Introduction & Methodology
From September 10 to 18, 2019, DHM Research and ReputationUs conducted a survey of Oregonians to assess their experiences and opinions about cybersecurity and corporate reputation.
Research Methodology: The online survey consisted of 562 adults in Oregon and took approximately 12 minutes to complete. This is a sufficient sample size to assess opinions generally and to review findings by multiple subgroups.
Respondents were members of a professionally maintained online panel. Panelists are recruited randomly by telephone. Once becoming members of the panel, they are surveyed on a monthly basis about civic, social and cultural affairs.
A variety of quality control measures were employed, including questionnaire pre-testing and validation. A combination of quotas and weighting by age, gender, area of state, and education were used to match the demographic makeup of Oregon’s adult population.
Statement of Limitations: Any sampling of opinions or attitudes is subject to a margin of error. The margin of error is a standard statistical calculation that represents differences between the sample and total population at a confidence interval, or probability, calculated to be 95%. This means that there is a 95% probability that the sample taken for this study would fall within the stated margin of error if compared with the results achieved from surveying the entire population. The margin of error for this survey is ±4.1%.
DHM Research Background: DHM Research has been providing opinion research and consultation throughout the Pacific Northwest and other regions of the United States for over 40 years. The firm is nonpartisan and independent and specializes in research projects to support public policy making.
Oregonians are increasingly victims of cyberattacks and online fraud.
- To provide context to Oregonians’ experiences, the survey started by asking a series of questions from a national study conducted by Pew Research in 2017. There are striking increases in negative experiences over the last two years.
- 73% of Oregonians now report that they been notified that their personal information, such as an account number, has been compromised. In 2017, just 35% of Americans reported that this had happened to them.
- 56% of Oregonians say that they have noticed fraudulent charges on their debit or credit cards, an increase from 41% in the 2017 study.
- And 41% of Oregonians have received a notice that their Social Security number has been compromised. Just 15% of Americans had reported this happening in 2017.
Oregonians believe banks and healthcare providers protect their customers’ personal information. They find internet and cell phone providers the least trusted.
- 84% of Oregonians are at least “somewhat confident” that their bank effectively protects their personal financial information, and 74% are similarly confident that their healthcare provider will protect their medical information. However, this confidence is not absolute. Much smaller percentages say that they are “very” confident in their banks and healthcare providers (33% and 22% respectfully).
- Oregonians have less confidence in the internet (50%) and cell phone (48%) providers.
When companies are hit by cyberattacks, Oregonians are likely to hold the companies partially responsible.
- Survey respondents were given the following scenario: a large corporation is a victim of a cyberattack that exposed their customers’ financial and personal information. They were then asked to allocate responsibility to the corporation and the hacker. Oregonians said the corporation shared 46% of the responsibility and the hacker 54%.
Companies that are not able to keep personal information secure are at risk of losing their customers.
- More than four in ten Oregonians said that it is “very unlikely” that they would remain a customer of a company—even one that they had been loyal to—if their personal information was stolen to: set up a fake credit card account (48%); shared on the internet (43%); or caused their credit score to decline (41%).
Helping cyberattack victims understand their risk is important when communicating about cyberattacks.
- 70% of Oregonians said that they would be more concerned if their bank or credit union information were “one of hundred” stolen in a cyberattack, compared to 19% who said they would be more concerned if their account information was “one of thousands” stolen.
- Oregonians would also be more concerned by an attack from an American cybercriminal (49%) than by an attack carried out by a foreign government (33%).
Companies that communicate the steps they are taking to upgrade their security procedures are more trusted than those that stay silent about attacks and their security.
- Oregonians in this survey were asked which they would trust more to protect their personal information: a large business that was a cyberattack victim but responded by upgrading its security procedures, or a large business than never said whether or not they have been a victim of a cyberattack. By a margin of 60% to 8%, Oregonians said they would have more trust in a business that was attacked and upgraded their systems than a business that kept quiet about the attack.
- An overwhelming 96% of Oregonians would prefer a corporation acknowledge a cyberattack and offer free credit monitoring even if there was no evidence that their personal information was stolen, rather than the corporation not say anything about the attack so as to not unnecessarily worry their customers.
- Given the fact cyberattacks are on the rise, and most Oregonians have some experience of being a victim, they are likely to assume that large businesses are under threat. This result indicates that rather than trying to minimize or be silent about an attack, a more effective approach for businesses is to acknowledge the threat, be upfront about incidents, and aggressively communicate about what they are doing to continually enhance customer safety.
Oregonians do not want companies or their local governments to pay ransoms to cybercriminals.
- In the last few years, there have been high-profile cyberattacks on businesses and local governments. The criminals freeze access to files and records and demand a ransom to unlock them. The City of Baltimore was locked out of much of their computer systems for weeks, and paid $18 million to rebuild their system, rather than paying a $75,000 ransom demand.
- Oregonians were asked what they would like their local government and their bank to do if they experience this kind of attack. A strong majority do not want their local government (73%) or bank (66%) to pay the ransom.