Privacy Concerns and Acceptance Factors of OSINT for Cybersecurity: A Representative Survey

Thea Riebe; Tom Biselli; Marc-André Kaufhold; Christian Reuter

Privacy Concerns and Acceptance Factors of OSINT for Cybersecurity: A Representative Survey

Authors: Thea Riebe (Technical University of Darmstadt), Tom Biselli (Technical University of Darmstadt), Marc-André Kaufhold (Technical University of Darmstadt), Christian Reuter (Technical University of Darmstadt)

Volume: 2023
Issue: 1
Pages: 477–493
DOI: https://doi.org/10.56553/popets-2023-0028

Download PDF

Abstract: The use of Open Source Intelligence (OSINT) to monitor and detect cybersecurity threats is gaining popularity among Cybersecurity Emergency or Incident Response Teams (CERTs/CSIRTs). They increasingly use semi-automated OSINT approaches when monitoring cyber threats for public infrastructure services and incident response. Most of the systems use publicly available data, often focusing on social media due to timely data for situational assessment. As indirect and affected stakeholders, the acceptance of OSINT systems by users, as well as the conditions which influence the acceptance, are relevant for the development of OSINT systems for cybersecurity. Therefore, as part of the ethical and social technology assessment, we conducted a survey (N=1,093), in which we asked participants about their acceptance of OSINT systems, their perceived need for open source surveillance, as well as their privacy behavior and concerns. Further, we tested if the awareness of OSINT is an interactive factor that affects other factors. Our results indicate that cyber threat perception and the perceived need for OSINT are positively related to acceptance, while privacy concerns are negatively related. The awareness of OSINT, however, has only shown effects on people with higher privacy concerns. Here, particularly high OSINT awareness and limited privacy concerns were associated with higher OSINT acceptance. Lastly, we provide implications for further research and the use of OSINT systems for cybersecurity by authorities. As OSINT is a framework rather than a single technology, approaches can be selected and combined to adhere to data minimization and anonymization as well as to leverage improvements in privacy-preserving computation and machine learning innovations. Regarding the use of OSINT, the results suggest to favor approaches that provide transparency to users regarding the use of the systems and the data they gather.

Keywords: cybersecurity, OSINT, online social networks, privacy, surveillance

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.