Mobile Phone Brand Categorization vs. Users’ Security Practices

— In the present paper, we correlated the brand of mobile phone to users’ security practices, statistically processing a large pool of the responses of 7172 students in 17 Universities of 10 Eastern and Southern Europe countries. Users show different behavior in an array of characteristics, according to the brand of the mobile phone they are using. As such, there is a categorization of areas, different for each brand, where users are clearly lacking security mind, possibly due to lack of awareness. Such a categorization can help phone manufacturers enhance their mobile phones in regards to security, preferably transparently for the user. It can also allow mobile phone resellers to implement specific security awareness programs for their clients.


INTRODUCTION
Mobile devices are becoming a critical component of the digital economy, a style statement and useful communication device, a vital part of daily life for billions of people around the world.There exist dozens of different brands, overlapping in public's coverage of communication needs.Given their ubiquitous presence, mobile phones are used from both experienced and security savvy users as well as from people that do not pay that much attention to security issues.All of them must be protected from unauthorized third party access to their data and from economic frauds.Since users' alone can't cope with this task, operators and handset manufacturers have to take extra security measures.Starting from manufacturers, they must provide better designed and more security hardened phones.Operators, on the other hand must effectively protect their networks.Both can further educate users.
As this paper reveals, users exhibit different levels of knowledge in regards to security depending on the brand of the phone they are using.This can possibly be explained because certain brands are more appealing to different classes of users (i.e.depending on age, sex, financial status etc).As such, the mere knowledge of the brand alone (which is possible for the operator to know without users' intervention), can provide valuable information.This diversity in security knowledge is apparent not only in subjective answers but also in the specific answers they provide to questions testing their practices.Certain brand users need proper training and education more than others in order to mitigate the increased security risks they face due to their ignorance.Thanks to the statistical process concluded in this work, these specific user categories can easily be pinpointed.In the rest of the paper, in Section II, related literature is examined.The methodology used for the survey is described in Section III.Results are presented in Section IV, closing with conclusion and future work in Section V.

II. RELATED WORK
Although there have been quite many theoretical studies concerning mobile services and mobile phones, a significant means for investigating and understanding users' preferences is asking their opinion via specific questioning techniques.The vast majority of these surveys indicate the growing importance of mobile phones in everyday life and the increased popularity of new features [1].
In any case, the security of mobile phones is proven not to be adequate in many research papers [2] [3].Modern smart phones, specifically, are vulnerable to more security risks [4].There also exist several survey studies in this direction.Some of these surveys studies focus on mobile phone's security issues [5][6] while others on mobile phone services, touching also security issues [7].
A survey [8] published in November 2008 focused on mobile phones security issues and in which degree these issues concern the users.The conclusion was that a major part of the participants are extremely concerned about security and don't want any of their private data to be available to 3rd party unauthorized users.Furthermore, users are interested in mobile services adoption only if the prices are low and the security framework tight enough [9].
Despite the importance of security in the given field, cyber security and safety education is left out from the educational system [10].Users, in turn, do not know if their phones are secure or not [11].

III. METHODOLOGY
A very useful evaluation method for surveying user's practices is the use of multiple-choice questionnaires (i.e. in person delivery or e-mail questionnaires) [12] [13].Our survey was conducted using in-person delivery technique, with a total of 7172 respondents participating in this survey.This method was selected from other alternatives because is more accurate and has a bigger degree of participation from the respondents (e-mail questionnaires usually are treated as spam mail from the respondents plus there is the risk of misunderstand some questions).Data entry took place using custom software [14].
The target group of the survey was university students from ages mostly 18-26, incorporating both younger and older youth segments because these ages are more receptive to new technologies.Since they are still studying, it would be easier to participate in security education programs, possibly implemented in Universities.
As stated in the introduction, we correlated students' answers to the brand they are using.Since there was a bias in the demographics (mainly in age and in less extent to age) we normalized the values for the investigation of their correlation to the brand.This was accomplished by using weights according to the participation of these groups in the whole sample

IV. RESULTS
The questionnaire was divided in two parts.In the first part participants were asked demographic questions including gender, age and field of studies.In the second part we introduced security knowledge and practice questions.In the following sections we present the results of the brand categorization in regards to the security knowledge and practices of respective users.All of the findings presented are statistically significantly (Pearson's Chi-Square).

A. Demographics and hardware
53% of the participants were females and 47% were males.Weighting the sample's responses to overcome this minor bias, we noticed that Samsung and LG have a greater penetration in women (Figure 1).

B. Security specific questions
Our fundamental research questions were whether students are informed about how the options and the technical characteristics of their mobile phones affect their security and, secondly, how safe they consider communication using mobile phones.Students answered subjectively those two questions.We further used some objective questions in regards to security practices (noting IMEI-International Mobile Equipment Identity, using PIN-Personal Identification Number, using password protected screen saver, using antivirus, taking backups).This way, we were able to conclude whether their subjective answers are actually in pace with the objective facts.

www.etasr.com Androulidakis and Kandus: Mobile Phone Brand Categorization vs Users' Security Practices
Answering the question "Are you informed about how the options and technical characteristics of your mobile phone affect its security?", the majority of students (30.8%) states that they are "moderately" informed about security options and characteristics while a large 15.8% believes that they are "not at all" informed.The specific brand distribution is shown in Figure 4. We proceeded to weighting the responses with the following weights: Very Much: 4, Much: 3, Moderately: 2, Not much: 1, Not at all: 0 and then divided by the number of occurrences, in to get an arithmetic value to better compare the results (Figure 5).That proved that LG and Samsung users are mostly in need of security education since they scored the least in the 0-4 scale (1.74 and 1.73).Nokia (1.85) is around the total mean (1.86).iPhone and Ericsson users are the most informed ones (1.97 and 1.95).Continuing with a general question about how "safe" users feel the mobile phone communication is, the majority (36.9%) replied "moderately" followed by 28.6% "much".On the other hand, some 21.36% felt not too much or not at all sure they are safe.The specific brand distribution is shown in Figure 6.Weighting with the same scale (0-4), we got the results of Figure 7.We can see that iPhone users are the ones that are most 'suspicious' in regards to how safe they consider mobile phone communication.Sharp users are the more relaxed ones.Leaving aside the subjective answers of the previous two questions, we moved into more objective questions, to test the security practices of students.In Figure 8, we can see that contrary to other users, Sharp users are more aware of their phone's IMEI.At the same time, half of LG and Nokia users do not even know what it is.Focusing on the subset of users that are aware of IMEI, we plotted the ratio of users that have written it down to users that have not written it down vs. the brand.Sharp was the only brand that had a ratio of more than one (more yes than no).IMEI is very significant because if the phone is ever stolen, using this serial number the provider can (in theory, not always implemented in practice) block access to the stolen phone effectively mitigating stealing risks.Knowledge of this feature would possibly help 51.3% of the whole sample who unfortunately had their phone stolen once or more.Similarly high percentages are noted by other studies too [15] [16].It is well interesting to note that Sharp users that are most actively noting down their IMEI, were indeed the ones that had mostly their phone lost or stolen in the past (Figure 10).

www.etasr.com Androulidakis and Kandus: Mobile Phone Brand Categorization vs Users' Security Practices
Proceeding to PIN code, users, as expected, are actively (67.2%) using it.It is rather surprising however that Sharp users, that had the most incidents of lost/stolen phone are the ones least using it (Figure 11), despite the fact that they had the best behaviour in noting down IMEIs.
Only a small percentage of 14.7% uses screen-saver password.26.3% of them do not even know if their phone has such an option.That leaves 85.3% of users without a screen saver password protection, and their phones ready to be manipulated by "malicious" hands.An attack can take place in a few minutes by downloading specific software to the phone; this is why it is not enough to protect the phone only by PIN but also by a screen saver password.Sorting by ignorance (Figure 12) we see that Motorola and Sharp users are the least informed regarding this feature.As expected, iPhone users are downloading far more than other users and mostly applications (Figure 13).
Given the rising downloading trends, a mobile phone Antivirus will soon be needed.For the moment (Figure 14), 20% of iPhone owners are using such a product, while for all brands the dominant answer is that users do not know if such a product exists for their phone.It was not possible to test what kind of antivirus users mentioned, since for iPhone there is no specific antivirus available, but rather applications that can help the security but not actually "scan" the phone for viruses.So the 20% percentage is probably lower.This finding should anyway lead manufacturers to collaborate with software vendors in order to incorporate antivirus in the phones without users' intervention.Luckily, organizations, in contrast to home users, show an increase in mobile phone antivirus tools usage [17].
Closing our survey, the issue of backup was examined (Figure 15).iPhone users are again the most cautious ones.Nokia users exhibit a very high percentage (almost 60%) in the category that never performs a backup.It is clear that for such a category of users automated tools should undertake the process of backup.

V. CONCLUSION AND FUTURE WORK
As this survey proved (using Pearson's Chi Square), users can be grouped in well defined categories according to the brand of the mobile phone they are using, correlated to an array of demographic and security practices characteristics.
Among the findings of this survey we focus on the most interesting ones:

•
Nokia users are the ones that are least taking backups.
It seems that iPhone users represent a well informed part of the sample.Unfortunately given their small number, the image from the general user behaviour is not that positive.
Using the results provided, manufacturers can immediately take advantage of this categorization, enhancing the security features of their phones.There is also arguably need for better software and better designed user interfaces.Enhancing users' security knowledge would lower their fear of communication insecurity, leading to increased mobile phone usage.

APPENDIX
The Questionnaire used

Fig. 2 .
Fig. 2. Brand distribution Most of the respondents, in turn, were aged 18-26 (75%).Normalizing again, in order to overcome the bias in ages, we got the distribution of Figure 3. Nokia, Sony-Ericsson and Samsung have almost uniform distribution among ages, with the first two being slightly more preferred by younger segments.Motorola and iPhone were mainly preferred by older youth segments.

Fig. 13 .Fig. 14 .Fig. 15 .
Fig. 13. Brand vs. downloading Do you have Bluetooth: (A Switched on and visible, B Switched on and invisible, C Switched off, D don't know the difference between visible and invisible, E My phone doesn't have Bluetooth, 15) Do you lend it to others?(A Never, B Only for a while and if I am present, C Yes) 16) Do you "download" software to your phone?(A I don't know if my mobile phone can download, B No, C mostly Ringtones/Logos, D mostly Games, E mostly Applications) 17) Do you use Antivirus software in your phone?(A Doesn't have the ability, B Don't know if there is such product for my phone, C I know there is but I don't use D Yes) 18) Do you store important passwords in your phone (eg Credit cards passwords, ATM passwords)?(A No, B Yes and "encrypted", C yes, without encryption) 19) How often do you create backup copies of your phone's data?(A Never, B >3 times per month, B 2-3 times per month, C Once per month, D Less often) 20) Do you keep sensitive personal data into your phone (photos/videos/discussion recordings)?(A Yes, B No) 21) How safe do you consider communication through mobile phones?(A Very Much, B Much, C Moderately, D Not too much, E Not at all) 22) Are you informed about how the options and technical characteristics of your mobile phone affect its security?(A Very Much, B Much, C Moderately, D Not too much, E Not at all)