Users Perceptions on Computer Intrusion


Linköping University Electronic Press


Copyright

The publishers will keep this document online on the Internet – or its possible replacement – from the date of publication barring exceptional circumstances.

The online availability of the document implies permanent permission for anyone to read, to download, or to print out single copies for his/her own use and to use it unchanged for non-commercial research and educational purpose. Subsequent transfers of copyright cannot revoke this permission. All other uses of the document are conditional upon the consent of the copyright owner. The publisher has taken technical and administrative measures to assure authenticity, security and accessibility.

According to intellectual property law the author has the right to be mentioned when his/her work is accessed as described above and to be protected against infringement.

For additional information about the Linköping University Electronic Press and its procedures for publication and for assurance of document integrity, please refer to its www home page: http://www.ep.liu.se/.


Linköping University
Department of Computer and Information Science

Final thesis

Users Perceptions on Computer Intrusion

by Aria M. Soltani

LIU-IDA/LITH-EX-G--16/061--SE
2016-08-31

Supervisor: Anna Vapen
Examiner: Nahid Shahmehri


Abstract

This thesis is built on the hypothesis that the average computer user has very little understanding regarding computer intrusion. Due to the prevalence of computers in our day and age, the prospect of users lacking even basic knowledge regarding something a user is at risk of encountering almost daily is worrying. This thesis presents the discrepancies between how computer intrusion occurs and how the average user believes computer intrusion occurs. It does this by conducting a series of qualitative interviews with interviewees having wide ranges of experience and knowledge regarding computer intrusion, quantifying their answers, and comparing the data to existing statistics on the topic.

This thesis found that the average user does indeed understand very little about computer intrusion. When asked how they believe it occurs, they in general either gave very vague answers and were unable to elaborate, or gave answers that correspond to a movie or TV show stereotype of computer hacking, with nerdy hackers rapidly tapping on their keyboards causing their computer screens to flash with bright colors and fancy graphics. Furthermore, this thesis also found that even in users who had extensive experience working within IT or with computing, a clear lack of knowledge in many areas could be observed.

Additionally, this thesis reached some further interesting conclusions based on the gathered data that were not originally the goal of the survey, such as the fact that many users seem to be far more susceptible to phishing on social media than via email, and that users completely misunderstand the motives of people who perform computer intrusion.


Acknowledgements

I would like to thank Nahid Shahmehri for taking the time and effort to be my examiner, and my supervisor, Anna Vapen, who had invaluable advice and suggestions that significantly improved the quality of this thesis. I would also like to thank my friends who helped proof-read this thesis, and Lysator, the academic computer club at Linköping University, which provided me with excess amounts of fika (for non-Swedes: google it), a place to work and an all-around friendly, helpful atmosphere. Also, I would like to thank Pokémon Go, since it allowed me to approach strangers in a not too awkward manner and request interviews. And finally, my thanks go out to everyone who took the time to allow themselves to be interviewed by me; without them this thesis would not exist.

Aria M. Soltani, Linköping, September 2, 2016


Contents

1 Introduction
1.1 Motivation
1.2 Problem Formulation
1.2.1 Delimitations
2 Theory
2.1 A Brief Overview of Security Engineering
2.1.1 Information Security
2.2 Statistics on Computer Intrusion
2.3 The Hollywood Stereotype
2.4 How Computer Intrusion Occurs
2.4.1 Social Engineering
2.4.2 Types of Attackers and Motivations
2.5 Interview Technique
3 Method
3.1 Initial Planning
3.1.1 Planning the Interviews
3.1.2 Finding the Right Interviewees
3.2 Designing the Interview Template
3.3 Conducting the Interviews
3.4 Compiling the Results
3.4.1 Determining Knowledge Levels of Interviewees
4 Results
4.1 Main Statistics
4.2 Additional Interesting Findings
5 Discussion
5.1 Regarding the Method
5.1.1 Source Criticism
5.2 Analysis of the Results
5.2.1 Additional Related Work
5.2.2 Flaws in the Study
5.3 Potential Further Work
6 Conclusions
Bibliography


1 Introduction

This thesis work aims to identify how the average layman thinks computer intrusion occurs, and how these assumptions may differ from how computer intrusion actually occurs. Being able to answer these questions paves the way for a great deal of potential future analysis and discussion regarding contemporary computer security, primarily regarding the common mistakes of the average individual and how we may eventually fill the knowledge gaps discovered in the average user.

1.1 Motivation

This thesis is built around the hypothesis that the average user understands very little about the underlying security of the computers that almost everyone nowadays uses daily. We believe that someone who has no or very little education in a computing or engineering field has very little understanding of computer security and, as a result, of how to properly protect themselves from computer intrusion. Moreover, modern film and media push a stereotypical image of 'the hacker' and generally perpetuate an incorrect idea of 'hacking', and in turn of computer intrusion. If the average user believes computer intrusion occurs in one way, and secures himself accordingly, he is gravely vulnerable when it occurs in another way that he has neglected to guard against. This applies to companies and organizations as well. Previous research shows that companies do not fully grasp what threatens them: a study by A. Gupta and R. Hammond shows that companies listed insider access abuse, the most prevalent source of IT attacks, as their lowest concern [1].

Some examples of negligence are Dustin (a reseller of IT products) and, a case that can be considered more serious, the Bangladesh Central Bank. In the case of Dustin, passwords were stored in clear text and employees of the company could see these passwords at any time, which is considered bad practice. For example, this allows a disgruntled former employee who saved the passwords not only to access customers' accounts at will, but also to try those passwords against accounts on other sites where the customer may have reused them. Furthermore, should the database leak or be breached, the attacker instantly has every password in the clear. The standard remedy is to store only a salted hash computed with a slow key-derivation function, so that neither employees nor whoever obtains a copy of the database can read the passwords. In the case of the Bangladesh Central Bank, it was revealed that the bank had no firewall and was operating on a $10 second-hand network when it was hacked. The SWIFT (Society for Worldwide Interbank Financial Telecommunication) software used to make payments was compromised, and in the end the attackers got away with $81 million [2, 3]. These cases were able to take place because the people in charge were either uninformed or misinformed regarding computer intrusion or, perhaps even worse, simply did not care. In the end it is the customers of Dustin and of the bank who end up being put at risk, and these risks can be mitigated by a better understanding of computer intrusion. Unfortunately, security, even when presented in a relatively easy-to-understand form, is seemingly unmanageable for untrained users [4].

One motivation for a study such as this is that by identifying general flaws in individuals' knowledge, you can more easily remedy them. By identifying which behaviours and misconceptions exist you can analyze their repercussions, and use this as a basis for future improvements. A large company most likely has a chief technical officer or a head of computer security who knows how to keep its systems safe and secure, but a smaller company, perhaps one that is just starting and comprised of only a few average users, may make the same mistakes regarding the company's computer security that an individual makes. A smaller company in this case is one that has perhaps not yet fully grasped the importance of its information security, or does not yet have the resources to hire a professional who can assist with it. If a company has its integrity compromised, it may lose not only money but also its reputation. A recent example of this is when an electronic sign in Malmö, Sweden, was compromised and started displaying pornography. This led to heavy criticism of the municipality and of the company it had hired, and one can imagine the company will lose a significant amount of customer confidence [5].

Previously an 'average user' was mentioned. For the purposes of this thesis, an average user is defined as someone who spends some time on a computer on a day-to-day basis without having any profound knowledge of its inner workings, and who has little to no experience working within an IT or computer science related context. The average user is familiar enough with modern technology to use a smartphone and its applications, most likely does so on a daily basis, and uses similar functions on a personal computer, such as word processing applications or a web browser, primarily for the purposes of entertainment.

1.2 Problem Formulation

The intent of this thesis work is to identify how the average layman thinks computer intrusion occurs, and how (if at all) that differs from how computer intrusion actually happens. We believe that many people have gotten the idea that computer intrusion occurs the way modern Hollywood makes it appear, with some nerdy hacker typing rapidly on a keyboard, breaking through firewalls and encryption until reaching his target, whereas our hypothesis is that it has more to do with insider abuse, post-it notes with the password written on them stuck to the laptop, phishing and social engineering. The aim of this thesis is to gather enough data via qualitative interviews to produce a result that displays these differences, should they exist, as clearly as possible, so as to open the topic up for further analysis.

Having well-rounded yet reasonably limited questions to answer is very important for any project, and as such we have attempted to summarize the goals in the form of two concise questions:

• How does the average user think computer intrusion occurs?

This is the core of this thesis work. This question needs to be answered in order for the second question to be asked:

• How does the average user's idea of computer intrusion differ from how computer intrusion actually occurs?

By attempting to answer this question we can find the gaps in knowledge within the perceptions of the average individual, which in turn opens up a lot of interesting analysis.

Another important issue that needs to be addressed before we can attempt to answer the two questions above is how we define computer intrusion. Within the frame of this thesis work the definition we have chosen is that computer intrusion is "An incident of unauthorized access to data or an automated information system" [6]. This can be anything from someone using a backdoor in a computer system to someone working within healthcare who has access to a patient's files, is not allowed to read them, but does so anyway. Additional examples include phishing, spoofing, clickjacking and social engineering.

1.2.1 Delimitations

In order for the scope of this thesis work to be limited and kept within a reasonable scale, certain delimitations are required. This thesis used interviews and searches for pre-existing statistics as methods to collect as much information as possible, then compiled this information in Excel sheets in order to compare it to statistics on actual computer intrusion in an attempt to answer both questions formulated earlier. This thesis refrained from analyzing the implications of the answers too deeply, and mainly focused on gathering information to answer the first question, after which those results were used to help answer the second. Due to time constraints, a time frame was chosen (more on this in chapter 3) during which to gather the relevant information via interviews, after which the information gathering process was halted, fortunately with a large enough sample size.


2 Theory

Before going into the method, a brief explanation of the underlying concepts and theory is required in order to give a basic understanding of the terminology used and concepts referred to in this thesis. Not only of the computer security aspect of it, but also to explain the theory behind the interviews and the interview technique it is based on.

2.1 A Brief Overview of Security Engineering

The subject of security engineering is very broad and complex, and cannot be realistically covered fully in the confines of this thesis. However, a brief overview is required in order to emphasize its importance in the context of this thesis work. Both computer and information security fall under the umbrella of security engineering, which can be summarized as being "about building systems to remain dependable in the face of malice, error, or mischance" [7].

Computer and information security, in their contemporary state, are heavily intertwined. According to the NIST Glossary of Key Information Security Terms, computer security refers to "Measures and controls that ensure confidentiality, integrity, and availability of information system assets including hardware, software, firmware, and information being processed, stored, and communicated", and information security refers to "The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability". We are primarily interested in information security, as computer security mainly concerns assets [8, 9].

Before the problem of data security evolved with the introduction of computer networking, computer security was a matter of protecting the physical machine from theft or damage to the hardware or information, or preventing any disruption of service. With the evolution of remote terminal access, remote communications and networking, securing only the physical machine is no longer considered sufficient [10, 7]. During the 1980s the personal computer became a widespread commodity available in most homes, and during this time the security problem evolved to encompass malware such as viruses as well. After this, in the 1990s, focus started to shift towards networks, and eventually towards the people maintaining them. These humans, as we will discuss later in section 2.4.1, and their workstations are the weakest link in the security of a personal computer and the data stored on it. In a modern workplace the security officers have to ensure that the users, in their interactions with outside networks through web browsers, social media sites, digital media players and so on, are protected from the risk of importing malware into their systems [11].


Figure 2.1: Timeline illustrating the evolution of data security

2.1.1 Information Security

Information security evolved from the early field of computer security, and can be summarized as the protection of assets that use, store or transmit information from risk [12]. Within information security (and computer security), the CIA triad of confidentiality, integrity and availability is often referenced. Protecting confidentiality means making sure your information does not end up in the wrong hands. Integrity refers to the accuracy and trustworthiness of the data, making sure it has not been tampered with. Availability refers to the data actually being available when needed. Ensuring availability includes, but is not limited to, performing hardware maintenance to keep servers running and implementing safeguards against attacks such as DDoS to make sure that the data is available when needed [13, 14].

One constant issue within security engineering, and by extension information security, is ease of access versus security. The only way to be fully secure is to unplug all your devices; in general, higher levels of security tend to reduce ease of access and use [15]. A classic example is the password problem: a password that is too short can be brute-forced, and when a user is required to choose a long and complex password, the user will normally either choose one that is vulnerable to dictionary attacks or, even worse, write it down on a post-it note and stick it on his or her laptop. Users have a tendency to choose passwords that are easy to remember rather than passwords that are difficult to crack, so the password complexity problem can be summarized as: "Choose a password you can't remember, and don't write it down". Another aspect is economic: it may be more lucrative for a company to simply tolerate computer intrusion and pay for the damage than to implement safeguards against it [7, 16]. One example is companies that allow card transactions without the user having to type in the CVC/CVV/CVV2 number, having determined that the revenue gained by making transactions easier outweighs the cost of fraud and chargebacks.
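To make the two halves of the password problem concrete, the following is an added example (not code from the thesis) that runs a dictionary attack and a brute-force attack against a constructed, hypothetical credential store. The user names, passwords and wordlist are all made up for illustration. The store holds unsalted SHA-256 hashes so that both attacks finish in about a second; a real system should store a salted hash from a slow key-derivation function (scrypt, bcrypt or Argon2), which is exactly what makes these attacks expensive. The guess rate used for the time estimate is an assumed figure.

```python
"""Brute-force and dictionary attacks against a constructed password store."""
import hashlib
import itertools
from typing import Dict, Iterable

LOWERCASE = "abcdefghijklmnopqrstuvwxyz"


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, as found in many historical breaches (not a recommendation)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed "leaked" credential store: user -> hash. The plaintexts are a
# short random-looking password, a long but common one, and a long random one.
LEAKED_STORE: Dict[str, str] = {
    "alice": sha256_hex("kqzx"),          # 4 lowercase letters: falls to brute force
    "bob": sha256_hex("password1"),       # 9 characters, but in every wordlist
    "carol": sha256_hex("Tq7#vL9!mZ2p"),  # 12 mixed characters: survives both attacks
}

# Constructed stand-in for a real wordlist such as rockyou.txt.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password1", "dragon"]


def _index_by_hash(store: Dict[str, str]) -> Dict[str, str]:
    """Invert user -> hash so each candidate is hashed once for all users."""
    return {digest: user for user, digest in store.items()}


def dictionary_attack(store: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Return {user: password} for every hash that matches a wordlist entry."""
    by_hash = _index_by_hash(store)
    found: Dict[str, str] = {}
    for word in wordlist:
        user = by_hash.get(sha256_hex(word))
        if user is not None:
            found[user] = word
    return found


def brute_force(store: Dict[str, str], alphabet: str, max_len: int) -> Dict[str, str]:
    """Exhaust every string over `alphabet` of length 1..max_len."""
    by_hash = _index_by_hash(store)
    found: Dict[str, str] = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            user = by_hash.get(sha256_hex(candidate))
            if user is not None:
                found[user] = candidate
    return found


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Worst-case number of guesses for passwords of length 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def worst_case_seconds(alphabet_size: int, max_len: int, guesses_per_second: float) -> float:
    """How long exhausting the keyspace takes at a given (assumed) guess rate."""
    return keyspace(alphabet_size, max_len) / guesses_per_second


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(LEAKED_STORE, WORDLIST))
    print("brute force:", brute_force(LEAKED_STORE, LOWERCASE, 4))
    # Why length and character set matter, at an assumed 1e9 guesses/s:
    print("4 lowercase letters, seconds:", worst_case_seconds(26, 4, 1e9))
    print("12 printable ASCII characters, years:",
          worst_case_seconds(94, 12, 1e9) / 31_557_600)
```

The dictionary attack recovers bob's long-but-common password with six guesses, the brute-force attack recovers alice's short password after at most 475,254 guesses, and carol's 12-character password survives both; the keyspace figures show why length and character set, not "complexity rules", decide the brute-force cost.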

Other methods of authentication also have their respective strengths and weaknesses. Passwords are classified as knowledge-based authentication, since they are based on something the user knows. Aside from this there is possession-based authentication, based on something the user has, and biometric authentication, based on what the user is. Possession-based authentication, such as a keycard, obviates the need for a user to remember a password, but comes with the drawback of being an object that can be stolen or duplicated. Biometric authentication offers a high level of security since it requires the user neither to carry an item nor to recall anything, but it is technically complex and expensive. It also comes with some level of inaccuracy, as a user changes biologically over time and may resemble another user, causing false matches or incorrect rejections [17].


2.2 Statistics on Computer Intrusion

IT-related crime has increased significantly in recent years. In Sweden, it increased by 55% within the private and governmental sectors from 1995 to 2000, meaning that in 2000 approximately every fourth organization had at some point been affected [18]. In 2012, again in Sweden, crime across all categories rose by only 1%, but from 2007 to 2012 reports of computer intrusion increased by 35% each year [19]. In 2013 twice as many cases of computer intrusion were reported as in the previous year [20]. Preliminary statistics for 2014 show that computer intrusion in Sweden went down by 28% compared to 2013 [21].

From the statistics, computer intrusion, at 39%, was the second most common type of IT-related crime after viruses/malware, with almost 240 cases a year. These cases of computer intrusion include manipulation, deletion and theft of data and/or software, modification of websites, NetBus/sniffer software, and more [21, 18, 20, 19]. Another source, the Swedish Internet Foundation, found that 30% of internet users (in Sweden) had encountered phishing in some form, 18% had encountered some form of malware that had infected their machines, 6% had been scammed when purchasing something online and 2% had had their credit card information stolen [22].

Regarding the types of attack that organizations specifically fall victim to, the Computer Security Institute conducted a survey asking its community how it had been affected by network and computer crime in the prior year. The most frequent type of computer security incident, they found, was viruses, followed by insider abuse in second place, which was also the most costly type of incident. They also found that 68% of the organizations surveyed had a formal security policy, and 18% said they were developing one. Furthermore, almost half of the organizations stated that they spend less than 1% of their security budget on awareness training [23].

There are, however, hidden statistics behind this. It is not uncommon for companies to attempt to mask the fact that they ever had any security flaws, as Apple and Volkswagen have done [24, 25, 26], or, more seriously, to hide the fact that they have been hacked until either caught or until the company feels it can properly handle the fallout, as TalkTalk was accused of as recently as 2015 [27]. In general, companies tend to act unsatisfactorily when it comes to reporting their breaches [28]. According to the Computer Security Institute Crime and Security Survey of 2005, the most common reason an organization chose not to report computer intrusion to law enforcement, at 43%, was fear of negative publicity that would hurt its stock price or image. The second most common reason, at 33%, was fear of competitors using the situation to their advantage. Furthermore, 16% of organizations were unaware of law enforcement interest in the subject [29].

2.3 The Hollywood Stereotype

Just as a chain is only as strong as its weakest link, so is a security system. The issue here is what is presented as the weakest link. In many films or TV shows the act of computer intrusion is misrepresented: in Jurassic Park (1993) or Hackers (1995) computer intrusion is shown as some form of abstract graphical interface that only the initiated can understand, while in films such as Swordfish (2001) it is simply shown as rapid typing on the keyboard [30]. Modern examples of over-the-top 'hacking' include Die Hard 4 (2007) and House of Cards (first aired 2013). The weakest link in a modern security system is the users themselves [31], and this is something that is very underrepresented.

Not all Hollywood depictions are inaccurate. Recent examples include Dredd (2012), which displays an Nmap (https://nmap.org/) version scan against TCP port 22, and, perhaps more famously, The Matrix Reloaded, in which Trinity uses Nmap to find a vulnerable SSH server and then uses the SSH1 CRC32 exploit (in-depth knowledge of this exploit is not relevant to this thesis) to hack the city's power grid [32]. Further examples of films with somewhat realistic depictions of computer intrusion include the German film Who Am I (2014) and the TV show Mr. Robot (2015), both of which display examples of social engineering, exploiting the previously mentioned weakest link. In the context of this thesis, the Hollywood stereotype of hacking refers to the portrayal of unrealistic computer intrusion in popular culture, such as, but not limited to, the less realistic examples above.


2.4 How Computer Intrusion Occurs

Regarding the motives behind acts of computer intrusion, people performing these types of crimes tend to be driven by political or financial gain, or by the basic human motivators of curiosity and revenge: curiosity in the form of someone who simply wants to see how far he can get, and revenge, for example, in the form of a disgruntled former employee. The method of attack varies with the attacker and the motive. Someone attacking a bank in order to steal money will most likely have a more thought-out and complex method of attack than someone poking around out of boredom. Methods include probe and scan, where the attacker gathers information about the system and its vulnerabilities prior to the attack, and attempting to discover a legitimate user's credentials in order to access the system through that account, which is worse still if the user holds privileges the attacker can then exploit. Credentials can be obtained in a number of ways, such as guessing the password or, more commonly, some form of social engineering such as spoofing or phishing, where the attacker pretends to be someone else over the internet (via email or similar) in order to trick the target into revealing either their credentials or information that can be used to obtain them [14, 33]. Aside from targeted attacks, there are the more common cases of simply being exposed to a virus, worm, trojan horse or malicious cookie that was written by someone with no particular target in mind. Other methods include the previously mentioned back doors, brute-force and dictionary attacks, DDoS attacks targeting the availability aspect of the CIA triad, sniffer software, social engineering and so on [12, 34].
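The probe-and-scan step above, and the Nmap version scan against TCP port 22 from section 2.3, both come down to reading what a service volunteers about itself. The following is an added example (not code from the thesis) that parses SSH identification strings and sorts scanned hosts by what the banner reveals; the hosts and banners are constructed for illustration. An SSH server announces itself as "SSH-<protoversion>-<softwareversion> [comments]" (RFC 4253), and a protocol version of 1.x, including the "1.99" compatibility string, means the server still offers the legacy SSH-1 protocol that the exploit mentioned in section 2.3 targeted. Singling out such hosts is what the scan in the film accomplishes; exploitation is out of scope here.

```python
"""Triage of SSH identification strings gathered by a version scan of port 22."""
import re
import socket
from typing import Dict, List, Optional

# SSH-protoversion-softwareversion [SP comments] per RFC 4253 section 4.2.
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?:\s+(?P<comments>.*))?$")


def parse_ssh_banner(line: str) -> Optional[Dict[str, str]]:
    """Split an identification string into its fields; None if it is not SSH."""
    match = BANNER_RE.match(line.rstrip("\r\n"))
    if match is None:
        return None
    return {
        "proto": match.group("proto"),
        "software": match.group("software"),
        "comments": match.group("comments") or "",
    }


def offers_ssh1(proto: str) -> bool:
    """True for 1.3, 1.5 and the 1.99 'both protocols' string; False for 2.0."""
    return proto.split(".", 1)[0] == "1"


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Live banner grab against a real host (not used by the offline demo below).

    The server speaks first. RFC 4253 allows it to send other lines before the
    identification string, so read until a line starting with "SSH-" appears.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace", newline="\n")
        for _ in range(20):  # bounded so a chatty or hostile server cannot hang us
            line = reader.readline()
            if not line:
                break
            if line.startswith("SSH-"):
                return line.rstrip("\r\n")
    raise ValueError(f"no SSH identification string from {host}:{port}")


def triage(scan_results: Dict[str, str]) -> Dict[str, List[str]]:
    """Group scanned hosts by what their port-22 banner reveals."""
    groups: Dict[str, List[str]] = {"ssh1": [], "ssh2_only": [], "not_ssh": []}
    for host, banner in scan_results.items():
        info = parse_ssh_banner(banner)
        if info is None:
            groups["not_ssh"].append(host)
        elif offers_ssh1(info["proto"]):
            groups["ssh1"].append(host)
        else:
            groups["ssh2_only"].append(host)
    return groups


# Constructed scan output: hypothetical hosts and the first line each returned.
SAMPLE_SCAN: Dict[str, str] = {
    "10.0.0.5": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "10.0.0.9": "SSH-1.99-OpenSSH_3.9p1",
    "10.0.0.12": "SSH-1.5-OpenSSH_2.9",
    "10.0.0.20": "HTTP/1.1 400 Bad Request",
}

if __name__ == "__main__":
    for group, hosts in triage(SAMPLE_SCAN).items():
        print(f"{group:10s} {hosts}")
```

The same information is what `nmap -sV -p 22 <target>` prints in its VERSION column; `grab_banner` does by hand, for one host, what that version scan does across a range. Note that a banner is a claim by the server, not proof: operators can rewrite it, so a version string is a lead for further probing rather than a confirmed vulnerability.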

2.4.1 Social Engineering

Social engineering is defined as "the act of manipulating people into performing actions or divulging confidential information" [33]. It is one of the most common ways an attacker gains unauthorized access to a system, and is highly relevant to our survey regarding computer intrusion. A company or individual may purchase the very best security systems available, implement them and follow their procedures rigorously, and still be completely vulnerable. The weakest link is always going to be the humans themselves, and this is why awareness training is such an important part of organizational security. It is entirely possible that someone will simply call that individual or company, pretending to be someone else, and acquire all the information they require simply by asking for it [35]. Within social engineering, an attacker is said to have 'burned the source' if the victim realizes that an attack has taken place. The victim will then notify the appropriate people to assist in recovering what was lost or changed, and it becomes very difficult to attack the same individual again in the same manner. The key point is that the attack could not have taken place in the first place if the victim had possessed beforehand the knowledge gained from the attack. Social engineering, unfortunately, is considered the most difficult type of attack to detect and defend against [36, 33].

The goal of social engineering is for the most part the same as that of 'hacking' in general: to gain access to systems or information in order to commit network intrusion, industrial espionage, fraud or identity theft, or simply to disrupt a system, service or network. As discussed in section 2.2, organizations want to keep the fact that they have been victimized a secret, which makes measuring the frequency of these kinds of attacks hard. Generally, an average user will not be the victim of social engineering; rather, this privilege is reserved for C-suite individuals who possess lucrative information, or companies that provide significant monetary incentive for the perpetrator [26, 33].

2.4.2 Types of Attackers and Motivations

Aside from automated tools or random malware such as viruses or worms that commonly infect machines, there are also individuals who actively engage in computer intrusion. These individuals can be broadly categorized as follows:

• White hat hackers and penetration testers, who attempt computer intrusion in order to notify the victim (usually a company) of the faults so that they can be patched and secured before anyone with ill intent can exploit them.

• Black hat hackers, who generally commit computer intrusion with malicious intent, be it to steal data, hijack computing power and so on. Sometimes referred to as crackers by hacking purists.

• Script kiddies, a subset of black hat hackers who make up the majority. These tend to have no real computing skill, rely on scripts and software found online, and are usually simply thrill-seeking.

• Spy hackers, who either work for a corporation or freelance, trying to obtain information or trade secrets that can profit their client or company.

• Hacktivists, who work similarly to spy hackers but usually for their own ideological cause rather than for profit.

• State-sponsored hackers and cyberterrorists, who take the roles of spy hackers and hacktivists to a global scale, with cyberterrorists working for their own organization or ideology and state-sponsored hackers working for a country, mainly for modern military purposes [37, 38].


As to what motivates an average hacker: a study performed by Thycotic, a software firm specializing in privileged access password protection, at the event Black Hat USA 2014² found that 51% were motivated simply by the sense of fun and thrill associated with the act. Only 19% were after money, and a mere 1% cared about the notoriety associated with hacking. Additionally, only 14% believed they would ever face repercussions for their actions. Another interesting statistic from the study is that 88% of those asked believed their own information was at risk, even though most of those asked can be assumed to have had a high interest in, or even expertise in, information security [39]. An article by T. Jordan and P. Taylor further confirms that money is not the primary motivator, stating that hackers are motivated by curiosity, the thrill of doing something illicit, and the feeling of power associated with the act [40].

2.5 Interview Technique

There are three main ways of gathering information for this type of study: surveys, semi-structured interviews and unstructured interviews. Whereas a survey is very useful for gathering data in the form of numbers, which can easily be analyzed via various statistical methods, it is very easy to accidentally 'force' or 'push' the respondent into certain answers or categories, which can skew the data. Surveys are generally considered better for acquiring facts. Interviews, however, tend to take a more fluid and conversational form and allow the interviewee to properly express their thoughts and give their answer in a way that is satisfactory to them. In this respect you can gather far more 'accurate' data, as you can have them explain their experiences and thought process, but at the cost of it being harder to quantify and later analyze. It is not uncommon for researchers to draw information from many different sources in their work; this is called triangulation. By using multiple methods or many different sources you are able to maximize your understanding of the problem at hand [41, 42].

This thesis primarily, however, uses semi-structured interviews as its method of gathering data, and as such, this part will focus on just that.

“With the right questions, the interviewer can get the answer to anything he wants from the interviewee” [43]. Structuring the interviews performed in the thesis work in such a way that actually extracts the relevant information is very important. There are several factors that weigh on whether or not someone even agrees to be interviewed, including trust in the interviewer, the purpose of the interview and the terms of the interview. Building a case for the importance of your topic, and building sympathy for your cause, is key when attempting to recruit interviewees [43].

When structuring an interview template, it is important to avoid leading questions, which end up making the interview completely shaped by the hypothesis of the interviewer. It is best to have simple, concrete and focused questions. Simple in the sense that you do not make them immoderately complicated and give the interviewee too much to ponder before answering. Concrete in the sense that you present a solid case, or reality, rather than attempting to have them answer an abstract, general case; this also reduces the risk of the interviewee interpreting the question in a way which you may not have intended. Focused in the sense that your question treats the topic at hand and doesn’t get sidetracked [43].

Of course, aside from the above mentioned aspects, there is much more depth to the field of interview technique. But since it is not the main topic of this thesis work, the above mentioned summary will have to serve as a brief, hopefully sufficient introduction to the topic, as well as display its importance in this work.

^2 A computer security conference for individuals interested in information security. Attracts a wide range of attendees, including representatives of government agencies and corporations in addition to hobbyists.

3 | Method

This thesis work is built on two main cornerstones. One is a literature study performed at the very start of the project, and the other is the gathering of information on individuals’ perceptions of hacking. This chapter aims to explain the process by which we performed this project in a simple, understandable and hopefully replicable way.

3.1 Initial Planning

The first part of the thesis work consisted of a literature study where we attempted to fill the holes in our knowledge, mainly in the field of interview technique, and attempt to find similar studies and their results. Unfortunately, it seems not too much similar work has been done. We found one article, written by Andrew G. Kotulic and Jan Guynes Clark, which discussed the lack of information security research studies, with one of the reasons being companies that distrusted their motives. In one instance, for example, “one of the researchers was informed that his credentials had been reviewed with a third party, because the organization was concerned that he might be practicing “social engineering” techniques to gain information about the firm’s SRM (security risk management) program countermeasures” [44]. This, coupled with an unwillingness to deal with corporate non-disclosure agreements, led us to focus solely on individuals, rather than both small companies and individuals. More specifically, we tried to get as many individuals who worked within an organization as possible, interviewing them anonymously, rather than trying to interview a company as an entity. However, there were some studies of similar nature which were found during the literature study. These are discussed in section 5.2.

3.1.1 Planning the Interviews

When planning how to gather the information, the choice stood between easily quantifiable surveys or qualitative interviews. After the literature study we reached the conclusion that interviews would be the better choice, although it would create more work for us, as we would later have to analyze and classify the interviewees and their answers ourselves.

For the purpose of this study, two main groups need to be interviewed: one group of individuals with high experience in regards to computers, and one with very low. There were some that fell in between these two categories, and therefore a third, ’average’ category also needed to be introduced.

3.1.2 Finding the Right Interviewees

Although the best scenario would be finding a large sample which contained even representations of the various demographics we are interested in questioning, it proved far easier and way more practical to simply interview everyone we could get a hold of who didn’t mind being interviewed, and then afterwards going through them and hoping we achieved a decent representation of each group. This, considering our circle of friends are primarily interested in computer science, leads to some bias, as we ended up interviewing many more people with high technical expertise than with low, who were the main target of this thesis. This, however, we argue does not diminish the confidence of the statistics drawn from the smaller group, but rather allows the intermediate average experience group to be introduced so as to act as a measuring stick between the low experience users and the high experience individuals, who mostly had industry experience. This means that the users which we in chapter 4 classify as having average experience are actually individuals with high experience, and the individuals placed in the high experience group are those who ought to have excellent knowledge due to their extensive experience. The low experience group then, which was the primary target, is technically more accurately described as an average experience group outside the context of this thesis.

3.2 Designing the Interview Template

When deciding which questions to ask during the interviews, some leeway was allowed due to the semi-structured nature of the interview. We realized it would be better to have general questions and then follow up with more specific questions should we feel they were necessary. This way we could, in some way, personalize the questions we asked in order to make sure we were able to extract the data we required. This interview template, with the questions in the correct, final order that we used, is available in full at http://www.lysator.liu.se/~arrwzy/kandidatarbete/.

Initially, we required a set of questions to discern how experienced the interviewee was in an IT and computer related context. The following were the ones we decided to use:

1. What is your current occupation?

2. Do you have any experience working within IT or with computers?

3. Do you have an interest in computers?

4. How often do you use a computer?

5. For what purpose do you use the computer?

These questions serve to gather data from the interviewee that could be used to determine their experience level. In addition to the questions stated above, another question, "How old are you?", which we predicted would grant interesting meta data, was added as the very first question. This question would also serve to ease the interviewee into the interview by commencing with an easy and straightforward question. Other questions which we felt would grant interesting data that was not directly related to the main question were also designed at this stage, with the final three that were added to the template being:

1. Who or what do you think poses a threat to you in terms of computer and/or information security?

2. Why do you think you would be the target of a type of attack, and what kind of attack?

3. Do you actively take any precautions in order to secure yourself against computer intrusion?

These were added to help discern the interviewees’ opinions around the topic of computer intrusion without addressing the main question at hand, thus allowing us to extract data that would help us draw later conclusions, as it gave us a broader insight into the mindset of the interviewee. Following this, before asking the main questions, a few scenario-esque questions were designed so as to draw out the interviewees’ thoughts and opinions regarding what may be actual cases of computer intrusion they might encounter in everyday life. The first of these scenarios was one regarding a compromised email account. The questions relating to the first scenario were the following:

1. You notice a mail has been sent from your e-mail account, but you weren’t the one who sent it, what do you think may have happened?

2. Why do you think someone may have done this, or why do you think it may have happened?

The answers to the first question would allow us to gather data for placing the interviewee in one of the three knowledge levels, as well as, depending on the depth of the answer, give us a potentially interesting insight into the thoughts of the interviewee. The answers to the second question would allow us to better judge the interviewees’ opinions regarding the motives behind this type of computer intrusion. Also, depending on how the interviewee interprets the first question here, he or she could also discuss spoofing when asked the question, which we would attempt to lead the interviewee on to if we deemed his/her familiarity with the subject was at a high enough level. Following these questions, we were interested in the interviewees’ opinions regarding password security on arbitrary systems or accounts. So the questions around the second scenario were formed as such:

1. How do you choose a password? When do you feel a password is sufficiently secure?

2. You notice someone else has changed the password of your account on some random unimportant forum. How do you think this may have happened?

3. What would you do in response to this hypothetical event?

The first question grants some interesting meta data, and despite not being related to the main question, allows a smooth transition into the following question regarding the scenario at hand. The obvious focus on passwords in this scenario allows us to extract data regarding the user’s opinion on password security, and the quality of their answers to the second and third question in this scenario further allows us to determine which knowledge group to place them in, with the second question again being usable for interesting meta data. For the last scenario, we wanted to focus on the topic of phishing. The questions selected were the following:

1. You receive an email containing a link from a friend who normally doesn’t send emails, how do you react?

2. Would it have made any difference if it was a Facebook or Skype message instead of an email?

These questions were quite straightforward, with the first question, the scenario-building one, clearly describing a classic case of phishing, and the second one prodding to determine whether or not the interviewee was familiar with modern phishing techniques. The types of answers expected were simple ones such as "I delete the mail" or "I guess I’m less cautious on social media", but we were actually given some interesting answers here which we will discuss later when presenting figure 4.7 in chapter 4.2. After those questions, only the last few main questions remained:

1. How do you think computer intrusion happens?

2. Why do you think computer intrusion happens?

3. What do you think of the ’hacking’ you often see in TV-shows or movies?

4. Do you have any own thoughts on the matter or anything you would like to add?

The first question allows us to gather the data we require to answer the main question of this thesis, while at the same time giving us information required for deciding which knowledge group to place the interviewee in. The second one allows us to once again gather interesting meta data regarding individuals’ thoughts on what motivates individuals who perform computer intrusion, or in layman’s terms, what they think motivates ’hackers’.

Originally, a question regarding website security certificate errors was also planned to be included, but after much consideration it was decided to omit it. The original thought was to display a picture of a typical error page an internet browser would generate upon failing to verify a website’s certificate, and ask the interviewee for his/her opinion should they encounter such a situation. It was decided that such a question, since it required the display of a picture and a pause in the natural process of the interview, would disrupt the flow of the casual, conversational style of the interview, and in the end would not grant any required data that could not be extracted via the other questions. Thus, in order to keep the interview fluid and smooth, it was discarded.

3.3 Conducting the Interviews

We tried to conduct the interviews in a friendly manner, and most were held in public areas such as cafes at the university, parks, or study areas on campus. The interviews were conducted over a time frame of 2 months. We took the liberty of asking additional supplementary questions when we felt they were needed, which the semi-structured nature of the interviews allowed us the freedom of doing. This allowed us to make sure we could extract the required information from each individual interviewee, which was a clear advantage over the alternative of using a questionnaire.


3.4 Compiling the Results

Once the interviews were underway, we started processing the answers, and divided the interviewees into three main categories depending on whether their general experience interacting with computers was high, average, or low in the context of this thesis. Worth noting, low, in this case, more accurately reflects the average user we described in 1.1, with average experience rather being somewhere in between an actual average and high. This is due to the bulk of the interviewees being university students within STEM fields. Which group they were placed in depended on their interests in computer science (mainly computer/information security), education, field of study and work-life experience, with each weighing in on the decision of which group they were assigned.

After that, they were again divided into three groups, this time based on their knowledge regarding computer intrusions. These were decided based on the quality of their answers to the questions in the interview. If one question was answered unsatisfactorily, but others in an excellent manner, a spot in the high group was justified. And by the same logic, if only one was answered well and the rest poorly, they would be placed in the low knowledge group. This will be explained in further detail shortly. This data was then quantified and presented as figures in chapter 4.

3.4.1 Determining Knowledge Levels of Interviewees

When determining which of the three experience levels the interviewee would be classified as possessing, the decision was almost entirely based on the initial set of questions discussed earlier in chapter 3.2. However, for deciding the knowledge level of each interviewee we had to look at the entirety of the answers given across the interview and use these to determine what level the interviewee was on. The more in-depth and technically advanced the answer was, the better. And the more vague the answer we received, the worse we classified it as. This was because many interviewees gave answers that, although not technically incorrect, were far too vague to reasonably classify as decent. Examples of answers we decided to classify as ’good’ include:

“Because of the strength of modern encryption techniques, I think a lot of phishing is prevalent, trying to get close to the intended target, if there is one.”

This answer was considered good since it acknowledges some form of knowledge regarding the efficiency of modern encryption techniques while accurately stating that phishing is an efficient method of approach.

“In order to secure myself against potential computer intrusion, I always make sure my security systems are up to date, I run Linux rather than Windows which in itself gives a layer of security against many of the random attacks that are designed specifically to target Windows machines.”

This answer displays a reasonable level of knowledge regarding automated attacks and malware that one may encounter on a machine connected to the internet, and shows the user realizes the importance of keeping systems up to date to avoid being the victim of attacks exploiting vulnerabilities that may not have been known for a long time.

“I would first off probably, depending on what the e-mail contained, assume someone had spoofed the e-mail address, claiming in their SMTP communication that it was from me when in reality it wasn’t, which is a reoccurring trait for those types of phishing emails.”

This is an excellent answer. It displays an accurate knowledge of spoofing in regard to phishing emails, while displaying a deep understanding of mail protocols in the mention of the SMTP protocol. The interviewee in this case, following the quote above, also elaborates and describes his thoughts regarding the scenario had it not been a case of spoofing and his e-mail had actually been compromised, which leads to an impeccable final answer. Examples of answers we classified as ’bad’ include:
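The distinction this answer draws, a forged sender address versus an actually compromised account, can be checked from the headers of the received message. The following is an added example written for this page, not code from the thesis or its interview material; the two messages, the hosts and the addresses in it are constructed placeholders, and it assumes the receiving mail server adds an Authentication-Results header with SPF/DKIM/DMARC results, as most do.

```python
# Added example (not from the thesis): triage for the "a mail was sent from my
# account, but I did not send it" scenario. It separates a forged header From
# (the sender lied about the address in the SMTP session) from mail that really
# went through the account, using only the received message's headers.
import email
from email.message import Message
from email.utils import parseaddr

# Constructed sample messages; hosts and addresses are placeholders.
SPOOFED_MSG = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10]) by mx.example.org with ESMTP
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.org
From: Alice <alice@example.org>
To: Bob <bob@example.org>
Subject: Invoice

Please open the attached invoice.
"""

GENUINE_MSG = """\
Return-Path: <alice@example.org>
Received: from webmail.example.org (webmail.example.org [198.51.100.5]) by mx.example.org with ESMTP
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass header.from=example.org
From: Alice <alice@example.org>
To: Bob <bob@example.org>
Subject: Invoice

Please open the attached invoice.
"""

SPOOFED = "likely spoofed"                 # header From forged; no sign the account itself was used
GENUINE = "sent through the real account"  # passed authentication; the account needs investigating
INCONCLUSIVE = "inconclusive"


def _domain(addr: str) -> str:
    """Lower-cased domain of an address written as 'Name <user@host>' or 'user@host'."""
    _, bare = parseaddr(addr)
    return bare.rpartition("@")[2].lower()


def auth_results(msg: Message) -> dict:
    """Map method -> result ('pass', 'fail', 'none', ...) from Authentication-Results.
    The first ';'-separated clause is the authserv-id, so it is skipped."""
    results = {}
    for clause in msg.get("Authentication-Results", "").split(";")[1:]:
        method, _, rest = clause.strip().partition("=")
        if method and rest:
            results[method.lower()] = rest.split()[0].lower()
    return results


def classify(raw: str) -> dict:
    """Return a verdict plus the header facts it rests on."""
    msg = email.message_from_string(raw)
    header_from = _domain(msg.get("From", ""))
    envelope_from = _domain(msg.get("Return-Path", ""))
    auth = auth_results(msg)

    indicators = []
    if envelope_from and envelope_from != header_from:
        indicators.append(f"envelope sender domain {envelope_from} differs from header From domain {header_from}")
    if auth.get("spf") == "fail":
        indicators.append("SPF failed for the envelope sender")
    if auth.get("dmarc") == "fail":
        indicators.append("DMARC failed for the header From domain")

    if indicators:
        verdict = SPOOFED
    elif auth.get("dmarc") == "pass":
        verdict = GENUINE
    else:
        verdict = INCONCLUSIVE
    return {"verdict": verdict, "indicators": indicators, "auth": auth,
            "header_from": header_from, "envelope_from": envelope_from}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MSG), ("genuine", GENUINE_MSG)):
        print(name, classify(raw))
```

A "likely spoofed" verdict means the account owner's password was not necessarily involved; a "sent through the real account" verdict is the case the interviewee goes on to describe, where the account itself has been compromised and the owner should review recent sign-ins, change the password and enable a second factor.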

“If someone changed my password, I think, maybe, it’s one of my friends, who knew my password, and because of that they could change my password.”

While technically a realistic scenario, it does not in any positive manner display the knowledge of the interviewee. It does not explain how or why the friend would know the password, or describe any alternative scenario wherein some stranger (or bot) would be the culprit. Misconceptions such as these can imply that the user does not understand that there is a threat to the user’s information security beyond the user’s friends playing pranks on them.

“I imagine computer intrusion is done by people who really know a lot about computers, who have a lot of knowledge about computers, and can, like, hack some stuff in order to get some money.”

An answer that doesn’t really say anything, is vague and fails to display how the interviewee believes computer intrusion occurs. Additionally, this type of answer assumes money to be the only motivating factor, and implies every case of computer intrusion requires an active individual. This disregards automated attacks completely, and fails to go into any depth regarding the possible ways computer intrusion happens.

“I have no idea how computer intrusion occurs.”

This answer shows that the interviewee is unfamiliar with computer intrusion, and as such this answer is classified as a low knowledge answer.

The quotes above were paraphrased, mainly because almost all of the original interviews were in Swedish, and also to avoid having to write out the preceding questions in their entirety. In general, the more in-depth the answer, and the more IT terminology and facts the interviewee was able to present, the better the answer was classified. The process as a whole worked such that we asked the questions and, based on the quality of all the answers and the impression given, grouped the interviewee into one of the three knowledge levels.

4 | Results

In section 3.1.1 we briefly described the initial structuring of the interviews, and will here give another, slightly deeper description so as to make the graphs easier to decipher. After the interviews had been conducted, the data from each interview was added to an Excel sheet that was used to compile the statistics used to draw the graphs in this chapter. Each interviewee was placed within an experience group, low, average or high, depending on their prior experience within IT and with computers in general, and then later, based on their answers, placed in one of three knowledge groups, also low, average or high, depending on how knowledgeable they were regarding the topic of computer intrusion. Users in the high experience group all have extensive experience interacting and/or working with computers during their lifetimes, and people in the low experience group have near none other than basic personal use. People in the average experience group were mostly individuals who either had a quite deep personal interest in computers and were familiar with computers at a deeper level than the average user, or were studying a computer science related field and had as such accumulated more experience within IT and with computers than their low experience counterparts. These interviewees did not have as much experience as the high experience interviewees, who had for the most part finished a similar degree and/or had real work-life experience within IT or with computers.

After the initial categorization, additional data, be it derivative such as their age, or primary such as their answers to the primary question of how they believed computer intrusion occurs, was also compiled so it could be quantified. This data is presented in the form of graphs in this chapter, and constitutes the main results of the interviews conducted for this thesis. This chapter serves only to present the data acquired; refer to section 5.2 for our opinions and the conclusions we draw based on this data.

As stated in the abstract, all interviews and surrounding materials are available at http://www.lysator.liu.se/~arrwzy/kandidatarbete/.


4.1 Main Statistics

This section contains the primary statistics that this thesis aimed to find. This data is used to answer the questions stated in chapter 1.2. In total 46 people were interviewed, and the data from those qualitative interviews were quantified and turned into the graphs presented in the figures that follow.

[Figure 4.1: grouped bar chart. x-axis: Low Experience, Average Experience, High Experience; y-axis: Number of interviewees (0 to 16); series: Low Knowledge, Average Knowledge, High Knowledge.]

Figure 4.1: Knowledge distribution of the various experience groups

Figure 4.1 shows how many interviewees from each experience group were interviewed, and their knowledge levels in regard to computer intrusion. In total, 18 (39.13 %) people with low experience were interviewed, 16 people (34.78 %) with average experience, and 12 (26.08 %) people with high levels of computer and IT experience. This graph further displays how knowledgeable the individuals within each group were, with less experienced users being less knowledgeable than their more experienced counterparts. Interestingly, within users with high experience, there was still a noticeable group with somewhat disappointing knowledge of computer intrusion^1.

8.33 % of high experience interviewees were placed in the low knowledge group, and 33.33 % of high experience interviewees were placed in the average knowledge group. This implies that just over 40 % of individuals with high experience within IT and/or with computers have unsatisfactory knowledge regarding computer intrusions. Within the average experience group, 31.25 % of interviewees were placed in the low knowledge group and 25 % in the high experience group, meaning interviewees on average had a slightly lower knowledge level than would be expected.

^1 Decimals when calculating percentages rounded to the nearest hundredth.

[Figure 4.2: bar chart, Quality of Answers. Poor: 18, Unsatisfactory: 12, Decent: 11, Good: 5.]

Figure 4.2: Quality of answers when asked the question "How do you think computer intrusion occurs?".

[Figure 4.3: horizontal bar chart. y-axis: How users believe computer intrusion occurs; x-axis: Number of times mentioned (0 to 14). Phishing or Spoofing: 9, Social Engineering: 2, Users Fault: 9, Malware: 7, Hollywood Stereotype: 5, Unknowledgeable: 14, Insiders: 2.]

Figure 4.3: What people mentioned when asked how computer intrusion occurs

Figure 4.2 indicates that interviewees in general did not possess particularly good knowledge of computer intrusions, with the interviewees who gave satisfactory answers being outnumbered by those who did not, 16 to 30. For our definitions of good and bad/poor answers, refer to section 3.4.1.

Excluding those who gave fully rounded good answers, figure 4.3 shows how the interviewees think computer intrusion occurs. It displays how often types of answers were mentioned during the interview process, including an ’unknowledgeable’ group, that either did not possess enough knowledge to give an answer or gave vague answers and were unable to elaborate. 9 people mentioned that computer intrusion occurs because of some mistake the users themselves make, such as forgetting to log out of public terminals or sharing their accounts with friends. These answers should not be mixed up with the phishing/spoofing answers, which can also be said to be the fault of the users themselves, but were given their own category in the figure. Interestingly, five people gave answers that matched the Hollywood stereotype we defined earlier in section 2.3, and insiders and social engineering were quite underrepresented with only 2 mentions each.

Also, when asked what type of attack they thought they would be the victim of, almost all users grouped in the low experience group and most grouped in the average experience group were unable to answer. Among those who did answer, the most common answers included DDoS, identity theft, and phishing, in that order, with too few answers being given to be able to confidently quantify any significant results.

[Figure 4.4: bar chart. x-axis: Motives; y-axis: Number of times mentioned. Computational Power: 3, Monetary: 42, Grudges: 3, For fun: 10, Government: 5.]

Figure 4.4: How many times certain motives were mentioned as fueling computer intrusion during interviews.

Graph 4.4 illustrates the number of times motives for computer intrusion were mentioned by an interviewee. Only one person gave a fully rounded and good answer that matched the statistics we found and presented in 2.2. People holding grudges or being after computational power (hijacking your hardware) were each mentioned twice, and 4 people mentioned a "big brother"-esque government after the user’s information. The two main motives for computer intrusion, monetary and doing it for no real reason other than fun, were also represented, but with their places switched compared to how often they actually occur. Money was mentioned by 41 out of 46 interviewees as a motive, totaling 91.3 % of interviewees.

4.2 Additional Interesting Findings

In this section we have gathered some additional interesting statistics we compiled from the interviews that are derivatives of the actual purpose of the study (i.e., findings that were not intended to be found but were observable from the data gathered and can be considered somewhat interesting).


[Figure 4.5: bar chart of Age (x-axis) against Participants (y-axis). Age: 19, 20, 21, 22, 23, 24, 25, 26, 27, 29, 31, 32, 34, 53. Participants: 3, 4, 4, 6, 11, 7, 3, 1, 1, 2, 1, 1, 1, 1.]

Figure 4.5: Age distribution of interviewees.

[Figure 4.6: grouped bar chart. x-axis: Age 21 & Below, Age 22 to 24, Age 25+; y-axis: Number of interviewees (0 to 14); series: Low Knowledge, Average Knowledge, High Knowledge.]

Figure 4.6: Age distribution of the various experience groups

At 76 %, a clear majority of the interviewees were within the age group 20-25, which is shown in 4.5. The oldest was an interviewee at the age of 53, and the youngest were three interviewees at the age of 19. Graph 4.6 shows that the only age group where high knowledge individuals outnumber those from one of the other two knowledge groups is the age 25+ group. This, we believe, can be attributed to two main factors. One: they have more experience as they have lived longer. And two: the majority of individuals interviewed who worked within IT or computing fell into this age group.


[Figure 4.7: grouped bar chart. x-axis: Low Experience, Average Experience, High Experience, Maybe; y-axis: Number of interviewees (0 to 12); series: Maybe, Yes, No.]

Figure 4.7: Whether they were less cautious on personal applications (such as Facebook, Skype, etc.) as compared to email in regards to phishing.

Graph 4.7 shows interviewees’ answers to whether or not they think they are less cautious on platforms such as Facebook or Skype, as compared to e-mail, concerning suspicious messages and links. The trend seems to show that individuals with low computer and/or IT experience who believe they are as cautious on those types of platforms outnumber those who don’t. Within average experience, the groups seem to be about equally large. And within the group of interviewees with high experience, they mostly believed themselves to be sufficiently cautious on both types of platforms. The graph also contains a maybe column, as two users were indecisive in their answers. Interestingly enough, the answers we received from interviewees on this topic far exceeded our expectations. We originally only anticipated simple, uninteresting, and easily quantifiable answers, but some of the interviewees from the higher knowledge group stated that they would either occasionally open phishing links for fun or out of curiosity in virtual machines, or that they always worked in virtual machines and thus did not fear malware that could infiltrate their machines from these types of communication channels.


[Figure 4.8: grouped bar chart. x-axis: Low Experience, Average Experience, High Experience; y-axis: Number of interviewees (0 to 14); series: Yes, No.]

Figure 4.8: Regarding whether or not they actively take measures to protect themselves against computer intrusion.

Graph 4.8 displays the answers given by the interviewees when asked whether or not they actively take any measures to protect themselves against any potential computer intrusion. A clear trend can be seen here where higher experienced individuals are more likely to actively be protecting themselves against computer intrusion. Only one third of the low experience group stated that they actively took measures to secure themselves against computer intrusion, whereas 56.25 % of the average experience group and 83.33 % of the high experience group stated they did.

Additionally, only three people believed hacking as shown on TV and/or film was displayed in a realistic manner, two from the low experience group and one from the average experience group. This is interesting considering five people gave descriptions fitting this stereotype, as seen in 4.3, and 14 people didn’t possess enough knowledge to deliver a proper answer. Worth noting, when referring to TV/film hacking in this context, we are talking about Hugh Jackman "Swordfish" or 1995’s "Hackers" style computer intrusion, not the "Mr. Robot" kind. When asked about their passwords, six people mentioned using software which managed their passwords for them: one from the low experience group, one from the average, and four from the high experience group.

5 | Discussion

Right off the bat, we’d like to state that we were surprised, and somewhat disappointed, over how unknowledgeable the sample was on average. Even people who majored in computer science related fields had (at least we felt) quite unsatisfactory knowledge regarding computer intrusions. Examples of this include answers from high experience individuals such as (paraphrasing): “People who want to perform computer intrusion first find someone who piques their interest, then they just do something illegal on their computer”, with no further description or explanation given after that in the follow-up. Another example from a user in the average experience category (again, paraphrasing): “The only people I can really imagine being a threat to my information security is the government”.

While some of this can be attributed to how the interviewee interpreted the question, we would often repeat or ask follow-up questions when we felt the interviewee had misunderstood the question, or not given a complete answer to the best of their abilities. We believe that the incomplete or misinformed answers we received are most likely explained by a lack of knowledge and understanding of the subject matter at hand.

The approach of interviewing individuals within the industry rather than companies as entities was, we feel, a good choice that paid off. This was validated even more so when we stumbled upon Kotulic & co.'s article [44], previously mentioned in section 3.1. We do believe this way of conducting the study, using semi-structured interviews, was by far the best choice for this type of survey.

5.1 Regarding the Method

Although we feel we did a good enough job for the purposes of this thesis, obviously a larger and more varied sample size is always better when dealing with a qualitative survey such as this. More data on people from various age groups and levels of technical expertise would allow higher confidence should this data be used for further analysis. Two obviously interesting groups that were not covered were the slightly more elderly and the younger teenage group, as their opinions on the subject matter could have been interesting for the purposes of comparison.

Furthermore, the interviews, had they been conducted by someone with extensive experience conducting interviews, or had the interviews been refined further, may have led to better results. In chapter 2.5 we covered some theory behind interview technique, but it was an area that we were previously completely unfamiliar with, and further experience within the subject may have allowed us to extract more precise answers from our interviewees. We noticed that by the time we reached the final interviews we were a lot better at asking supplementary questions and successfully extracting all the information we required from our interviewees, as opposed to the first few interviews when we were unfamiliar with the process. Examples of supplementary questions we asked include asking the interviewee to elaborate on what kind of work they did if they stated they worked within IT, asking how many hours a day they used the computer if they replied that they used it daily, or in general asking the interviewee to elaborate should we believe the interviewee was capable of giving an answer that was less vague. Also, the structure of the interview template may have led to some interviewees interpreting some questions as personal, whereas we were mostly interested in their opinions regarding general scenarios. This is another aspect that could have been improved had the interviews been conducted by someone with more experience.

Additional levels of experience and knowledge to divide the interviewees into would have been preferable, we felt, as often there would be an interviewee who would fall between high/average or low/average in experience or knowledge, and we would have to make a tough decision on where to place them. The problem with having, say, five groups instead of the three we used, we feel, would have been that each of the five individual groups would have been too thin to confidently quantify any results from. When dividing the interviewees into their respective experience and knowledge groups, having had a pre-determined checklist to lean on when determining
