The concept of ‘sensitive information’ has a lot of different definitions, most of them being parts of the laws and regulations of different countries. To sum these definitions up, information is considered to be sensitive if the loss of its confidentiality or availability has severely undesirable effects on organizations or individuals.
Irrespective of the different conceptual definitions of ‘sensitive information’, the human factor is the core element dictating what this notion should signify.
This experiment was presented at the Virus Bulletin Conference 2013.
Privacy and sensitive information sharing – The Experiment
A sample consisting of 2,100 people from seven different countries was questioned regarding the notion of ‘sensitive information’ and what kind of information they would be willing to disclose to another ‘reliable person’. Respondents were randomly selected from a large database containing more than 150 million records, in order to have the same number of individuals in each subset: 300. The subsets represent the countries the individuals were from: US, UK, Spain, Japan, Lebanon, Romania and Australia. The sex ratio was 1:1, meaning that in each sub-sample, the number of males was equal to the number of females.
The hypothesis: sensitive information sharing vs cultural background and beliefs
The experiment was designed to test some hypotheses:
a) The higher the interviewees’ cultural knowledge, the stricter their attitude/conduct towards privacy.
b) The stricter the interviewees’ cultural background, the stricter their attitude about the privacy of their data.
c) The greater the interviewees’ need for freedom, the less strict their attitude about private information disclosure.
The time frame for this experiment was six months – after six months of discussions, the trust of the participants had been gained, meaning that they started to talk about themselves without restrictions.
At the very beginning of the discussions, the participants in the study were pretty concerned about their personal privacy. But as conversations continued and trust between interlocutors was gradually obtained, anxiety disappeared.
The results: what kind of sensitive information has been disclosed?
The information provided is shown in Table 1.
The results support the three hypotheses: all of them could predict the likelihood of users protecting their sensitive data.
Data privacy: conclusions
While the decision-making behind private information disclosure is an extremely complicated process, likely to fail unless the right triggers are activated, the virtual world appears to make it easier in both directions. People are more willing to share because of their suspended sense of risk in the absence of social cues; cybercriminals are better equipped to trick their victims based on what information is made available about potential human sources of authority. A case of ultimate efficiency: beating the regular unwary users with the weapons of other unwary, but more authoritative, users.