5 years of shifting cybersecurity behavior

Online security is built through routine decisions made across devices and accounts. People choose how to create passwords, how often to reuse them, and how much effort to invest in protecting personal data. The National Cybersecurity Alliance and CybSafe’s Oh, Behave! The Cybersecurity Attitudes and Behaviors Report: 2021–2025 follows those patterns over five years, drawing on responses from more than 24,000 adults and documenting how attitudes and behaviors shift over time.

“Five years of data tell a very different story than a single year ever could,” said Lisa Plaggemier, Executive Director of the National Cybersecurity Alliance. “People understand cybersecurity risks better than they did five years ago, but the behaviors that actually reduce risk are becoming harder to sustain. As an industry, we need to do a better job connecting the risks people hear about to the specific actions that protect them. This research helps us see where that disconnect exists and how we can better support secure habits in real life.”

‘Overall, how many online accounts do you own that hold personal information?’ (Source: National Cybersecurity Alliance and CybSafe)

Rising belief in personal control and shared responsibility

Belief in the value of personal cybersecurity has increased over time. A larger majority agree that staying secure online is worth the effort. More respondents describe security as achievable, and more say it is under their control. These measures reflect a population that views digital protection as part of everyday responsibility.

Expectations of technology providers have also grown. A rising share of respondents say apps and platforms should help protect user information. Responsibility is seen as shared between individuals and service providers, reflecting participation in digital systems where data moves between services and devices.

Reports of confusion and overwhelm have increased during the same period. Perceived cost appears more often as a structural barrier. A larger share of respondents express security fatalism, defined in the survey as the belief that efforts are pointless because data is already online. The findings document rising confidence in the value of security and rising reports of strain within the same time frame.

Password behavior reflects mixed consistency

Password length has shifted upward during the survey window. Longer passwords appear more frequently than in earlier years, and mid-length passwords remain widely used. Shorter passwords continue to account for a portion of responses.

Password construction patterns remain consistent. Inclusion of personal information in passwords has increased. Use of single dictionary words with character substitutions remains common. These techniques appear alongside longer password strings, showing that length and structure evolve separately.

Use of unique passwords for important accounts shows variation in consistency. More respondents report using unique credentials all of the time than in the early years of the survey. Another segment reports using unique passwords only half of the time. The survey also identifies respondents who rarely or never use unique passwords.

Among those who rarely or never use unique passwords, difficulty remembering multiple credentials stands out as the primary reason. Some respondents reserve unique passwords for accounts they consider higher risk. Memory demands and prioritization influence how credentials are managed across accounts.

These patterns indicate awareness of recommended practices. Execution varies across individuals and account types.

Connectivity and account management

Internet engagement has intensified during the period covered by the survey. A larger proportion of respondents describe themselves as always connected. Online interaction remains embedded in work, communication, commerce, and entertainment.

Account distribution has shifted in recent years. The share of respondents reporting very high numbers of online accounts has declined. The combined share managing double-digit account counts has also moved downward. The most common account range remains concentrated in a smaller cluster of active accounts.

These movements reflect ongoing adjustment in how individuals organize their digital footprint. The survey records changes in connectivity and account volume without assigning cause, capturing how patterns change within everyday use.

Cybercrime victimization reaches new levels

The broader environment in which these behaviors occur includes elevated exposure to cybercrime. By 2025, cybercrime victimization reached 44%, the highest level recorded in the five-year dataset.

This measure reflects respondents who report experiencing some form of cybercrime during the study window. The increase in victimization appears during the same period in which belief in the value of security strengthened and reports of confusion and overwhelm increased.

The survey does not link victimization to specific behaviors. It documents both the prevalence of cybercrime experiences and patterns in daily security practices across the population. These measures describe the operating conditions under which individuals make security decisions.
