PREPARED BY: ELEMENTAL DATA COLLECTION
POR Number: 013-22
PSPC Contract Number:2L165-230160
Call up number: CW2235377
Award Date: 2022-06-21
Delivery Date: August 2022
Fieldwork Dates: 2022-07-15 to 2022-07-19
PREPARED FOR: COMMUNICATIONS SECURITY ESTABLISHMENT
Ce rapport est aussi disponible en français.
For more information on this report, please contact Communications Security Establishment at: media@cse-cst.gc.ca
The Communication Security Establishment (CSE) commissioned Elemental Data Collection to conduct quantitative research to assess the perceptions of Canadians towards the security attitudes and behaviours of the general population. Online interviews were collected from July 15, 2022, to July 19, 2022, with a sample of 1,000 Canadians, 18 years of age and older.
The following sections outline the methodology used to conduct the study, including the research objectives, sample design and data collection procedures.
Oh, Behave! The Annual Cybersecurity Behaviors and Attitudes Report is an annual research report series that aims to better understand and share insights into people’s security attitudes and behaviors. Previously conducted in the U.S. and U.K., a Canadian survey component is being added for the 2022 survey. This report sheds light on one of the most important aspects of cyber risk - the human factor. This study concentrated on a core cybersecurity behavior:
Using an online survey, CSE wanted to assess the perceptions of Canadians on their security attitudes and behaviours. From the research, the CSE is looking to inform Canadians on the current state of cyber security across the country and to also be able to tailor and support future policy and communication activities of the Canadian Centre for Cyber Security. As well the data will be used to bolster the “Get Cyber Safe” public awareness campaign to continue to raise awareness of cyber security.
The total contract value of this research was $19,100.00, excluding HST.
I hereby certify as a Representative of Elemental Data Collection that the deliverables fully comply with the Government of Canada political neutrality requirements outlined in the Communications Policy of the Government of Canada and Procedures for Planning and Contracting Public Opinion Research. Specifically, the deliverables do not include information on electoral voting intentions, political party preferences, standings with the electorate, or ratings of the performance of a political party or its leaders.
Darcy Zwetko
Partner
Elemental Data Collection Inc.
dzwetko@elementaldci.com
August 9, 2022.
An online survey was conducted with a proportionate stratified sample of 1,000 Canadians, 18 years of age and older. Based on a sample of this size, the overall results are expected to provide results accurate to within ±3.1%, 19 times out of 20 (adjusted to consider sample stratification). Details regarding the methodology are outlined below.
Quotas were set to ensure that the wave of the study would have completes across the country that would allow the CSE to analysis the data on both a national and regional level. The sample frame was geographically proportionate to align the regional results.
| Strata | Completed Interviews | Margin of Error (%) |
|---|---|---|
| Atlantic provinces | 75 | ±11.3 |
| Quebec | 230 | ±6.5 |
| Ontario | 380 | ±5.0 |
| Prairies | 75 | ±11.3 |
| Alberta | 105 | ±9.6 |
| British Columbia | 135 | ±8.4 |
| Total | 1,000 | ±3.1 |
Based on a sample of this size, the results can be considered accurate to within ±3.1%, 19 times out of 20.
The online survey was administered to 1,000 respondents, from July 15th to July 19th, 2022, using computer assisted web interviewing (CAWI) technology. The data collection was carried out by Elemental Data Collection in Ottawa, Ontario. Interviews were conducted in the respondent’s official language of choice. Quotas were set to ensure that the study would target completes proportionate to the stratified regions. The average length of time required to complete an interview was 13.1 minutes.
The sponsorship of the study was kept blind to enhance the ability to reduce bias in the study. All survey respondents were informed that participation is voluntary, and that information collected is protected under the authority of privacy legislation.
In total, 13,000 Canadian respondents were approached. The overall response rate for this survey was 10.6%. This is consistent with typical response rates for online surveys of the general public 18+ conducted over this length of field period. The table below presents the detailed information.
| Online Disposition Table | |
|---|---|
| Total | 13,000 |
| Unresolved (U) | 11,092 |
| In-scope - Non-responding (IS) | 525 |
| Termination | 203 |
| Refusal | 322 |
| In-scope - Responding units (R) | 1,383 |
| Completed Interview | 1,000 |
| Quota Full | 383 |
| Response Rate | 10.6% |
The response rates were calculated using the formula: R=R/(U+IS+R).
Weighting adjustments were applied to the survey data to ensure that the results were representative of the Canadian population aged 18 years of age and older. Specifically, the survey results were weighted by region, gender, and age according to the most recent Statistics Canada census of the population.
The following table presents a breakdown of actual and weighted completions by regional strata.
| Strata | Unweighted Sample Size | Weighted Sample Size |
|---|---|---|
| Atlantic provinces | 75 | 68 |
| Quebec | 230 | 236 |
| Ontario | 380 | 383 |
| Prairies | 75 | 666 |
| Alberta | 105 | 110 |
| British Columbia | 135 | 137 |
| Total | 1,000 | 1,000 |
A non-response analysis was conducted to assess the potential for non-response bias. Non-response is the result of a unit of the sample not participating in the survey—either refusing to take part in the survey (a refusal) or not being reached during the data collection period (non-contact). Non-response results in biases in the survey sample when there are differences between respondents and non-respondents.
To undertake the analysis for this survey, the unweighted sample distribution by gender, age, household income, employment status and level of education was compared to the actual population (based on 2016 Census figures from Statistics Canada).
| Survey Sample (Unweighted) | Population (Census 2016) | % diff (+/-) | Survey Sample (weighted) | |
|---|---|---|---|---|
| 18-34 | 10.83% | 27.36% | -16.53% | 27.42% |
| 35-54 | 31.46% | 34.07% | -2.61% | 34.10% |
| 55+ | 57.71% | 38.57% | 19.14% | 38.48% |
| Male | 49.24% | 48.58% | 0.66% | 48.45% |
| Female | 50.76% | 51.42% | -0.66% | 51.55% |
| No certificate, degree, or diploma | 5.08% | 11.50% | -6.42% | 5.25% |
| High school certificate or equivalent | 22.15% | 23.70% | -1.55% | 20.90% |
| Apprenticeship or trades certificate or diploma | 24.09% | 33.20% | -9.11% | 22.17% |
| University degree, certificate, or diploma | 48.68% | 31.60% | 17.08% | 51.68% |
As is typically found with online surveys in Canada, the final sample over-represents those with higher levels of education. Also consistent with most surveys of the general public, age is a source of sample bias in the survey. As the table indicates, younger Canadians are under-represented and older Canadians are over-represented in the survey sample. The survey results were weighted to address these variations, as well as the sample design for the survey, which was regionally proportionate. Weighting serves to reduce bias should it be present, but not to eliminate it completely. It is very unlikely that this small sampling bias introduced any meaningful bias to the survey results.
In order to ensure that the final survey sample was proportional the current distribution of the Canadian public, the data required a weighting factor to be included. Elemental employed a process called sample balancing (also known as RIM weighting) to ensure that we could adjust the weighting factor to accurately reflect the geographical, gender and age breakouts of the current population distribution.
Q1 How actively do you use the internet?
Few times per month
Once a week
Few times per week
A few times a day
I am always connected
Q2 What is your current employment status?
I work full-time (including self-employment)
I work part-time (including self-employment)
I am a student (not working)
I am a student, but I also work
I am retired
I am unemployed
I do not work due to my disability
I am a homemaker
Q3 How much do you agree with the following statements about cybersecurity?
Please rate your responses on a scale from 1 (strongly disagree) to 10 (strongly agree).
Note survey providers: RANDOMIZE statements & Place headers half way through the survey to remind people which is SD and SA (as with smaller screens they will have to scroll up)
In this section we will ask you about your views and attitudes towards cybersecurity. Please respond to each question as accurately as you can.
I find it easy to be secure when I am online.
Most information on how to stay secure online is confusing.
It is expensive to fully protect myself online.
I am unlikely to be a target of cyber crime.
By staying secure online, I can help protect others from cyber attacks.
Family members rely on me to keep them secure online.
Falling victim to cybercrime is something that worries me.
Losing money over the internet is unavoidable these days.
Having personal details stolen over the internet is unavoidable these days.
I presume my devices are automatically secure.
I often feel overwhelmed by information and, as a result, minimize my actions online.
I do not see the point of trying to protect myself more as my information is already online.
Q4 How much do you rely on other people for help (e.g. friends or family) to perform the following things?
Please rate your responses on a scale from 1 (not reliant at all) to 10 (fully reliant).
Note survey providers: RANDOMIZE statements
Getting advice and information on how to be secure online.
Creating online accounts.
Checking or adding security settings on my device (e.g. PIN or applying Multi-Factor Authentication).
Checking, updating or installing the latest software.
Password recoveries (i.e. if you cannot access your online accounts).
Backing up data (e.g. files and photos).
Helping you to spot potential scams or phishing emails.
Display This Question: If Q2 = I work full-time (including self-employment) Or Q2 = I work part-time (including self-employment) Or Q2 = I am a student, but I also work
Note survey providers: Questions Q5 and Q6 should appear in moving boxes that people can rank from ‘most’ to ‘least’
Q5 In your view, whose main responsibility is to protect your workplace’s online information?
Please drag, drop and order the items below from 1 (“holds top responsibility”) to 7 (“least responsible”).
Please note that your workplace might not have an IT or security department, please assume that these would exist and order them accordingly.
Please rank from 1 (“holds top responsibility”) to 7 (“least responsible”)
The government’s
The organization's I work for
The technology industry’s
My internet service provider’s
My workplace’s Information Technology (IT) department’s
My workplace’s security department’s
Mine
To be shown to all participants (no logic):
Q6 In your view, who is most responsible for protecting your online information?
Please drag, drop and order the items below from 1 (“holds top responsibility”) to 7 (“least responsible”).
Please rank from 1 (“holds top responsibility”) to 7 (“least responsible”).
The government
The app/platform I use
The technology industry
My internet service provider
The company (employer)
My family
Me
End of Block: Opinion on CS
Start of Block: General Cybersecurity
Q7 How do you feel about cybersecurity?
Please rate these statements from 1 (strongly disagree) to 10 (strongly agree).
I feel that staying secure online is...
A priority
Frustrating
Intimidating
Achievable
Not possible
Under my control
Q8 What impact does the media/news have on your views towards cybersecurity?
Please rate these statements from 1 (strongly disagree) to 10 (strongly agree).
They make me scared about my online security.
They make online security seem complicated.
Q9 How confident are you in your ability to identify a phishing email or a malicious link?
1 Not at all confident
2
3
4
5
6
7
8
9
10 Very Confident
Q10 In your opinion, how much do you know about protecting yourself from harmful cyber activity?
Please rate your understanding of the following cybersecurity behaviors from:
1 (I know nothing about this behavior) to 10 (I know a great deal about this behavior)
Note survey providers: RANDOMIZE statements
Using multi-factor authentication.
Identifying phishing emails.
Saving passwords using a password manager.
Installing the latest software and app updates.
Using a strong and unique password.
Backing up data.
Checking emails, texts and social media messages to see whether they are genuine.
Section Header In this section, we will ask you about your experiences of cybercrime. Please respond to each question as accurately as you can.
Q11 Have you ever personally lost money or data due to harmful online activity (e.g. phishing)?
Note to provider: Please add a hover box with the following definition of harmful online activity:
“Cyber criminals trick people into providing information or installing dangerous software in order to steal money or data from them. This is often done via fake emails that appear to be from trusted senders, encouraging people to click malicious links or open malicious attachments (i.e.phishing).”
No
Yes
Display This Question: If Q11 = Yes
Q12 Did you report this to anyone?
If you have lost money/data more than once, please think about the most recent time this happened...
No
Yes
Display This Question: If Q12 = Yes
Q13 Who did you report it to?
If you have lost money/data more than once, please think about the most recent time this happened...
Please select all that apply
Note to provider: multiple option choice
My bank/credit card company/online payment company.
My network/phone/broadband or software provider.
The designated person or department at my work/place of education.
The police or another government agency or organization.
My email or online search provider (e.g. Google).
My online security provider (e.g. Norton, Kaspersky).
To the service/application provider(s) where I lost money/data.
I told my family who then took action on my behalf.
Display This Question: If Q12 = Yes
Q14 What is the main reason why you reported it?
If you have lost money/data more than once, please think about the most recent time this happened...
Note to provider: single option choice
It is important to notify the relevant authorities so this does not happen to me or other people.
I wanted to take action to get my money back.
I wanted the cyber criminals to be caught.
Display This Question: If Q12 = Yes
Q15 Did you find the reporting process easy to do?
If you have lost money/data more than once, please think about the most recent time this happened...
Note to provider: single option choice
Yes, I knew how and to whom to report it to.
Yes, even though I did not know how to do it, it was easy to find out.
No, it was not easy to do, but I eventually managed to report it.
Display This Question: If Q12 = No
Q16 What is the main reason you did not report it?
If you have lost money/data more than once, please think about the most recent time this happened...
Note to provider: single option choice
I did not have the time.
I did not know who to report it to.
I did not know how to report it.
The process was too much effort.
There was no point as no action would have been taken.
I forgot.
I was too ashamed.
I did not have to, it was reported to me (e.g. by my bank).
Q17 Have you ever been a victim of online cyberbullying?
Note to provider: Please add a hover box with the following definition of cyberbullying:
“Cyberbullying takes place over digital devices. It includes sending, posting, or sharing negative, harmful, false, or mean content about someone else. It can include sharing personal or private information about someone else causing embarrassment or humiliation.”
No
Yes
Display This Question: If Q17 = Yes
Q18 Did you report it to anyone?
If you have been a victim of cyberbullying more than once, please think about the most recent time this happened...
No
Yes
Display This Question: If Q18 = No
Q19 What is the main reason why you did not report it?
If you have been a victim of cyberbullying more than once, please think about the most recent time this happened...
Note to provider: single option choice
I did not have the time.
I did not know who to report it to.
I did not know how to report it.
The process was too much effort.
There was no point as no action would have been taken.
I just forgot.
I was too ashamed to have fallen as a victim.
I did not have to, someone reported it on my behalf.
Display This Question: If Q18 = Yes
Q20 Who did you report it to?
If you have been a victim of cyberbullying more than once, please think about the most recent time this happened...
Note to provider: multiple option choice
The police or another government agency or organization.
My network/phone/broadband or software provider.
The designated person or department at my work/place of education.
My email or online search provider (e.g. Google).
My online security provider (e.g. Norton, Kaspersky).
To the service/application provider (e.g. Instagram, Twitter).
I told my family who then took action on my behalf.
Display This Question: If Q18 = Yes
Q21 What is the main reason why you reported it?
If you have been a victim of cyberbullying more than once, please think about the most recent time this happened...
Note to provider: single option choice
It is important to notify the relevant authorities so this does not happen to me or other people.
I wanted to take action to stop it from happening.
I wanted the cyber bully to be caught.
Display This Question: If Q18 = Yes
Q22 Did you find the reporting process easy to do?
If you have been a victim of cyberbullying more than once, please think about the most recent time this happened...
Note to provider: single option choice
Yes, I knew how and to whom to report it to.
Yes, even though I did not know how to do it, it was easy to find out.
No, it was not easy to do, but I eventually managed to report it.
Q23 Have you ever been a victim of an online romance scam?
Note to provider: Please add a hover box with the following definition of a romance scam:
“A romance scam is when scammers adopt a fake online identity to create an illusion of a romantic or close relationship to manipulate and/or steal from the victim. They often use highly emotive requests for money claiming they need emergency medical care, or to pay for transport costs to visit the victim if they are overseas.”
No
Yes
Display This Question: If Q23 = Yes
Q24 Did you report it to anyone?
If you have been a victim of an online romance scam more than once, please think about the most recent time this happened...
No
Yes
Display This Question: If Q24 = Yes
Q25 Who did you report it to?
If you have been a victim of an online romance scam more than once, please think about the most recent time this happened...
Note to provider: multiple option choice
The police or another government agency or organization.
My network/phone/broadband or software provider.
The designated person or department at my work/place of education.
My email or online search provider (e.g. Google).
My online security provider (e.g. Norton, Kaspersky).
To the service/application provider (e.g. the dating website/Instagram/Facebook).
I told my family who then took action on my behalf.
Display This Question: If Q24 = Yes
Q26 What is the main reason why you reported it?
If you have been a victim of an online romance scam more than once, please think about the most recent time this happened...
Note to provider: single option choice
It is important to notify the relevant authorities so this does not happen to me or other people.
I wanted to take action to stop it from happening.
I wanted the scammer to be caught.
Display This Question: If Q24 = Yes
Q27 Did you find the reporting process easy to do?
If you have been a victim of an online romance scam more than once, please think about the most recent time this happened...
Note to provider: single option choice
Yes, I knew how and to whom to report it to.
Yes, even though I did not know how to do it, it was easy to find out.
No, it was not easy to do, but I eventually managed to report it.
Display This Question: If Q24 = No
Q28 What is the main reason you did not report it?
If you have been a victim of an online romance scam more than once, please think about the most recent time this happened...
Note to provider: single option choice
I did not have the time.
I did not know who to report it to.
I did not know how to report it.
The process was too much effort (not bothered).
There was no point as no action would have been taken.
I just forgot.
I was too ashamed to have fallen as a victim.
The amount of money lost was too small.
I did not have to, it was reported to me (e.g. by the police).
Q29 Have you ever been a victim of identity theft?
Note to provider: Please add a hover box with the following definition of identity theft:
“Identity theft is when scammers access enough information about someone’s identity (e.g. name, date of birth, current or previous addresses) to obtain goods or services by deception, such as by opening a bank account or obtaining a credit card or loan.”
No
Yes
Display This Question: If Q29 = Yes
Q30 Did you report it to anyone?
If you have been a victim of identity theft more than once, please think about the most recent time this happened...
No
Yes
Display This Question: If Q30 = Yes
Q31 Who did you report it to?
If you have been a victim of identity theft more than once, please think about the most recent time this happened...
Note to provider: multiple option choice
My bank/credit card company/online payment company.
My network/phone/broadband or software provider.
The designated person or department at my work/place of education.
The police or another government agency or organization.
My email or online search provider (e.g. Google).
My online security provider (e.g. Norton, Kaspersky).
To the service/application provider(s) where my identity was fraudulently used.
I told my family who then took action on my behalf.
Display This Question: If Q30 = Yes
Q32 What is the main reason why you reported it?
If you have been a victim of identity theft more than once, please think about the most recent time this happened...
Note to provider: single option choice
It is important to notify the relevant authorities so this does not happen to me or other people.
I wanted to take action to get my money back.
I wanted the identity thief to be caught.
Display This Question: If Q30 = Yes
Q33 Did you find the reporting process easy to do?
if you have been a victim of identity theft more than once, please think about the most recent time this happened...
Note to provider: single option choice
Yes, I knew how and to whom to report it to.
Yes, even though I did not know how to do it, it was easy to find out.
No, it was not easy to do, but I eventually managed to report it.
Display This Question: If Q30 = No
Q34 What is the main reason why you did not report it?
If you have been a victim of identity theft more than once, please think about the most recent time this happened...
Note to provider: single option choice
I did not have the time.
I did not know who to report it to.
I did not know how to report it.
The process was too much effort (not bothered).
There was no point as no action would have been taken.
I just forgot.
I was too ashamed to have fallen as a victim.
The amount of money lost was too small.
I did not have to, it was reported to me (e.g. by my bank).
Note to provider: Section Header
Cybersecurity training
In this section, we will ask you about your experiences of cybersecurity training. Please respond to each question as accurately as you can.
Q35 Do you have access to cybersecurity advice or training (e.g. at work, school or library)?
Note to provider: single option choice
No
Yes, I have and I have used it.
Yes, I have, but I do not use it.
Display This Question: If Q35 = Yes, I have and I have used it
Q36 Where did you access the training?
Note to provider: single option choice
At home/the library
At work/my place of education
All of the above
Display This Question: If Q35 = Yes, I have and I have used it
Q37 Are you required to complete mandatory training at work/your place of education?
No
Yes
Display This Question: If Q37 = Yes
Q38 How often are you required to complete it?
Note to provider: single option choice
Once a year.
More than once a year.
When something goes wrong or something bad happens.
Both at regular intervals AND when something goes wrong or something bad happens.
Display This Question: If Q35 = Yes, I have and I have used it
Q39 How were the training course(s) delivered?
Please tick all that apply.
Note to provider: multiple option choice
One-off individual learning course (online or in person).
One-off group learning course (online or in person).
Over a period of time on an individual learning course (online or in person).
Over a period of time on a group learning course (online or in person).
Display This Question: If Q35 = Yes, I have and I have used it
Q40 When you attended the training course(s) what did you learn about cybersecurity?
Please tick all that apply.
Note to provider: multiple option choice
Using Multi-Factor Authentication (MFA).
Identifying phishing emails.
Saving passwords using a password manager.
Installing the latest software and app updates.
Using a strong and separate password.
Backing up data.
Checking emails, texts, or social media messages, to see whether they are genuine.
I do not remember.
Display This Question: If Q35 = Yes, I have and I have used it
Q41 When you attended training course(s) how did it influence your security behaviors?
Please tick all that apply.
Note to provider: multiple option choice
I started using Multi-Factor Authentication.
I became better at recognising phishing emails.
I started saving passwords using a password manager.
I started saving passwords to a web browser (e.g. Google).
I started regularly installing the latest software and app updates.
I started using strong and separate password(s).
I back up my data.
I am now checking all messages (emails, texts, and social media) to see whether they are genuine even if sent by someone known to me.
I did not change any of my online security behaviors.
Display This Question: If Q35 = Yes, I have and I have used it And Q36 = At home/the library OR Q36 = All of the above
Q42 You mentioned you attended training at home/at the library. How useful did you find the training provided to you?
How useful did you find the training at home/the library?
1 Not very useful
2
3
4
5
6
7
8
9
10 Very useful
Display This Question: If Q35 = Yes, I have and I have used it And Q36 = At work/my place of education OR Q36 = All of the above
Q43 You mentioned you attended training at work/your place of education. How useful did you find the training provided to you?
How useful did you find the training at work?
1 Not very useful
2
3
4
5
6
7
8
9
10 Very useful
Display This Question: If Q35 = Yes, I have, but I do not use it
Q44 What is the main reason you did not use the opportunity to attend the training course?
Note to provider: single option choice
I did not have time.
I do not think that training will reduce my risk of being a victim of cybercrime.
Cybersecurity is not important to me.
I would not gain anything by completing the course.
I already knew enough about cybersecurity.
I was not able to access the course (online or in person).
Display This Question: If Q44 = I was not able to access the course (online or in person)
Q45 What stopped you from accessing the course? Please choose the main reason.
Note to provider: single option choice
I was unable to access the course site due to my disability.
The course site was too far away for me to access.
I do not understand how online courses work.
I could not afford to access the course.
I could not access the course as I had work or childcare commitments.
Note to provider: Section Header
Cybersecurity behaviors
In this section, we will ask you more questions about the security behaviors
Please respond to each question as accurately as you can.
Q46 Overall, how many sensitive online accounts that hold personal information do you have?
Note to provider: single option choice
Note to provider: Please add a hover box with the following definition Online accounts holding details of your identity, address and bank cards (e.g. payment-related sites, social media accounts and work accounts)
Not sure, I lost count.
20 or more online accounts.
10-19 online accounts.
5-9 online accounts.
2-4 online accounts.
I only have one online account.
Display This Question: If Q46 = Not sure, I lost count Or Q46 = 20 or more online accounts Or Q46 = 10-19 online accounts Or Q46 = 5-9 online accounts Or Q46 = 2-4 online accounts
Q47 How often do you use unique/separate passwords for your important online accounts (e.g. payment-related sites, social media accounts and work accounts)?
Note to provider: single option choice
All of the time (100%)
The majority of the time (75%)
Half of the time (50%)
Some of the time (25%)
None of the time (0%)
Display This Question: If Q47 = None of the time (0%) Or Q47 = Some of the time (25%)
Q48 You mentioned that you rarely, if not at all, use unique/separate passwords for your online accounts.
Note to provider: single option choice
What is the main reason you do not do this?
It is too time consuming to create them.
They are difficult to remember.
It requires too much effort.
I do not know how to create them.
I only use them for accounts where I want increased security.
I only use them when I want to have a private password.
Display This Question: If Q46 = I only have one online account
Q49 How often do you change this password?
Note to provider: single option choice
Never
I do not change it, unless I have to
Every few months
Yearly
Less than yearly
Display This Question: If Q46 = Not sure, I lost count Or Q46 = 20 or more online accounts Or Q46 = 10-19 online accounts Or Q46 = 5-9 online accounts Or Q46 = 2-4 online accounts
Q50 How often do you tend to change your passwords?
Note to provider: single option choice
Never
I do not change them, unless I have to
Every few months
Yearly
Less than yearly
I change some of them more often than others
Display This Question: If Q49 = I do not change it, unless I have to Or Q49 = Every few months Or Q49 = Yearly Or If Q50 = I do not change them, unless I have to Or Q50 = Every few months Or Q50 = Yearly Or Q50 = I change some of them more often than others
Q51 What action do you most often take when changing your password(s)?
Note to provider: single option choice
I change a character or two on my existing password (e.g. Password1! to Password2?).
I change a word or two (e.g. Butterfly1! to Seagull1!).
I change my password to something completely different.
I use passwords suggested by websites or applications (e.g. Google or stand-alone password manager).
I create a new passphrase (e.g. by using three random words).
Q52 Do you tend to create password(s) that include references to personal information (e.g. names, dates and addresses)?
No
Yes
Q53 Do you tend to create password(s) that are made up from a single dictionary word or name, which you have replaced some characters with numbers or symbols (e.g. p@ssw0rd, Jon@th4n, h0us3plant)?
No
Yes
Q54 How long are the password(s) you usually create?
Note to provider: single option choice
Under 6 characters
7-8 characters
9-11 characters
Over 12 characters
Q55 How often do you install the latest updates and software when notified that they are available?
Note to provider: single option choice
Never
Rarely
Sometimes
Very often
Always
Display This Question: If Q55 = Never Or Q55 = Rarely
Q56 Please let us know why you do not update your devices
Note to provider: single option choice
They take too long and it is dIifficult to find the right time to update.
They often interfere with my other software or applications.
My devices are set to auto updates, so I do not need to run any updates myself.
My devices and applications work fine, I do not need to update them.
I do not know how.
Display This Question: If Q55 = Never Or Q55 = Rarely
Q57 You mentioned that you never or rarely install software updates.
Please rate your agreement with the following statements:
"I would install the latest updates and software to my devices, but..."
Note survey providers: RANDOMIZE statements
1 Strongly Disagree
2
3
4
5
6
7
8
9
10 Strongly Agree
...I have no understanding of how to do this.
...I have no confidence in my ability to update my devices.
...I do not have the time to check for the latest updates.
...I do not think it is necessary to install updates if my device works as it is.
...updating devices and installing software will not stop cybercriminals.
...I have to pay for them, I cannot afford them.
...there is little benefit in updating them.
...I do not trust the latest updates and software.
...as far as I know, no one else does this and they are fine.
Display This Question: If Q55 = Always Or Q55 = Very often Or Q55 = Sometimes
Q58 When do you install updates on your devices?
Note to provider: single option choice
I have turned on automatic updates.
After clicking on ‘remind me later’ a few times.
Whenever I am away from my device or during the night.
Q59 Have you ever heard of Multi-Factor Authentication (MFA)?
Note to provider: Please add a hover box with the following definition : Also, known as Two-Factor Authentication (2FA). Both add an extra layer of security to verify a user's identity. Biometrics, security keys, or a unique, one-time code through an app on your mobile device are examples of using 2FA/MFA.
No
Yes
Display This Question: If Q59 = Yes
Q60 Have you ever applied Multi-Factor Authentication to any of your online accounts holding personal information (e.g. email or payment-related website)?
No
Yes
Display This Question: If Q60 = Yes
Q61 Are you still using Multi-Factor Authentication?
No
Yes
Display This Question: If Q61 = No
Q62 What is the main reason you stopped using Multi-Factor Authentication (MFA)?
Note to provider: single option choice
It took too long.
I do not carry my phone with me all the time to be able to verify.
It logged me out of my accounts too many times.
I kept forgetting my verification code(s).
I did not see MFA adding any extra protection.
Display This Question: If Q59 = Yes And Q60 = No Or If Q59 = Yes And Q61 = No
Q63 You mentioned that you do not or have stopped using Multi-Factor Authentication (MFA)?.
Please rate your agreement with the following statements:
I would use MFA, but..."
Note survey providers: RANDOMIZE statements
1 Strongly Disagree
2
3
4
5
6
7
8
9
10 Strongly Agree
...I have no understanding of how to use MFA.
... I have no confidence in my ability to use MFA.
...I do not have the time to use MFA.
...I do not think it is necessary to use MFA if my device works as it should do.
...MFA is too expensive.
...Using MFA will not stop cybercriminals.
...There is no or little benefit for me to use MFA.
...I do not trust MFA software.
...As far as I know, no one else uses this and they are fine.
Q64 How often do you check a message (e.g. emails, texts, or social media messages) is genuine before clicking any links or responding to it?
Note to provider: single option choice
Never
Rarely
Sometimes
Very often
Always
I do not know how to do this
This Question: If Q64 = Sometimes Or Q64 = Very often Or Q64 = Always
Q65 What is the first action you take to make sure a message is genuine?
Note to provider: single option choice
I check the sender’s email address (e.g. ‘From’ line).
I check for unexpected content in the email text.
I hover over the links in the email to check the real destination.
Q66 If someone you know sends you an unusual message with links, how often do you reach out to the person to ask about it before clicking the link?
Note to provider: single option choice
Never
Rarely
Sometimes
Very often
Always
Q67 Do you report any phishing emails by hitting the ‘spam’ or 'report phishing' button?
Note to provider: single option choice
Never
Rarely
Sometimes
Very often
Always
I do not know how to do this
Display This Question: If Q67 = Never Or Q67 = Rarely
Q68 You mentioned that you never or rarely report phishing emails.
Please rate your agreement with the following statements:
"I would report phishing emails, but..."
Note survey providers: RANDOMIZE statements
1 Strongly Disagree
2
3
4
5
6
7
8
9
10 Strongly Agree
...I have no understanding of how to report unusual (phishing) emails.
...I have no confidence in my ability to correctly report phishing messages.
...I do not have the time to report every single phishing and spam message.
...I do not think it is necessary to report phishing or spam as nothing ever happens when I do.
...I have reported phishing, but I still get spam messages.
...Reporting phishing/spam emails has little effect on stopping cybercriminals.
...There is no or little benefit to me to report them.
...As far as I know, no one else does this and they are fine.
...I do not trust phishing reporting software.
Q69 How often do you save your passwords in the browser (e.g. Google or Firefox) when prompted?
Note to provider: single option choice
Never
Rarely
Sometimes
Very often
Always
I do not know how to do this
Q70 Have you ever downloaded a stand-alone password manager application?
No
Yes
Display This Question: If Q70 = Yes
Q71 Are you still using a password manager?
No
Yes
Display This Question: If Q71 = No
Q72 What is the main reason you have stopped using the password manager
Note to provider: single option choice
It required too much effort.
I do not trust the password manager.
I could not access my password manager from other devices.
It was too expensive to keep up.
I kept forgetting my password manager’s password.
I do not see how a password manager adds any value.
It was hard to get into the habit of using it .
Display This Question: If Q72 = I do not trust the password manager
Q73 Please tell us why you do not trust a password manager?
Display This Question: If Q70 = Yes And Q71 = No Or If Q70 = No
Q74 You mentioned that you either stopped using a password manager or do not use one at all.
Please rate your agreement with the following statements:
"I would use a password manager, but..."
Note survey providers: RANDOMIZE statements
1 Strongly Disagree
2
3
4
5
6
7
8
9
10 Strongly Agree
...I have no understanding of how to use it.
...I have no confidence in my ability to use it.
...I do not have the time to add all my passwords into it.
...I do not know which password manager to use.
...I do not think it is necessary to use a password manager as it is not required.
...Using a password manager will not stop cybercriminals.
...I cannot afford to buy a password manager.
...There is no or little benefit to me to using a password manager.
...I do not trust password managers.
...As far as I know, no one else uses one and they are fine.
Display This Question: If Q46 = Not sure, I lost count Or Q46 = 20 or more online accounts Or Q46 = 10-19 online accounts Or Q46 = 5-9 online accounts Or Q46 = 2-4 online accounts
Q75 What is your preferred method of remembering multiple passwords?
Note to provider: single option choice
I write them down in a notebook.
I write them down in a document on my computer (electronic format).
I store them in my phone.
I store them in my email.
I just remember them (without writing them down).
I save passwords in the browser.
I use a password manager application.
Q76 How often do you back up your most important data?
Note to provider: Please add a hover box with the following definition Backing up is the process of copying data for recovery in case the original data is lost or corrupted.
Note to provider: single option choice
Never
Rarely
Sometimes
Very often
Always/my device automatically backs up my data to a cloud service
I do not know how to do this
Display This Question: If Q76 = Never Or Q76 = Rarely
Q77 You mentioned that you rarely or never back up your data.
Please rate your agreement with the following statements:
"I would back up my data (e.g. to an external hard drive or to a cloud) but..."
Note survey providers: RANDOMIZE statements
1 Strongly Disagree
2
3
4
5
6
7
8
9
10 Strongly Agree
...I have no understanding of how to do it.
...I have no confidence in my ability to set this up.
...I do not have the time to back up everything.
...I do not know which cloud service to use.
...I do not think it is necessary to back up my data.
...Backing up my data will not stop cybercriminals.
...I cannot afford to buy an external hard drive or subscribe to a cloud service.
...There is no or little benefit to me in backing up my data.
...I do not trust any cloud service back-ups.
......As far as I know, no one else does this and they are fine.
Note to provider: Section Header
Demographic information
In this final section, we will ask you to fill out some information about yourself. Please respond to each question as honestly and accurately as you can.
Q78 How old are you?
Q79 What is your gender?
Male
Female
Non-binary
Prefer not to say
Prefer to self-describe:
Q80 Which country do you currently reside in?
United Kingdom
United States
Canada
Australia
New Zealand
Other
Q81 What is your highest level of qualification?
Some school/high school credit, no diploma or qualification
Primary/secondary education (e.g. GCSEs/A-levels/High School Diploma/GED)
Trade, technical or vocational training (e.g. BTEC/HND/NVQ Diploma/CTE qualification)
ndergraduate degree (e.g. Associates/Bachelors)
Postgraduate degree (e.g. Masters/PhD)
Professional degree (e.g. MD/DDS/JD)