Email Encryption: Discovering Reasons Behind its Lack of Acceptance

Kendal Stephens LaFleur
Department of Computer Science
Sam Houston State University
Huntsville, TX, United States

Lei Chen
Department of Computer Science
Sam Houston State University
Huntsville, TX, United States

Abstract

Email encryption is a critical component of data security and privacy, yet many people fail to use it. Prior studies have been performed to find ways to improve existing encryption methods and to develop new ones, in an attempt to provide a program that more people will utilize. Despite these efforts, encryption is still not widely adopted. Our study uses a survey to collect data about users' views of encryption and provide us with insight on why many choose not to use it. After analyzing these results, we found that this is not only due to a lack of usability of the encryption programs, but it's also due to the fact that many people do not fully understand encryption. There is a substantial lack of knowledge of what exactly should be encrypted, how to operate encryption programs, and the many threats associated with unencrypted emails. Our results are based on the responses of thirty people answering a multiple-choice survey we designed, made up of ten questions dealing with encryption. All survey participants came from a variety of different backgrounds and careers. To the best of our knowledge, this research study is unique and our findings represent the true viewpoints of our participants.

Keywords: encryption; security; privacy; education

I. INTRODUCTION

In today's fast-paced, technology-centered world, encryption is becoming more important than ever. Incidents of data leakage and security breaches happen every day, and many of these originate from unencrypted emails. According to a recent study done by Cranfield University, an average person receives 63 emails per day and sends 34 emails per day. This demonstrates the significant role that email plays in people's daily lives, and the immense amount of information that is transported this way. People rely heavily on email as a form of communication for both personal and work-related matters. Because of this, encryption needs to be used to ensure the security and privacy of any sensitive data or private information sent through emails. PGP, S/MIME, and other encryption programs exist, yet many people fail to use them. Because of this, we were motivated to perform this study to determine why exactly these programs are not being used when they play such a critical role in data security.

Our research study gathers data from common users to gain insight on their encryption habits and their thoughts on the subject. We collected the data by creating a survey consisting of ten multiple-choice questions, and then we sent it out to thirty people for completion. We wanted to keep the survey concise and to the point. We wanted the questions to be easy to understand so that even the more inexperienced technology users would be able to answer them truthfully and avoid confusion. We kept the survey at ten questions because we feared that making it too lengthy could cause participants to lose interest. We also felt that this study could be expanded further in the future, so for the information that we wanted to look into at this time, the ten questions provided us with the data we needed.

This study stands out from prior research in the way that we focused completely on the views and opinions of users, in order to determine exactly why they choose not to use encryption techniques. We learned from our results that many participants feel that encryption programs are difficult and frustrating to use. Many of them are also very uneducated on encryption, including how to use it and why it is important. This seems to have a major impact on the choice to send unencrypted emails.
Our study first analyzes prior work in the area of encryption, then discusses the methodology and details of our research, and then analyzes results and draws conclusions based on the findings.

II. BACKGROUND

Many studies have been conducted in the area of encryption to propose and try ways to improve the existing methods. We analyzed prior work in the field to gain more knowledge on what has been studied in the past, what conclusions have been made, and what areas still need further focus and investigation. We wanted to see what valuable findings other researchers had discovered, as well as where other studies had fallen short and needed to be extended further. We felt that a strong understanding of past research would help us better direct our own study and see what contributions we should aim to provide.

In a study by Poole et al., the authors discuss how users employ different computer tools and which various characteristics of a technological tool or program affect its usage. They discuss in great detail the use of RFID technologies, and then move on to encryption. They address how the lack of use of encryption programs is commonly due to these applications having poor usability. They also discuss how many people feel that regular use of encryption in emails is abnormal and unnecessary. Then they explore how encryption is usually associated with high importance of a message, and people don't use it or feel that it's necessary for smaller scale or less important emails. They
make the conclusion that the lack of encryption being used today is more due to non-functional aspects than to actual technical difficulties affecting usability. However, they don't offer any solutions for this. This paper is weak in that it doesn't provide any proof or data to back up the assertions, weakening its impact. This influenced us to use a survey and gather data from actual users in order to substantiate our findings and conclusions.

In another study, Gabrielson and Levkowitz discuss the need for more user-friendly encryption tools. They offer a solution that involves a security pattern based upon existing technologies and ideas. Their primary goal is to create a trusted encrypted channel that is easy to use. They discuss their definition of trust and the requirements of their development. A main necessity is that minimal interaction be needed between the user and the application. They discuss their proposed solution in detail, covering functionality and technical aspects. Using their guide for future improvements at the conclusion of the paper, this study could be extended and work could be done to expand their application development. The authors only focus on two different use cases, so improving the proof-of-concept is definitely needed in future work.

Payne and Edwards also look at security applications and flaws in their design. However, they don't really take all of their conclusions about security designs and apply them to encryption to show how it can be improved. This research could definitely be extended by looking at the successful security tools and what made them effective and usable, and then discussing how those same aspects could be used in encryption applications to make them more popular among users.

In another study, Kainda et al. develop a security and usability threat model. They identify main factors of usability and security by looking at prior studies, and categorize them into six different groups of security topics.
One of these groups is encryption. They discuss how users' understanding and knowledge of the application plays a huge role in encryption. They explain how their threat model can be used to analyze different security scenarios. This is a unique study because it takes on a different approach to security usability by creating the threat model, and it provides a great deal of detail and clear explanation. One weakness is that while it does explain how this model can be applied to a scenario, it doesn't provide an example of actually doing so. It could be improved by actually applying this to a specific security scenario, and putting specific focus on how it can be used to analyze and improve encryption methods.

Abdalla et al. introduce a development called identity-based encryption with wildcards (WIBE) in their research study. This can be used to send encrypted emails to groups of recipients. The authors discuss the history of this concept, which was first introduced in They focus on providing an encryption method to be used when sending emails to multiple people of organizational hierarchies, rather than just one single person. They provide details about the syntax and security aspects of this encryption scheme. They go into details on numerous other encryption schemes explored in prior studies that are the basis for WIBE. While this paper provides an immense amount of information, it can be hard to follow, since the many algorithms given can distract from the real meaning of the study. It is difficult to understand what these authors are actually contributing. However, this study influenced our study because we learned that we needed to make our work and its contributions clear and concise, so that other researchers in the field can use it to gain knowledge and expand upon it in their own studies.

Another research study conducted by Dingledine and Mathewson discusses the network effects of usability on privacy and security.
These authors address how encryption requires all participants, including the sender and any recipients, to work together and have an understanding of the process. They list the many ways that difficult-to-use programs can impair security. They also discuss the issue of privacy and data confidentiality, making usability even more critical when sending emails. This is where an anonymizing network comes in, which is a technique that basically hides users among users so that they cannot be identified. The authors provide multiple case studies to help readers better understand this. They make conclusions that the success of any security application relies on the behavior of users, and work on network anonymity still needs further work and experimentation. Their study makes contributions by demonstrating the usefulness of anonymity and drawing attention to its need for better design and usability. This study could be taken a step further by exploring ways to improve anonymity based on its flaws found in these case studies, and by gathering data about user habits to really understand their behavior towards this security technique in order to improve its usability. Because of this, we knew it would be beneficial to gather data directly from users in our study, which led us to create the survey.

In another study we analyzed, Weisband and Reinig first discuss user perceptions of privacy and address how people behave as though emails are private when in fact they have many vulnerabilities. Email privacy in organizations is complex and people often have false views of it. Numerous theoretical explanations are given for why users believe it is private. These are based on different things including technical factors, system design, corporate management policies, and social effects. Each of these areas is then discussed in more depth, providing details and examples. Conclusions are made that employers need to provide their employees with more information on their policies and technology security.
They also need to gain a better understanding of legal issues dealing with privacy. This study could be very useful for organizations looking to improve the security of their employees and help them understand it better. The only weakness of this study is that it focuses mainly on company email, and not on personal/home use. It could be improved by applying these same theoretical explanations and ideas about encryption usability and user perceptions of security to using it for personal matters outside of the
workplace. We were sure to include questions in our survey about both workplace and personal use of email and encryption methods.

The final study we examined addresses the issue of encryption techniques failing to be widely adopted, and authors Adida et al. present a deployment and adoption process to help solve this problem. They begin by discussing previous key management strategies and then provide some information on their own development in a previous study, Lightweight Public Key Infrastructure (PKI) for authentication. Then they explore how Lightweight PKI could be used for encryption. They address the two main goals of their solution, which are to protect honest domains and users. They go into details about their development, providing all of the technical aspects and algorithms. The authors also provide an example of how messages could be sent between two users, e.g. Alice and Bob, using this technique. They then discuss the flexible deployment options available with lightweight encryption, and give specifics of one scenario with naïve users, and another scenario with more advanced users. They also explore splitting IBE master keys, and what algorithms would be involved with this. They also go over the ways that untrusted and malicious servers could damage security schemes, and how their method can protect against this. This study explores new ideas and contributes useful and meaningful information that can be used as a step towards making encryption more widely accepted. The fact that they have already used PKI for authentication and it has worked successfully also adds strength to the study, showing that the authors have a great deal of knowledge and background in working with this type of technique. One of their ideas for future work includes user interface considerations.
While their research doesn't address this, it seems like an element that would have a large impact on the success of the method and could benefit from further research about user behavior and preferences to create an effective design.

While prior work is extensive in the area of encryption, we believe that there are still many avenues to be explored. Our study aims to provide a closer insight on why users choose to encrypt emails, or why they don't, and what could be done to influence this. Our study departs from prior works because while they mention the fact that encryption is not widely adopted by users, and address usability concerns with encryption programs, we actually gather information from real users about their specific dealings with encryption programs, and we then apply our findings to offer possible solutions.

III. MAIN RESEARCH

A. Methodology

The basis for our method of data collection centered on wanting to gain honest and true views of average users about their experience with encryption. To do this we created a survey made up of ten multiple-choice questions and then distributed it online to thirty participants. These participants ranged in age from 23 to 56, and they were all employed by a variety of different companies. We did not want to limit our participants to those from a certain workplace or a certain age group, because we wanted contributors with various backgrounds and experiences. We asked them all to answer the questions as honestly as possible, and assured them that all results were to remain anonymous. We chose this approach of gathering data in order to gain answers from many different people to a variety of questions, and have organized results that we were able to analyze and draw conclusions from. While open-ended questions can provide more detailed answers, they can also make it difficult to measure the results logically and make accurate conclusions.
With our multiple-choice survey, the results are more clear and conclusive and led to rewarding findings.

B. Data Collection

A critical part of our research method was determining the specific questions to ask on our survey. We wanted them to be simple yet still provide us with a good understanding of each participant's views on encryption. We began by asking the following question:

Do you use methods of encryption?
o Yes, only at work
o Yes, only at home
o Yes, at work and at home
o No

This question allowed us to determine from the very beginning how many of our participants actually utilized encryption programs, and if that was for work or personal use. All ten questions we asked revolved around the topic of encryption, discussing reasons for not utilizing encryption as well as discussing typical emailing habits of participants. Each question was multiple-choice, and answer choices varied from two to four different options. Our variety of questions allowed us to gain a great deal of insight on how users commonly interact with email and encryption applications, and how they feel about using encryption.

C. Benefits

Our research method differs from those in prior studies because it focuses more on the user perspective of encryption and reasons why people are still failing to make use of encryption applications. PGP, S/MIME, and other encryption methods have been available for many years, and many studies have been done to look at new techniques and ways to improve them, but most of those studies have not given attention to users' opinions. We strived to focus solely on users' views and practices in order to gain the most accurate understanding of what influences their choice in using or not using encryption. While a great deal of prior work has focused on improving technical operations of encryption applications, it won't matter how great a technical designer believes a program to be if users still fail to use it.
Our study concentrates on this and tries to determine the main reasons why people are choosing not to encrypt emails, both in the workplace and at home. Our research method provides us with sufficient results to determine this, allowing us to present new and unique information to the research community.
IV. RESULTS

Our results come from the data gathered from surveys with thirty participants. We found that only 57% surveyed actually use encryption, none of whom use it only at home. This demonstrates the dire need to determine why people make the choice to not encrypt emails, since almost half of our participants fit into this category. With the great amount of sensitive data sent through emails, it is essential to understand why people aren't encrypting and what can be done to change this. Figure 1 below shows results for the second question we asked participants.

Figure 1. Survey results on reasons of not using encryption.

From these results, we can see that difficulty of use is the top reason for encryption not being used, followed by users not feeling the need to use it and not understanding how to use it. Usability has always been a major issue with encryption, and this data proves that it is in fact a heavy influence in people's choice to use encryption techniques. Many people also seem to be uneducated on encryption, since a total of 44% of those surveyed either don't understand how to use encryption, or don't feel the need to use it, meaning they aren't aware of the serious risks with sending unencrypted emails. A small portion of survey participants felt that cost was the main reason for not using encryption. This also shows unawareness and the need for more education on the matter, since there are many cost-efficient encryption options for both personal and business use.

Other questions asked showed that a large majority of participants send personal or sensitive data in emails, and a majority also send personal emails from their company server at work. We found that only 40% of participants said that management at the company where they work strongly enforces the use of encryption. If it isn't being enforced at work, then many people likely won't see the need to use encryption at all. Managers need to understand the seriousness of data leakage and security breaches that happen so often, and realize that enforcing the use of encryption can help prevent this. There are also many types of data confidentiality laws, some differing by state and some based on the type of sensitive information being sent, such as health records, that require encryption to be used. Some of the companies choosing not to enforce it may be violating laws and regulations. Only 7% of survey participants feel very informed of policies and regulations concerning their company using encryption. This proves that there is definitely a need for education on this subject so that employees understand what is required of them to be in accordance with policies and laws.

When looking at satisfaction with the usability of encryption programs, we found that very few people are completely satisfied. Results demonstrating this are displayed in Figure 2 below.

Figure 2. Survey results on user satisfaction of encryption program.

For a program to be successful, users need to feel very satisfied, which is obviously not the case with encryption methods. This seems to be the trend in our results, since many users also named difficulty of use as the top reason for not using encryption. We also found that 37% of those surveyed have tried to open an encrypted email on their smartphone. Since smartphones and other mobile devices have become increasingly popular in recent years and many people rely on them to perform work-related tasks, it means that encryption programs will also need to be compatible with these devices. If usability is even more difficult on mobile devices, then users are likely to become more frustrated and reluctant to use encryption methods. While encryption does have many advantages such as ensuring the security and privacy of data, it seems that users believe its disadvantages outweigh those.
The lack of an easy-to-use encryption program is definitely a drawback and a large factor in people commonly sending unencrypted emails containing sensitive information.

V. CONCLUSIONS AND FUTURE WORK

From our study and data analysis, we can conclude that the main reasons for people failing to use the available encryption methods are that they lack simple usability, and people lack knowledge on the topic of encryption. A large majority of our participants don't know exactly what should be encrypted in an email, and many of them don't understand how to use encryption programs. This highlights the need for education on the subject. We believe a solution to the lack of encryption use might be to provide people with more information on the risks associated with sending unencrypted emails, and on the available encryption programs and how they operate. Email servers could send out information about this to their users, or companies could make it
a priority for management to become more educated on the issue and then conduct workshops for their employees to teach them all about how to use encryption techniques. If more people were actually taught how to use it then they would feel more comfortable with it and understand what needs to be encrypted, making them more likely to actually use encryption on a daily basis. Employers should also work harder at strongly enforcing the use of encryption methods and informing employees of the laws and regulations relating to it. This could lead people to finally comprehend the critical need for encryption, which may also drive them to use it at home.

When looking at the usability issue, many researchers have already known that encryption programs are difficult to use and work has been done trying to improve them. However, these attempts have not proved very successful since it is still a major issue with users. We believe this could be solved by performing extensive evaluations and surveying users, to determine what exactly they don't like about their current encryption programs. Researchers could also try to learn which specific characteristics users do like about other computer security programs they commonly use. This would be a good avenue of exploration for a future study done in this area. After collecting all of the information from users and having a better understanding of what it is that they precisely need and want in a program, a technical designer would be more capable of creating a successful encryption program suited to the needs of users. Future studies could also extend ours by trying to educate users on encryption through some of our suggested methods, and then observing how that actually impacted their use of encryption. Our study led to useful findings and conclusions but there is always room for further exploration on the critical topic of encryption.

REFERENCES

M. Abdalla, J. Birkett, D. Catalano, A. Dent, J. Malone-Lee, G. Neven, J. Schuldt, and N. Smart, "Wildcarded Identity-Based Encryption," in Journal of Cryptography, 2011, pp.

B. Adida, S. Hohenberger, and R. Rivest, "Lightweight Encryption for Email," in USENIX SRUTI '05: Steps to Reducing Unwanted Traffic on the Internet Workshop, 2005, pp.

R. Dingledine and N. Mathewson, "Anonymity Loves Company: Usability and the Network Effect," in Proceedings of the Fifth Workshop on the Economics of Information Security, 2006, pp.

A. Gabrielson and H. Levkowitz, "Reducing Error by Establishing Encryption Patterns," in PATTERNS 2011, The Third International Conferences on Pervasive Patterns and Applications, 2011, pp.

R. Kainda, I. Flechais, and A. Roscoe, "Security and Usability: Analysis and Evaluation," in ARES '10 International Conference on Availability, Reliability, and Security, 2010, pp.

C. Moore, "You Are What You Your Inbox," in Cranfield University School of Management Research Briefings, 2011, pp.

B. Payne and W. Edwards, "A Brief Introduction to Usable Security," in IEEE Internet Computing, 2008, pp.

E. Poole, C. Le Dantec, J. Eagan, and W. Edwards, "Reflecting on the Invisible: Understanding End-User Perceptions of Ubiquitous Computing," in Proceedings of the 10th International Conference on Ubiquitous Computing, 2008, pp.

S. Weisband and B. Reinig, "Managing User Perceptions of Email Privacy," in Communications of the ACM, 1995, pp.

APPENDIX

Below is the survey we designed and conducted in this research study.

Survey

Please answer all following questions as honestly as possible. All results will remain anonymous.

1. Do you use methods of encryption?
o Yes, only at work.
o Yes, only at home.
o Yes, at work and at home.

2. If you do not use encryption at work and/or home, what do you think is the reason for you (or your company) not implementing it?
o Cost is too high.
o Encryption programs are difficult/frustrating to use.
o Don't feel the need to use it.
o Don't understand how to use it.

3. Do you ever worry about the privacy and security of your emails?
o Yes, frequently.
o Yes, sometimes.
o No, never.

4. Do you ever send personal information or sensitive data in emails?
o Yes, frequently.
o Yes, sometimes.
o No, never.

5. Do you ever send personal emails from work using your company server?
o Yes, frequently.
o Yes, sometimes.
o No, never.

6. Does management at your company strongly enforce the use of encryption?
o Yes.

7. Are you aware of policies and regulations concerning your company using encryption?
o Yes, very informed of them.
o Yes, somewhat informed of them.
o No, not at all informed of them.

8. If you have used encryption before, how satisfied were you with the program?
o Very satisfied.
o Somewhat satisfied.
o Not at all satisfied.

9. Have you ever tried to open an encrypted email on your smartphone?
o Yes.

10. Do you know exactly what should be encrypted in an email?
o Yes.