Data Breaches: User Comprehension, Expectations, and Concerns with Handling Exposed Data


Sowmya Karunakaran, Kurt Thomas, Elie Bursztein, and Oxana Comanescu, Google


Data exposed by breaches persist as a security and privacy threat for Internet users. Despite this, best practices for how companies should respond to breaches, or how to responsibly handle data after it is leaked, have yet to be identified. We bring users into this discussion through two surveys. In the first, we examine the comprehension of 551 participants on the risks of data breaches and their sentiment towards potential remediation steps. In the second survey, we ask 10,212 participants to rate their level of comfort towards eight different scenarios that capture real-world examples of security practitioners, researchers, journalists, and commercial entities investigating leaked data. Our findings indicate that users readily understand the risk of data breaches and have consistent expectations for technical and non-technical remediation steps. We also find that participants are comfortable with applications that examine leaked data—such as threat sharing or a "hacked or not'' service—when the application has a direct, tangible security benefit. Our findings help to inform a broader discussion on responsible uses of data exposed by breaches.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {219414,
author = {Sowmya Karunakaran and Kurt Thomas and Elie Bursztein and Oxana Comanescu},
title = {Data Breaches: User Comprehension, Expectations, and Concerns with Handling Exposed Data},
booktitle = {Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018)},
year = {2018},
isbn = {978-1-939133-10-6},
address = {Baltimore, MD},
pages = {217--234},
url = {},
publisher = {USENIX Association},
month = aug