Securing the Digital World

New Survey: Consumers Increase Security Expectations in Wake of Password Breaches

May 15, 2017 | by Heidi Bleau

Several years ago, I was talking to an organization which had recently deployed risk-based authentication on its online customer portal. Based on their business model, I was especially curious to learn why they had selected to add consumer authentication to their website. The answer was simple, "It is a competitive advantage for us."

Fast forward to 2017, and in recalling that statement, it makes more sense to me than ever. You see, this organization was not a bank that would have been crippled by financial fraud losses had its customers' accounts been breached. Instead, a major competitor had just suffered a data breach which had tarnished its brand image. Not only did this organization want to protect its brand, but it wanted to attract new customers. By using security as a core business advantage, the organization started taking customers from its top competitor. The choice was a business-driven security decision.

So the question becomes: What security expectations do consumers have, and what is the impact on business?

Based on a recent survey of more than 2,100 consumers, commissioned by RSA and conducted by Harris Poll, consumers overwhelmingly responded that they want some level of control over how their digital identity is protected, and they even prefer the security to be visible. Among respondents, 93% of consumers agreed it is important to be involved in choosing how their personal information and accounts are protected online, while 91% stated they prefer an online service provider who makes security visible to them.

This is not to say consumers are clamoring for friction during their online activity, as there is a fine line between inspiring customer confidence and adding inconvenience. Achieving this delicate balance is often the biggest struggle organizations face when deciding to build security into customer-facing digital channels. When talking to our clients, I more often hear that the number one priority for any cybersecurity initiative is customer satisfaction vs. fraud prevention. Some organizations even factor in fraud losses as a cost of doing business, accepting them over the risk of revenue loss resulting from a customer abandoning a transaction.

Despite being driven by regulation, organizations with any large online customer base know they have to provide security at some level and not just because their customers expect it. Password breaches continue to plague popular websites and are top of mind among consumers, with 60% of consumers citing the prevalence of password breaches as their top cybersecurity concern.

Consumers are still doing very little to clean up their security hygiene though, according to our survey. Two out of five consumers still write their passwords down on paper, one in four use the same password for most online accounts, and only 28% admit to changing their password following a major password breach. Organizations don't need to be breached directly, however, to feel the effect as this risky consumer behavior can leave them a target for password guessing attacks and account takeover. What are the chances a certain percentage of your customer accounts are at risk when the friendly shop down the road suddenly finds its entire customer database for sale on the Dark Web?

The RSA 2017 Consumer Cybersecurity Confidence Index offers many additional insights including the best (and worst) performers in consumer security, what devices consumers prefer to transact from, and the personal information consumers are most concerned about losing in a data breach. To view the full results, download the infographic and e-book.

Put your consumer hat on for a moment. What are your security expectations?

For additional information, visit or follow us on Twitter @RSAFraud.