The State of Digital Security Behavior in 2026 – Exclusive Report

What 2,000 Users and Millions of VPN Sessions Reveal About Modern Cyber Habits

Survey cohort: 2,000 respondents across the United States, United Kingdom, Germany, India, and the United Arab Emirates. Session dataset: aggregated, anonymized telemetry from millions of active VPN connections. All findings reported in accordance with responsible disclosure and data minimization principles.

SECTION 01

Executive Briefing

Key Findings at a Glance

Two data sources sit behind this report. One is a survey, 2,000 people across five countries, answering detailed questions about what they actually do online. The other is something rarer: real behavioral data from millions of VPN sessions, showing how people act when no one is asking them about it. Put together, they reveal a picture of digital security habits in 2026 that is sharper, and more uncomfortable, than either source could produce on its own.

Six patterns keep surfacing across both datasets, across all five countries, across every demographic split we ran. They are listed below.

Sr. No	Finding	What the Data Shows
01	People know the rules. They just don’t follow them.	The vast majority of respondents could correctly identify phishing attempts, explain what two-factor authentication is, and describe why public Wi-Fi is risky. Their actual behavior tells a different story entirely.
02	Public Wi-Fi is the most ignored risk in daily digital life.	Most respondents connect to open networks regularly and rate their own security as fine. The gap between that confidence and their actual exposure is one of the widest this study documents.
03	Password reuse is still everywhere.	Despite knowing the risk, a large share of respondents reuse passwords across multiple accounts. One stolen credential, in this scenario, unlocks far more than one door. (Verizon DBIR, 2025)
04	VPN use is growing but still mostly reactive.	Session data shows users switching protection on for travel or banking, then letting it lapse. The gaps that creates are precisely when routine attacks tend to succeed.
05	Mobile devices get treated as if they are somehow safer.	The security habits people apply on laptops and desktops rarely translate to their phones. Given how much sensitive activity now happens on mobile, that asymmetry is a growing problem. (Pew Research Center, 2025)
06	Work security and personal security exist in separate mental compartments.	Employees who follow IT policy carefully at work often abandon those same habits the moment they are on personal devices or accounts. Attackers have noticed this. (Ponemon Institute, 2025)

Table 1: Core findings summary. Primary research, this study.

The Core Behavioral Contradiction

Here is the thing about this study’s central finding: it has nothing to do with technology. No unpatched vulnerabilities, no misconfigured servers. The most consequential gap in digital security right now is that people know what they should be doing and they aren’t doing it.

That’s not a new observation. Researchers have been documenting the gap between security knowledge and security behavior for more than twenty years. (Bulgurcu et al., Information Systems Research, 2010) What’s notable in 2026 is how little has changed despite everything that has happened. The headlines got bigger, the breaches got more personal, the training programs got more sophisticated. And yet the behavioral gap hasn’t closed in any meaningful way. In some areas it has widened.

The tempting explanation is that people simply don’t care. That’s not what the data shows. Survey respondents were genuinely concerned about cybersecurity. They worried about their accounts, their financial data, their privacy. The issue isn’t concern. It’s the psychological distance between ‘cyber threats are real and serious’ and ‘this is going to happen to me specifically.’ That gap is where protective behavior goes to die. (Weinstein, Journal of Personality and Social Psychology, 1980)

What this means practically is that security programs built on the premise that better-informed users make better decisions are working from an incomplete model. Awareness matters. But the actual levers are things like friction, defaults, social norms, and how much effort something takes. These variables consistently outperform knowledge in determining what people actually do day to day. (Wash and Rader, SOUPS, 2015)

Research Observation

The most significant security vulnerability identified in this study is not a software flaw or an unpatched system. It is the widely held assumption that awareness produces behavior, a model that the data consistently fails to support.

Why This Study Matters in 2026

There is no shortage of cybersecurity research. What is in shorter supply is research that takes human behavior, observed at real scale across real countries in real usage conditions, as the primary unit of analysis rather than an afterthought. That is what this study is trying to be.

The timing matters more than it might seem. Several things have converged in the past two years to make behavioral security failures more consequential than they have ever been before. Remote work has moved the organizational security perimeter out of the office and into wherever employees happen to be sitting. AI tools have made phishing attacks cheaper, faster, and far more convincing. Digital financial services have expanded into markets where millions of new users now have high-value accounts but haven’t had years to develop protective instincts. And the consolidation of personal and professional life onto a handful of cloud platforms means a single stolen credential can now cascade into consequences across someone’s entire digital existence.

Against that backdrop, understanding how ordinary people actually behave online, not how they say they behave, not how they perform in a simulated exercise, but what they do when no one is watching and convenience is right there, is genuinely important work. The session telemetry in this dataset is particularly valuable for exactly that reason. It captures behavior as it happens, before memory and social desirability get a chance to clean it up.

None of the findings that follow are meant as criticism of individual users. People are doing entirely predictable things in digital environments that were designed primarily around convenience, not security. The failure is systemic, not personal.

SECTION 02

The Modern Digital Risk Environment

The Cyber Threat Landscape in 2026

The most honest way to describe the 2026 threat landscape is this: the attacks haven’t changed that much, but everything that makes them easier to pull off has gotten dramatically better. Ransomware, credential theft, phishing, supply chain compromise, these have been the dominant vectors for years. What’s different now is who can run them, how convincingly, and at what scale.

Artificial intelligence deserves specific mention here, not because it has invented new attack categories, but because it has lowered the floor on the old ones. Phishing lures can now be personalized at scale. Malware variants can be iterated faster than signature-based defenses can track them. Deepfake audio and video are viable tools for business email compromise in a way they weren’t three years ago. The skilled attacker of 2020 is, in capability terms, closer to the average attacker of 2026 than most people realize. (Google Project Zero, 2025; MITRE ATT&CK, 2025)

Threat Category	2025 Status	Why It Matters to Individuals
Credential Theft	Dominant initial access vector. Billions of exposed pairs in active circulation. (Verizon DBIR, 2025)	Directly enables account takeover and financial fraud, especially when passwords are reused
Phishing	Present in the majority of confirmed breaches. AI personalization accelerating significantly. (APWG, 2025)	Works on informed users too, because it exploits attention and habit, not just ignorance
Ransomware	Rising average cost per incident. Increasingly targets organizations over individuals. (IBM, 2025)	Mostly affects individuals indirectly, via breached institutions that hold their data
Public Network Exploitation	Consistent opportunistic threat wherever people gather with devices. (OWASP, 2025)	Direct personal risk for anyone doing sensitive activity on an open connection
Account Takeover Fraud	Fastest-growing financial fraud category globally. (FTC, 2025)	The most common downstream consequence of credential theft and weak authentication

Table 2: Threat category overview. Sources as cited.

For most individuals, the threat landscape comes down to three things: someone trying to steal their credentials through phishing or a data breach, someone exploiting a poorly secured network connection, or someone using a reused password to get into an account they didn’t directly compromise. These aren’t dramatic, spy-thriller attacks. They’re routine, automated, and happening continuously whether they make the news or not.

Credential Theft and Phishing Trends

What makes credential theft and phishing worth studying separately from other threat categories is that they don’t succeed by breaking anything. They succeed because humans are predictable. Under time pressure, when something looks familiar, when an authority figure is apparently making a reasonable request, people respond in consistent ways. Attackers know this and build for it.

Phishing in particular has gone through a genuine evolution that deserves more credit than it typically gets. The clumsy, obvious campaigns of a decade ago, full of grammar errors and implausible scenarios, have mostly given way to messages that are contextually precise, psychologically calibrated, and hard to distinguish from the real thing even for people who know what to look for. Large language models have accelerated this shift substantially. Generating a convincing personalized phishing email at scale used to require real effort. It largely doesn’t anymore. (Google Project Zero, 2025; APWG Phishing Activity Trends Report, 2025)

Survey respondents in this study reported receiving communications in the past twelve months they later identified as phishing attempts, and a meaningful share admitted they had initially engaged before realizing what they were dealing with. This is consistent with controlled simulation data across the industry: even well-trained, security-conscious populations click on well-crafted phishing attempts at rates that surprise most people who assume awareness solves the problem. (Proofpoint State of the Phish Report, 2025)

On the credential side, the scale of compromised data available on dark web markets is the kind of number that stops feeling real at a certain point. Billions of unique username and password pairs, continuously refreshed by new breaches, available to anyone willing to pay relatively modest prices. For users who reuse passwords, this isn’t a hypothetical future risk. It’s a live, ongoing one. A single breach at a site they barely use may have already unlocked something they care about far more. (Have I Been Pwned, 2025; SpyCloud Annual Credential Exposure Report, 2025)

Persistent Threat Levels Beyond News Cycles

There’s a consistent pattern in how cybersecurity threat awareness moves through the public: a big incident makes the news, attention spikes, behavior shifts a bit, and then it all slowly returns to normal within a few weeks. The problem is that the threats don’t follow that same rhythm. They run continuously, at scale, on automation, completely indifferent to whether they’re currently getting coverage.

This creates a structural mismatch that’s easy to underestimate. The most dangerous period for individual users isn’t the week after a major breach story, when everyone is briefly alert and cautious. It’s the months in between, when attention has drifted and behavior has reverted but the attack infrastructure never paused. Session data from this study shows measurable engagement spikes following major security news events, then a consistent slide back toward baseline within a few weeks. The pattern holds across every geography and user segment in the dataset.

The behavioral economics behind this is well documented. Humans naturally give more weight to vivid, recent, emotionally resonant events than to equivalent risks that are abstract or ongoing. (Tversky and Kahneman, Science, 1974) In security terms: the breach you read about last Tuesday feels more threatening than the credential stuffing attack that has been quietly running against your accounts for months. One is a story. The other is just statistics.

Analytical Insight

Threat actors operate on a continuous schedule. User protective behavior operates on a news cycle. That temporal mismatch is one of the most consequential and least discussed dimensions of the modern behavioral security gap.

Why Awareness Does Not Equal Protection

This is perhaps the most important and most inconvenient finding in the entire report, so it’s worth being direct about it: security awareness training, as it is typically designed and delivered, does not reliably produce secure behavior. Organizations spend billions on it annually (Gartner, 2025), and the return on that investment is substantially lower than the model assumes.

That’s not an argument for stopping awareness efforts. Respondents with higher awareness scores did show slightly better self-reported habits. The problem is that the gap between knowing and doing is not primarily a knowledge gap. It’s a behavioral architecture gap. It’s about the structure of the decision, not the information available when making it.

Behavioral science has been fairly clear on this for decades. Default settings, friction costs, social norms, perceived effort, these variables consistently drive behavior harder than information provision in contexts that don’t involve deliberate, careful reasoning. And most security decisions in daily life don’t involve deliberate, careful reasoning. They happen fast, on autopilot, amid distraction, at the tail end of a day when someone just wants to check their email quickly. (Fogg, Persuasive Technology, 2003; Thaler and Sunstein, Nudge, 2008; Adams and Sasse, Communications of the ACM, 1999)

The 2FA adoption data from this study makes the point cleanly. Among respondents who said they understood two-factor authentication and recognized its value, consistent across-the-board deployment was far lower than you’d expect from that awareness level. Their explanations: it’s annoying, it slows down login, and honestly most of those accounts probably aren’t worth protecting that carefully. That last one is the revealing answer. It’s not ignorance. It’s a fundamentally wrong model of how attackers think about which accounts are worth targeting, and no amount of awareness training has corrected it. (NIST Special Publication 800-63B, 2024)

SECTION 03

Public Wi-Fi Exposure: Everyday Risk in Plain Sight

Frequency of Public Wi-Fi Usage Across Countries

Ask most people whether public Wi-Fi is risky and they’ll say yes. Watch what they actually do in an airport, a coffee shop, or a hotel lobby, and you’ll see them connect to whatever network pops up first without a second thought. That gap, between knowing and doing, shows up nowhere more consistently in this study than in public network behavior.

The majority of respondents across all five countries connect to public Wi-Fi at least once a week. Among younger cohorts, frequent travelers, and remote workers, the number is higher. And why wouldn’t it be? Public Wi-Fi has been built into daily infrastructure over the past decade. It’s free, it’s fast enough, it’s everywhere you want to be. The notion that it might be doing something dangerous in the background doesn’t surface as a conscious thought in most connection decisions. It probably should. (Anderson, Security Engineering, 2020)

Country	Weekly Public Wi-Fi Use	Financial Activity on Public Wi-Fi	Encryption Active During Session	Primary Risk Driver
United States	High	High	Moderate	Dense commercial Wi-Fi; deeply embedded mobile banking habits
United Kingdom	Moderate	Moderate	Moderate-High	Higher mobile data penetration provides practical alternatives
Germany	Moderate	Moderate	Moderate	Strong privacy culture but limited conversion to active protection
India	High	Moderate-High	Low-Moderate	Rapid digital adoption with encryption habits still catching up
UAE	Low-Moderate	Low-Moderate	High	Robust cellular options; regulatory context normalizes VPN use

Table 3: Public Wi-Fi usage and risk profile by country. Primary research, this study; ITU Global ICT Development Index, 2025.

Banking and Financial Access on Public Networks

Of everything documented in this section, the behavior with the most direct and immediate risk profile is conducting financial transactions on unsecured public networks. Banking sessions, payment processing, investment account logins, digital wallet activity, a significant share of respondents reported doing all of these regularly over public Wi-Fi, often out of straightforward necessity. The transaction needed to happen, they were already connected, and so it did.

The protection that most users assume exists, specifically HTTPS and app-level security, is real but partial. It doesn’t cover every attack scenario on an untrusted network. Man-in-the-middle attacks, SSL stripping, and malicious hotspot impersonation remain viable in environments where network authenticity can’t be verified, and the hasty, distracted context in which these transactions typically happen makes it less likely a user would notice anything unusual even if there were warning signs. (Bhargavan et al., ACM CCS, 2014; OWASP, 2025)

Two justifications came up repeatedly in survey responses. First: urgency. The transfer couldn’t wait. Second: a belief that the app’s own security was sufficient regardless of what network it was running on. That second belief is worth examining, because it’s not irrational exactly, it just mislocates where the risk lives. The app may be secure. The network it’s traveling over may not be.

Risk Observation

The combination of financial transaction behavior and public network exposure is the highest-density risk scenario documented in this study. It’s also the one where the gap between what users believe they’re protected from and what they’re actually exposed to is widest.

Work and Corporate System Access Over Open Wi-Fi

Remote work has added a layer to the public Wi-Fi problem that goes well beyond individual exposure. When employees access corporate systems, internal tools, and work email from coffee shops and airport lounges, the security properties of the network they’re using become an organizational issue, not just a personal one. Survey data from employed respondents confirms this is happening at scale, and that many are doing it without organizational-mandated secure access protocols. (CISA Remote Work Security Guidelines, 2025)

The stakes are different here. The individual checking their personal bank account on a sketchy hotel Wi-Fi is primarily putting themselves at risk. The same individual logging into a corporate email account is potentially providing an entry point into an organizational system whose value to an attacker is orders of magnitude higher than the personal account. Lateral movement through corporate networks often starts exactly this way: one credential, captured in an unremarkable moment at an unremarkable location, becomes the first step in a chain that ends somewhere much more serious. (MITRE ATT&CK, 2025; Ponemon Institute, 2025)

What makes this harder to address is that the employees doing it aren’t being reckless by their own lights. They’re getting work done. The organization’s tools work fine over public Wi-Fi. Nothing seems wrong. The risk is invisible at the moment of exposure, which is precisely what makes it persistent.

The Encryption Adoption Gap

The most straightforward technical fix for public Wi-Fi exposure is encrypting your traffic through a VPN or equivalent secure tunnel. Most survey respondents knew this. They knew what a VPN was, they knew why it helps on public networks, and a meaningful share had used one at some point. The gap is between that awareness and consistent use.

• Most respondents understood that encrypted connections reduce exposure on public networks.
• A significant share had used a VPN in the past year.
• But session data shows a clear gap between stated awareness and encryption being actively running during public network sessions.
• The pattern is selective, not habitual. Tools get activated for high-stakes moments like international travel or banking, then quietly dropped between them.

This is a friction problem more than a knowledge problem. Encryption tools that require deliberate activation, that add latency, or that interrupt the seamless experience people expect from their devices will be used selectively and abandoned when the immediate threat salience fades. The cognitive model is risk-triggered, not baseline: turn it on when you feel exposed, let it go when you don’t. The trouble is that the moments when users feel most safe on public networks often aren’t the moments they’re most protected. (Egelman and Peer, IEEE Security and Privacy, 2015)

Country-by-Country Comparison of Risk Behavior

The five-country comparison resists simple narratives. The United States has high security awareness scores alongside elevated rates of financial activity on public networks, a combination driven by the density of commercial Wi-Fi infrastructure and deeply embedded habits around mobile banking. Being aware of the risk, evidently, is not sufficient to override those habits in the moment. Germany shows a different version of the same mismatch: high expressed concern about data privacy, moderate encryption adoption. Concern and action are not the same thing. (Eurobarometer, 2025)

India’s profile reflects the specific dynamics of a market in rapid digital transition. Urban respondents show high dependency on public networks in co-working and commercial environments, with encryption habits still developing. The UAE cohort’s comparatively lower public Wi-Fi risk is partly structural: cellular infrastructure in the Gulf makes it a practical alternative to open networks, and familiarity with VPN tools is higher partly due to the regulatory context around internet access. (GSMA Mobile Economy Report, 2025; TDRA UAE Digital Report, 2025)

Behavioral Drivers Behind Public Network Risk

Three things keep coming up when you dig into why public Wi-Fi risk behavior persists even among users who understand the exposure. Each one is distinct, each one is well-documented in behavioral research, and none of them responds well to awareness campaigns.

• Convenience dominance: Connecting to available Wi-Fi takes one tap. Activating a VPN, switching to cellular data, or deferring a transaction until a safer moment all take more steps, more mental overhead, more friction. That friction cost, however small in absolute terms, is enough to change behavior in low-deliberation moments. Most public network connections are low-deliberation moments. (Thaler and Sunstein, Nudge, 2008)
• Risk invisibility: Physical threats give you a signal at the moment of exposure. Network-level threats don’t. There’s no notification that someone just set up a rogue access point three tables away. No warning that the network you joined is logging traffic. No immediate consequence from connecting. Without that feedback loop, the cognitive systems responsible for threat-avoidance behavior simply don’t engage. (Schneier, Beyond Fear, 2003)
• Social proof: In a coffee shop where dozens of people are using the same network and visibly fine, the available social evidence points toward safety. That inference is logically weak but behaviorally powerful, and it happens below the level of conscious deliberation. (Cialdini, Influence, 2021)

SECTION 04

Fear vs. Reality: The Threat Perception Gap

What Users Say They Fear Most

When asked to rank the cybersecurity threats they considered most dangerous to their personal security, respondents did something entirely predictable: they ranked the threats that make the best news stories. Large-scale institutional breaches. Government surveillance. Ransomware. Dramatic identity theft. These fears are not without foundation. But the proportion of worry directed at them outpaces the proportion of actual individual harm they produce, while the threats responsible for most real-world personal compromises sat further down the list.

Surveillance anxiety stood out particularly, especially among German and US respondents, shaped by years of public discourse around digital privacy, legislative battles, and high-profile revelations. That concern is legitimate in a policy and civil liberties context. Where it becomes a practical security problem is when it displaces protective energy that should be going toward credential hygiene and phishing resistance, which are statistically far more likely to cause personal financial harm than surveillance is. (Eurobarometer, 2025; Pew Research Center, 2025)

Threat Category	Where It Ranks in Expressed Fear	Where It Ranks in Actual Individual Harm
Government / Corporate Surveillance	High	Low (primarily a structural and policy concern)
Large Institutional Data Breach	High	Moderate (indirect harm via third-party exposure)
Ransomware on Personal Device	High	Low (predominantly targets organizations)
Phishing / Credential Theft	Moderate	Very High (dominant initial access vector across breach data)
Password Reuse / Credential Stuffing	Low-Moderate	Very High (billions of attempts running daily)
Public Wi-Fi Exploitation	Low	High (continuous, opportunistic, massively underreported)
Account Takeover Fraud	Low-Moderate	High (fastest-growing financial fraud category)

Table 4: Expressed fear versus empirical incident frequency. Sources: Verizon DBIR, 2025; FTC Consumer Sentinel Network, 2025; SpyCloud, 2025.

The Most Common Real-World Attack Vectors

Set aside the survey responses for a moment and just look at what the incident data says. Credential theft and phishing account for the plurality of individual account compromises, and that has been true across every major breach dataset for several years running. The Verizon DBIR 2025 is consistent with previous editions on this point: the human element is present in the overwhelming majority of confirmed breaches, and social engineering is the dominant initial access mechanism. The attacks generating the most individual harm are not the dramatic, cinematic ones. They’re the repetitive, automated, mundane ones. (Verizon DBIR, 2025; SpyCloud Annual Credential Exposure Report, 2025)

Ransomware is worth addressing directly given how much fear it generates. Device-level ransomware targeting personal users does occur, but it’s a much smaller category than its media presence would suggest. Most individuals encounter ransomware as a downstream casualty of attacks on institutions that hold their data, a healthcare provider, a financial institution, a public service. The attacker wasn’t targeting them. They just happened to be in the database. That’s a real harm, but it’s a different harm from the one most people imagine when they think about ransomware. (CISA Ransomware Guide, 2025)

The Phishing Blind Spot

Here is arguably the most practically significant finding in this entire section. Respondents who demonstrated accurate, detailed knowledge of phishing, who could identify its mechanics, describe its warning signs, and explain why it’s dangerous, still consistently rated their own personal susceptibility as below average. They knew phishing was a serious threat. They just didn’t think it would work on them specifically.

This is optimism bias operating with particular precision. (Weinstein, Journal of Personality and Social Psychology, 1980) And it’s worth taking seriously rather than dismissing, because it has a direct behavioral consequence: if you believe you’re not particularly susceptible to phishing, you’re less likely to maintain the specific vigilance habits that make you less susceptible. The subjective sense of immunity becomes a partial self-fulfilling prophecy in the wrong direction.

Controlled phishing simulations consistently show click-through rates that surprise organizations running them, even after recent training, even among technically sophisticated staff. The conditions that make phishing effective, authority cues, urgency, contextual familiarity, the exploitation of habitual email behavior, are conditions that operate faster than deliberate security reasoning. A good phishing attempt that arrives during a busy afternoon will catch people who absolutely know better. (Cialdini, Influence, 2021; Workman, Computers in Human Behavior, 2008; Proofpoint State of the Phish, 2025)

Analytical Insight

The phishing blind spot is self-reinforcing. Users who believe they aren’t susceptible are less likely to maintain the vigilance habits that would actually make them less susceptible. Subjective immunity, rather than its objective presence, may be one of the most effective tools a social engineer possesses.

Tracking Anxiety vs. Credential Theft Risk

The divergence between how much people worry about being tracked and how much they protect against credential theft is worth spending time on, because these are not the same concern and they don’t respond to the same protective behaviors. Tracking anxiety, concern about behavioral monitoring, advertising surveillance, location data collection, is a legitimate privacy issue with real implications for civil liberties. But protecting against it does not protect against account takeover. Using a private browser doesn’t help when your reused password is in a breach database.

Survey data showed that high tracking anxiety and high credential security practices are largely orthogonal. They don’t cluster together. People who score high on concern about being surveilled don’t show correspondingly better password hygiene or 2FA adoption. The two concern categories appear to occupy different parts of people’s mental security models, and improving one doesn’t seem to motivate the other. That has real implications for how security education and product communications should be structured. (Pew Research Center, 2025; FTC Data Security Report, 2025)

Psychological Biases Shaping Digital Risk Perception

The threat perception gap isn’t the result of irrational thinking or insufficient education. It’s the result of entirely normal cognitive mechanisms operating in an environment they weren’t built for. Three biases show up consistently in this study’s data.

• The availability heuristic: Threats that are vivid and recently encountered in media feel more probable than their actual base rates justify. Ransomware stories generate genuine fear because they’re well-told. Credential stuffing attacks don’t make the news because they’re tedious and routine, which is precisely what makes them such a dominant source of actual harm. (Tversky and Kahneman, Science, 1974)
• Optimism bias: Respondents who rated phishing as highly dangerous to people in general rated themselves as notably less susceptible than the average person. That’s a mathematically impossible distribution at the population level, and it’s a textbook demonstration of optimism bias in action. Everyone thinks the average person is more at risk than they are. (Weinstein, Journal of Personality and Social Psychology, 1980)
• The abstraction effect: Statistical risk, expressed as probabilities and percentages, generates less protective motivation than concrete, identifiable threats. ‘Millions of credentials are exposed in breaches every year’ lands differently than ‘your email address and an old password of yours appeared in a breach database last month.’ Same information, very different behavioral impact. (Slovic, Perception of Risk, 2000; Loewenstein et al., Psychological Bulletin, 2001)

SECTION 05

Headline-Driven Security: The Reactive Protection Pattern

VPN Usage Spikes During Major Security Headlines

One of the clearest and most consistent patterns in the session data is what happens to protective tool usage after a major security story breaks. Big breach disclosures, ransomware attacks on visible targets, widely covered credential exposure events: each one produces a measurable spike in engagement. New user onboarding accelerates. Lapsed users reconnect. Active users connect more frequently and for longer. The data isn’t ambiguous on this. (IBM Institute for Business Value, 2025)

The psychology is familiar enough. A high-profile incident makes an abstract risk suddenly feel concrete and personal. ‘This happened to a company I use’ or ‘that could have been my data’ activates protective motivation that had been sitting dormant. It’s the same mechanism that makes people buy smoke detectors the week after a neighbor’s house catches fire.

What makes this pattern interesting is how selective it is. The events that reliably trigger it share specific characteristics.

• They involve organizations people have heard of and interact with.
• They plausibly affect or threaten to affect large numbers of ordinary users.
• They get covered by mainstream media, not just specialist security outlets.

Technically significant incidents that don’t have a good consumer story attached to them barely register in the behavioral data. The trigger is perceived personal relevance, not objective threat magnitude. Attackers don’t always pick targets that generate that kind of media coverage.

The Protection Half-Life: How Long Behavior Changes Last

If the spikes described above produced lasting behavioral change, the reactive protection pattern would still be a net positive. It doesn’t. Session data shows post-spike behavior reverting toward pre-event baseline with a consistency that makes it look almost mechanical. The typical protection half-life, the median time for engagement to return to within one standard deviation of the pre-event baseline, is somewhere in the range of three to four weeks.

Three to four weeks. That’s how long the protective motivation generated by a major security incident typically sustains changed behavior before it erodes back to default. The behaviors that drop off first are the ones that imposed the most friction. Consistent VPN activation. Regular password reviews. Multi-factor authentication on every account. Behaviors that had become semi-habitual or required minimal effort held better. The conclusion is fairly clear: post-spike protective behavior is motivated behavior. And motivated behavior, without the transition to genuine habit, has an expiry date.

Behavioral Decay

A user who takes up protective behaviors after a major security story is likely to be no more protected four weeks later than they were in the weeks before it. The cycle produces the appearance of security behavior change without the durable protection that genuine habit formation would provide.

Protection Levels vs. Ongoing Attack Levels

While users go through cycles of brief alertness and gradual reversion, attack infrastructure doesn’t. Automated credential stuffing runs don’t take a break after a high-profile breach makes the news. Phishing campaigns don’t wind down while public attention is focused elsewhere. The activity level of threat actors is determined by available targets and economic returns, neither of which is sensitive to what journalists happen to be covering this week. (Verizon DBIR, 2025; CISA Threat Intelligence Summary, 2025)

This creates an asymmetry that rarely gets named directly: the periods when users are most alert and most protected are not the periods of highest attack activity, they’re just the periods when attack activity is most visible. The weeks and months between news cycles, when protective behavior has quietly retreated and nothing seems threatening, are when the ambient, continuous attack infrastructure does its most uncontested work.

Event-Driven Protection vs. Always-On Protection

The practical difference between reactive protection and always-on protection isn’t philosophical. It’s a question of whether your security posture has gaps, and if so, when they appear. Reactive protection, by design, has gaps. They appear exactly where they’re most dangerous: in the quiet periods between events, when threat actors are still running their automated processes and users have stopped thinking about it. (Schneier, Beyond Fear, 2003)

Always-on protection doesn’t require users to correctly identify which moments are high-risk, a standard they won’t meet consistently given the threat perception gaps this study documents. It provides protection as a structural condition rather than a conscious decision. The behavioral science on defaults is unambiguous here: default states that require deliberate action to exit produce far higher sustained adoption than optional states requiring deliberate action to enter, regardless of how strongly people say they prefer the optional version. (Johnson and Goldstein, Science, 2003; Dinner et al., Journal of Marketing Research, 2011)

The Behavioral Decay Cycle

The behavioral decay cycle is the recurring loop of threat salience triggering reactive adoption, followed by gradual reversion, followed by extended baseline exposure until the next triggering event. It’s not specific to any country, any age group, or any awareness level in this dataset. It appears everywhere. Which means it isn’t a characteristic of particular users. It’s a characteristic of human cognition operating in digital environments built for convenience.

Breaking it requires changing the environment, not the user. The goal shouldn’t be to keep users in a permanently heightened state of threat awareness. That’s not achievable and it’s probably not healthy. The goal should be to design systems where protection is the default condition, where maintaining it requires less effort than abandoning it, where habit formation is supported rather than accidentally undermined. (Lally et al., European Journal of Social Psychology, 2010; Milkman et al., PNAS, 2011)

Phase	What Users Are Doing	What Attackers Are Doing
Quiet baseline period	Convenience-optimized behavior; minimal active protection	Continuous automated attacks across available targets
Activating news event	Threat salience spikes; protective motivation activated	No change; operations continue as before
Reactive adoption window	New tool adoption; password changes; increased vigilance	Attempting to exploit whatever gaps remain
Decay phase (weeks 2-4)	Friction-heavy behaviors dropping off; engagement declining	Still running; unaffected by the news cycle
Return to baseline	Near-identical to pre-event; no durable habits formed	Business as usual; gaps fully restored

Table 5: The behavioral decay cycle. Based on session telemetry analysis conducted for this study.

SECTION 06

Cross-Country Security Behavior Comparison

Running this study across five countries wasn’t just about geographic breadth. It was about testing whether the behavioral patterns documented elsewhere are universal or contextual. The answer, broadly, is both. The core dynamics, the knowledge-behavior gap, the reactive protection cycle, the threat perception distortion, show up in every country. But the specific profile of each country’s risk exposure and protective behavior varies in ways that reflect real structural and cultural differences worth examining.

Country	Public Wi-Fi Risk	Encryption Adoption	Threat Perception Gap	Security Reactivity	Overall Posture
United States	High	Moderate	High	High	Vulnerable
United Kingdom	Moderate	Moderate-High	Moderate	Moderate	Mixed
Germany	Moderate	Moderate	Low-Moderate	Low	Mixed
India	High	Low-Moderate	High	High	Vulnerable
UAE	Low-Moderate	High	Moderate	Moderate-High	Improving

Table 6: Cross-country behavioral index. Ratings are relative within this study’s cohort. Primary research conducted for this report.

Public Wi-Fi Risk Ranking

The US and India rank highest on public Wi-Fi risk exposure, but for quite different reasons. In the United States, the risk profile is driven by behavior, specifically the combination of dense commercial Wi-Fi everywhere you go and deeply ingrained habits around mobile banking and financial apps. High awareness scores don’t seem to interrupt these patterns much. The knowledge is there; the habit is stronger.

• United States: Dense commercial infrastructure meets strong mobile banking culture. Awareness doesn’t override ingrained convenience habits.
• India: Rapid digital transition with encryption adoption still catching up. Urban co-working environments drive high public network dependency.
• UK: Higher mobile data penetration provides a practical cellular alternative. Moderate exposure profile overall.
• Germany: Strong privacy culture but that concern doesn’t reliably translate into lower public network exposure or higher encryption rates.
• UAE: Robust cellular infrastructure makes public Wi-Fi less necessary. Regulatory familiarity with VPN tools adds a baseline of encryption adoption. (TDRA UAE Digital Report, 2025)

Encryption Adoption Ranking

Encryption adoption rates have the clearest relationship with work-related security mandates of any behavioral dimension in this study. The UAE cohort leads, a result of the intersection of work-mandated VPN use in the Gulf’s international business environment and a regulatory context where VPN familiarity is unusually high. The UK’s moderate-to-high adoption reflects a relatively high proportion of respondents working in organizations with enforceable security compliance requirements. (Ponemon Institute, 2025)

Germany’s moderate adoption, despite high privacy concern levels, underscores the study’s broader finding one more time: concern doesn’t produce protection without corresponding changes to how convenient and default the protective behavior is. India’s lower adoption rate reflects a market still in transition. The trajectory there is upward, but the current gap is real.

Threat Perception Gap Ranking

The threat perception gap, specifically the divergence between what users are most afraid of and what is most likely to actually harm them, is largest in the US and India and narrowest in Germany. Germany’s smaller gap doesn’t necessarily reflect better security behavior, it reflects a somewhat less distorted threat hierarchy: less pronounced over-weighting of surveillance and dramatic breach scenarios, slightly more attention to the mundane credential risks that dominate actual incident data. (Eurobarometer, 2025)

The US result is particularly interesting. High security awareness paired with a large threat perception gap suggests that being exposed to a lot of security information doesn’t straighten out the threat hierarchy. If anything, high media consumption environments may amplify distortion by disproportionately covering the dramatic, narrative-rich incidents over the statistically dominant but story-resistant ones. (Slovic, Perception of Risk, 2000)

Security Reactivity Score

The security reactivity score measures how event-driven versus habitual a cohort’s protective behavior is. High reactivity in the US and India cohorts; lower reactivity in Germany and the UK. The UK and Germany result is partly structural: organizational security compliance requirements and GDPR-driven security culture appear to support more consistent baseline protective behavior rather than behavior that spikes and drops with the news. (GDPR Compliance Survey, 2025)

The relationship between reactivity score and protection half-life holds across all five countries. High reactivity correlates with shorter protection half-lives and longer inter-event exposure windows. That relationship is consistent enough across different cultural contexts to suggest it reflects something fundamental about how event-driven motivation and habitual protection work differently as mechanisms for maintaining security posture over time.

SECTION 07

User Archetypes: The Four Security Behavior Profiles

One of the more useful things that becomes possible when you combine survey data with behavioral telemetry is clustering. The four profiles below didn’t come from theoretical frameworks or intuition. They came from the data, validated against survey response patterns and checked across all five countries. Each appears in every geography surveyed, which suggests these are behavioral types rooted in something more fundamental than culture or demographic.

The reason these archetypes matter practically is that the same security intervention doesn’t work equally across all four. What reaches a Reactive Protector is irrelevant to a Convenience-First User. Understanding the distribution in any target audience is a prerequisite for designing responses that actually move the needle.

ARCHETYPE 01The Reactive ProtectorEngaged, aware, and genuinely motivated by security threats. The problem is that the motivation doesn’t last. Behavioral pattern: Session data shows the most dramatic spike-and-decay pattern for this group. After a major security event, engagement surges above average. Within three to six weeks, it’s dropped back to a baseline that’s often below the population median. The protection was real while it lasted. It just didn’t last.What drives it: Protective behavior here is motivation-dependent rather than habit-based. When the motivating event fades from memory, the behavior fades with it. There’s no underlying habit to sustain it through the quiet periods.The risk: Each cycle leaves this user no more durably protected than the previous one. The repeated pattern produces a subjective sense of having taken action on security without building the baseline protection that actually matters.What works: Catching this user in the post-spike window, when motivation is high and receptivity peaks, and using that window to lower the activation cost of habits that can sustain without ongoing motivation. That window is short. (Milkman et al., PNAS, 2011; Lally et al., European Journal of Social Psychology, 2010)

ARCHETYPE 02The Passive OptimistKnows the threat is real. Firmly believes it probably won’t happen to them. Behavioral pattern: Consistently low protective tool adoption, minimal response to news events, stable low engagement across all measurement periods. Unlike the Reactive Protector, this user isn’t cycling. They’re just in a steady state of underprotection.What drives it: Optimism bias, operating fully. Not indifference to cybersecurity as a concept but a deeply held, rarely examined belief that the people who get caught by these things are somehow different from them. Less careful. Less savvy. Less lucky. (Weinstein, Journal of Personality and Social Psychology, 1980)The risk: General statistical risk communication reinforces rather than disrupts this mental model. ‘Millions of people are affected by credential theft annually’ doesn’t move someone who has already mentally excluded themselves from the affected population.What works: Concrete personal exposure evidence. A notification that their specific email address appeared in a specific breach. An account security audit that shows actual vulnerabilities. Something that makes the risk about them, not about the abstract population of people who get hacked. (Have I Been Pwned, 2025; Slovic, Perception of Risk, 2000)

ARCHETYPE 03The Always-On DefenderConsistently and habitually protective. The rarest profile in the dataset and the one everything else aspires toward. Behavioral pattern: Stable session engagement across all measurement periods, independent of what’s in the news. Protective behavior was present before the last big breach story and remains present long after it fades. No meaningful spike-and-decay signature.Who they are: Disproportionately found among respondents with professional security backgrounds, those in organizations with strong enforced compliance cultures, and those who at some point experienced a genuinely significant personal security incident. That last group is interesting: lived experience appears capable of producing durable behavioral change in a way that awareness training typically doesn’t.The insight: The most reliable path to this behavioral profile isn’t education. It’s habit formation, and the conditions most likely to produce it are organizational mandates, default-secure tool design, and direct personal experience with the cost of not being protected.Policy relevance: The goal of security infrastructure should be to engineer conditions that move the population distribution toward this archetype structurally, through design and defaults, rather than trying to motivate each individual user to get here on their own. (Lally et al., 2010; Thaler and Sunstein, Nudge, 2008)

ARCHETYPE 04The Convenience-First UserFully aware. Openly resistant. Friction is the variable that matters. Behavioral pattern: Security-literate, does not dispute best practice recommendations, consistently declines to follow them when doing so adds meaningful friction to their day. Unlike the Passive Optimist, this user isn’t underestimating the risk. They’ve made a different calculation about whether the cost is worth it.What drives it: Not ignorance, not misplaced optimism. A deliberate, usually unconscious weighting of immediate tangible inconvenience above a future probabilistic harm. Adams and Sasse identified this same pattern in foundational usable security research in 1999 and noted it was entirely rational from the user’s perspective given how security tools were designed. (Adams and Sasse, Communications of the ACM, 1999)The risk: Awareness campaigns are entirely the wrong tool here. The knowledge gap doesn’t exist. Survey responses from this group are candid: they know their habits are suboptimal, they have every intention of improving them at some undefined future point, and the primary obstacle is that the tools are annoying.What works: Friction reduction. Security behaviors that are designed to impose minimal workflow disruption, that integrate seamlessly with how this user already operates, and that don’t require a deliberate conscious decision each time. Make the secure option the easy option and adoption follows. (Fogg, Persuasive Technology, 2003; Egelman and Peer, IEEE Security and Privacy, 2015)

SECTION 08

The Cost of Behavioral Gaps

Financial Exposure and Credential Theft Risk

The behavioral patterns throughout this report have real financial consequences, and it’s worth being specific about how they connect. Credential theft, enabled by password reuse, public network exposure, and phishing susceptibility, is the primary mechanism through which individual financial harm happens in the current threat environment. The costs aren’t limited to the moment of initial compromise. They extend through account recovery, credit monitoring, fraudulent account activity, and in more serious cases, cascading identity fraud that can take months or years to fully resolve. (IBM Cost of a Data Breach Report, 2025; FTC Consumer Sentinel Network, 2025)

Account takeover fraud in particular has become a fast, largely automated process. Once an attacker has valid credentials for a banking or payment account, whether obtained through phishing, purchased from a breach database, or derived from credential stuffing against a reused password, the time between initial access and attempted fraud is often measured in hours rather than days. The pipeline is fast precisely because it’s designed to move before the account holder notices anything unusual. (FTC Consumer Sentinel Network, 2025; SpyCloud Annual Credential Exposure Report, 2025)

Type of Harm	How It Typically Starts	Which Behavioral Patterns in This Study Enable It
Direct financial fraud	Account takeover via stolen credentials	Password reuse; financial access on public Wi-Fi; weak or absent 2FA
Extended account recovery	Incomplete credential rotation post-compromise	Infrequent security reviews; passwords changed only reactively
Identity-adjacent fraud	Aggregated data from multiple breaches	Reusing credentials across personal and financial accounts
Corporate breach via employee	Personal device or network compromised	Accessing corporate systems on public Wi-Fi; personal and work credential overlap
Long-tail credit and identity harm	Synthetic identity creation; tax fraud; medical identity theft	Passive Optimist and Convenience-First behavioral profiles left uncorrected over time

Table 7: Financial harm pathways and contributing behaviors. Sources: FTC Consumer Sentinel Network, 2025; SpyCloud, 2025.

Financial Risk Context

SpyCloud’s 2025 Credential Exposure Report indicates the average consumer has credentials exposed in multiple breach events, with a significant proportion unaware of any single exposure. Against that backdrop, the password reuse patterns documented in this study represent not a theoretical vulnerability but a live, quantifiable exposure to ongoing automated exploitation attempts.

Enterprise Risk Through Remote Access

The behavioral findings in this study become more expensive when they involve people who work. The normalization of remote work has moved the organizational security perimeter into coffee shops, airports, home offices, and hotel lobbies. Individual behavioral failures in those environments, connecting corporate systems to public networks, using personal devices without organizational controls, overlapping personal and work credentials, don’t stay personal failures. They become organizational exposure events whose consequences scale in ways the individual behavior that created them doesn’t. (Ponemon Institute, 2025; CISA, 2025)

IBM’s Cost of a Data Breach Report 2025 identifies breaches initiated through compromised employee credentials as among the costliest category. The reason is dwell time. When an attacker enters through a stolen credential, their initial activity looks like a legitimate remote access session. Detection is harder. Containment takes longer. And in the time between initial compromise and discovery, considerable lateral movement, data access, and exfiltration can occur. (IBM Cost of a Data Breach Report, 2025)

One finding from the employed respondent data deserves specific attention: the behavioral risk gaps documented in this study aren’t concentrated in junior or less technical staff. Management and senior professional respondents showed comparable behavioral security gaps to the broader sample, and in some specific dimensions, particularly corporate system access over public Wi-Fi, they showed higher rates, reflecting the travel patterns of people at that level. The employees whose compromise would be most damaging to an organization aren’t demonstrably better protected than everyone else.

Long-Term Impact of Reactive Security Habits

The cumulative cost of the reactive security habit pattern is harder to quantify than a specific fraud event, but it’s real. Users who cycle through spike-and-decay repeatedly accumulate an exposure history that is substantially longer than their post-event protective windows suggest. The periods between protective episodes, the weeks and months when habits have quietly reverted and nothing seems threatening, are where the ambient, continuous attack infrastructure does its uncontested work.

A behavioral health analogy is useful here. Someone who exercises intensively for two weeks after a health scare and then stops doesn’t accumulate the benefits of consistent moderate exercise. The same logic applies in security. The cumulative protective value of modest but consistent security habits substantially outperforms intensive but episodic protection, because the risk environment is continuous and the episodic model is inherently gapped. (Lally et al., European Journal of Social Psychology, 2010; Wood and Neal, Psychological Review, 2007)

There’s also an institutional dimension worth naming. Security awareness training programs that produce genuine short-term behavior change are generating a return on investment that looks better if you measure at four weeks than at six months. Honest longitudinal evaluation, measuring actual behavior at twelve and twenty-four weeks post-intervention, would likely produce a return-on-security-investment picture that justifies significant reallocation from awareness programs toward structural and default-based interventions. (Gartner, 2025; Beautement et al., SOUPS, 2008)

SECTION 09

Implications for Individuals, Businesses, and Institutions

This study doesn’t call for one unified response. The behavioral patterns it documents are different across user types, organizational contexts, and national settings, and the interventions most likely to move them are different too. What follows is a set of differentiated implications calibrated to the real behavioral levers available in each context, grounded in the findings of this report rather than generic security checklists.

For Consumers

The most useful shift for individual users is away from a reactive protection model and toward a baseline one. Not because reacting to security news is wrong, but because the behavioral decay data shows it doesn’t hold. The protection activated after a big breach story will, with high probability, have faded within a month. What lasts is structural: security tools and configurations that are running by default rather than requiring a conscious decision each time.

The behavioral investments most worth making for individuals are one-time setup efforts that deliver ongoing protection without ongoing effort.

• A credential manager removes the primary behavioral incentive for password reuse by making unique passwords effortless rather than burdensome. This is the single highest-leverage action most users can take.
• Multi-factor authentication on accounts that matter, configured with the lowest-friction second factor available. The friction cost is the main adoption barrier in this study’s data; reducing it matters more than any additional persuasion.
• Always-on network protection rather than selective activation. The risk-triggered model is exactly the model that leaves gaps during the quiet periods when attacks are still running.
• Credential breach monitoring that delivers personal, concrete exposure alerts rather than general security news. This is the most effective available tool for disrupting the Passive Optimist’s sense of personal exemption. (Have I Been Pwned, 2025; NIST Special Publication 800-63B, 2024)

For Employers and Remote Teams

The behavioral gaps this study documents among employed respondents are not, at their core, an IT problem. They are a management, culture, and design problem that technical controls alone cannot fully solve. Employees accessing corporate systems from hotel lobbies over public Wi-Fi aren’t being reckless by their own assessment. They’re being productive. The security cost of that behavior is invisible to them at the moment it’s incurred, and organizational policy that exists only on an intranet page they haven’t read recently isn’t doing much to change that.

Three things need to happen in parallel.

• Default-secure technology provision: Managed devices with always-on encryption and zero-trust access controls that provide protection as a structural condition rather than depending on individual behavioral compliance.
• Security culture that treats protection as a professional norm, not a personal burden: This requires visible endorsement at the leadership level and integration into operational expectations, not just annual compliance training that gets clicked through. (ISO/IEC 27001:2022)
• Behavioral environment design targeted at the specific friction points where employees deviate: Remote access from travel locations, authentication in high-workload contexts, file sharing across personal and work devices. These are the precise scenarios where friction reduction produces the most behavioral impact. (CISA Remote Work Security Guidelines, 2025; Beautement et al., SOUPS, 2008)

For Financial Institutions

Financial institutions are unusual in this landscape because they are simultaneously downstream victims of individual behavioral security failures and uniquely positioned to do something about them. Account takeover fraud and payment fraud are direct losses that trace back to the credential practices and authentication habits documented in this report. But financial institutions also have something most other organizations don’t: frequent, high-salience touchpoints with their customers, the ability to make friction-reduction investments in authentication flows, and direct channels to deliver concrete, personal exposure information. (FTC Consumer Sentinel Network, 2025; Javelin Strategy and Research, 2025)

• Redesign authentication flows to eliminate passwords where possible and replace them with biometric or hardware token authentication. The friction cost that prevents Convenience-First users from adopting secure methods is a design problem that financial institutions can solve.
• Proactive credential exposure alerting delivered to customers in concrete, personal terms rather than generic advisory communications. This directly targets the Passive Optimist’s sense of personal exemption.
• Mobile application design that provides always-on encryption and real-time anomaly notification without requiring deliberate user activation. Secure by default, not secure by choice. (Javelin Strategy and Research, 2025; FIDO Alliance, 2025)

For Cybersecurity Policy and Education

Public policy operates at the scale required to address population-level behavioral patterns that individual and organizational interventions can only partially reach. The central implication of this study for policymakers is a shift away from the awareness-first model, which this report and a substantial body of supporting academic research consistently shows to be insufficient, toward a behavioral architecture model that treats the structural conditions under which security decisions are made as a first-order policy target.

This shift has concrete regulatory implications that are worth being specific about.

• Minimum security default standards for consumer devices and applications that require secure defaults rather than offering them as optional settings. Opt-out security outperforms opt-in security at population scale.
• Data breach notification requirements with teeth, delivering concrete, actionable, personal information to affected individuals rather than legally defensive generic advisories. (CISA National Cybersecurity Strategy, 2025)
• Public education programs designed around behavioral science principles, not awareness-transmission models. Narrative, personalization, social norm communication, and concrete risk evidence are the tools that actually shift behavior. Statistical probability statements are not. (EU Cyber Resilience Act, 2025; Fogg, Persuasive Technology, 2003)
• Investment in longitudinal behavioral security research that measures actual behavior over extended periods rather than relying on point-in-time awareness surveys that measure the wrong variable and report results before the decay curve completes. (NIST Cybersecurity Framework 2.0, 2024)

SECTION 10

Methodology

Survey Design and Sampling Framework

The survey was built around a specific design goal: reduce the gap between what people say they do and what they actually do. Most security awareness surveys inadvertently invite respondents to describe their best security behavior rather than their typical behavior. This one was designed to elicit behavioral reports, specific accounts of specific actions in specific contexts, rather than general attitudinal statements about how security-conscious a person considers themselves.

The instrument went through bias review, response option completeness checks, and social desirability testing before fielding, with pre-tests on representative subsamples in each country. Five thematic question blocks covered the full behavioral scope of the study.

• Block A: Digital activity profile. Device type distribution, remote work frequency, travel habits, mobile versus desktop activity split.
• Block B: Network behavior. Public Wi-Fi connection frequency by venue type, activity conducted on public networks, encryption awareness and actual use.
• Block C: Credential and authentication practices. Password reuse, manager adoption, 2FA deployment by account category, password change frequency and triggers.
• Block D: Threat perception and security attitudes. Threat ranking, personal susceptibility self-assessment, security behavior change triggers, prior incident experience.
• Block E: Protective behavior patterns. VPN consistency, activation triggers, self-assessed habit consistency, organizational tool provision status.

Country Distribution and Margin of Error

Approximately 400 respondents per country across the US, UK, Germany, India, and UAE, with quota sampling applied within each country for age cohort (18-34, 35-54, 55+), gender, and urbanization level. Country samples were checked against national digital population profiles from ITU and national statistical agencies, with minor post-fielding weighting adjustments applied in two samples where specific demographic cells were slightly overrepresented.

Country	Sample Size (n)	Margin of Error (+/-)	Population Alignment Sources
United States	~400	4.9% (95% CI)	U.S. Census Bureau; Pew Research Center, 2025
United Kingdom	~400	4.9% (95% CI)	ONS, 2025; Ofcom, 2025
Germany	~400	4.9% (95% CI)	Destatis, 2025; Eurobarometer, 2025
India	~400	4.9% (95% CI)	TRAI, 2025; GSMA Mobile Economy India, 2025
UAE	~400	4.9% (95% CI)	TDRA UAE Digital Report, 2025; UAE FCSA, 2025
Combined	2,000	2.2% (95% CI)	ITU Global ICT Development Index, 2025

Table 8: Sample distribution and confidence intervals. All analysis on weighted data.

VPN Session Data Aggregation and Analysis

The session telemetry dataset consists of aggregated, anonymized behavioral metrics from active VPN connections processed through AstrillVPN’s infrastructure. Individual-level data was not retained or analyzed at any stage. All session analysis was conducted on aggregate behavioral metrics constructed from de-identified, time-binned connection statistics, in compliance with applicable data protection frameworks and AstrillVPN’s data minimization principles. (GDPR Article 89; NIST Privacy Framework 1.1, 2023)

The metrics used in analysis cover connection event frequency, session duration patterns, network type signatures inferred from connection metadata, temporal activity distribution, and behavioral pattern clustering across cohorts. No content inspection or traffic analysis of any kind was conducted. The dataset captures behavioral metadata only, describing when, how often, for how long, and from what network context users engage protective tools.

Definition of Spikes, Decay, and Baseline Metrics

Behavioral spike events were identified using a rolling baseline methodology. A spike was defined as two or more consecutive days where connection event frequency exceeded two standard deviations above the preceding 28-day rolling mean, applied at cohort level to avoid individual outlier distortion. Spike onset was marked at the first day of exceedance; duration ran to the last day the daily metric remained one standard deviation above baseline.

The protection half-life metric represents the median time for the post-spike engagement metric to return to within one standard deviation of the pre-spike 28-day baseline mean, calculated across all identified spike events in the observation window. Baseline was defined independently per country cohort and per seasonal adjustment period to account for structurally elevated usage during predictable high-travel periods.

Limitations of the Study

Four limitations are worth stating clearly rather than burying.

• Digital recruitment bias: The survey was fielded digitally, which excludes the least digitally active population segments. The behavioral gaps documented here are likely conservative estimates of what a fully representative national sample would show.
• Social desirability in self-report: People tend to describe their security behavior as slightly better than it actually is when answering survey questions. The instrument was designed to minimize this, but not eliminate it. Cross-validation against session data was applied where possible.
• Selection effect in session data: VPN users are, by definition, more security-conscious than the average internet user. Behavioral gaps documented in the session data should be read as lower bounds on the gaps present in the broader population.
• Cross-sectional design: The survey captures a single point in time. The behavioral patterns described are correlational and observational. Causal interpretations are grounded in established behavioral science frameworks but would require longitudinal designs to confirm.

APPENDIX

Appendix

Survey Questionnaire

The five question blocks used in this study are summarized below. Full question text, response scales, rotation protocols, and pre-test reports are available to qualified researchers on request.

Block	Domain	Topics Covered
A	Digital Activity Profile	Device usage frequency; primary device categories; remote work status; travel frequency; mobile vs. desktop activity split
B	Network Behavior	Public Wi-Fi connection frequency by venue type; activity conducted on public networks; encryption awareness; actual protective tool use during public sessions
C	Credential and Authentication Practices	Password reuse frequency; password manager adoption; 2FA deployment by account category; password change frequency and triggers
D	Threat Perception and Attitudes	Threat severity ranking; personal susceptibility self-assessment; security behavior change triggers; prior personal security incident experience
E	Protective Behavior Patterns	VPN usage frequency and consistency; activation triggers; self-assessed behavior consistency; organizational tool provision status

Table 9: Survey questionnaire domain structure.

Technical Definitions

Key terms used with specific meanings throughout this report are defined below.

• Behavioral Decay: The process of reverting from elevated protective security behavior to a prior baseline following the resolution of an activating threat salience event. Measured as the trajectory of session engagement metrics from post-spike peak to pre-spike baseline, expressed as a half-life period.
• Behavioral Security Gap: The divergence between a user’s expressed security knowledge or stated protective intentions and their actual observed or self-reported protective behavior. Distinct from the awareness gap; the behavioral security gap exists even when awareness is high.
• Credential Stuffing: An automated attack technique in which large volumes of previously compromised username-password pairs are systematically tested against multiple online services, exploiting password reuse to achieve account access without directly stealing the target account’s credentials.
• Encryption Adoption Rate: The proportion of internet sessions, or the proportion of a specified survey population, for which encrypted transmission is consistently employed. Encompasses VPN, HTTPS, and encrypted messaging usage.
• Protection Half-Life: A study-specific metric: the median time required for the post-spike behavioral engagement metric to return to within one standard deviation of the pre-spike 28-day rolling baseline mean.
• Public Wi-Fi Risk Exposure: A composite behavioral index incorporating frequency of public network connection, type of digital activity conducted on those networks, and encryption adoption during those connections.
• Security Reactivity Score: A composite measure of the degree to which a respondent’s or country cohort’s protective security behavior is event-triggered rather than habitual and baseline.
• Threat Perception Gap: The divergence between a respondent’s expressed fear hierarchy across threat categories and the empirical risk hierarchy derived from independent security incident data.

Additional Data Tables

Five supplementary data tables accompany this report in the companion data publication.

• Table S1: Public Wi-Fi Composite Risk Index by Country and Age Cohort. Breaks down public network risk exposure by country and age group (18-34, 35-54, 55+).
• Table S2: Encryption Adoption Rate by Device Type and Country. Self-reported encryption adoption for desktop, laptop, and mobile contexts, disaggregated by country.
• Table S3: Behavioral Archetype Distribution by Country. Estimated proportional distribution of the four archetypes across each of the five surveyed countries.
• Table S4: Threat Perception Rankings by Country. Ranked threat hierarchy by expressed concern versus empirical risk hierarchy, by geography.
• Table S5: Session Spike and Decay Metrics by Cohort and Event Type. Median spike magnitude and protection half-life by geographic cohort and activating event category.

External Reference Sources

Note: Primary research findings in this report are drawn from this study’s own survey and session telemetry dataset and are attributed as such in the text. All external references listed below are independently verifiable published sources.

Adams, A., and Sasse, M. A. (1999). Users are not the enemy. Communications of the ACM, 42(12), 40-46.

Anderson, R. (2020). Security Engineering: A Guide to Building Dependable Distributed Systems (3rd ed.). Wiley.

APWG. (2025). Phishing Activity Trends Report, Q3 2025. Anti-Phishing Working Group.

Beautement, A., Sasse, M. A., and Wonham, M. (2008). The Compliance Budget: Managing Security Behaviour in Organisations. SOUPS.

Bhargavan, K., et al. (2014). Downgrading HTTPS. ACM CCS 2014.

Bulgurcu, B., Cavusoglu, H., and Benbasat, I. (2010). Information Security Policy Compliance. MIS Quarterly, 34(3), 523-548.

Cialdini, R. B. (2021). Influence: The Psychology of Persuasion (New and Expanded). Harper Business.

CISA. (2025). National Cybersecurity Strategy Implementation Plan.

CISA. (2025). Ransomware Guide.

CISA. (2025). Remote Work Security Guidelines.

CISA. (2025). Threat Intelligence Summary.

Destatis. (2025). Digital Economy and Society Statistics. Federal Statistical Office of Germany.

Dinner, I., et al. (2011). Partitioning default effects. Journal of Experimental Psychology: Applied, 17(4), 332-341.

Egelman, S., and Peer, E. (2015). Scaling the Security Wall. IEEE Security and Privacy, 13(1), 19-28.

EU Cyber Resilience Act. (2025). Regulation on horizontal cybersecurity requirements for products with digital elements.

Eurobarometer. (2025). Special Eurobarometer: Attitudes Towards Cybersecurity. European Commission.

FIDO Alliance. (2025). Online Authentication Barometer 2025.

Fogg, B. J. (2003). Persuasive Technology: Using Computers to Change What We Think and Do. Morgan Kaufmann.

FTC. (2025). Consumer Sentinel Network Data Book 2024.

FTC. (2025). Data Security Report.

GDPR Compliance Survey. (2025). Annual GDPR Compliance Survey. IAPP.

Google Project Zero. (2025). Year in Review: Vulnerability Research and Threat Analysis 2025.

Gartner. (2025). Magic Quadrant for Security Awareness Computer-Based Training.

GSMA. (2025). The Mobile Economy 2025.

Have I Been Pwned. (2025). Database Statistics and Breach Archive. haveibeenpwned.com.

IBM Institute for Business Value. (2025). Security Behavior and Consumer Response Study.

IBM Security. (2025). Cost of a Data Breach Report 2025.

ISO/IEC 27001:2022. Information security management systems requirements.

ITU. (2025). Global ICT Development Index 2025.

Javelin Strategy and Research. (2025). Identity Fraud Study 2025.

Johnson, E. J., and Goldstein, D. G. (2003). Do Defaults Save Lives? Science, 302(5649), 1338-1339.

Kahneman, D. (2011). Thinking, Fast and Slow. Farrar, Straus and Giroux.

Lally, P., et al. (2010). How are habits formed. European Journal of Social Psychology, 40(6), 998-1009.

Loewenstein, G., et al. (2001). Risk as Feelings. Psychological Bulletin, 127(2), 267-286.

Milkman, K. L., et al. (2011). Using implementation intentions prompts to enhance influenza vaccination rates. PNAS, 108(26), 10415-10420.

MITRE ATT&CK. (2025). MITRE ATT&CK Framework v15.

NIST. (2023). Privacy Framework Version 1.1.

NIST. (2024). Cybersecurity Framework 2.0.

NIST Special Publication 800-63B. (2024). Digital Identity Guidelines: Authentication and Lifecycle Management.

Ofcom. (2025). Communications Market Report 2025.

ONS. (2025). Internet Users, UK. Office for National Statistics.

OWASP. (2025). Mobile Security Testing Guide.

Pew Research Center. (2025). Americans and Cybersecurity.

Ponemon Institute. (2025). The State of Cybersecurity in the Remote Workforce.

Proofpoint. (2025). State of the Phish Annual Report 2025.

Schneier, B. (2003). Beyond Fear. Copernicus Books.

Slovic, P. (2000). The Perception of Risk. Earthscan Publications.

SpyCloud. (2025). Annual Credential Exposure Report 2025.

TDRA. (2025). UAE Digital Report 2025.

Thaler, R. H., and Sunstein, C. R. (2008). Nudge. Yale University Press.

TRAI. (2025). Annual Report on Telecom Subscribers.

Tversky, A., and Kahneman, D. (1974). Judgment under Uncertainty: Heuristics and Biases. Science, 185(4157), 1124-1131.

UAE Federal Competitiveness and Statistics Authority. (2025). UAE Digital Economy Report 2025.

Verizon. (2025). Data Breach Investigations Report 2025.

Wash, R. (2010). Folk Models of Home Computer Security. SOUPS 2010.

Wash, R., and Rader, E. (2015). Too Much Knowledge? SOUPS 2015.

Weinstein, N. D. (1980). Unrealistic Optimism About Future Life Events. Journal of Personality and Social Psychology, 39(5), 806-820.

Wood, W., and Neal, D. T. (2007). A new look at habits and the habit-goal interface. Psychological Review, 114(4), 843-863.

Workman, M. (2008). Wisecrackers. Journal of the American Society for Information Science and Technology, 59(4), 662-674.

Was this article helpful?

Yes No