Oracle launched “Online Security: A Human Perspective”, a report based on research by Foviance, which spoke to UK consumers who regularly use the Internet about their experiences of online security and its impact on their behavior.
The survey covered 550 respondents and the diary study assessed the responses and habits of a sub-group of 24 people, asking them about their experiences of real-life online security situations. The focus groups brought this smaller panel together to qualify trends and extract greater detail about the initial findings.
Current consumer attitudes to online security: mixed messages
Consumers appeared to have contradictory attitudes towards online security, with perceptions very much “press-led” and fueled by assumptions of the potential threats and expectations about their rights.
Consumers continued to list predictable threats, such as malware, spyware and identity theft, and 30% said they do not trust central or local Government with their personal data.
Yet when questioned more closely respondents revealed a distinct contradiction between their attitudes and their understanding of the issues. For example, almost a third of survey respondents (30%) do not trust online security measures. When some members of the focus groups raised WiFi as a security threat, others agreed, but detailed questioning revealed a clear lack of understanding.
Indeed, the majority of survey respondents (70%) blamed themselves as the primary cause of their IT security problems, which suggests they accept their “culpability.” That said, nearly a quarter (24.9%) blamed the website, brand or technology if they experienced login problems.
The focus groups also revealed consumers showed no desire to understand the mechanics of IT security in more detail and had high expectations about their rights if affected by a security threat.
However, consumers go on to suggest they would not respond favorably to stricter security. Despite two thirds (66%) stating they would be more confident online if websites imposed additional security measures, they were unlikely to accept these measures if it meant the transaction process increased in either time or complexity. In fact, 26% reported that such measures would drive them onto competitors’ sites.
This creates a dilemma for less recognised brands that need to reassure prospective customers, and for larger brands that have been hit by a security issue. How does a company engender trust, which can lead to customer loyalty and potential revenue growth, if consumers offer such mixed messages about current security technology?
Cracking the code: balancing security and convenience to avoid bad habits
The answer seems to be that both online retailers and other organisations with an online presence need to demonstrate a greater understanding of instinctive human responses to security. Customers want reassurance, demonstrating this with their buying preference for trusted brands, but they do not want it at the expense of convenience.
Respondents to the research and focus group participants cited a number of frustrations that have led them to abandon online transactions, including being perplexed by username and password selection rules, being forced to wait for an email password reminder and being flummoxed by password reminder questions.
The survey also produced some worrying statistics:
- 72% of respondents have had at least one problem in the past three months alone
- The number one reason for discontinuing a transaction was the process taking too long (48%)
- 38.9% said that a purchase process with too many steps is a barrier to online shopping
- For survey participants that had abandoned a purchase in the last 12 months, 16% did so because the transaction took them to another website, such as 3D Secure Way
- 25% of those questioned in the survey admitted to keeping written lists of their online usernames and passwords
- In one focus group a participant admitted to writing passwords on every account statement.
The dangers to online vendors are obvious, as consumers are quite prepared to complain to others about their frustrations. 8 examples were raised over the course of the focus groups, with participants very quick to name the brand. 31% of people surveyed were likely to use a site less frequently if they encountered login problems.
This makes it extremely difficult for online retailers (and for that matter any organisation wishing to interact with its stakeholders via the Internet) to balance security needs against providing a fast and efficient service. For example, there was a point-blank refusal to accept the extension of 2-factor security beyond the banking sector, on the grounds that transactions which involved smaller sums should not require this technology.
The report offers some guidance, with respondents and focus group participants suggesting that they look for “trust signals” from an online brand, which could include:
- 3rd party certification logos
- Security and privacy policies
- Customer reviews / ratings
- Confirmation page / confirmation email
- Terms & conditions.
A security enabled online world: using security to tip the scales
The research provides clear insights beyond the usual assessment of consumer concerns about IT security to suggest that there are clear benefits for online vendors, whose security approach can help to tip the scales in their favor.
For instance if consumers have to make a risk assessment of two online sites, weighing up the merits of a price-based one against those of a recognized brand, unsurprisingly attitudes to online security tend to drive the consumer to the latter. Furthermore focus group respondents suggested they would be willing to pay a premium for such products and services.
Hence the obvious calculation is that a good approach to security breeds trust, which in turn engenders loyalty that can help to drive revenues.
Consequently Oracle recommends a number of steps that businesses can take to improve the customer experience and foster brand loyalty without compromising security:
Take the onus away from the customer and reassure them: customers are anxious about security and do want online transactions to be protected. As a result, companies should publish highly visible third-party security certification logos, so that customers immediately recognize that each click, transaction or purchase is secure. Businesses should also make their own security and privacy policies highly visible, with customer reviews and ratings on show for visitors to see. In addition, businesses should also confirm all purchases with a confirmation page, followed by a confirmation email.
Build a better user experience by recognizing there are shades of gray: Organizations need to appreciate that the one-size-fits-all approach for assessing the risk of fraudulent activity no longer works. Instead, businesses should assess the varying degrees of risk presented by particular transactions. If we consider that the most likely reason for abandoned transactions is that the process is taking too long, then businesses should consider the level of threat versus disruption to the customer.
Stop thinking in terms of a moat and castle – introduce a multi-layered approach: Organisations need to shift the onus of responsibility away from the consumer to encourage online sales. This can be achieved by taking a layered approach, with technology that drives confidence at each level of an online purchase. From the website to the back-end processes and where sensitive customer information is stored, companies can install a mechanism that manages customer information throughout its lifecycle, wherever it resides.
Technology is now available that automates and simplifies the setting and management of IT security policies, which minimises users’ need to clear a confusing variety of security checks. By taking the concern away from consumers, organisations can take positive steps towards building a trusting, long-term relationship with customers. By analysing the origin and nature of incoming transactions, behavioral intelligence and profile information can be gathered to generate a risk score for each transaction, allowing continual assessment of threat levels and the ability to dynamically update policies and respond to new threats.