Email Encryption. Discovering Reasons Behind its Lack of Acceptance




Kendal Stephens LaFleur
Department of Computer Science, Sam Houston State University, Huntsville, TX, United States
kks016@shsu.edu

Lei Chen
Department of Computer Science, Sam Houston State University, Huntsville, TX, United States
shsu.chen@gmail.com

Abstract

Email encryption is a critical component of data security and privacy, yet many people fail to use it. Prior studies have tried to improve existing encryption methods and to develop new ones, in an attempt to provide a program that more people will use. Despite these efforts, email encryption is still not widely adopted. Our study uses a survey to collect data about users' views of email encryption and to give us insight into why many choose not to use it. After analyzing the results, we found that this is due not only to the poor usability of encryption programs, but also to the fact that many people do not fully understand encryption. There is a substantial lack of knowledge of what exactly should be encrypted, how to operate encryption programs, and the many threats associated with unencrypted emails. Our results are based on the responses of thirty people to a multiple-choice survey we designed, made up of ten questions dealing with email encryption. The survey participants came from a variety of backgrounds and careers. To the best of our knowledge, this research study is unique, and our findings represent the true viewpoints of our participants.

Keywords: email encryption; security; privacy; education

I. INTRODUCTION

In today's fast-paced, technology-centered world, email encryption is becoming more important than ever. Incidents of data leakage and security breaches happen every day, and many of these originate from unencrypted emails. According to a recent study by Cranfield University [6], an average person receives 63 emails per day and sends 34 emails per day. This demonstrates the significant role that email plays in people's daily lives, and the immense amount of information that is transported this way. People rely heavily on email as a form of communication for both personal and work-related matters. Because of this, email encryption needs to be used to ensure the security and privacy of any sensitive data or private information sent through email. PGP, S/MIME, and other encryption programs exist, yet many people fail to use them. This motivated us to perform this study to determine why exactly these programs are not being used when they play such a critical role in data security.

Our research study gathers data from common email users to gain insight into their encryption habits and their thoughts on the subject. We collected the data by creating a survey of ten multiple-choice questions and sending it to thirty people for completion. We wanted to keep the survey concise and to the point. We wanted the questions to be easy to understand so that even the more inexperienced technology users would be able to answer them truthfully and avoid confusion. We kept the survey at ten questions because we feared that making it too lengthy could cause participants to lose interest. We also felt that this study could be expanded further in the future, so for the information we wanted to look into at this time, the ten questions provided us with the data we needed.

This study stands out from prior research in that we focused completely on the views and opinions of users, in order to determine exactly why they choose not to use encryption techniques. We learned from our results that many participants feel that encryption programs are difficult and frustrating to use. Many of them are also very uneducated on email encryption, including how to use it and why it is important. This seems to have a major impact on the choice to send unencrypted emails. Our study first analyzes prior work in the area of email encryption, then discusses the methodology and details of our research, and finally analyzes the results and draws conclusions based on the findings.

II. BACKGROUND

Many studies have been conducted in the area of email encryption to propose and test ways to improve the existing methods. We analyzed prior work in the field to gain more knowledge of what has been studied in the past, what conclusions have been drawn, and what areas still need further focus and investigation. We wanted to see what valuable findings other researchers had made, as well as where other studies had fallen short and needed to be extended. We felt that a strong understanding of past research would help us better direct our own study and see what contributions we should aim to provide.

In a study by Poole et al. [8], the authors discuss how users employ different computer tools and which characteristics of a technological tool or program affect its usage. They discuss in great detail the use of RFID technologies, and then move on to email encryption. They address how the lack of use of email encryption programs is commonly due to these applications having poor usability. They also discuss how many people feel that regular use of encryption in emails is abnormal and unnecessary. They then explore how email encryption is usually associated with high importance of a message, and people don't use it or feel that it's necessary for smaller-scale or less important emails. They conclude that the lack of email encryption in use today is due more to non-functional aspects than to actual technical difficulties affecting usability. However, they don't offer any solutions for this. This paper is weak in that it doesn't provide any proof or data to back up its assertions, weakening its impact. This influenced us to use a survey and gather data from actual email users in order to substantiate our findings and conclusions.

In another study, Gabrielson and Levkowitz [4] discuss the need for more user-friendly encryption tools. They offer a solution that involves a security pattern based upon existing technologies and ideas. Their primary goal is to create a trusted encrypted channel that is easy to use. They discuss their definition of trust and the requirements of their development. A main necessity is that minimal interaction be needed between the user and the application. They discuss their proposed solution in detail, covering functionality and technical aspects. Using their guide for future improvements at the conclusion of the paper, this study could be extended and work could be done to expand their application development. The authors focus on only two use cases, so improving the proof of concept is definitely needed in future work.

Payne and Edwards [7] also look at security applications and flaws in their design. However, they don't really take all of their conclusions about security design and apply them to email encryption to show how it can be improved. This research could definitely be extended by looking at successful security tools and what made them effective and usable, and then discussing how those same aspects could be used in email encryption applications to make them more popular among users.

In another study, Kainda et al. [5] develop a security and usability threat model. They identify the main factors of usability and security by looking at prior studies, and categorize them into six groups of security topics. One of these groups is email encryption. They discuss how users' understanding and knowledge of the application plays a huge role in email encryption. They explain how their threat model can be used to analyze different security scenarios. This is a unique study because it takes a different approach to security usability by creating the threat model, and it provides a great deal of detail and clear explanation. One weakness is that while it does explain how this model can be applied to a scenario, it doesn't provide an example of actually doing so. It could be improved by applying the model to a specific security scenario, with specific focus on how it can be used to analyze and improve email encryption methods.

Abdalla et al. [1] introduce a development called identity-based encryption with wildcards (WIBE) in their research study. This can be used to send encrypted emails to groups of recipients. The authors discuss the history of this concept, which was first introduced in 1984. They focus on providing an encryption method to be used when sending emails to multiple people in organizational hierarchies, rather than to just one person. They provide details about the syntax and security aspects of this encryption scheme. They go into detail on numerous other encryption schemes explored in prior studies that are the basis for WIBE. While this paper provides an immense amount of information, it can be hard to follow, with the many algorithms given distracting from the real meaning of the study. It is difficult to understand what these authors are actually contributing. However, this study influenced our study because we learned that we needed to make our work and its contributions clear and concise, so that other researchers in the field can use it to gain knowledge and expand upon it in their own studies.

Another research study, conducted by Dingledine and Mathewson [3], discusses the network effects of usability on privacy and security. These authors address how email encryption requires all participants, including the sender and any recipients, to work together and have an understanding of the process. They list the many ways that difficult-to-use programs can impair security. They also discuss the issue of privacy and data confidentiality, which makes usability even more critical when sending emails. This is where anonymizing networks come in, a technique that essentially hides users among other users so that they cannot be identified. The authors provide multiple case studies to help readers better understand this. They conclude that the success of any security application relies on the behavior of users, and that work on network anonymity still needs further work and experimentation. Their study makes contributions by demonstrating the usefulness of anonymity and drawing attention to its need for better design and usability. This study could be taken a step further by exploring ways to improve anonymity based on the flaws found in these case studies, and by gathering data about user habits to really understand their behavior towards this security technique in order to improve its usability. Because of this, we knew it would be beneficial to gather data directly from users in our study, which led us to create the survey.

In another study we analyzed, Weisband and Reinig [9] first discuss user perceptions of privacy and address how people behave as though emails are private when in fact they have many vulnerabilities. Email privacy in organizations is complex, and people often have false views of it. Numerous theoretical explanations are given for why users believe it is private. These are based on different things, including technical factors, system design, corporate management policies, and social effects. Each of these areas is then discussed in more depth, providing details and examples. The authors conclude that employers need to provide their employees with more information on their email policies and technology security. They also need to gain a better understanding of legal issues dealing with email privacy. This study could be very useful for organizations looking to improve the security of their employees' email and help them understand it better. The only weakness of this study is that it focuses mainly on company email, and not on personal/home email use. It could be improved by applying these same theoretical explanations and ideas about encryption usability and user perceptions of email security to personal use outside of the workplace. We were sure to include questions in our survey about both workplace and personal use of email and encryption methods.

The final study we examined addresses the issue of email encryption techniques failing to be widely adopted, and authors Adida et al. [2] present a deployment and adoption process to help solve this problem. They begin by discussing previous key management strategies and then provide some information on their own development in a previous study, Lightweight Public Key Infrastructure (PKI) for email authentication. Then they explore how Lightweight PKI could be used for encryption. They address the two main goals of their solution, which are to protect honest domains and users. They go into detail about their development, providing all of the technical aspects and algorithms. The authors also provide an example of how messages could be sent between two users, e.g. Alice and Bob, using this technique. They then discuss the flexible deployment options available with lightweight encryption, and give specifics of one scenario with naïve users and another scenario with more advanced users. They also explore splitting IBE master keys, and what algorithms would be involved with this. They also go over the ways that untrusted and malicious servers could damage security schemes, and how their method can protect against this. This study explores new ideas and contributes useful and meaningful information that can be used as a step towards making email encryption more widely accepted. The fact that they have already used PKI for email authentication and it has worked successfully also adds strength to the study, showing that the authors have a great deal of knowledge and background in working with this type of technique. One of their ideas for future work includes user interface considerations. While their research doesn't address this, it seems like an element that would have a large impact on the success of the method and could benefit from further research about user behavior and preferences to create an effective design.

While prior work is extensive in the area of email encryption, we believe that there are still many avenues to be explored. Our study aims to provide closer insight into why users choose to encrypt emails, or why they don't, and what could be done to influence this. Our study departs from prior work because, while prior studies mention that email encryption is not widely adopted by users and address usability concerns with encryption programs, we actually gather information from real users about their specific dealings with encryption programs, and we then apply our findings to offer possible solutions.

III. MAIN RESEARCH

A. Methodology

The basis for our method of data collection centered on wanting to gain the honest and true views of average email users about their experience with encryption. To do this we created a survey made up of ten multiple-choice questions and then distributed it online to thirty participants. These participants ranged in age from 23 to 56, and they were all employed by a variety of different companies. We did not want to limit our participants to those from a certain workplace or a certain age group, because we wanted contributors with various backgrounds and experiences. We asked them all to answer the questions as honestly as possible, and assured them that all results would remain anonymous. We chose this approach to gathering data in order to gain answers from many different people to a variety of questions, and to have organized results that we were able to analyze and draw conclusions from. While open-ended questions can provide more detailed answers, they can also make it difficult to measure the results logically and draw accurate conclusions. With our multiple-choice survey, the results are clearer and more conclusive, and they led to rewarding findings.

B. Data Collection

A critical part of our research method was determining the specific questions to ask on our survey. We wanted them to be simple yet still provide us with a good understanding of each participant's views on email encryption. We began by asking the following question:

Do you use methods of email encryption?
o Yes, only at work
o Yes, only at home
o Yes, at work and at home
o No

This question allowed us to determine from the very beginning how many of our participants actually used email encryption programs, and whether that was for work or personal use. All ten questions we asked revolved around the topic of email encryption, covering reasons for not using encryption as well as the typical emailing habits of participants. Each question was multiple-choice, and the answer choices varied from two to four options. Our variety of questions allowed us to gain a great deal of insight into how users commonly interact with email and encryption applications, and how they feel about using encryption.

C. Benefits

Our research method differs from those in prior studies because it focuses more on the user perspective of email encryption and the reasons why people are still failing to make use of encryption applications. PGP, S/MIME, and other encryption methods have been available for many years, and many studies have been done to look at new techniques and ways to improve them, but most of those studies have not given attention to users' opinions. We strove to focus solely on users' views and practices in order to gain the most accurate understanding of what influences their choice to use or not use email encryption. While a great deal of prior work has focused on improving the technical operation of encryption applications, it won't matter how great a technical designer believes a program to be if users still fail to use it. Our study concentrates on this and tries to determine the main reasons why people are choosing not to encrypt emails, both in the workplace and at home. Our research method provides us with sufficient results to determine this, allowing us to present new and unique information to the research community.

IV. RESULTS

Our results come from the survey data gathered from thirty participants. We found that only 57% of those surveyed actually use email encryption, none of whom use it only at home. This demonstrates the dire need to determine why people choose not to encrypt emails, since almost half of our participants fit into this category. With the great amount of sensitive data sent through email, it is essential to understand why people aren't encrypting and what can be done to change this. Figure 1 below shows the results for the second question we asked participants.

Figure 1. Survey results on reasons for not using email encryption.

From these results, we can see that difficulty of use is the top reason for encryption not being used, followed by users not feeling the need to use it and not understanding how to use it. Usability has always been a major issue with email encryption, and this data proves that it is in fact a heavy influence on people's choice to use encryption techniques. Many people also seem to be uneducated on email encryption, since a total of 44% of those surveyed either don't understand how to use encryption or don't feel the need to use it, meaning they aren't aware of the serious risks of sending unencrypted emails. A small portion of survey participants felt that cost was the main reason for not using encryption. This also shows unawareness and the need for more education on the matter, since there are many cost-efficient encryption options for both personal and business use.

Other questions showed that a large majority of participants send personal or sensitive data in emails, and a majority also send personal emails from their company email server at work. We found that only 40% of participants said that management at the company where they work strongly enforces the use of email encryption. If it isn't being enforced at work, then many people likely won't see the need to use encryption at all. Managers need to understand the seriousness of the data leakage and security breaches that happen so often, and realize that enforcing the use of email encryption can help prevent this. There are also many types of data confidentiality laws, some differing by state and some based on the type of sensitive information being sent, such as health records, that require email encryption to be used. Some of the companies choosing not to enforce it may be violating laws and regulations. Only 7% of survey participants feel very informed of policies and regulations concerning their company's use of email encryption. This proves that there is definitely a need for education on this subject, so that employees understand what is required of them to be in accordance with policies and laws.

When looking at satisfaction with the usability of encryption programs, we found that very few people are completely satisfied. Results demonstrating this are displayed in Figure 2 below.

Figure 2. Survey results on user satisfaction with email encryption programs.

For a program to be successful, users need to feel very satisfied, which is obviously not the case with encryption methods. This seems to be the trend in our results, since many users also named difficulty of use as the top reason for not using encryption. We also found that 37% of those surveyed have tried to open an encrypted email on their smartphone. Since smartphones and other mobile devices have become increasingly popular in recent years and many people rely on them to perform work-related tasks, encryption programs will also need to be compatible with these devices. If usability is even more difficult on mobile devices, then users are likely to become more frustrated and reluctant to use encryption methods. While email encryption does have many advantages, such as ensuring the security and privacy of data, it seems that users believe its disadvantages outweigh those. The lack of an easy-to-use encryption program is definitely a drawback and a large factor in people commonly sending unencrypted emails containing sensitive information.

V. CONCLUSIONS AND FUTURE WORK

From our study and data analysis, we can conclude that the main reasons people fail to use the available email encryption methods are that the methods lack simple usability, and that people lack knowledge on the topic of email encryption. A large majority of our participants don't know exactly what should be encrypted in an email, and many of them don't understand how to use encryption programs. This highlights the need for education on the subject. We believe a solution to the lack of encryption use might be to provide people with more information on the risks associated with sending unencrypted emails, and on the available encryption programs and how they operate. Email providers could send out information about this to their users, or companies could make it a priority for management to become more educated on the issue and then conduct workshops for their employees to teach them how to use encryption techniques. If more people were actually taught how to use it, then they would feel more comfortable with it and understand what needs to be encrypted, making them more likely to use encryption on a daily basis. Employers should also work harder at strongly enforcing the use of encryption methods and informing employees of the laws and regulations relating to it. This could lead people to finally comprehend the critical need for encryption, which may also drive them to use it at home.

When looking at the usability issue, many researchers have long known that encryption programs are difficult to use, and work has been done to try to improve them. However, these attempts have not proved very successful, since usability is still a major issue for users. We believe this could be solved by performing extensive evaluations and surveying users to determine exactly what they don't like about their current encryption programs. Researchers could also try to learn which specific characteristics users do like about other computer security programs they commonly use. This would be a good avenue of exploration for a future study in this area. After collecting all of this information from users and gaining a better understanding of what precisely they need and want in a program, a technical designer would be more capable of creating a successful encryption program suited to the needs of users. Future studies could also extend ours by trying to educate users on email encryption through some of our suggested methods, and then observing how that actually impacted their use of encryption. Our study led to useful findings and conclusions, but there is always room for further exploration on the critical topic of email encryption.

REFERENCES

[1] M. Abdalla, J. Birkett, D. Catalano, A. Dent, J. Malone-Lee, G. Neven, J. Schuldt, and N. Smart, "Wildcarded Identity-Based Encryption," in Journal of Cryptography, 2011, pp. 42-82.
[2] B. Adida, S. Hohenberger, and R. Rivest, "Lightweight Encryption for Email," in USENIX SRUTI '05: Steps to Reducing Unwanted Traffic on the Internet Workshop, 2005, pp. 93-99.
[3] R. Dingledine and N. Mathewson, "Anonymity Loves Company: Usability and the Network Effect," in Proceedings of the Fifth Workshop on the Economics of Information Security, 2006, pp. 100-112.
[4] A. Gabrielson and H. Levkowitz, "Reducing Error by Establishing Encryption Patterns," in PATTERNS 2011, The Third International Conferences on Pervasive Patterns and Applications, 2011, pp. 133-137.
[5] R. Kainda, I. Flechais, and A. Roscoe, "Security and Usability: Analysis and Evaluation," in ARES '10 International Conference on Availability, Reliability, and Security, 2010, pp. 275-282.
[6] C. Moore, "You Are What You Email @ Your Inbox," in Cranfield University School of Management Research Briefings, 2011, pp. 1-4.
[7] B. Payne and W. Edwards, "A Brief Introduction to Usable Security," in IEEE Internet Computing, 2008, pp. 30-38.
[8] E. Poole, C. Le Dantec, J. Eagan, and W. Edwards, "Reflecting on the Invisible: Understanding End-User Perceptions of Ubiquitous Computing," in Proceedings of the 10th International Conference on Ubiquitous Computing, 2008, pp. 192-201.
[9] S. Weisband and B. Reinig, "Managing User Perceptions of Email Privacy," in Communications of the ACM, 1995, pp. 40-47.

APPENDIX

Below is the survey we designed and conducted in this research study.

Survey

Please answer all of the following questions as honestly as possible. All results will remain anonymous.

1. Do you use methods of email encryption?
o Yes, only at work.
o Yes, only at home.
o Yes, at work and at home.
o No.

2. If you do not use encryption at work and/or home, what do you think is the reason for you (or your company) not implementing it?
o Cost is too high.
o Encryption programs are difficult/frustrating to use.
o Don't feel the need to use it.
o Don't understand how to use it.

3. Do you ever worry about the privacy and security of your emails?
o Yes, frequently.
o Yes, sometimes.
o No, never.

4. Do you ever send personal information or sensitive data in emails?
o Yes, frequently.
o Yes, sometimes.
o No, never.

5. Do you ever send personal emails from work using your company email server?
o Yes, frequently.
o Yes, sometimes.
o No, never.

6. Does management at your company strongly enforce the use of email encryption?
o Yes.

7. Are you aware of policies and regulations concerning your company using email encryption?
o Yes, very informed of them.
o Yes, somewhat informed of them.
o No, not at all informed of them.

8. If you have used email encryption before, how satisfied were you with the program?
o Very satisfied.
o Somewhat satisfied.
o Not at all satisfied.

9. Have you ever tried to open an encrypted email on your smartphone?
o Yes.

10. Do you know exactly what should be encrypted in an email?
o Yes.