo chambers forming, where like-minded people keep agreeing with each other. Reddit is estimated to have 430 million users. Finally, Snapchat is a picture sharing service where the images one sends are deleted after a set amount of time, or after the recipient has viewed them. If the recipient takes a screenshot of an image that they receive, the sender of the message receives a notification. Snapchat is estimated to have 230 million users worldwide.
A recent study by Studen [3] investigated social media as a cultural and economic phenomenon, exploring their expected future developments through an international two-stage Delphi study. The study indicates that enhanced interaction on platforms, as well as platform diversification is expected, promoting social media as the predominant news distributor, also increasing their societal and psychological impact. Our principal contribution is knowledge regarding the risk perceptions concerning ID theft using SoMe platforms, and how users perceive the risk of conducting certain activities on the surveyed platforms. Our paper outlines which information assets the participants deem worthy of protection and what they fear on SoMe. Our paper proposes a novel threat model for SoMe users derived from the results. Finally, we go in depth into how ID theft occurs, and the suffered and perceived consequences of suffering a security breach.
We have structured the remainder of this article as follows: The following section presents related work focusing among others on the areas of risk perception, ID theft and social media. Section 2 presents the methods used for this study discussing the instrument and the processes used for recruitment, data collection and analysis. Section 3 presents the sample demographics and discusses the representativity of the sample. Furthermore, Section 4 contains the complete analysis of the results, separating them into three major categories, firstly referring to routines, then risk perception and finally, risk perception alterations after suffering identity theft. Section 5 summarises the results and discusses the research questions. Lastly, we present the conclusions, which provide key takeaways and close the paper. The conclusions also include research limitations, impacts and recommendations for future research.

2. Related Work

There are multiple studies on risk perception, compromised accounts and SoMe. In this section, we explore some of these works to give the reader a better impression of the foundations for the development of this paper.
Several studies focus on the foundations of risk perception measurement: Slovic, Fischhoff and Lichtenstein [4] explored risk perception and explained that people, when asked about the risk of something, rarely have any data readily at hand to help them calculate the risk. Lacking data to use as a reference, people usually end up using heuristics when assigning risk. These heuristics create misalignments between the actual risk and the perceived risk, which experts should try to close when discussing risk with a layperson. Additionally, Alhakami and Slovic [5] explored how risk and benefit relate to each other. They observed that if the perceived risks were high, the benefits would be perceived as low, and something that is perceived to have high benefit is commonly perceived to have low risk. The authors asked psychology students to rate how risky something was towards the US. The students could rate the risks on a scale from 1—not at all risky, to 7—very risky. They found that perceived risk and perceived benefit do in fact correlate with each other. Furthermore, Slovic et al. [6] examined how experience changes how we perceive risk, and how heuristics change how a person perceives the risk of an event. They mention, following Loewenstein et al. [7], that a person can perceive risks in two different ways: one is the rational system, meaning how people rationally react to risk, which corresponds to the common understanding of risk as consequence times likelihood. The other is the emotional reaction when an event happens. Loewenstein mentions that researchers should take such an emotional reaction to risks into account. Worth mentioning are the findings by Gustafsod [8], who wrote a paper about how men and women perceive risk differently. The findings document the existing around gender differences and risk perception. Most of the papers he reviewed on risk perception used a quantitative method and ended up with females having a higher perceived risk. He also discusses the power relations between males and females, noting that women often fear crime and that this stems from fear of male sexual violence.
Other ground breaking work within the measurement of risk perception focus on the “Risk compensation model” by Adams [9]; the “presentation of risk information” and the “Availability of risk information” discussed by Kahneman [10]; the psychometric based “Expressed risk preferences” and the “Affect in risk perception” [11] which evaluates the affect of heuristic in judgments of risks and benefits.
Accordingly, it becomes clear that a variety of theoretical and empirically supported approaches have been developed in order to support the understanding of how risk perceptions may be shaped, as discussed by Paul van Schaik [12], whose study motivates further efforts into identifying the determinants of people’s behaviour towards cyber risk on the Internet. Furthermore, Yixin Zou [13] conducted a survey investigating the acceptance of commonly recommended online safety practices (on security, privacy and identity theft protection), establishing both discrepancies and the respective reasons for non-compliance.
Another aspect that may influence risk perception is security awareness. An earlier study by Gunleifsen et al. [14] researched the security awareness, perceptions and culture of participants from rural Norway. They collected the sample from a broadband subscriber list and had n = 945 with 76% males and an average age of 56 years. The authors surveyed attitude toward IT, knowledge, risk evaluations, trust in authorities and training preferences, and compared risk evaluations with the participants’ online behaviour. The results show that the level of security awareness is highly subjective and that training programs and security awareness campaigns are both needed and requested by end-users. The risk perception part of Gunleifsen et al. measures confidence in the ability to judge what is safe or not in cyberspace, and how much the participants worry about certain abuse scenarios.
Additionally, like the study presented in this article, the paper by Golladay and Holtfreter [15] explores what happens to people after they have been victims of identity theft, examining the health detriments and the emotional harms that being a victim of identity theft can cause. They found that, for example, age impacts the emotional response of a victim, with older people being affected more than younger people. In a broader scope, a report by Newman [16] discusses various aspects of ID theft, including its various types, victim demographics and the typology of the offenders, and includes an analysis of the various costs of ID theft at the financial, personal and societal levels. This report, which was funded by the U.S. Department of Justice, explicitly recommends future research on routine activities and decisions that lead to the victimisation of individuals, in order to identify vulnerable populations and behavioural patterns that may lead to effective interventions.
Additionally, a wide variety of studies has explored specific aspects of ID theft, focusing on specific target groups, application domains and technologies, or sectors.
Jagatic et al. [17] tested whether knowing the person who sends a phishing link affects trust in the link provided. They emailed students at Indiana University and spoofed the sender of the emails to create more trust towards the phishing link and site provided by an attacker. They found that people were much more likely to click and expose their information if the phishing link was provided this way. They created one control group and one group that received the spoofed email; the control group had a 16 percent success rate, while the spoofed email group had a 72 percent success rate, showing that trust in the sender makes a big difference in a successful phish. Milne, Rohm and Bahl [18] look at how consumers protect their personal information on the internet with regard to the threat of identity theft, and whether there are any predictors for the level of online protection practiced. This study was done using three different surveys covering multiple demographics across the US. The surveys had some questions built upon the “best practices” for ensuring data privacy by the Centre for Democracy and Technology (2003). This paper was inspiring to look at for how they researched identity theft. One question they asked was whether people “Refused to give information to a website because you felt it was too personal”.
Furthermore, Thomas et al. [19] conducted a year-long study where they explored exposed credentials and the match rate with Google accounts. They used three datasets of leaked credentials during the study: one from usual credential leaks, one from phishing kits and one from keyloggers. They found that the credential leaks they looked at had a match rate of 6.9%, the phishing kits had a match rate of 24.8% and the keyloggers had a match rate of 11.9%. The match rate refers to credentials that were still active and usable. Finally, Nyblom et al. [20] used a root cause method to find out what the root cause of compromised accounts was at a university. They found that one of the most significant contributors to compromised user accounts had been the reuse of credentials on different sites, which made up 42% of the hacked accounts; the next was password strength at 25%, malware at 19% and phishing at 10%. As discussed earlier, these studies, although they may appear fragmented, are targeted by design to specific target groups, indicators or technologies, narrowing the scope and allowing the construction of a more complete and detailed picture regarding the determinants of human behaviour towards cyber risk.
Ur and Wang [21] constructed a framework of questions that a user of social media should ask themselves, so that users from a diverse set of backgrounds can have good enough privacy according to their culture. One layer in the framework was a legal layer, and here, the social media could ask themselves if they are compliant with, for example, European law, like the General Data Protection Regulation (GDPR).
Focusing on social media, the paper by Such and Cirado [22] explores not just the privacy implications of one person sharing information about him or herself, but also people having information about themselves disclosed by others posting on social media platforms. The paper also shows several coping strategies for how one can and should share information on social media, and the major drawbacks these coping strategies might have. It also proposes some different strategies that can be used when posting multi-party privacy-related posts. A similar study to this one was conducted by Schaik et al. [23], which measured risk perceptions of security and privacy in online social networking. The study applied psychometric methods to survey 201 Facebook users from the UK. Their primary finding was that the concern was highest for information-sharing related to privacy. An additional aspect that has been examined in the literature is specific strategies to protect the privacy of users, and the potential impact of integrating privacy policies on the information-sharing behaviour of the users. Damion et al. investigated this aspect [24] by analysing 51 papers on SoMe privacy, concluding that despite user concern about ID theft and third party access to their information, integrated privacy policies do not directly affect the users’ information sharing behaviour. A variety of studies focus on the security implications of social media as platforms and also specifically their use, such as the study by Wu [25], who reviewed social media security risks and existing mitigation techniques, and the book by Gonzales [26] that draws a much broader picture of online activity, including aspects related to the collection, storage and use of data, the management of intellectual property and online activism.
Looking at the best practices for people to protect their social media accounts, we looked at the public advisory companies NorSIS and Nettvett, which are government-owned companies in Norway that strive for cybersecurity awareness for the public and small/medium enterprises. One of their recommendations for reducing the risk of ID theft when using the internet is for people not to give away personal information to unknown people on the internet, unless the person giving away the information is the one who instigates the information transfer (https://nettvett.no/forebygge-identitetsverdi/). Nettvett also has some preventative measures for people who are exposed to blackmail on social media; in their list they suggest hiding friends lists, hiding the profile from search engines and making sure that the profile’s timeline is visible only to friends (https://slettmeg.no/seksuell-utpressing-pa-nett/).
There has been a lot of original work done on risk, risk perception and risk awareness that this study builds on. We usually define risk as the consequence and probability of something happening, but this definition might be a bit too narrow when measuring risk in laypeople. As Slovic mentioned [27], the heuristics of a person have an impact on how they perceive and rate risk. Bickerstaff K. [28] mentioned that most risk perception studies at the time had been conducted mostly with questionnaires, but that more recently more studies had used or supplemented their quantitative data with qualitative data. There do not seem to be many papers written about the risk perception of people in social media, and especially about how people perceive the risk of a compromised social media account. We want to contribute to filling this gap by asking people how they perceive the risk, what they think a compromised social media account can be used for, and about the experiences of people who have had their accounts compromised.
This study builds upon our earlier results in [29], which focused on evaluating the conceptual models used by security experts when developing security solutions targeted towards the general public; [2], which focused on analysing the security awareness divergences of digital natives across Norway and two other European countries; [14], which focused on evaluating the security awareness within the rural Norwegian population; and [20], which focused on identifying the root cause of compromised accounts at a Norwegian university. These studies are complementary to each other, and to other national reports [30], aiming to solidify a clearer understanding of the cyber security culture of the Norwegian society.
Furthermore, the literature study has revealed two aspects of risk perceptions that have not been addressed: Several studies measure risk perceptions on one SoMe platform [12,23], but they have made no comparisons of risk perceptions between services. Additionally, while ID theft and account compromise have received some attention [17,18,19,20], we did not find any studies on how suffering ID theft changes risk perceptions.
The results of these initiatives are of national interest, since they provide a clearer understanding of the current status of cybersecurity awareness, thus allowing for enhancements to the content (e.g., general, introductory, comprehensive), format (e.g., promotional, informational, enforcing) and delivery types of enhancement programs. Furthermore, the results are also of wider interest, as Norway is one of the most highly digitised countries in the world, with significant penetration of information and communication technologies, while still operating within the wider European context. The results thus provide future perspectives as digitisation progresses across the continent.

3. Method

In this chapter, we will describe the applied research strategies. There are many ways one can go about researching risk perception and risk awareness of people. This study aimed to gather data about the risk perception of ID theft in the Norwegian population and therefore needed a broader sample. Additionally, one of the research questions aimed to gather data from people who had suffered ID theft.
The data collection went from May to June 2020.

3.1. Instrument

As seen in the related work section, one of the most common approaches to measure the risk perception of people is using a questionnaire [5]. Questionnaires allow us to reach out to and sample a broader part of the population. The questionnaire used for this project builds on previous work on how to measure people’s risk perception and followed Milne, Rohm and Bahl [18]. It contained questions based on the current best practice advice from a trusted authority on how not to get one’s identity stolen. Additionally, we followed NorSIS advice and guidelines on how to prevent identity theft. (NorSIS is an independent organisation and partner to the government, businesses and research facilities in the subject of cybersecurity. https://nettvett.no/forebygge-identitetsverdi/) Quality assurance was done through multiple testing rounds with representatives from the sample demographic to ensure appropriate wording and measurements.
The questionnaire totalled 30 primary questions. A summary of the questionnaire with surveyed topics, number of questions, target group and objectives is shown in Table 1, and the whole instrument is available in Appendix A. The survey started with four demographic questions, two self-assessment questions and three questions to establish the respondent’s social media presence. These initial questions were all mandatory. The remaining questions asked the respondent about various security routines, risk perceptions and ID theft. We designed the questions regarding security routines to gauge the respondent’s susceptibility to ID theft. We designed seven questions as matrices with rating scales for multiple variables, e.g., question 6: How much do you care about [...] (1) IT in general, (2) Information security, (3) Privacy. These were designed with ordinal scales.
The design of the survey was such that some answers triggered specific follow-up questions. The most significant break-off point in the questionnaire was when the respondents were asked whether they ever had their accounts hacked. If the answer was “Yes” (Hacked group), they were asked seven additional questions specifically about the ID theft incident, see question 21 in Table 1. If the respondents answered no (not hacked), they were asked one question regarding ID theft (Q29).

3.2. Recruitment and Data Collection

The recruitment strategy aimed at recruiting both from the general population together with people that had suffered from ID theft. We limited the sample population to only include Norwegians, and the online questionnaire was only available in the Norwegian language. For sample control, we conducted the sampling with three copies of the questionnaire distributed on three different platforms. To recruit from the sample population that had suffered ID theft, we were allowed to distribute the questionnaire through Slettmeg.no, which is a service for helping people that have suffered ID theft and other cyber incidents. To obtain a sample from the generic population, we distributed a second questionnaire through Facebook and Twitter, and the third on the Norwegian Reddit forums. Furthermore, we attempted to recruit the respondents from Slettmeg.no who had suffered ID theft for in-depth interviews. However, from the limited pool of compromised accounts, only two people answered the further inquiry.

3.3. Data Analysis

The compared groups in this study are the sexes (male/female), age and hacked groups. We have also split the collected ages into digital natives and non-digital natives, as there might be a difference in how the digital natives perceive risk on social media. Gkioulos et al. [29] defined digital natives as people born between 1987 and 1997. We classified participants younger than 31 as digital natives, and those above as non-natives, to comply with this definition as much as possible for the available sample. When analysing differences between the sexes, we left the group that had chosen “prefer not to answer” out because of the low number of respondents that chose this option, with only five people being in the group. We sorted the hacked/not hacked group using question 21 in the survey.
To process the results of the questionnaire, we applied a variety of statistical data analysis methods available through the IBM SPSS software v2.0. A summary of the statistical tests used in this research is as follows:
Firstly, each variable was analysed separately, looking at trends and distribution with histograms and descriptives. Furthermore, we performed bivariate analysis and ANOVA on age, gender and hacked groups to investigate differences. We treated “No” as zero and “Yes” as one in the analysis for binary-type questions. We also performed a Pearson correlation with the data on how much people care about IT, information security and privacy to see if this had any effect on how people perceive risk. A thing to note is that the use of ANOVA or other bivariate methods for analysing ordinal nonlinear data has been criticised because such data are not normally distributed. Norman [31] discussed the points of contention over when one can use ANOVA or other bivariate analysis, and used earlier studies to back up that there is little to no reason not to use bivariate analysis on nominal data such as Likert and rating scales, small sample sizes or data that do not follow a normal distribution. Following Norman, the analysis in this paper uses the mean and the ANOVA to illustrate differences between groups. However, we have also included the median as good practice.
For analysis of the free text questions, the answers were grouped up together according to common characteristics to allow for quantification. For example, synonyms such as “extortion” and “blackmail” were grouped together in the analysis. Each answer was counted separately in the cases where a respondent gave multiple answers to the question.
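The analysis steps described above (Yes/No coded as 1/0, group comparison with mean, median and one-way ANOVA, and synonym grouping of free-text answers) can be reproduced outside SPSS. The following Python code is an added example, not the authors' procedure: all ratings and answers are constructed, the function names are hypothetical, and splitting free-text answers on commas and semicolons is an assumption.

```python
import math
import re
from collections import Counter
from statistics import mean, median


def _betacf(a, b, x, max_iter=300, eps=1e-14):
    """Continued fraction for the incomplete beta function (modified Lentz)."""
    tiny = 1e-300
    c, d = 1.0, 1.0 - (a + b) * x / (a + 1.0)
    d = 1.0 / (d if abs(d) > tiny else tiny)
    h = d
    for m in range(1, max_iter + 1):
        for num in (
            m * (b - m) * x / ((a + 2 * m - 1) * (a + 2 * m)),
            -(a + m) * (a + b + m) * x / ((a + 2 * m) * (a + 2 * m + 1)),
        ):
            d = 1.0 + num * d
            d = 1.0 / (d if abs(d) > tiny else tiny)
            c = 1.0 + num / c
            c = c if abs(c) > tiny else tiny
            h *= d * c
        if abs(d * c - 1.0) < eps:
            break
    return h


def reg_inc_beta(a, b, x):
    """Regularized incomplete beta function I_x(a, b)."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    ln_front = (math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
                + a * math.log(x) + b * math.log(1.0 - x))
    front = math.exp(ln_front)
    if x < (a + 1.0) / (a + b + 2.0):
        return front * _betacf(a, b, x) / a
    return 1.0 - front * _betacf(b, a, 1.0 - x) / b


def one_way_anova(groups):
    """Return (F, df_between, df_within, p) for a list of rating lists."""
    n_total = sum(len(g) for g in groups)
    grand = sum(sum(g) for g in groups) / n_total
    means = [mean(g) for g in groups]
    ss_between = sum(len(g) * (m - grand) ** 2 for g, m in zip(groups, means))
    ss_within = sum((v - m) ** 2 for g, m in zip(groups, means) for v in g)
    df_b, df_w = len(groups) - 1, n_total - len(groups)
    if ss_within == 0:  # all groups constant: F is infinite or undefined
        if ss_between > 0:
            return math.inf, df_b, df_w, 0.0
        return math.nan, df_b, df_w, math.nan
    f = (ss_between / df_b) / (ss_within / df_w)
    # Upper tail of the F distribution via the incomplete beta function.
    p = reg_inc_beta(df_w / 2.0, df_b / 2.0, df_w / (df_w + df_b * f))
    return f, df_b, df_w, p


def code_binary(answer):
    """Code a binary-type answer as in the paper: "No" -> 0, "Yes" -> 1."""
    return {"no": 0, "yes": 1}[answer.strip().lower()]


def compare_groups(ratings_by_group):
    """Mean and median per group, plus the ANOVA across the groups."""
    f, df_b, df_w, p = one_way_anova(list(ratings_by_group.values()))
    return {
        "mean": {g: mean(v) for g, v in ratings_by_group.items()},
        "median": {g: median(v) for g, v in ratings_by_group.items()},
        "F": f, "df": (df_b, df_w), "p": p,
    }


def count_free_text(answers, synonyms):
    """Group synonyms and count every answer a respondent gave separately."""
    counts = Counter()
    for answer in answers:
        for part in re.split(r"[;,]", answer):  # assumed separators
            term = part.strip().lower()
            if term:
                counts[synonyms.get(term, term)] += 1
    return counts


# Constructed sample data (not taken from the survey).
RISK_DEBATE = {"male": [1, 2, 2, 3], "female": [2, 3, 3, 4]}  # 1-4 scale
VISIBLE_EMAIL = {"hacked": ["Yes", "Yes", "No", "Yes"],
                 "not_hacked": ["No", "No", "Yes", "No"]}
FREE_TEXT = ["spam; phishing", "Extortion", "blackmail, spam"]
SYNONYMS = {"extortion": "blackmail"}  # the grouping named in the text

if __name__ == "__main__":
    print(compare_groups(RISK_DEBATE))
    coded = {g: [code_binary(a) for a in v] for g, v in VISIBLE_EMAIL.items()}
    print(compare_groups(coded))
    print(count_free_text(FREE_TEXT, SYNONYMS))
```

With only two groups the F statistic equals the square of the independent-samples t statistic, so the p-value matches a two-sided t-test on the same data.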

4. Demographics and Sample Description

This section describes the sample demographics and discusses representativity. The number of answers from the different questionnaires is: Slettmeg N = 24, Facebook/Twitter N = 198 and Reddit N = 107. Table 2 shows the response rate. The questionnaire was distributed to 123 customers of Slettmeg from April to May 2020. The Reddit and Facebook questionnaires were actively shared and posted for two weeks in May 2020. The number of possible respondents for Facebook consists of the number of friends of the people who shared the questionnaire. We approximated the number of people who had this information visible using the number of shares and average Facebook friends per share (Table 2). We rounded the number to the closest hundred. For Reddit, the table shows the number of members of the Norwegian subreddit r/norge, and the number of users that are usually online.

4.1. Sex, Age and Digital Natives

Table 3 illustrates that sex distribution varies greatly between the different platforms where the questionnaire was distributed. For example, the sample collected from Reddit has a very skewed sex distribution, with most of the people on the platform being male (88%). The sample from Facebook has 38% women, and the sample from Slettmeg has 54% women. This brings the total distribution to 68% men and 30% women in the sample. For comparison, the sex distribution of the Norwegian population as a whole from Statistics Norway (SSB) (https://www.ssb.no/statbank/sq/10036277) is 50.19% males and 49.81% females among those aged 18 years or older, as of 2020. The dataset is biased towards males with an over-representation of 17%.
The age distribution of the respondents can be seen in Figure 1 (numbers in Table 3). The numbers have an over-representation of people in the age group 21–30 from Facebook, Twitter and Reddit; this group also totals 54% of the sample. The Slettmeg survey is more evenly distributed within the age groups. The second biggest group is 31–40 (20%), followed by 41–50 (11%).
We split the age groups into two to investigate the digital natives-hypothesis [2], where natives are people born after 1987, see Table 4. The gender distribution within the groups is 71% males and 27% females in the digital natives group and 65% males and 35% females in the non-native group.

4.2. Further Sample Description

Norway comprises eleven counties; the distribution of the sample compared to the Norwegian population from SSB (https://www.ssb.no/statbank/sq/10036698) is visible in Figure 2. The difference between the population and the sample can mostly be seen with Oslo and Innlandet being over-represented, and Viken, Agder and Rogaland being under-represented.
Figure 3 shows the educational level of the respondents of the questionnaire; the Slettmeg questionnaire is not a part of these statistics because the educational level was not asked there. Compared to the education level in the rest of the population, the respondents of the questionnaire have, in general, a higher level of education. SSB writes that 36.6% of the Norwegian population has higher education, compared to our sample where 79% reported having higher education.
The people who participated in the questionnaire used the social media shown in Table 5. Since every person may use multiple social media platforms, the total amount displayed in the table exceeds the number of respondents of the questionnaire. From the table, we can see that in every age group, over 65% of people use Facebook as a social media platform. The numbers for Facebook keep climbing the older people get, while most of the other social media have the reverse distribution, at least down to around the 21–30 demographic, which peaks in all the other named social media platforms. The age group that has the highest percentage of people using another social media platform than the ones named is the 41–50 group.
The respondents of the questionnaire were also asked about how often they post on social media, as presented in Table 6. From the table, we can see that 53% of people post on social media more rarely than once a month. A total of 22% post at least once every month on social media, and 14% post around 0–5 times in a week. This shows that most people use social media fairly passively, with 89% posting less than once a week.

4.3. Self-Assessment

We asked the respondents to rate their IT skills on a scale from 1—Very poor to 4—Expert. Figure 4 shows that only one person rated their IT skills as “Very poor”. Furthermore, we can see that in both the questionnaire distributed on Reddit and the one distributed on Facebook/Twitter, around 15% of the respondents ranked their IT skill level at 2; this is in contrast to the questionnaire distributed on Slettmeg, where approximately 55% of people chose the same. For all three, around 40% chose that their IT skill was at a 3. About the same amount of people placed their skill level at 4 in the Reddit and Facebook/Twitter questionnaires, while zero people placed themselves at highly skilled in the Slettmeg-distributed questionnaire. That Slettmeg has such different values here could come from who decides/needs to use their service.
In Table 7, we can see how much people care about IT, information security and privacy: IT generally has a lower number of people caring about it. Information security and privacy are pretty similar in people’s enthusiasm towards the subject. However, the respondents seem to care more about privacy.
There were no differences between the natives and non-natives in the self-assessment; however, there were differences both between the sexes and between those who had and had not been hacked, illustrated in Table 8. The respondents who had been hacked had a significantly lower perception of their generic IT competence. We see similar results for the females in the sample regarding IT competence, information security and privacy.

5. Analysis and Results

The results are split into three major categories: Firstly, we analyse the differences regarding security routines on social media. Secondly, we investigate the risk perceptions of conducting different activities. Finally, we describe the risk perceptions of those who have suffered ID theft and the consequences they suffered. For each subsection, we describe the results for the groups as a whole, before describing the differences between the three groups (age, sex and ID theft).

5.1. Security Routines on Social Media

We present the security routines within the topics update practices, password habits, privacy settings and visible information.

5.1.1. Update Practices

We asked the respondents about their updating routines for the units they use to browse social media. Figure 5 shows that less than 52% of participants owned a tablet device, while 93% owned a PC/Mac and 99% of the respondents had a smartphone. We can see that most people update their devices as soon as they receive a notification about updating. Only 6% of the participants postpone system updates. The recommended frequency of how often one should update their devices is as soon as a patch is available, according to the Norwegian National Security Authority (NSM) (https://www.dn.no/teknologi/teknologi/datasikkerhet/microsoft/innlegg-sla-pa-automatiske-oppdateringer-unnga-datainnbrudd/2-1-654083). Windows has a monthly security patch that goes out on a Tuesday, also known as Patch Tuesday, so for PC/Mac about 88% of people are probably up to date or at most one month behind.
There were no differences between the natives and non-natives, genders or having experienced account theft when it comes to updating practices.

5.1.2. Password Habits

Passwords are what most services use to authenticate a person and give them access to their account on the site. Back in 2017, Thomas et al. [19] found that just from data leaks, 7.5% of credentials were still active and usable. We can see from the answers in Table 9 that the respondents are probably in line with the number from Thomas et al., with 3% using the same password everywhere and 9.4% using the same everywhere, but applying 2-factor authentication if it is available. A total of 28.6% of the sample use variations of the same password on different sites to keep the passwords unique.
There were no differences between natives and non-natives regarding password habits. There were differences between the sexes, where males seemingly have better password habits than females, Table 10.

5.1.3. Privacy Settings

In the questionnaire, the respondents were asked if they had changed their privacy settings. A total of 301 people said that they had changed their privacy settings to reduce exposure, and 28 people had left them as is.
Regarding the changing of privacy settings, we also asked to what degree they had limited the visibility of their account (N = 329, Figure 6). As seen in the figure, most people have limited the visibility of their information to a high degree. Furthermore, the one thing that people have tried to limit the most seems to be who can see their contacts, with about 84% of people rating their degree of limiting their contact visibility to 3 or 4. For all the different privacy-increasing measures that can be taken, it seems that at least 55% of people chose 3 or 4 as the degree to which they had tried to limit visibility on their profiles, with stopping search engines from showing the profile as the least “important” one.
Furthermore, when comparing the groups we find that the group that has suffered account hacking scores consistently lower on all variables regarding visibility on social media, Table 11. Additionally, there are significant differences between natives and non-natives when we compare privacy settings on the variables contact info and posts, with the natives having stricter settings. There are also differences between males and females on friends and followers (p = 0.05) and profile visibility to search engines (p = 0.006), with males having stronger restrictions on these variables.

5.1.4. Visible Information

We asked the people who answered the questionnaire what information they have visible on their social media platforms; the results can be seen in Table 12. It seems like the majority of the participants (58.5%) have chosen to hide as much information about themselves as possible. As we can see, even though sexual orientation is classified as sensitive personal data by Norwegian legislation (https://www.datatilsynet.no/rettigheter-og-plikter/virksomhetenes-plikter/behandlingsgrunnlag/veileder-om-behandlingsgrunnlag/spesielt-om-sarlige-kategorier-av-personopplysninger-sensitive-personopplysninger-og-unntak/), people still have this information visible on their social media profile, in this case, 8.3% of the respondents.
There were only marginal differences between the natives and non-natives when we compare visible information. Non-natives are slightly more public with their email addresses (p = 0.04) and phone numbers (p = 0.06). The results also show that females share information more openly about relationships (p = 0.02) and family members (p = 0.01), but the average scores for these two are still low, Table 13.

5.2. Risk Perceptions

One of the questionnaire’s primary purposes was to measure risk perceptions while conducting certain activities and utilising social media. The questionnaire did not ask all the participants the same questions about all the different social media platforms; we did this to avoid tiring out the respondents of the questionnaire. For example, we did not include the risk perception questions about Reddit on the questionnaire distributed on Facebook/Twitter, but we measured perceptions about Reddit for users of the service. For the analysis of the questions regarding the risk perception on social media, the N values for the platforms are as follows: Facebook N = 288, Twitter N = 134, Reddit N = 189, Snapchat N = 267, with a total of 329, illustrated in Table 14.
We document exact overlaps between use of SoMe services in Appendix B, Table A1. A summary of the overlap in the sample is that having a Facebook account moderately correlates with having an Instagram (Pearson = 0.33) and a Snapchat account (Pearson = 0.34); there is also a moderate correlation between the two latter services (Pearson = 0.3). The survey was primarily designed around sharing on Facebook, Twitter and Snapchat, so participants recruited from these platforms were not asked about risk perceptions regarding sharing on Reddit. For Reddit, the numbers used in the analysis are shown in parentheses (n = 107) in Table 14. Some of the categories are too small to draw conclusions about significance, especially females (11) and hacked users (13) on Reddit.

5.2.1. Risk Perceptions on Social Media Posting

We asked the respondents about how they perceived risk when they posted various types of information on their social media accounts using the following rating scale: 1—Very low, 2—Low, 3—High and 4—Very High. Table 15 illustrates the results for all activities and platforms. The X-axis shows the count and percentage per answer per service. The right-hand side of the table shows a summary of the results in the form of the mean for comparison. The total average in each topic line is the average across all the SoMe platforms for that topic, for comparison of the total.
The results show that very few think posting images is a high-risk endeavour; all four services have a median of 2—Low. Unsurprisingly, sharing photos on Snapchat is perceived to have the lowest risk, Snapchat being primarily a picture sharing service. Both Reddit and Snapchat have about 20% more respondents perceiving the risk of posting images as very low.
One example that has been seen is people having their houses broken into while on holiday. While it is uncertain whether thieves use open sources to find victims, the threat is there and easily visible. We therefore attempted to gauge how people perceive the risks that can come from posting about a holiday on social media. As we can see from the figure, the perceived risk is higher here, with the highest perceived risk among Twitter users, about 60% of whom rated it as high or very high. Reddit and Snapchat seem to have a lower perceived risk than Facebook and Twitter; this might stem from the more direct form of interaction on Snapchat and the more anonymous interaction on Reddit.
Furthermore, pet names are a piece of information often used in security questions, and we attempted to gauge how people perceive the risk of posting about something that very likely could show up as a security question on one of the services that they use. The results in Table 15 show that the Reddit and Twitter participants had the highest average, with 25–27% perceiving the risk as high or very high. The interesting part about this question is that it could be a security question that someone in a household uses. Even though the risk of compromise may be limited for the person posting such information on social media, it may be the answer to a security question of another person from the same household.
Another common activity on SoMe is to share content that the poster thinks is funny. The perceived risk of posting or sharing something humorous is highest on Twitter where 11% rate it as high and 2% at very high. Both Snapchat and Reddit have their very low perceived risk at around 50%.
A common activity on SoMe is to share a news story with or without a comment. Table 15 shows how people perceive risk when sharing this information. Here, the combined high and very high comes to about 19% at the most (Twitter); this shows that very few people perceive the risk of sharing or posting news as high or very high. Between 52 and 59% rate the risk as low on Twitter and Facebook, 39% for Reddit and 47% for Snapchat, which is also the average and median. Between 48 and 53% perceive the risk as very low on Snapchat and Reddit.
Political opinion is considered as sensitive personal data in Norway. We asked the question about people posting or sharing something political to gauge if people find that exposing their political beliefs on social media can be risky/damaging. The results show that the users of Twitter and Facebook have the highest perception of risk, with 43–48% rating it as high or very high risk, both having the same average. Reddit is again quite far behind the other two social media, with only 22% on high or very high; this might again be because of the more anonymous nature of Reddit as a social media platform.
Debating on social media can be risky, especially if one holds a political opinion that goes against the majority. In these cases, there is a real risk of cyber bullying and harassment.
The perceived risk of participating in a debate can be seen in Table 15. From the figure, it seems like quite a lot of people perceive that participating in a debate on social media comes with high risk (15–40%) or very high risk (4–18%). Reddit here has the lowest perceived risk of the three social media users based on what was asked, while Facebook and Twitter are considered a lot riskier by the participants, both with an average of 2.6.
Snapchat was not considered an appropriate platform to share a political opinion or a debating platform and was left out of the survey for these two variables. However, we included one feature specific to Snapchat: We asked how people perceive the risk when using Snapchat’s geographic location service, Snapmap. Snapmap shows on a map where users were the last time they used Snapchat if they have this service activated. Figure 7 shows that the majority of the participants perceive Snapmap as high risk (36%) or very high risk (26%). This was also the information that was considered the riskiest to share by the participants, with an average of 2.8.
To obtain a result regarding which platform and activity is considered riskiest by the participants, we have aggregated the data in Table 16 averaging the result. The results show that Facebook and Twitter are perceived to be the riskiest platforms for sharing, while Snapchat and Reddit are perceived to have a lower risk. Furthermore, we see that using Snapmap is perceived as having the highest risk, followed by participation in debate, posting about vacations and sharing political opinions.

5.2.2. Categorical Analysis of Risk Perceptions when Sharing on Social Media

We found that there were no differences in risk perception between the digital natives and non-natives considering all of the variables. Nor did having been hacked or suffering an ID theft influence the results. However, the differences in risk perceptions we found were between the sexes. Considering image posting, females consistently score higher than males across the Twitter, Reddit and Snapchat platforms, Table 17. The differences are minor and the median is the same, but the pattern is visible in the data. Females consider the risk to be higher for all platforms.
Furthermore, when we analysed the remaining variables, we found seven more where females rank the risk as significantly higher than the males, Table 18. While the aforementioned results are the ones with significant differences, females only score higher on 4 out of the 26 variables where we measured risk perceptions (Table 15). Three are regarding pictures of pets on Facebook, Twitter and Reddit, while the final one is posting about holidays on Facebook. The difference in these four is also marginal.
If we further examine the perceived risk of participating in a debate on social networks, we can see that one gender has a higher perceived risk than the other; Figure 8 illustrates the difference between groups for Facebook. Doing an ANOVA analysis on genders and risk perception on debates on both Facebook and Twitter gives us a p = 0.02. Other than fitting with the pattern of women rating the risks higher, the difference on Reddit is smaller and insignificant with p = 0.1.

5.2.3. Perceptions on Information Exploitation in ID Theft

The participants in the questionnaire were asked to rate to what degree they thought that different information could be used to perform identity theft, with the alternatives: 1—Very small degree, 2—Small degree, 3—Large degree and 4—Very large degree. The results can be seen in Table 19, where we have used the average to rank the information assets according to each other. The one piece of information that people thought would most let an attacker perform an ID theft was account and password details, with 80.9% of people rating it as to a very large degree. In second place, we have debit/credit card numbers with 77.4% on very large degree. When we asked this question, we were just considering the front-facing numbers, but people might have thought we meant all the numbers on the card. We can see that around 66% of people rate social security numbers as to a very large degree with regard to the information risk value, even though the social security number is not classified as sensitive data in Norway, and should, in theory, not let attackers abuse your identity by itself. How people rated the rest of the information points asked can be seen in Table 19.

5.2.4. Differences in Perceptions on Information Exploitation in ID Theft between Groups

When comparing the groups, we find multiple differences. Starting with comparing the digital natives and non-natives, we find that there is a difference in how they perceive the risk, Table 20. The non-natives consistently rank the five information assets in the table as higher risk of abuse than the natives. The largest difference between the groups is the view of date of birth, where the medians also differ. Two other information assets ranked higher by the non-natives are credit card numbers and passwords. The differences in the answers can be seen in Table 20, and it shows that about 9% of the digital natives think that the room for abuse is minimal if someone knows their debit/credit card numbers, similar to 10% for the account information and passwords.
When comparing the sexes, the same pattern emerges as previously detected: The males and females perceive the risks quite similarly, but females rank all the 11 variables as slightly riskier than males. The significant differences are listed in Table 20. The biggest difference is for the bank account number, followed by email address and date of birth. Another interesting finding is that those who reported having suffered ID theft rated the information assets full name and email address higher than the rest of the sample.

5.2.5. Susceptibility to Phishing

The questionnaire had a section that attempted to measure susceptibility to phishing. The narrative that was presented was a typical malicious Facebook messenger message, and we asked how they would perceive it coming from typical social circles. The message that was shown to the respondents can be seen in Figure 9. Table 21 shows how people reported they would react to the phishing message when asked if they would click it. The results show that this type of phishing can be expected to get a hit rate of between 8% and 15% of people clicking these kinds of links. A total of 6.1% of people say they might click the link if it is sent from close family, compared with 4.1% from a family member, 4.1% from a friend and 1.3% from acquaintances. Furthermore, if we examine the maybe answers, we also see that these are lower for the acquaintances than for the others. Because the answers are self-reported, the numbers might be lower than what is expected; self-reporting would probably skew the numbers towards the lower end of the scale, and the success rate might be higher.
We found no differences between the sexes or age groups for these variables, but the group that had suffered ID theft reported being more trusting of messages received from family and close family. Even though the ID theft group represents only 15% (48 of the 314 total) of the sample, they are over-represented in both the yes and maybe categories for both the Family and the Close family variables. Of the yes answers, 5 out of 13 in the family variable and 6 out of 19 in the close family variable are from the hacked group, 38% and 31%, respectively. The differences are visualised in Figure 10, where each bar on the x-axis counts as 100% to illustrate the difference.

5.3. The Consequences of ID Theft

There are many ways to use a hacked social media account. From the questionnaires distributed, the number of people that have experienced being hacked can be seen in Table 22. As we can see from the table, 14.3% of the respondents of the questionnaire have been hacked and got their accounts back, 0.9% have been hacked and have not got their account back and 84.8% of people have not experienced having their account on social media compromised. Table 23 shows the demographics of the 50 participants that have suffered ID theft, where there are 52% males and 48% females, and 64% natives and 36% non-natives. There were no clear patterns regarding age in this group, but when we consider sexes, the distribution of the sample as a whole was 30% females and for the hacked account group it was 48%, indicating an over-representation for this group. The respondents that had experienced being hacked got some further questions about their experiences from having their accounts compromised.

5.3.1. Reason for Compromise

We asked the respondents how they thought their account had been compromised, with a set of alternatives to choose from. Table 24 shows what people thought were their reasons for compromise (N = 47). The hacked option represented the broadest category and was chosen by 15 respondents. It is hard to know if the reason for compromise is the reuse of a password or a weakness in the platform used.
The questionnaire also had higher-granularity options and a written option. The results show that eight people, or about 17%, had their accounts compromised because of falling for a phishing scheme. Two people chose “Shared the password with someone in my close relations” as the cause; both of these happened to a digital native. For the people who chose other, one wrote that he had his account compromised by a keylogger, one had been compromised through a brute force attack and the last one attributed the hacked account either to a keylogger or a remote access tool. Nineteen (40%) answered that they did not know how it happened.

5.3.2. Consequences of Social Media ID Theft

We asked the respondents about the consequences they had suffered because of the ID theft. The question had a free text open answer, and we have categorised and quantified the overall answers in Table 25. The main result is that 65% of the respondents were not able to attribute or find out exactly why their account was hacked and did not suffer any consequences. The respondents had difficulties answering how their accounts had been abused. When they managed to attribute what the hackers did, it was usually because they used the account for spam (10%) or phishing (8%). To be more specific, 10% of people experienced the consequence that their account was used to send out spam messages, and 8% of people had the account send out phishing messages or that the account was used in other phishing campaigns. A total of 5% experienced blackmail from the compromise; the hacked account contains much personal information, especially if one uses the social media as their primary chatting application, which an attacker can use to blackmail the owner of an account. Another re-occurring topic in the answers is that several who got hacked were quick to regain control of the account: several of the written responses detail that the ID theft had negligible consequences because it got detected immediately primarily through a “log on from new device” email notification. This security mechanism allowed them to respond quickly to the event and mitigate the consequences.
Analysing the sample, none of our respondents suffered very serious consequences from the ID theft, such as being swindled for large sums of money or being severely exposed or harassed online. However, the sample does contain descriptions of serious consequences: One respondent describes being locked out from her Facebook and Instagram accounts, both of which were corporate accounts. She also got exposed online through the hack and describes the experience as traumatising. The consequence was that she locked down her accounts and stopped her online initiatives. Another respondent had his account abused by the hacker for buying and selling items. The respondent did not detail his answer beyond writing that “It created problems for me.” Account lockout, with the additional workload to regain control, was described as the primary consequence.
The group who answered that they had not experienced having their social media profile hacked was asked how they thought a compromised social media account could be abused. This was a voluntary question which received 197 answers, whereof some respondents answered multiple consequences, which were counted individually. Table 26 shows that 40 respondents answered impersonation/ID theft as the consequence of a compromised social media account; here the users talked about their profile being used for malware spreading or other nefarious acts in which the hacker tries to pass as them, typically referred to as a masquerade attack in the literature. Manipulation covers answers about the account being used either for sharing propaganda or for sharing fake news.
Active account abuses such as spam (26), spread malware (23) and phishing (17) follow as the most commonly perceived consequences. These are instances where the attacker abuses the hijacked account to attack others. Further down the list, we find consequences such as swindling and blackmail, which are primarily motivated by financial gain. Another interesting perceived consequence for financial gain is follower farming, where the attackers gather multiple compromised accounts on a given SoMe platform and sell followers to potential buyers who are looking to increase their following.

5.3.3. Activated Measures

We asked the respondents who had had their social media account compromised what measures they had implemented to increase the security of their account post-compromise; the controls implemented can be seen in Table 27. The question about measures implemented let them choose more than one option; that is why the total number of controls exceeds the N = 47 people who had their accounts compromised. Not all the security measures we asked about are current best practices in information security, such as periodic password changes, which NIST no longer recommends that companies require. From Table 27, we can see that the most popular measures to apply are 2-factor authentication (32) and notification on suspicious behaviour (29). After that come starting to use passwords longer than 12 characters (22) and having the firewall turned on (15). A total of 13 people started changing their passwords regularly, 11 started using an anti-virus and 9 people took other measures. Five people have changed their passwords to a password shorter than 12 characters.
One respondent commented on the efficiency of two-factor authentication: “I approximately get two text messages each month about log in attempts at Facebook using my username and password, but they can not get in because I have activated two-factor authentication...”
The people that chose the option that they were changing their password regularly were asked with what regularity they change their passwords. From Table 28, we can see that most of the people who have incorporated regular password changes into their security practices change their passwords every third month. Seven people started changing their passwords every third month, while three people decided that once a month was the appropriate time for regular changes. One person went with more frequently than once a month, one person went with every six months and one person changes their password yearly.

6. Summary of Findings and Discussion

In this section, we discuss the findings with regard to the research questions, starting with sharing habits and exposure to ID theft. We discuss the findings on risk perceptions of ID theft on SoMe. We also discuss the differences and similarities between the analysed groups to answer the outlined hypotheses. Finally, we discuss the findings regarding how ID theft occurs and the consequences of said event.

6.1. Sharing Habits and Exposure to ID Theft on Social Media in Norway

We started by exploring the update practices for the sample and found that the majority of the respondents updated their devices when asked by the operating system. Moreover, very few waited longer than two months to update their devices. For the generic assessment of password security, we also found that only 3% chose the weakest alternative “I always use the same password for everything”, while 29% used a password rule with small variations of a password on different sites. Using different passwords and enabling multi-factor authentication are both considered strong practices. There were no differences between the groups in this area.
The results were similar when we examined the limitations and restrictions the respondents put on the visibility of their account information, where the results show that the majority of the respondents put limitations on what they share on their profile. Between 54 and 84% of the answers fell into either 3 or 4, where the latter means as strict limitations as possible. Furthermore, we found that 58% had hidden everything that they could when we asked what information they had visible on their SoMe platforms. The results show that the sample as a whole was security-aware.
When we examined differences between the groups, we found differences between the digital natives and the non-natives in the analysis: the digital natives had stricter privacy settings on contact info and their SoMe posts. We also found this pattern when we examined the information the groups had visible on their profile, where non-natives were slightly more public with their contact information such as email addresses and phone numbers. Contact information is generally viewed as public information in Norway and is commonly listed in the Yellow Pages; the personal risk assessment of sharing this information might be reduced over time.
Considering the differences between the sexes on the sharing issues, we found differences between males and females on sharing their friends list and their profile visibility to search engines. The pattern here was that males had stricter privacy settings. Furthermore, the results also showed that females share information more openly and share about relationships and family members. However, the scores for these variables were still low, and the differences were that females were slightly more open on their privacy settings and visible information.
The group we were the most curious about was those who had suffered ID theft, and how this affected their security routines. When we analysed limitations on SoMe information, the group that had suffered ID theft scored lower on average across all of the five measured variables (Table 11). Although the difference was minor in three of the five variables, the pattern was evident for this group. A hypothesis for future work could be to examine the relationship between exposing information and the risk of ID theft.

6.2. Risk Perceptions of Social Media Use

When we examined the risk perceptions of social media usage, we started by analysing the risk perceptions of posting various pieces of information on SoMe. The survey design was such that choosing a specific SoMe triggered questions about it. We compared the actions on Facebook, Twitter, Reddit and Snapchat. As an aggregated result, we found that the respondents considered Facebook and Twitter to be riskier than Reddit and Snapchat. This result might be due to Twitter being an open platform where everyone can read content unless one has strict privacy settings. However, the information on Facebook is arguably less accessible than on Twitter, as it has more protection by default than Twitter, but the results have these two close together. The risk perceptions of conducting activities on these two services follow each other closely (Table 15), except posting about vacation, which is deemed a somewhat higher risk on Twitter than Facebook.
Reddit does not use real names by default and provides a level of anonymity for its users. This feature is likely the reason that it received the lowest overall risk score across all the measured variables except posting pictures and pets with names. Images can contain quite a bit of metadata which can be abused to figure out information about the camera and where the picture was taken (geo-tagging). This information can be used for stalking purposes, and one could figure out whether the device that took a photo is vulnerable to some exploit, if that make and model are vulnerable. Information also becomes mostly public once it is posted on the forum. We assume that there are many highly competent IT users on Reddit, and the combination of these issues might be the reason why posting pictures is perceived as risky by the Reddit users. A note on sharing information about pets is that it can, in some cases, easily be abused to break security questions. In our comparison, Reddit has the lowest overall risk.
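The metadata exposure described in the paragraph above can be checked on a picture before it is posted. The following Python code is an added example, not part of the original article: it reports the camera make, the model and the presence of a GPS block in a JPEG's Exif segment, then removes that segment. The sample image bytes and the names `ExampleCam` and `EC-100` are constructed for illustration.

```python
import struct

EXIF_MAGIC = b"Exif\x00\x00"
TAG_MAKE, TAG_MODEL, TAG_GPS_IFD = 0x010F, 0x0110, 0x8825  # standard TIFF/Exif tag ids


def iter_segments(jpeg):
    """Yield (marker, start, end) for each header segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # start of scan / end of image: no more headers
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("bad segment length at offset %d" % pos)
        yield marker, pos, end
        pos = end


def is_exif(jpeg, marker, start, end):
    return marker == 0xE1 and jpeg[start + 4:end].startswith(EXIF_MAGIC)


def read_ascii(tiff, endian, count, value_field):
    """Decode an ASCII tag; values longer than 4 bytes are stored at an offset."""
    if count <= 4:
        raw = value_field[:count]
    else:
        (offset,) = struct.unpack(endian + "I", value_field)
        raw = tiff[offset:offset + count]
    return raw.split(b"\x00")[0].decode("ascii", "replace")


def audit_exif(jpeg):
    """Report camera make/model and whether IFD0 points at a GPS block."""
    found = {"make": None, "model": None, "has_gps": False}
    for marker, start, end in iter_segments(jpeg):
        if not is_exif(jpeg, marker, start, end):
            continue
        tiff = jpeg[start + 4 + len(EXIF_MAGIC):end]
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if endian is None or len(tiff) < 8:
            raise ValueError("malformed TIFF header in Exif segment")
        _magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
        if ifd0 + 2 > len(tiff):
            raise ValueError("IFD0 offset points outside the Exif segment")
        (n_entries,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
        for i in range(n_entries):
            entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
            if len(entry) < 12:
                break  # truncated directory
            tag, _type, count = struct.unpack(endian + "HHI", entry[:8])
            if tag == TAG_MAKE:
                found["make"] = read_ascii(tiff, endian, count, entry[8:])
            elif tag == TAG_MODEL:
                found["model"] = read_ascii(tiff, endian, count, entry[8:])
            elif tag == TAG_GPS_IFD:
                found["has_gps"] = True
        break  # only the first Exif segment is inspected
    return found


def strip_exif(jpeg):
    """Return a copy of the JPEG with every Exif APP1 segment removed."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in iter_segments(jpeg):
        if not is_exif(jpeg, marker, start, end):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]  # image data and end marker are copied unchanged
    return bytes(out)


def build_sample_jpeg():
    """Constructed sample: header-only JPEG carrying Make, Model and a GPS pointer."""
    make, model = b"ExampleCam\x00", b"EC-100\x00"
    make_off = 8 + 2 + 3 * 12 + 4  # after TIFF header, entry count, 3 entries, next-IFD
    model_off, gps_off = make_off + len(make), make_off + len(make) + len(model)
    ifd = struct.pack("<H", 3)
    ifd += struct.pack("<HHII", TAG_MAKE, 2, len(make), make_off)    # type 2 = ASCII
    ifd += struct.pack("<HHII", TAG_MODEL, 2, len(model), model_off)
    ifd += struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_off)          # type 4 = LONG
    ifd += struct.pack("<I", 0)                                       # no next IFD
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd + make + model + b"\x00" * 6  # empty GPS IFD
    payload = EXIF_MAGIC + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + app1 + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print(audit_exif(sample), audit_exif(strip_exif(sample)))
```

Other metadata containers, such as XMP packets, are not touched by `strip_exif`.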
Examining Snapchat shows that it is close to Reddit in the overall score. Generally, sharing information on Snapchat is deemed to have a low risk by our participants. However, Snapchat also has the riskiest function, which was Snapmap. Snapchat also provides a level of anonymity on a username level, but using it for sharing pictures severely weakens the anonymity of the service. Snapchat has the lowest risk score for posting pictures, which makes sense as it is primarily a picture sharing service. Snapchat allows for strict control of who gets to see the shared information and, to the user, the data seems to disappear after a brief period. These are likely explanations of why Snapchat is deemed more secure as a whole. However, are there grounds for considering Snapchat as more secure for posting pictures than the other services? There are some further answers in the data to this question: considering the results in Table 15, each activity is ranked according to the platform on which it is conducted. Table 16 provides the aggregated results of both platforms and activities. Considering the activities, we can induce the information assets and threats for each and propose a threat model (Table 29). For example, if the main concern is stalking or burglary, the Snapmap would be the riskiest service as it reveals the location to potential stalkers and burglars. Expanding on the burglary risk, the secondary asset at risk would be valuables located at the property. Participating in an online debate is considered to be risky by our participants. This activity often reveals the political opinion of the debater, and this information is, in many cases, considered as sensitive personal information.
Furthermore, a debater exposes himself/herself to the public, and controversial opinions can have severe consequences if one gets targeted by the mob. Sharing a political opinion is similar to participating in debate, but often with less exposure. Our sample deemed these two activities as equally risky. Sharing a news story was mostly considered a benign activity by the respondents; however, most SoMe users have encountered the spreading of fake news online. Sharing news stories can also reveal political opinions.
From the categorical analysis of the issue, we found that females consistently rank risks higher for the majority of the measured activities. This finding is consistent with previous work on risk perception between men and women, where women express far greater concern than men about risks and hazards [8,32].
When asked to what degree specific information assets could be abused for ID theft, there were three that were ranked higher than others: account information and passwords, credit card numbers and social security numbers.
There were differences between the digital natives and non-natives, where the non-natives ranked five information assets as higher risk of abuse. These five included the three overall highest risk assets mentioned earlier. There can be several causes for this difference. Given that a portion of the natives are in their early twenties, they might not have as much capital at risk when considering abuse of credit card numbers. The value of account information and passwords may also increase over time, with the non-natives having accumulated more wealth, responsibility and higher risk. Understanding of technology may also be a factor in risk perception as better understanding of systems should lead to a more calibrated risk judgment. Previous studies have shown that natives tend to have increased confidence regarding technology [2].
The differences between the sexes are consistent with the previous results in this paper, as females rank all of the 11 variables as slightly riskier than males. An interesting finding is that the group that had suffered ID theft or account hacking ranked the variables full name and email as more risky. This information is generally considered open, but having suffered an incident seems to change the perception of this issue.
We also attempted to measure susceptibility to phishing attacks by presenting the respondent with a common attack method employed in SoMe. This task attempted to measure how trust influences decision making in SoMe. The task hypothesizes that a message from an acquaintance has a lower probability of being clicked than one from a person in a close social circle. The results show differences, but more than 84% of the respondents answered no for all four options. The probability of clicking the link was highest if received from the close family group (6%), which is a low number, but high enough for these scams to succeed. If between 1 and 5% click the link and get compromised, these attacks will propagate quickly through SoMe. Our results also show that the group that had suffered ID theft were more trusting, which adds to the trend for this group of having slightly weaker security controls.
These differences of risk perceptions are a potential path for future work.

6.3. How Does ID Theft Occur and What Are the Consequences?

This study had 50 participants who reported to have had their accounts compromised. This group ranked their IT competence as significantly lower than the remaining group (Table 8). The results showed that as a cause of compromise, the majority chose either the do not know (19) or the hacked (15) option. The hacked option is too broad to draw any conclusions. However, a phishing attempt had fooled eight, and two reported to have shared their password with someone in their close relations as the cause. Keyloggers (malware) had compromised two participants, and one participant wrote that a brute force password cracking attack was the cause.
The hacked account group consisted of 52% males and 48% females, which indicated an over-representation of females in this group compared to the sample as a whole. However, this is not the case if we compare to the Norwegian population as a whole. The group of 50 is not large enough to draw any conclusions, but this finding also aligns with previous work in Nyblom et al. [20], where the hacked account owners also had an over-representation of females. Furthermore, comparing to the results in Nyblom et al., we find that phishing and malware infections are common causes. Weak password security is a recurring topic in account hacking, and we see varying practices within this area as well. Two respondents had gotten compromised by telling the password to someone. However, if we take into account the results from Thomas et al. [19] and Nyblom et al. [20], both of which had password reuse as a common cause, we can assume that a large portion of the hacked group too got hacked through password reuse.
The majority of the respondents did not suffer any severe consequences from the compromise. The most severe was an abuse of corporate accounts followed by psychological consequences and a withdrawal from SoMe. Additionally, one participant had his account abused for buying and selling. Table 25 illustrates that compromised SoMe accounts have a broad potential for misuse. Spamming and phishing were the two most frequent forms of abuse. Both are a form of impersonation where the attacker exploits the SoMe account to distribute messages. Spamming is a way for the hacker to try to exploit the trust between two parties for financial gain, while phishing leverages the trust to harvest more credentials or credit card information. Two accounts were abused for blackmailing.
Although we were only able to interview two sufferers of ID theft, we found that in one case, the hacker used their business account on social media to buy ad slots on the platform. There can be big money in scam ad campaigns for hackers (https://www.cnet.com/news/your-hacked-facebook-account-may-be-bankrolling-scam-ad-campaigns/).
Of the more severe consequences, three people found their accounts to be inaccessible after they got hacked; it is probably challenging to ascertain whether it was the social media platform that deleted or closed down their account because of suspicious behaviour, or whether it was the hackers that were performing some denial of service.
The presented findings align with the findings from asking the participants who had not suffered an ID theft what they thought would be the consequences (Table 26): impersonation was a major concern, followed by spamming, spreading malware and phishing. Stealing money, swindling and blackmailing were also among the perceived consequences. Destroying reputation was also a commonly perceived consequence. The results illustrate that the majority of the participants were aware of the risks posed by ID theft.
The results also document that several of the respondents benefited from having the notifications of new logins feature enabled. This mechanism allowed for a swift response to the compromise and mitigation of potential consequences.

7. Conclusions

This paper has focused on the Norwegian population, exploring how people perceive risks arising from the use of SoMe, focusing on the analysis of specific indicators such as age, sexes and differences among the users of distinct social media platforms. Some differences across the examined indicators were noticeable, most notably, that the group that had suffered ID theft had weaker security controls which may have increased their exposure in the first place. Furthermore, the results document differences in risk perception when using the four different SoMe platforms, where Reddit and Snapchat are considered as safest, and Facebook and Twitter as most risky. The riskiest activity on SoMe is considered to be using the Snapmap followed by debate participation. Additionally, there were consistent differences between males and females, where females consistently ranked the risks as higher. There were no differences between the age groups considering SoMe activities, but non-natives ranked the risk of sharing the most critical information assets as higher. Finally, considering our sample, having suffered ID or account theft did not influence risk perceptions on performing SoMe activities, but the participants perceived higher risk of sharing certain information assets. To summarise, the measured security routines in the sample were generally healthy, and the majority of participants seemed to have a sufficient understanding of security risks and awareness.

7.1. Study Implications

This paper explored the areas regarding different SoMe platforms and how people perceive risk when doing different activities on SoMe. It also looked at this issue in context with people who have had their accounts compromised. The study documents that the study participants consider uttering their political positions and participating in debates as very risky. This issue was prevalent on Facebook and Twitter, and especially females considered this as a high-risk activity. SoMe are political arenas, but our results document that many citizens dread participating because of the possible ramifications. Future research should study the implications of this finding in-depth, possibly together with the effects of cyber-bullying.
Our study further implies that suffering an ID theft changes risk perception within certain areas, such as valuing personally identifiable information like full name and email higher. We found the most significant differences when we looked at the sexes, where females generally perceived higher risk than males. This finding might imply that fewer females participate in discussions on SoMe platforms. Although the difference in risk perception between sexes is well-known, how it impacts participation in discussion and debates is not widely studied.
One of the measures that people chose to activate to secure their account was notifications on suspicious behaviour. Our results also showed that several who had their SoMe accounts compromised managed to take action quickly due to login notifications. They managed to take mediating action before the hackers could do any noticeable harm. An implication here is that time is of the essence when dealing with hacked accounts, and being able to regain control quickly is important for damage limitation. This finding was unexpected and warrants further research into the efficiency of account security mechanisms.
If we look at the proposed threat model for the different risks around sharing, we saw that Snapmap was the risk that people perceived as the worst, followed by debating, posts about vacation and sharing political opinions. We deduced that stalking, burglary, harassment and bullying were the primary concerns of the participants. This assessment needs further validation studies and can be used for understanding the risk perception of the user in future designs.
The study shows that some SoMe platforms are seen as higher risk than others by their users. Facebook and Twitter have the highest aggregated risk, and are both quite a bit above Snapchat and Reddit. Both Twitter and Reddit are generally open SoMe platforms where everyone can see each other's posts. The implication from this is that the privacy a closed SoMe like Facebook offers does not reduce the perceived risk when compared to a more open platform like Twitter, where everything is open and no invitation is needed.

7.2. Limitations

Although we do not know what the real demographic looks like for Norwegian SoMe users, we have some clear biases in the sample: 75% of the sample comes from the age group 21–40. The age distribution is highly skewed towards the younger generations. The majority of the sample was also males (68%). These two over-representations are most likely an effect of the participant recruitment strategy that utilized Facebook and Twitter through social media profiles to sample the general population. Many people from the age groups of the authors (20–40) answered the survey, which reflects the social network demographic and outreach of the authors. This difference might stem from a sampling bias caused by most of the sampling happening through our social media network and receiving help with sharing the questionnaire from our existing network. The respondents also have a higher than average educational level, which might skew the risk perception a bit if a lot of the people who answered the questionnaire have a more straightforward understanding of risk, with risk solely being consequence times probability of an event happening; as Slovic [27] mentioned, there are differences in how laypeople and experts define risk. The discrepancy in counties compared to that of Norway at large probably will not impact the later answers because how people use social media is probably the same across the country. The sample has a representation from all the Norwegian counties, with a slight over-representation from the central/eastern counties. We do not expect county representation to have any impact on the results as the expected variance in culture is negligible.
The over-representation of males was not perceived as an issue in the analysis, as the data contained answers from 99 females, which is a large enough sample to conduct analysis. Furthermore, the age groups were split into digital natives and non-natives as this provided large samples for testing. Optimally, the results would have contained enough respondents for each age group to test for significance. Furthermore, another issue that needs to be discussed is the low response rates which are inherent to similar studies. Thus, although the number of responses is sufficient for the purposes of this analysis, we do notice a low response rate, down to 0.08% for Reddit, which is indicative of the difficulty of establishing engagement with the general population.

7.3. Future Work

We mentioned some possible avenues for future work under limitations; in addition, we propose the following avenues: figure out whether some hacked social media accounts are being used for different things than others. For example, are most Twitter accounts used to mass follow different accounts, or are they mostly used to spread propaganda if the user has many followers? Is another reason to hack a Facebook account to be able to buy ads to spam people, or is the main thing hackers try to do to send out spam/phishing messages to people?
Another avenue could be if and how risk perception influences people's willingness to share their opinion and their self-censorship, considering the consequence of participation as higher than the reward. How much does the perceived risk stifle them from saying their opinion, and is there any way to reduce this high perception of risk to make for a healthier debate climate? To get some more insight into this, one could ask people to rate how anonymous they find the given social media. This could have been an interesting data point that could have shed some more light on why some things are perceived as less risky than others. This point might have given some insight into why the risk of posting/sharing is perceived as lower on some social media platforms than on others.
Additionally, more knowledge can be gathered regarding account abuse: in this study, we attempted to get insight into this with the questions about consequences. However, if the account had a more hostile takeover, where the name and picture got changed to phish or gain street cred, these consequences can have slipped people's minds because the consequences were not necessarily connected to them anymore. We failed to get enough ID theft sufferers into an interview, but this is still an interesting avenue for further research.
More research could also be done in the risk perception and security routines of hacked users. The questionnaire shed some light onto this demographic. However, recruitment could have been better, and this aspect would have benefited from some qualitative interviews, where one could really prod at how their security routines look.
It could also be interesting to explore the reasons for the discrepancy in risk perception between the hacked and non-hacked population: is there a special reason for why people who had been hacked had a lower perception of risk? Was it because they were hacked, or was the hacking a product of their low perceived risk?
Another point of interest could also be to look into why there is a difference between natives and non-natives in what information they perceive to have the highest risk associated with it.

Author Contributions

Conceptualization, P.N., G.W. and V.G.; methodology, P.N., G.W. and V.G.; formal analysis, P.N. and G.W.; investigation, P.N., G.W. and V.G.; data curation, P.N. and G.W.; writing—original draft preparation, P.N., G.W. and V.G.; writing—review and editing, P.N., G.W. and V.G.; supervision, G.W. and V.G. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Acknowledgments

The authors acknowledge the contributions made by NorSIS and Slettmeg.no by placing their resources at our disposal. We also thank everybody who helped distribute the questionnaire and recruit participants. We also want to thank the participants who took the time to participate in our study. Finally, we thank the anonymous reviewers for help with improving the paper.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A. Questionnaire

[Questionnaire: reproduced as three images in the original article.]

Appendix B. Additional Material

Table A1. Overlap between users and services.
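All values are counts. Rows and columns give the number of respondents who do not use (No) or use (Yes) each service.

| Service | Uses | Facebook: No | Facebook: Yes | Instagram: No | Instagram: Yes | Twitter: No | Twitter: Yes | Reddit: No | Reddit: Yes | TikTok: No | TikTok: Yes | Snapchat: No | Snapchat: Yes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Facebook | No | 41 | 0 | 32 | 9 | 20 | 21 | 2 | 39 | 38 | 3 | 22 | 19 |
| Facebook | Yes | 0 | 288 | 88 | 200 | 175 | 113 | 138 | 150 | 259 | 29 | 40 | 248 |
| Instagram | No | 32 | 88 | 120 | 0 | 86 | 34 | 36 | 84 | 116 | 4 | 41 | 79 |
| Instagram | Yes | 9 | 200 | 0 | 209 | 109 | 100 | 104 | 105 | 181 | 28 | 21 | 188 |
| Twitter | No | 20 | 175 | 86 | 109 | 195 | 0 | 96 | 99 | 180 | 15 | 41 | 154 |
| Twitter | Yes | 21 | 113 | 34 | 100 | 0 | 134 | 44 | 90 | 117 | 17 | 21 | 113 |
| Reddit | No | 2 | 138 | 36 | 104 | 96 | 44 | 140 | 0 | 125 | 15 | 23 | 117 |
| Reddit | Yes | 39 | 150 | 84 | 105 | 99 | 90 | 0 | 189 | 172 | 17 | 39 | 150 |
| TikTok | No | 38 | 259 | 116 | 181 | 180 | 117 | 125 | 172 | 297 | 0 | 59 | 238 |
| TikTok | Yes | 3 | 29 | 4 | 28 | 15 | 17 | 15 | 17 | 0 | 32 | 3 | 29 |
| Snapchat | No | 22 | 40 | 41 | 21 | 41 | 21 | 23 | 39 | 59 | 3 | 62 | 0 |
| Snapchat | Yes | 19 | 248 | 79 | 188 | 154 | 113 | 117 | 150 | 238 | 29 | 0 | 267 |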

References

  1. Alqattan, Z.N. Threats Against Information Privacy and Security in Social Networks: A Review. Adv. Cyber Secur. 2020, 1132, 358.
  2. Gkioulos, V.; Wangen, G.; Katsikas, S.K.; Kavallieratos, G.; Kotzanikolaou, P. Security awareness of the digital natives. Information 2017, 8, 42.
  3. Studen, L.; Tiberius, V. Social Media, Quo Vadis? Prospective Development and Implications. Future Internet 2020, 12, 146.
  4. Slovic, P.; Fischhoff, B.; Lichtenstein, S. Facts and fears: Understanding perceived risk. In Societal Risk Assessment; Springer: Berlin/Heidelberg, Germany, 1980; pp. 181–216.
  5. Alhakami, A.S.; Slovic, P. A psychological study of the inverse relationship between perceived risk and perceived benefit. Risk Anal. 1994, 14, 1085–1096.
  6. Slovic, P.; Finucane, M.L.; Peters, E.; MacGregor, D.G. Risk as Analysis and Risk as Feelings: Some Thoughts about Affect, Reason, Risk, and Rationality. Risk Anal. 2004, 24, 311–322.
  7. Loewenstein, G.F.; Weber, E.U.; Hsee, C.K.; Welch, N. Risk as feelings. Psychol. Bull. 2001, 127, 267.
  8. Gustafson, P.E. Gender Differences in risk perception: Theoretical and methodological perspectives. Risk Anal. 1998, 18, 805–811.
  9. Adams, J.G.U. Risk homeostasis and the purpose of safety regulation. Ergonomics 1988, 31, 407–428.
  10. Kahneman, D. Thinking, Fast and Slow; Macmillan: New York, NY, USA, 2011.
  11. Finucane, M.L.; Alhakami, A.; Slovic, P.; Johnson, S.M. The affect heuristic in judgments of risks and benefits. J. Behav. Decis. Mak. 2000, 13, 1–17.
  12. Schaik, P. Risk perceptions of cyber-security and precautionary behaviour. Comput. Hum. Behav. 2017, 75, 547–559.
  13. Zou, Y.; Roundy, K.; Tamersoy, A.; Shintre, S.; Roturier, J.; Schaub, F. Examining the Adoption and Abandonment of Security, Privacy, and Identity Theft Protection Practices. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, Honolulu, HI, USA, 25 April 2020; pp. 1–15.
  14. Gunleifsen, H.; Gkioulos, V.; Wangen, G.; Shalaginov, A.; Kianpour, M.; Abomhara, M. Cybersecurity Awareness and Culture in Rural Norway. In Thirteenth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2019); University of Plymouth, Centre for Security, Communications and Network Research (CSCAN): Plymouth, UK, 2019; pp. 110–121.
  15. Golladay, K.; Holtfreter, K. The Consequences of Identity Theft Victimization: An Examination of Emotional and Physical Health Outcomes. Vict. Offenders 2017, 12, 741–760.
  16. Newman, G.R.; McNally, M.M. Identity Theft Literature Review. 2005. Available online: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.216.6852&rep=rep1&type=pdf (accessed on 25 November 2020).
  17. Jagatic, T.; Johnson, N.; Jakobsson, M.; Menczer, F. Social phishing. Commun. ACM 2007, 50, 94–100.
  18. Milne, G.R.; Rohm, A.J.; Bahl, S. Consumers’ Protection of Online Privacy and Identity. J. Consum. Aff. 2004, 38, 217–232.
  19. Thomas, K.; Li, F.; Zand, A.; Barrett, J.; Ranieri, J.; Invernizzi, L.; Markov, Y.; Comanescu, O.; Eranti, V.; Moscicki, A.; et al. Data breaches, phishing, or malware? Understanding the risks of stolen credentials. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, Dallas, TX, USA, 30 October–3 November 2017; pp. 1421–1434.
  20. Nyblom, P.J.B.; Wangen, G.; Kianpour, M.; Østby, G. The Root Causes of Compromised Accounts at the University. In Proceedings of the 6th International Conference on Information Systems Security and Privacy; SciTePress: Setúbal, Portugal, 2020.
  21. Ur, B.; Wang, Y. A Cross-cultural Framework for Protecting User Privacy in Online Social Media. In Proceedings of the 22nd International Conference on World Wide Web; ACM: New York, NY, USA, 2013; pp. 755–762.
  22. Such, J.M.; Criado, N. Multiparty Privacy in Social Media. Commun. ACM 2018, 61, 74–81.
  23. Van Schaik, P.; Jansen, J.; Onibokun, J.; Camp, J.; Kusev, P. Security and privacy in online social networking: Risk perceptions and precautionary behaviour. Comput. Hum. Behav. 2018, 78, 283–297.
  24. Mitchell, D.; El-Gayar, O. The effect of privacy policies on information sharing behavior on social networks: A Systematic Literature Review. In Proceedings of the 53rd Hawaii International Conference on System Sciences, Hawaii, HI, USA, 7–10 January 2020.
  25. Delerue, H.; He, W. A review of social media security risks and mitigation techniques. J. Syst. Inf. Technol. 2012, 14, 171–180.
  26. Gonzalez, D. Managing Online Risk: Apps, Mobile, and Social Media Security; Butterworth-Heinemann: Oxford, UK, 2014.
  27. Slovic, P. Trust, emotion, sex, politics, and science: Surveying the risk-assessment battlefield. Risk Anal. 1999, 19, 689–701.
  28. Bickerstaff, K. Risk perception research: socio-cultural perspectives on the public experience of air pollution. Environ. Int. 2004, 30, 827–840.
  29. Gkioulos, V.; Wangen, G.; Katsikas, S. User Modelling Validation over the Security Awareness of Digital Natives. Future Internet 2017, 9, 32.
  30. Malmedal, B.; Røislien, H.E. The Norwegian cyber security culture. Norsis Rep. 2016. Available online: https://norsis.no/wp-content/uploads/2016/09/The-Norwegian-Cybersecurity-culture-web.pdf (accessed on 25 November 2020).
  31. Norman, G. Likert scales, levels of measurement and the “laws” of statistics. Adv. Health Sci. Educ. 2010, 15, 625–632.
  32. Barke, R.P.; Jenkins-Smith, H.; Slovic, P. Risk perceptions of men and women scientists. Soc. Sci. Q. 1997, 78, 167–176.
Figure 1. Comparison of age distributions, in %, for the different social media.
Figure 2. Comparison of municipality distributions, in %, the population based on data from Statistics Norway (SSB) vs. the questionnaire N = 305.
Figure 3. Comparison of education distributions, in %, of the Norwegian population based on data from SSB vs. the questionnaire N = 305.
Figure 4. Comparison of self-reported IT skill, in %, for the different questionnaires N = 329. 1 was very little skilled, and 4 was highly skilled in IT.
Figure 5. Shows in percentage how often respondents of the questionnaire update their devices. Mobile N = 313, PC/Mac = 311, Tablet = 306.
Figure 6. “I limit as much as possible who can see my ... on social media”, answering “1” means no limitation on visibility, “4” means strict limitation on visibility and “0” means I do not know.
Figure 7. Shows how people perceive the risk of using Snapmap.
Figure 8. Shows how women and men perceive the risk of participating in debate on Facebook.
Figure 9. Example of Norwegian phishing message that has been circulating from hacked Facebook accounts and sent to people on their friends list.
Figure 10. Susceptibility to clicking phishing messages coming from a family member sorted on those having suffered ID theft.
Table 1. Summary of the questionnaire: No of questions per topic, target group and measurement objective per question group.

| Q nr | Topic | No. of Questions | Target Group | Measurement Objective |
|---|---|---|---|---|
| 1–4 | Demography | 4 | All | Sample tendencies, categories and biases |
| 5–6 | Self-assessment | 2 | All | Perceived competence and interest in security related topics |
| 7–9 | Social media presence | 3 | All | Measure social media presence and activity for determining later questions |
| 10 | Security routine | 1 | All | Measure update practices for owned devices (Smartphone, PC/Mac, Tablet) |
| 11 | Scenario assessment | 1 | All | Risk perception and trust in social circles |
| 12 | Risk perception | 1 | Facebook users | Risk perception when conducting different activities on Facebook |
| 13 | Risk perception | 1 | Twitter users | Risk perception when conducting different activities on Twitter |
| 14 | Risk perception | 1 | Reddit users | Risk perception when conducting different activities on Reddit |
| 15 | Risk perception | 1 | Snapchat users | Risk perception when conducting different activities on Snapchat |
| 16 | Security routine | 1 | All | Password security |
| 17–19 | Security routine | 3 | All | Risk exposure through security and privacy settings on social media accounts. |
| 20 | Risk perception | 1 | All | Risk perception on abuse of shared information. |
| 21 | ID theft | 1 | All | Determine if the respondent ever had his/her account hacked |
| 22–28 | ID theft | 6 | Hacked | Determine how the ID theft occurred, suffered consequences, post-incident security routines. |
| 29 | ID theft | 1 | Not hacked | Awareness of and thoughts on ID abuse |
| 30 | Quality assurance | 1 | All | Feedback on the questionnaire |

Table 2. Table showing answer rate with how many possible respondents there were on the platforms.

| | Number of Possible Users | Achieved | Percent |
|---|---|---|---|
| Facebook/Twitter | 4300 | 198 | 4.6% |
| Reddit, sub followers | 133,000 | 107 | 0.08% |
| Reddit, online users | 1200 | | 8.9% |
| Slettmeg | 123 | 24 | 20% |

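Table 3. Age and sex distributions sorted on recruitment platforms.

| | | Facebook and Twitter N | Facebook and Twitter Row N% | Facebook and Twitter Col N% | Reddit N | Reddit Row N% | Reddit Col N% | Slettmeg N | Slettmeg Row N% | Slettmeg Col N% | Tot N | Tot % |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Age | <21 | 4 | 22.20% | 2.0% | 12 | 66.70% | 11.2% | 2 | 11.10% | 8.30% | 18 | 5.5 |
| | 21–30 | 108 | 60.3% | 54.5% | 66 | 36.9% | 61.7% | 5 | 2.8% | 20.8% | 179 | 54.4 |
| | 31–40 | 42 | 63.6% | 21.2% | 20 | 30.3% | 18.7% | 4 | 6.1% | 16.7% | 66 | 20.1 |
| | 41–50 | 25 | 69.4% | 12.6% | 7 | 19.4% | 6.5% | 4 | 11.1% | 16.7% | 36 | 10.9 |
| | 51–60 | 15 | 68.2% | 7.6% | 2 | 9.1% | 1.9% | 5 | 22.7% | 20.8% | 22 | 6.7 |
| | 61–70 | 3 | 50.0% | 1.5% | 0 | 0.0% | 0.0% | 3 | 50.0% | 12.5% | 6 | 1.8 |
| | >70 | 1 | 50.0% | 0.5% | 0 | 0.0% | 0.0% | 1 | 50.0% | 4.2% | 2 | 0.6 |
| | Total | 198 | | | 107 | | | 24 | | | 329 | 100.0 |
| Sex | Man | 120 | 53.3% | 60.6% | 94 | 41.8% | 87.9% | 11 | 4.9% | 45.8% | 225 | 68.4 |
| | Female | 75 | 75.8% | 37.9% | 11 | 11.1% | 10.3% | 13 | 13.1% | 54.2% | 99 | 30.1 |
| | No answer | 3 | 60.0% | 1.5% | 2 | 40.0% | 1.9% | 0 | 0.0% | 0.0% | 5 | 1.5 |
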
Table 4. Comparison of the number of digital natives and non-natives, sorted on gender and ID theft.

| | Hacked account? | Male Count | Male Layer N% | Female Count | Female Layer N% | No Answer Count | No Answer Layer N% |
|---|---|---|---|---|---|---|---|
| Digital Native | Yes | 20 | 6.10% | 12 | 3.60% | 0 | 0.00% |
| Digital Native | No | 119 | 36.20% | 41 | 12.50% | 5 | 1.50% |
| Non-native | Yes | 6 | 1.80% | 12 | 3.60% | 0 | 0.00% |
| Non-native | No | 80 | 24.30% | 34 | 10.30% | 0 | 0.00% |

Table 5. The table shows the number of people who use the different kinds of social media. The first number is the number of respondents in that age group and the percentage is the percentage of people in the age group that use a given social media platform.

| Age | Facebook | Instagram | Twitter | Reddit | TikTok | Snapchat | Other | N |
|---|---|---|---|---|---|---|---|---|
| Younger than 21 | 12 (66.7%) | 12 (66.7%) | 11 (61.1%) | 14 (77.8%) | 6 (33.3%) | 14 (77.8%) | 3 (16.7%) | 18 |
| 21–30 | 156 (87.2%) | 116 (64.8%) | 73 (40.8%) | 121 (67.6%) | 18 (10.1%) | 158 (88.3%) | 22 (12.3%) | 179 |
| 31–40 | 59 (89.4%) | 38 (57.6%) | 25 (37.9%) | 41 (62.1%) | 3 (4.5%) | 53 (80.3%) | 7 (10.6%) | 66 |
| 41–50 | 33 (91.7%) | 26 (72.2%) | 16 (44.4%) | 11 (30.6%) | 3 (8.3%) | 27 (75.0%) | 8 (22.2%) | 36 |
| 51–60 | 20 (90.9%) | 13 (59.1%) | 8 (36.4%) | 2 (9.1%) | 2 (9.1%) | 12 (54.5%) | 2 (9.1%) | 22 |
| 61–70 | 6 (100.0%) | 4 (66.7%) | 1 (16.7%) | 0 (0.0%) | 0 (0.0%) | 2 (33.3%) | 1 (16.7%) | 6 |
| Older than 70 | 2 (100.0%) | 0 (0.0%) | 0 (0.0%) | 0 (0.0%) | 0 (0.0%) | 1 (50.0%) | 0 (0.0%) | 2 |
| Total | 288 | 209 | 134 | 189 | 32 | 267 | 43 | 329 |

Table 6. The table shows how often the respondents of the questionnaire post on social media. The total here is missing about 18 people, due to an unexpected error with the questionnaire.

| | Count | Percentage |
|---|---|---|
| More seldom | 165 | 53% |
| 1–3 times a month | 69 | 22% |
| 0–5 times a week | 43 | 14% |
| 6–10 times a week | 18 | 6% |
| 11–15 times a week | 1 | 0% |
| 16–20 times a week | 3 | 1% |
| More often than 20 times | 12 | 4% |
| Total | 311 | |

Table 7. Comparison of self reported interest in IT in general, information security and privacy. The data are presented with the number of answers for each option and the percentage for the answer N = 329. 1 was caring very little, and 4 was caring a lot.

| | Choice | Count | Percentage |
|---|---|---|---|
| IT generally | 1 Caring very little | 9 | 2.70% |
| | 2 | 78 | 23.70% |
| | 3 | 107 | 32.50% |
| | 4 Care a lot | 135 | 41.00% |
| Information security | 1 Caring very little | 6 | 1.80% |
| | 2 | 39 | 11.90% |
| | 3 | 148 | 45.00% |
| | 4 Care a lot | 136 | 41.30% |
| Privacy | 1 Caring very little | 4 | 1.20% |
| | 2 | 44 | 13.40% |
| | 3 | 133 | 40.40% |
| | 4 Care a lot | 148 | 45.00% |

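Table 8. Self-rating differences between the self-assessment categories.

| Grouping | Category | Group | N | Mean | Std. Dev | Std. Error | 95% CI Lower | 95% CI Upper | Min | Max | Sig. |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Hacked? | IT competence | Yes | 50 | 2.9 | 0.735 | 0.104 | 2.69 | 3.11 | 2 | 4 | |
| | | No | 279 | 3.29 | 0.728 | 0.044 | 3.2 | 3.38 | 1 | 4 | |
| | | Total | 329 | 3.23 | 0.742 | 0.041 | 3.15 | 3.31 | 1 | 4 | 0.001 |
| Sex | IT competence | Male | 225 | 3.45 | 0.647 | 0.043 | 3.37 | 3.54 | 2 | 4 | |
| | | Female | 99 | 2.69 | 0.665 | 0.067 | 2.55 | 2.82 | 1 | 4 | |
| | | Total | 324 | 3.22 | 0.741 | 0.041 | 3.14 | 3.3 | 1 | 4 | 0 |
| | Information security | Male | 225 | 3.33 | 0.732 | 0.049 | 3.24 | 3.43 | 1 | 4 | |
| | | Female | 99 | 3.07 | 0.718 | 0.072 | 2.93 | 3.21 | 1 | 4 | |
| | | Total | 324 | 3.25 | 0.737 | 0.041 | 3.17 | 3.33 | 1 | 4 | 0.003 |
| | Privacy | Male | 225 | 3.33 | 0.749 | 0.05 | 3.23 | 3.43 | 1 | 4 | |
| | | Female | 99 | 3.19 | 0.724 | 0.073 | 3.05 | 3.34 | 1 | 4 | |
| | | Total | 324 | 3.29 | 0.743 | 0.041 | 3.21 | 3.37 | 1 | 4 | 0.127 |
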
Table 9. People's answers on what their password habits are like, N = 329.

| Do You Use the Same Password on Social Media as on Other Sites? | Count | Percentage |
|---|---|---|
| I always use the same password for everything | 10 | 3.00% |
| I use the same password for everything but 2fa where possible | 31 | 9.40% |
| I use small variations of a password on different sites | 94 | 28.60% |
| I always use different passwords | 55 | 16.70% |
| I use different passwords and 2fa where possible | 139 | 42.20% |

Table 10. Differences in password habits between sexes.

| | I Use the Same Password Everywhere | I Use the Same Password Everywhere, But Enable 2FA When Possible | I Use Variations of the Same Passwords on Different Sites | I Always Use Different Passwords | I Always Use Different Passwords and Enable 2FA When It Is Possible. |
|---|---|---|---|---|---|
| | Count (Row N%) | Count (Row N%) | Count (Row N%) | Count (Row N%) | Count (Row N%) |
| Digital Native | 6 (3.00%) | 14 (7.10%) | 60 (30.50%) | 31 (15.70%) | 86 (43.70%) |
| Non-native | 4 (3.00%) | 17 (12.90%) | 34 (25.80%) | 24 (18.20%) | 53 (40.20%) |

Table 11. Differences in privacy settings between sufferers of account hacking and the remaining sample. “I limit as much as possible who can see my … on social media”.

| | Been Hacked? | N | Mean | Median | Std. Deviation | Std. Error | 95% CI Lower | 95% CI Upper | Min | Max | Sig. |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Profile | Yes | 50 | 2.6 | 3 | 1.195 | 0.169 | 2.26 | 2.94 | 0 | 4 | |
| | No | 279 | 3 | 3 | 1.005 | 0.06 | 2.89 | 3.12 | 0 | 4 | |
| | Total | 329 | 2.94 | 3 | 1.045 | 0.058 | 2.83 | 3.06 | 0 | 4 | 0.012 |
| Contact info | Yes | 50 | 2.94 | 4 | 1.3 | 0.184 | 2.57 | 3.31 | 0 | 4 | |
| | No | 279 | 3.27 | 4 | 1.084 | 0.065 | 3.14 | 3.4 | 0 | 4 | |
| | Total | 329 | 3.22 | 4 | 1.124 | 0.062 | 3.1 | 3.34 | 0 | 4 | 0.057 |
| Posts | Yes | 50 | 2.74 | 3 | 1.242 | 0.176 | 2.39 | 3.09 | 0 | 4 | |
| | No | 279 | 3.02 | 3 | 1.058 | 0.063 | 2.89 | 3.14 | 0 | 4 | |
| | Total | 329 | 2.98 | 3 | 1.09 | 0.06 | 2.86 | 3.09 | 0 | 4 | 0.097 |
| Friends and followers | Yes | 50 | 2.54 | 3 | 1.358 | 0.192 | 2.15 | 2.93 | 0 | 4 | |
| | No | 279 | 2.83 | 3 | 1.158 | 0.069 | 2.7 | 2.97 | 0 | 4 | |
| | Total | 329 | 2.79 | 3 | 1.193 | 0.066 | 2.66 | 2.92 | 0 | 4 | 0.112 |
| Profile visibility to search engines | Yes | 50 | 2.02 | 2 | 1.317 | 0.186 | 1.65 | 2.39 | 0 | 4 | |
| | No | 279 | 2.46 | 3 | 1.461 | 0.087 | 2.29 | 2.63 | 0 | 4 | |
| | Total | 329 | 2.4 | 2 | 1.447 | 0.08 | 2.24 | 2.55 | 0 | 4 | 0.046 |

Table 12. Shows how many people have what kind of information visible and the percentage based on the number of total respondents on the questionnaire 329.

| Visible Information | Count | Percentage |
|---|---|---|
| Email address | 44 | 19.2% |
| Home town | 145 | 63.3% |
| Phone number | 26 | 11.4% |
| Picture of me and my family | 74 | 32.3% |
| Political standing | 15 | 6.8% |
| Relationship | 61 | 26.6% |
| Family members | 45 | 19.7% |
| Sexual orientation | 19 | 8.3% |
| I don’t have the overview | 35 | 15.3% |
| Have hidden everything that I can | 134 | 58.5% |

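Table 13. What information do you have visible to the public on your profile?

| | Category | N | Mean | Std. Dev | Std. Error | 95% CI Lower | 95% CI Upper | Min | Max | Sig. |
|---|---|---|---|---|---|---|---|---|---|---|
| Email | Digital Native | 197 | 0.1 | 0.303 | 0.022 | 0.06 | 0.14 | 0 | 1 | |
| | Non-native | 132 | 0.18 | 0.387 | 0.034 | 0.12 | 0.25 | 0 | 1 | |
| | Total | 329 | 0.13 | 0.341 | 0.019 | 0.1 | 0.17 | 0 | 1 | 0.04 |
| Phone no | Digital Native | 197 | 0.06 | 0.23 | 0.016 | 0.02 | 0.09 | 0 | 1 | |
| | Non-native | 132 | 0.11 | 0.319 | 0.028 | 0.06 | 0.17 | 0 | 1 | |
| | Total | 329 | 0.08 | 0.27 | 0.015 | 0.05 | 0.11 | 0 | 1 | 0.06 |
| Relationships | Male | 225 | 0.15 | 0.359 | 0.024 | 0.1 | 0.2 | 0 | 1 | |
| | Female | 99 | 0.26 | 0.442 | 0.044 | 0.17 | 0.35 | 0 | 1 | |
| | Total | 324 | 0.19 | 0.389 | 0.022 | 0.14 | 0.23 | 0 | 1 | 0.02 |
| Family members | Male | 225 | 0.1 | 0.304 | 0.02 | 0.06 | 0.14 | 0 | 1 | |
| | Female | 99 | 0.21 | 0.411 | 0.041 | 0.13 | 0.29 | 0 | 1 | |
| | Total | 324 | 0.14 | 0.343 | 0.019 | 0.1 | 0.17 | 0 | 1 | 0.01 |
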
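Table 14. Overview of categories distributed on the use of services.

| | | Facebook No | Facebook Yes | Twitter No | Twitter Yes | Reddit No | Reddit Yes | Snapchat No | Snapchat Yes |
|---|---|---|---|---|---|---|---|---|---|
| Digital Native | Native | 29 | 168 | 113 | 84 | 62 | 135 (78) | 25 | 172 |
| | Non-native | 12 | 120 | 82 | 50 | 78 | 54 (29) | 37 | 95 |
| Sex | Male | 38 | 187 | 124 | 101 | 61 | 164 (94) | 53 | 172 |
| | Female | 2 | 97 | 70 | 29 | 78 | 21 (11) | 8 | 91 |
| | No answer | 1 | 4 | 1 | 4 | 1 | 4 (2) | 1 | 4 |
| Hacked account | Yes | 10 | 40 | 33 | 17 | 30 | 20 (13) | 12 | 38 |
| | No | 31 | 248 | 162 | 117 | 110 | 169 (94) | 50 | 229 |
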
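Table 15. Differences in risk perception when posting various information on social media.

| Topic | Platform | Very Low Count | Very Low N% | Low Count | Low N% | High Count | High N% | Very High Count | Very High N% | Mean |
|---|---|---|---|---|---|---|---|---|---|---|
| Post pictures | Facebook | 55 | 19.10% | 168 | 58.30% | 55 | 19.10% | 10 | 3.50% | 2.1 |
| | Twitter | 22 | 16.40% | 85 | 63.40% | 22 | 16.40% | 5 | 3.70% | 2.1 |
| | Reddit | 39 | 36.40% | 31 | 29.00% | 24 | 22.40% | 13 | 12.10% | 2.1 |
| | Snapchat | 106 | 39.70% | 127 | 47.60% | 28 | 10.50% | 6 | 2.20% | 1.8 |
| | Total | 222 | | 411 | | 129 | | 34 | | 2.0 |
| Vacation | Facebook | 23 | 8.00% | 128 | 44.40% | 97 | 33.70% | 40 | 13.90% | 2.5 |
| | Twitter | 10 | 7.50% | 44 | 32.80% | 58 | 43.30% | 22 | 16.40% | 2.7 |
| | Reddit | 39 | 36.40% | 31 | 29.00% | 24 | 22.40% | 13 | 12.10% | 2.1 |
| | Snapchat | 65 | 24.30% | 138 | 51.70% | 44 | 16.50% | 20 | 7.50% | 2.1 |
| | Total | 137 | | 341 | | 223 | | 95 | | 2.3 |
| Pets with names | Facebook | 97 | 33.70% | 147 | 51.00% | 33 | 11.50% | 11 | 3.80% | 1.9 |
| | Twitter | 36 | 26.90% | 65 | 48.50% | 26 | 19.40% | 7 | 5.20% | 2.0 |
| | Reddit | 35 | 32.70% | 43 | 40.20% | 20 | 18.70% | 9 | 8.40% | 2.0 |
| | Snapchat | 124 | 46.40% | 120 | 44.90% | 17 | 6.40% | 6 | 2.20% | 1.6 |
| | Total | 292 | | 375 | | 96 | | 33 | | 1.8 |
| Humorous content | Facebook | 89 | 30.90% | 164 | 56.90% | 27 | 9.40% | 8 | 2.80% | 1.8 |
| | Twitter | 40 | 29.90% | 76 | 56.70% | 15 | 11.20% | 3 | 2.20% | 1.9 |
| | Reddit | 59 | 55.10% | 43 | 40.20% | 2 | 1.90% | 3 | 2.80% | 1.5 |
| | Snapchat | 129 | 48.30% | 119 | 44.60% | 15 | 5.60% | 4 | 1.50% | 1.6 |
| | Total | 317 | | 402 | | 59 | | 18 | | 1.7 |
| Share news story | Facebook | 92 | 31.90% | 150 | 52.10% | 40 | 13.90% | 6 | 2.10% | 1.9 |
| | Twitter | 30 | 22.40% | 79 | 59.00% | 22 | 16.40% | 3 | 2.20% | 2.0 |
| | Reddit | 57 | 53.30% | 42 | 39.30% | 6 | 5.60% | 2 | 1.90% | 1.6 |
| | Snapchat | 129 | 48.30% | 119 | 44.60% | 15 | 5.60% | 4 | 1.50% | 1.6 |
| | Total | 308 | | 390 | | 83 | | 15 | | 1.8 |
| Share political opinion | Facebook | 37 | 12.80% | 127 | 44.10% | 98 | 34.00% | 26 | 9.00% | 2.4 |
| | Twitter | 18 | 13.40% | 52 | 38.80% | 50 | 37.30% | 14 | 10.40% | 2.4 |
| | Reddit | 42 | 39.30% | 42 | 39.30% | 18 | 16.80% | 5 | 4.70% | 1.9 |
| | Total | 97 | | 221 | | 166 | | 45 | | 2.3 |
| Participate in debate | Facebook | 24 | 9.10% | 97 | 36.60% | 97 | 36.60% | 47 | 17.70% | 2.6 |
| | Twitter | 15 | 11.50% | 42 | 32.10% | 53 | 40.50% | 21 | 16.00% | 2.6 |
| | Reddit | 48 | 44.90% | 39 | 36.40% | 16 | 15.00% | 4 | 3.70% | 1.8 |
| | Total | 87 | | 178 | | 166 | | 72 | | 2.4 |
| Use Snapmap | Snapchat | 26 | 9.80% | 77 | 28.90% | 95 | 35.70% | 68 | 25.60% | 2.8 |
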
Table 16. The aggregated average risk perceptions sorted from high to low for the platforms and issues.

| Category | Item | Average |
|---|---|---|
| Platform | Twitter | 2.24 |
| | Facebook | 2.17 |
| | Snapchat | 1.91 |
| | Reddit | 1.85 |
| Topic | Snapmap | 2.8 |
| | Participate in debate | 2.4 |
| | Post about vacation | 2.3 |
| | Share political opinion | 2.3 |
| | Post pictures | 2.0 |
| | Pets with names | 1.8 |
| | Share news story | 1.8 |
| | Humorous content | 1.7 |

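Table 17. Differences between sexes when posting things on social media.

| Post Images | Category | N | Median | Mean | Std. Dev. | Std. Error | 95% CI Lower | 95% CI Upper | Min | Max | Sig |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Facebook | Male | 187 | 2 | 2.04 | 0.691 | 0.051 | 1.94 | 2.14 | 1 | 4 | |
| | Female | 97 | 2 | 2.11 | 0.776 | 0.079 | 1.96 | 2.27 | 1 | 4 | |
| | Total | 284 | 2 | 2.06 | 0.72 | 0.043 | 1.98 | 2.15 | 1 | 4 | 0.4 |
| Twitter | Male | 101 | 2 | 2 | 0.693 | 0.069 | 1.86 | 2.14 | 1 | 4 | |
| | Female | 29 | 2 | 2.24 | 0.577 | 0.107 | 2.02 | 2.46 | 1 | 3 | |
| | Total | 130 | 2 | 2.05 | 0.674 | 0.059 | 1.94 | 2.17 | 1 | 4 | 0.09 |
| Reddit | Male | 94 | 2 | 1.87 | 0.883 | 0.091 | 1.69 | 2.05 | 1 | 4 | |
| | Female | 11 | 2 | 2.45 | 0.82 | 0.247 | 1.9 | 3.01 | 1 | 4 | |
| | Total | 105 | 2 | 1.93 | 0.891 | 0.087 | 1.76 | 2.11 | 1 | 4 | 0.04 |
| Snapchat | Male | 172 | 2 | 1.66 | 0.643 | 0.049 | 1.56 | 1.75 | 1 | 4 | |
| | Female | 91 | 2 | 1.95 | 0.835 | 0.088 | 1.77 | 2.12 | 1 | 4 | |
| | Total | 263 | 2 | 1.76 | 0.727 | 0.045 | 1.67 | 1.84 | 1 | 4 | 0.02 |
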
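Table 18. Differences in risk perceptions between groups on “How do you perceive risk when you conduct the following action on SoMe?”.

| Topic | Platform | Group | N | Med | Mean | Std. Dev | Std. Error | 95% CI Lower | 95% CI Upper | Min | Max | Sig |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Post about vacation | Snapchat | Male | 172 | 2 | 1.99 | 0.806 | 0.061 | 1.87 | 2.12 | 1 | 4 | |
| | | Female | 91 | 2 | 2.21 | 0.876 | 0.092 | 2.03 | 2.39 | 1 | 4 | |
| | | Total | 263 | 2 | 2.07 | 0.835 | 0.052 | 1.97 | 2.17 | 1 | 4 | 0.05 |
| Post pictures of pets with names | Facebook | Yes | 40 | 2 | 1.6 | 0.709 | 0.112 | 1.37 | 1.83 | 1 | 4 | |
| | | No | 248 | 2 | 1.9 | 0.767 | 0.049 | 1.8 | 1.99 | 1 | 4 | |
| | | Total | 288 | 2 | 1.85 | 0.765 | 0.045 | 1.77 | 1.94 | 1 | 4 | 0.02 |
| Post pictures of pets with names | Snapchat | Male | 172 | 1.5 | 1.56 | 0.613 | 0.047 | 1.47 | 1.66 | 1 | 3 | |
| | | Female | 91 | 2 | 1.78 | 0.8 | 0.084 | 1.61 | 1.95 | 1 | 4 | |
| | | Total | 263 | 2 | 1.64 | 0.69 | 0.043 | 1.56 | 1.72 | 1 | 4 | 0.01 |
| Share a news item | Twitter | Male | 101 | 2 | 1.91 | 0.694 | 0.069 | 1.77 | 2.05 | 1 | 4 | |
| | | Female | 29 | 2 | 2.21 | 0.675 | 0.125 | 1.95 | 2.46 | 1 | 4 | |
| | | Total | 130 | 2 | 1.98 | 0.698 | 0.061 | 1.86 | 2.1 | 1 | 4 | 0.04 |
| Share humorous content | Snapchat | Male | 172 | 1 | 1.49 | 0.587 | 0.045 | 1.4 | 1.58 | 1 | 4 | |
| | | Female | 91 | 2 | 1.82 | 0.739 | 0.077 | 1.67 | 1.98 | 1 | 4 | |
| | | Total | 263 | 2 | 1.6 | 0.662 | 0.041 | 1.52 | 1.68 | 1 | 4 | 0 |
| Participate in public debate | Facebook | Male | 176 | 2 | 2.53 | 0.861 | 0.065 | 2.41 | 2.66 | 1 | 4 | |
| | | Female | 85 | 3 | 2.8 | 0.884 | 0.096 | 2.61 | 2.99 | 1 | 4 | |
| | | Total | 261 | 3 | 2.62 | 0.876 | 0.054 | 2.51 | 2.73 | 1 | 4 | 0.02 |
| Participate in public debate | Twitter | Male | 99 | 2 | 2.49 | 0.908 | 0.091 | 2.31 | 2.68 | 1 | 4 | |
| | | Female | 28 | 3 | 2.93 | 0.716 | 0.135 | 2.65 | 3.21 | 1 | 4 | |
| | | Total | 127 | 3 | 2.59 | 0.885 | 0.079 | 2.44 | 2.75 | 1 | 4 | 0.02 |
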
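Table 19. “To what degree do you think that your shared information can be abused in an ID theft?” N = 327–329.

| Info Asset | Ranking | Count | Column N% | Average |
|---|---|---|---|---|
| Full name | Very small | 45 | 13.70% | |
| | Small | 156 | 47.60% | |
| | Large | 89 | 27.10% | |
| | Very large | 38 | 11.60% | |
| | Total | 328 | 100.00% | 2.4 |
| Phone number | Very small | 35 | 10.70% | |
| | Small | 122 | 37.20% | |
| | Large | 123 | 37.50% | |
| | Very large | 48 | 14.60% | |
| | Total | 328 | 100.00% | 2.6 |
| Email | Very small | 33 | 10.10% | |
| | Small | 128 | 39.10% | |
| | Large | 116 | 35.50% | |
| | Very large | 50 | 15.30% | |
| | Total | 327 | 100.00% | 2.6 |
| Social Security Number | Very small | 20 | 6.10% | |
| | Small | 26 | 7.90% | |
| | Large | 65 | 19.80% | |
| | Very large | 218 | 66.30% | |
| | Total | 329 | 100.10% | 3.5 |
| Date of Birth | Very small | 28 | 8.50% | |
| | Small | 127 | 38.70% | |
| | Large | 120 | 36.60% | |
| | Very large | 53 | 16.20% | |
| | Total | 328 | 100.00% | 2.6 |
| Home Address | Very small | 28 | 8.50% | |
| | Small | 139 | 42.40% | |
| | Large | 108 | 32.90% | |
| | Very large | 53 | 16.20% | |
| | Total | 328 | 100.00% | 2.6 |
| Bank account number | Very small | 32 | 9.80% | |
| | Small | 49 | 15.00% | |
| | Large | 69 | 21.10% | |
| | Very large | 177 | 54.10% | |
| | Total | 327 | 100.00% | 3.2 |
| Credit card number | Very small | 20 | 6.10% | |
| | Small | 12 | 3.70% | |
| | Large | 42 | 12.80% | |
| | Very large | 254 | 77.40% | |
| | Total | 328 | 100.00% | 3.6 |
| Health information | Very small | 25 | 7.60% | |
| | Small | 86 | 26.20% | |
| | Large | 95 | 29.00% | |
| | Very large | 122 | 37.20% | |
| | Total | 328 | 100.00% | 3.0 |
| Account info and passwords | Very small | 11 | 3.30% | |
| | Small | 17 | 5.20% | |
| | Large | 35 | 10.60% | |
| | Very large | 266 | 80.90% | |
| | Total | 329 | 100.00% | 3.7 |
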
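Table 20. Categorical analysis of risk perceptions on information sharing.

| Grouping | Info asset | Group | N | Med | Mean | Std. Deviation | Std. Error | 95% CI Lower | 95% CI Upper | Min | Max | Sig. |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Age group | Social Security Number | Digital Native | 197 | 4 | 3.37 | 0.953 | 0.068 | 3.24 | 3.5 | 1 | 4 | |
| | | Non-native | 132 | 4 | 3.6 | 0.74 | 0.064 | 3.47 | 3.73 | 1 | 4 | |
| | | Total | 329 | 4 | 3.46 | 0.88 | 0.048 | 3.37 | 3.56 | 1 | 4 | 0.02 |
| | Date of Birth | Digital Native | 196 | 2 | 2.48 | 0.819 | 0.059 | 2.37 | 2.6 | 1 | 4 | |
| | | Non-native | 132 | 3 | 2.78 | 0.885 | 0.077 | 2.63 | 2.93 | 1 | 4 | |
| | | Total | 328 | 3 | 2.6 | 0.858 | 0.047 | 2.51 | 2.7 | 1 | 4 | 0.002 |
| | Bank account number | Digital Native | 196 | 4 | 3.11 | 1.074 | 0.077 | 2.96 | 3.26 | 1 | 4 | |
| | | Non-native | 131 | 4 | 3.33 | 0.932 | 0.081 | 3.17 | 3.49 | 1 | 4 | |
| | | Total | 327 | 4 | 3.2 | 1.023 | 0.057 | 3.08 | 3.31 | 1 | 4 | 0.055 |
| | Credit card number | Digital Native | 196 | 4 | 3.51 | 0.931 | 0.066 | 3.38 | 3.64 | 1 | 4 | |
| | | Non-native | 132 | 4 | 3.77 | 0.6 | 0.052 | 3.67 | 3.88 | 1 | 4 | |
| | | Total | 328 | 4 | 3.62 | 0.823 | 0.045 | 3.53 | 3.71 | 1 | 4 | 0.004 |
| | Account info & passwords | Digital Native | 197 | 4 | 3.59 | 0.826 | 0.059 | 3.47 | 3.7 | 1 | 4 | |
| | | Non-native | 132 | 4 | 3.84 | 0.492 | 0.043 | 3.76 | 3.93 | 1 | 4 | |
| | | Total | 329 | 4 | 3.69 | 0.721 | 0.04 | 3.61 | 3.77 | 1 | 4 | 0.002 |
| Sex | Phone number | Male | 225 | 2 | 2.48 | 0.861 | 0.057 | 2.37 | 2.6 | 1 | 4 | |
| | | Female | 98 | 3 | 2.7 | 0.864 | 0.087 | 2.53 | 2.88 | 1 | 4 | |
| | | Total | 323 | 3 | 2.55 | 0.867 | 0.048 | 2.46 | 2.65 | 1 | 4 | 0.036 |
| | Email | Male | 223 | 2 | 2.44 | 0.857 | 0.057 | 2.33 | 2.55 | 1 | 4 | |
| | | Female | 99 | 3 | 2.78 | 0.84 | 0.084 | 2.61 | 2.95 | 1 | 4 | |
| | | Total | 322 | 2.5 | 2.54 | 0.864 | 0.048 | 2.45 | 2.64 | 1 | 4 | 0.001 |
| | Date of Birth | Male | 224 | 2 | 2.5 | 0.831 | 0.056 | 2.39 | 2.6 | 1 | 4 | |
| | | Female | 99 | 3 | 2.82 | 0.85 | 0.085 | 2.65 | 2.99 | 1 | 4 | |
| | | Total | 323 | 3 | 2.59 | 0.849 | 0.047 | 2.5 | 2.69 | 1 | 4 | 0.002 |
| | Home Address | Male | 224 | 2 | 2.49 | 0.847 | 0.057 | 2.38 | 2.6 | 1 | 4 | |
| | | Female | 99 | 3 | 2.7 | 0.863 | 0.087 | 2.52 | 2.87 | 1 | 4 | |
| | | Total | 323 | 2 | 2.55 | 0.856 | 0.048 | 2.46 | 2.65 | 1 | 4 | 0.046 |
| | Bank account number | Male | 224 | 3 | 3.05 | 1.049 | 0.07 | 2.92 | 3.19 | 1 | 4 | |
| | | Female | 98 | 4 | 3.52 | 0.876 | 0.089 | 3.34 | 3.7 | 1 | 4 | |
| | | Total | 322 | 4 | 3.2 | 1.021 | 0.057 | 3.08 | 3.31 | 1 | 4 | 0 |
| Hacked? | Full name | Yes | 50 | 2 | 2.58 | 0.971 | 0.137 | 2.3 | 2.86 | 1 | 4 | |
| | | No | 278 | 2 | 2.33 | 0.835 | 0.05 | 2.23 | 2.43 | 1 | 4 | |
| | | Total | 328 | 2 | 2.37 | 0.86 | 0.048 | 2.27 | 2.46 | 1 | 4 | 0.056 |
| | Email | Yes | 49 | 3 | 2.8 | 0.935 | 0.134 | 2.53 | 3.06 | 1 | 4 | |
| | | No | 278 | 2 | 2.52 | 0.853 | 0.051 | 2.42 | 2.62 | 1 | 4 | |
| | | Total | 327 | 3 | 2.56 | 0.87 | 0.048 | 2.47 | 2.65 | 1 | 4 | 0.039 |
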
Table 21. Who the respondents thought they might get tricked into clicking a link if they received it from. N = 314.

| | Answer | Count | Percentage |
|---|---|---|---|
| Acquaintance | Yes | 4 | 1.30% |
| | No | 289 | 92.00% |
| | Maybe | 21 | 6.70% |
| Friend | Yes | 13 | 4.10% |
| | No | 269 | 85.70% |
| | Maybe | 32 | 10.20% |
| Family | Yes | 13 | 4.10% |
| | No | 275 | 87.60% |
| | Maybe | 26 | 8.30% |
| Close family | Yes | 19 | 6.10% |
| | No | 264 | 84.10% |
| | Maybe | 31 | 9.90% |

Table 22. Shows the number of people who have had their account hacked.

| | | Count | Percentage |
|---|---|---|---|
| Have you been hacked? | Yes | 47 | 14.30% |
| | No | 279 | 84.80% |
| | Yes, but I have yet to receive my account back | 3 | 0.90% |
| | Total | 329 | 100.00% |

Table 23. Demographics of users who had suffered ID theft and account hijacking.

| | <21 | 21–30 | 31–40 | 41–50 | 51–60 | 61–70 | >70 | Total |
|---|---|---|---|---|---|---|---|---|
| Male | 2 | 18 | 2 | 0 | 3 | 1 | 0 | 26 |
| Female | 1 | 11 | 4 | 5 | 2 | 1 | 0 | 24 |
| Total | 3 | 29 | 6 | 5 | 5 | 2 | 0 | |

Table 24. Stated reasons of account compromise. N = 47.

| Believed Reasons of Compromise | Count |
|---|---|
| Phishing | 8 |
| Shared the password with someone I have relations with | 2 |
| Hacked | 15 |
| Other | 3 |
| No/don’t know | 19 |

Table 25. Shows categorized reasons for compromise from text answer in the questionnaire. The reasons have been grouped a bit together with other similar consequences N = 40.

| Consequence | Count | Percentage |
|---|---|---|
| No known consequence | 26 | 65% |
| Spam | 4 | 10% |
| Phishing | 3 | 8% |
| Blackmail | 2 | 5% |
| Link sharing | 1 | 3% |
| Account deleted | 1 | 3% |
| Lost permanent access | 1 | 3% |
| Used to increase follower count | 1 | 3% |
| Malware | 1 | 3% |

Table 26. Grouped open answers that a compromised account can be used for. N = 205.

| Uses for a Compromised Account | Count |
|---|---|
| Impersonation/ID theft | 40 |
| Spam | 26 |
| Spread malware | 23 |
| Phishing | 18 |
| Manipulation | 17 |
| Steal money/swindle | 15 |
| Blackmail | 14 |
| Destroy reputation | 14 |
| Nothing/little | 12 |
| Misuse of content on the platform | 11 |
| Don’t know | 8 |
| Follower farming | 4 |
| Gain access to other things | 3 |

Table 27. Measures users who have had their accounts compromised have activated to help mitigate a new compromise. N = 47.

| Measures | Count |
|---|---|
| Activated 2 factor authentication | 32 |
| Activated notification on suspicious behaviour from the account | 29 |
| Changed password to a password 12 characters or longer | 22 |
| Have the firewall turned on | 15 |
| Started changing passwords regularly | 13 |
| Use anti-virus | 11 |
| Other | 9 |
| Changed password to a password shorter than 12 characters | 5 |

Table 28. Shows how often the people who had decided to use regular password changes as a control change their passwords. N = 13.

| Password Change Frequency | Count |
|---|---|
| Every third month | 7 |
| Every month | 3 |
| More frequent than once a month | 1 |
| Every six months | 1 |
| Every year | 1 |
| More infrequent than every year | 0 |

Table 29. Proposed threat model for social media (SoMe) activities.

| Topic | Risk Score | Exposed Information | Threat |
|---|---|---|---|
| Snapmap | 2.8 | Location and whereabouts | Stalking/Burglary |
| Participate in debate | 2.4 | Political views, opinions, standpoints | Harassment and bullying |
| Post about vacation | 2.3 | Location and whereabouts | Stalking and burglary |
| Share political opinion | 2.3 | Political views, opinions, standpoints | Harassment and bullying |
| Post pictures | 2.0 | Personal information | ID theft / Exposure |
| Pets with names | 1.8 | Personal information | ID theft/Account hijack |
| Share news story | 1.8 | Political views, opinions, standpoints | Being manipulated/Fake news |
| Humorous content | 1.7 | Political views, opinions, standpoints | Harassment and bullying |

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
