By Dominic Jones | Published: January 30, 2007
Online trust survey is hard to believe
SURVEYS are good fodder for news organizations and online publications like ours. I see a lot of them and I’d like to write about more of them, but there’s often some reason why I won’t use them.
Perhaps it’s because surveys have become an overused marketing device or PR tactic designed to influence a target audience. Generally, I find that the best surveys come from non-profits, academia and well-known research organizations.
I won’t use a survey if I don’t trust that its conclusions are reliable. Ironically, this happened today when I read a release about web users’ dwindling trust in online banking.
The online survey was paid for by RSA, the online security division of EMC Corp. Of the 200 responses received:
- 82% of people said they’re less likely to respond to an e-mail from their bank because they worry they might be scams.
- Meanwhile, 91% of account-holders are willing to start using new methods if their banks decided to offer stronger security.
- And 69% of respondents said their banks should offer something better than usernames and passwords.
Nothing so far seems unreasonable. People today would and should be concerned about security on the Web.
But it’s what follows next that I don’t get.
Would you like some risk-based authentication with that?
When people in the survey were asked what steps they want their banks to take to improve security, almost three-quarters (73%) preferred “risk-based authentication.”
What is “risk-based authentication”? If you are one of the 74% of people who know, please tell me, because I’d like to know.
This is how the release explains “risk-based authentication”:
Risk-based authentication involves a behind-the-scenes assessment of the user’s identity based on factors including log-on location, IP address and transaction behavior - which can be supplemented with out-of-band phone calls or secret questions for transactions that are deemed high-risk. Risk-based authentication is designed to provide strong security with minimal impact on the user experience - a concept that resonated extremely well with the survey respondents.
Did you understand that and have a good idea of how it works? I don’t.
So I’m wondering then how the people in the survey know. Why should I believe them that this is what they want when they probably don’t even know what it means?
Making survey look more important than it is
Perhaps all 200 people are online security experts and they all know what “risk-based authentication” is. But according to the release, the survey was an online survey that was sent to “1,678 adults from eight countries,” so it looks as if they’re regular web users.
Actually, it’s worth noting that the company’s release doesn’t mention that only about 200 people responded. I learned that from a report on the Digital Transactions website I located via Google News.
Now I’m even less impressed because it looks to me like the release is trying to make the survey seem bigger than it actually is.
But I still would like to know what “risk-based authentication” is. I see RSA has a glossary and it defines the phrase thus:
Similar to layered authentication, risk-based authentication requires various levels of proofs, depending on the risk level of the transaction.
This term is used interchangeably for systems where risk assessment is used in two different ways. In some systems, risk assessment is used to determine the stringency of the processes and procedures to enroll and use a particular set of resources. The same credentials will be used in every session but people who need different kinds of resources may use different credentials. A user name and password will be sufficient for some people where others with more access to sensitive information may need a two-factor hardware token, for example.
The second way that risk-based authentication is used is where systems actually require different authentication levels for the same user, based on the specific transaction, not identity. For example, many web services will use a cookie, placed on the browser from an earlier session as a proof of identity for browsing catalogue pages but will ask for a user name and password to make a purchase.
So now it can mean two different things!
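To make the second sense concrete, here is an added sketch (not RSA's code or product logic) that combines the glossary's per-transaction baseline with the signals the release lists: log-on location, IP address and transaction behaviour. The weights, thresholds, field names and sample profile are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed weights and thresholds (assumptions, not RSA's values).
WEIGHTS = {"new_location": 30, "new_ip": 20, "unusual_amount": 35, "new_payee": 25}
SECRET_QUESTION_AT, OUT_OF_BAND_AT = 40, 70
# Baseline proof per action: the glossary's cookie-to-browse, password-to-buy split.
BASELINE = {"browse": "cookie", "view_balance": "password", "transfer": "password"}

@dataclass
class Profile:            # what the bank has seen from this customer before
    countries: set
    ip_prefixes: set      # first two octets of previously seen IPv4 addresses
    typical_max: float    # largest amount the customer normally moves
    payees: set

@dataclass
class Request:
    action: str
    country: str
    ip: str
    amount: float = 0.0
    payee: str = ""

def risk_score(profile, req):
    """Return (score, fired signals) from location, IP and transaction behaviour."""
    signals = {
        "new_location": req.country not in profile.countries,
        "new_ip": ".".join(req.ip.split(".")[:2]) not in profile.ip_prefixes,
        "unusual_amount": req.amount > profile.typical_max,
        "new_payee": req.action == "transfer" and req.payee not in profile.payees,
    }
    fired = [name for name, hit in signals.items() if hit]
    return sum(WEIGHTS[name] for name in fired), fired

def required_proofs(profile, req):
    """Baseline proof for the action, plus a step-up when the score is high."""
    proofs = [BASELINE[req.action]]
    if req.action == "browse":
        return proofs     # nothing sensitive at stake, so no step-up
    score, _ = risk_score(profile, req)
    if score >= OUT_OF_BAND_AT:
        proofs.append("out_of_band_call")
    elif score >= SECRET_QUESTION_AT:
        proofs.append("secret_question")
    return proofs

# Constructed customer profile; IPs are from documentation ranges.
PROFILE = Profile({"CA"}, {"192.0"}, 500.0, {"hydro"})
```

A customer paying a known payee from a familiar network sees only the password prompt; the scoring happens out of sight, and the extra question or phone call appears only when enough signals fire.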
One thing I know for sure is that RSA sells online security products and services. So it’s in their interests to highlight the need for greater online protections.
Another thing I know for sure is that I’m not buying these results until I know more. Indeed, I see a lot of surveys that I don’t believe for one reason or another. I believe you have to treat a lot of them with a good dose of skepticism.
How about you, do you see surveys that make you wonder? If you don’t then you’re probably too busy to take a long hard look at the stuff that’s sent to you.
And that’s exactly why marketers and spin doctors continue to do them.



January 30th, 2007 at 10:31 am
This is a textbook example of “leading the witness”. Deplorable.