Trust in Computing Research: 7: Consumerization of IT (location Breakdown)

This blog post is part of a continuing series on the Trust in Computing Research, a survey we undertook across nine countries and thousands of individuals during a project called TwC Next. During the process, more questions than answers arose in discussions about all of the computing and technology trends that society is currently experiencing and how they affect people’s trust in technology.

This blog post specifically looks at the questions we asked about devices and the concept of consumerization of IT across the world.

These results are focused on the location breakdown. There were several interesting points that came out of the first and second parts the series.

  • There are a significant number of people wanting to use their own devices in the workplace (40 percent) and actually doing so (67 percent).
  • 49 percent of respondents are allowed to use their own mobile devices, with a roughly 50/50 split on whether the IT department manages those devices or not.
  • People are generally concerned about security, privacy and reliability issues, with 87 percent concerned about system outages.
  • Information workers and home users are significantly less likely to use smartphones than others. 32 percent of Home Users compared with 78 percent of IT Professionals frequently use smartphones for personal use.
  • IT professionals, developers and decision makers (60 percent on average) see more importance of using your own device in the workplace than others (42 percent on average).
  • Business / Policy decision makers (30 percent) and IT professionals (28 percent) are more likely to be prohibited from putting their own applications and data on their computers than others (19 percent).

During the survey we asked what devices people use, how they use them, and with what frequency they do so. I started wondering if the geographic location of the person responding to the survey made any difference.

Let’s start with a look at the different types of devices people are using and how frequently they are using them across the globe. These are for reference as they help provide a foundation for the rest of the analysis.

[1] Personal Computer use frequency around the globe

clip_image002

For very frequent (more than 10 times per day) personal computer use, while there is significant variation between locations (China as the lowest at 48 percent vs. Russia as the highest at 74 percent), overall usage is significantly higher than all the other device categories across the globe. We also see this looking at the other end of the scale where the “do not use this type of device” response rate is very low for all locations. This leads me to believe that while people may have and use multiple devices, the PC is still the primary device people use most widely. Keep in mind that people are often using a PC for work and therefore this would impact the frequency use. I will discuss this more a little later on as there are some surprising results when you look at other devices.

  As a side note, we didn’t ask how long people were using the devices for, or how many things they did in a single session, and again these may be interesting factors. i.e. If you use a PC for two hours and perform twenty tasks, does this constitute one use, or twenty? Whereas if you use another device (for example a smartphone) for one minute to perform a single task twenty times in two hours, is this one use, or twenty? Food for thought about how use is interpreted…

 

[1] Tablet Computer use frequency around the globe

clip_image004

Here for Tablet use frequency, the “do not use this type of device” is significantly higher than all other categories around the globe, except for China. This suggests that China today may be at the forefront of tablet adoption.

[1] Smartphone for personal use frequency around the globe

clip_image006

Okay, I admit, this one is a bit hard to read, but therein lies the interesting part… let’s start with the orange lines representing “do not use this type of device”. You can see that around the globe there are between 20 percent (India) and 36 percent (Russia) of people that do not use smartphones for personal use. However, China is once again the anomaly with around seven percent that do not use smartphones for personal use. If we look the very frequent users (10 times or more per day) category, while China is in the lead with nearly 34 percent, most of the other locations are close behind in very frequent use (India with 30 percent, Australia with 30 percent and Germany at the bottom of the list with 20 percent). What this tells me is that while there are still large differences between the percentages of people using smartphones for personal use around the globe, when they do use them, people use them frequently.

[1] Smartphone for work use around the globe

clip_image008

It was useful to differentiate between “smartphones for personal use” and “smartphones work use” as we saw with the second part of the series as job function can determine use, for example whether you are given a smartphone for work etc. It also can mean that you might use the smartphone for work more frequently as you are in essence being paid to do so. This may be indicated by the result above where far fewer people actually use smartphones for work, but of those that do, they use them frequently.

[1] Gaming console connected to the Internet use around the globe

clip_image010

Asking who used a gaming consoles connected to the Internet was always expected to yield a far smaller set of results, but the anomalies here are Brazil (60 percent use these devices), India (62 percent use these devices) and China (76 percent use these devices). Unsurprisingly frequency of use is pretty low, but that could mean that people are using them for several hours to play games, stream movies and other content, which may constitute a single use. I do wonder as the push by many console manufacturers to make the console the media hub of your living room continues, how these figures may change in the future.

Let us change tack a little and see what happens when we compare the types of devices with people who are classified as “frequent” users. These are people who use the device once or more a day. We also classify people as “infrequent users” if they use the device for less than once per day.

[1] Frequent users of devices by location

clip_image012

This comparison of “frequent users” by device and location presents us with a couple of interesting data points:

  • China has significantly more “frequent” smartphone users, 86 percent for personal use and 72 percent for business use, than anywhere else, where the global average is 64 percent and 52 percent respectively.
  • China has significantly more “frequent” users in almost all categories than everywhere else by a significant margin, with India leading the rest of the field.

Following in the theme of “Bring Your Own Device” or BYOD, we looked at whether or not people are using their own devices in the workplace.

[2] Use of own devices in the workplace by location

clip_image014

In this instance, we can see that China once again leads with over 95 percent of people using their own devices in the workplace as compared with Germany with only 47 percent (only… this is still a big number). The conclusion here could be that Germans like to keep their work and personal life more separate, or potentially German companies provide more business managed devices? We will be exploring this shortly.

Perhaps we should start with whether or not Germans want to use their own devices in the workplace?

[3] Importance of using own devices in the workplace by location

clip_image016

It is interesting here that a relatively low number (36 percent) of Germans want to use their own devices in the workplace, especially compared with the BRIC countries (Brazil; 68 percent, Russia; 64 percent, India; 65 percent and China; 76 percent).

What about whether Germans want to be able to separate out their personal and work profiles on a device? (akin to using the same device work personal and work activities, but being able to separate those two worlds).

[3] Importance of separating out personal and work profiles/applications on a single device by location

clip_image018

Once again we see people in locations such as China, Brazil and India deeming it important to separate out person and work worlds. I did however expect to see a larger desire in countries with stronger privacy advocacy such as Germany, UK and Canada to be able to separate out personal and work profiles and applications. However in Germany for example, fewer than 50 percent of respondents expressed a desire to separate out their personal and work profiles on a single device. This suggests an even greater separation is preferred.

What about company policy affecting device use in the workplace you may well ask.

Given that the most common and frequently used devices are personal computers and laptops, we asked what organization’s policies were on employees buying their own PCs or laptops for work purposes.

[4] Policy on employees buying their own PCs or laptops for work purposes by location

clip_image020

As you can see, companies in countries such as China, India and Brazil allow more employees to buy their own devices for work purposes. Germany seems to have more companies that specifically prohibit employees from buying their own devices. In case you are wondering, “Other” refers to there not being a policy or that the respondent didn’t know.

[4] Policy on employees buying their own PCs or laptops for work purposes by location

clip_image022

If the employees are allowed, looking at whether or not a company is subsidizing the buying of PCs by the employee for work purposes can tell us how serious a company is. My conjecture is that many companies allow employees to buy their own PCs as a way to save money, specifically in terms of enabling people to keep up with the latest technology. For example, how many of us have wished that we had a new computer long before ours is due for replacement? Allowing employees to purchase and use their own computers outside of the normal replacement schedule may be a way to accommodate user’s hardware preferences.

The other side of the coin is that some organizations are actively helping by subsidizing the purchase of computers by employees for work purposes. This may be because an organization is trying to save money on procurement costs or just bowing to employee pressure to have more choice in the devices they use. Interestingly enough, some companies that have gone down this path have seen mixed results. For example, in the last part in the series, I referred to a recent interview with Jeanette Horan (IBM’s chief information officer), where it was suggested that allowing employees to use their own devices in the workplace didn’t save money, instead created new challenges.

We also asked what the organization’s policies were towards installing users own applications or personal data on their work PC.

[5] Policy on employees installing their own applications or personal data on work PCs by location

clip_image024

In line with the previous question, companies in countries such as China, India and Brazil allow more employees to installing their own applications or personal data on work PCs. Germany and the UK seem to have more organizations that specifically prohibit employees from doing so. It could be that not only do German employees want to keep personal and work lives separate, but so do German companies.

Now if we look at whether IT departments support personal applications and data being present on work PCs where companies specifically allow its presence.

[5] Policy on employees installing their own applications or personal data on work PCs by location

clip_image026

The one big differential here is that the US is the highest out of all of the non BRIC countries in supporting installing your own applications or personal data by the IT department. This could mean that companies in the US are reducing risk by fully supporting machines whether they contain personal applications and data or not.

Mobile devices such as smartphones and tablets are becoming a bigger part of our work lives as the new form factors are adopted.

[6] Organization’s mobile device policy for work email and applications by location

clip_image028

Here, when we asked about the organization’s policy towards mobile devices for work email and applications we noticed that apart from the US, the BRIC countries all allow the use of more employee owned mobile devices for work email and applications. The other countries all seem to have a preference for organization owned devices. This may also suggest that companies in Germany would prefer to have their users leveraging company owned devices.

[6] Organization’s mobile device policy for work email and applications by location

clip_image030

For those organizations that allow employees to use their own mobile devices for work email and applications, we see that with the exception of companies in China, organizations prefer to allow self-management of devices. There are degrees of management that may not show up here, whereby technologies like Microsoft Exchange can force policies (such as timed lockout and pin numbers etc) on to a device, which means that while the organization does not directly manage the device, they do influence how the device is used in order to allow connectivity to corporate resources.

[6] Organization’s mobile device policy for work email and applications by location

clip_image032

For instances where organizations provide devices to employees, it seems that there is a stronger likelihood that the device will be managed by the IT department. Companies in locations such as Germany, Australia and the UK are significantly more likely to have their IT departments manage corporate owned mobile devices than not. This is typically to reduce risk to the organization.

Now that we have spent some time looking at preference and policies towards the use of user owned devices, applications and data within organizations around the globe, I want to take a look at how these policies influence what people are concerned about.

If we think about some of the things we have discussed from a risk perspective, the choices we make as a consumer and as organizations can significantly impact our risk posture. For example, if an organization allows employees to purchase and use their own devices in the workplace, how would this affect security and privacy? In many cases it is easier for an organization to secure and manage a small set of devices, operating systems and applications than it is to do many.

It can also be a potential risk to allow employees to install their own applications and data on a device when that could in themselves be a new and unknown attack vector in to an organization. For example, what happens when an employee installs a consumer cloud synchronization / storage solution to be able to back up their data and perhaps company data is now allowed to exfiltrate the organization by being synchronized on to a computer at home?

What about the storage of information on un-managed devices? For example, I mentioned that some email server software forces a user to log on to a smartphone with a pin number. Why would that be important – consider that if an employee is storing company data on a device that leaves the building every night, what happens if the employee loses the smartphone? A pin number may be a small step to stopping free and easy access to the data held on the device. There are many such scenarios, but for most organizations, it is about knowing and understanding the risks, and where possible putting safeguards in place to help mitigate the risk.

These understood risks often show up as concerns. i.e. people understand the possible outcomes and often prioritize based on that they perceive would have the biggest impact to themselves and their organizations.

In the survey, we asked about a number of potential outcomes (in no particular ranking):

  1. Organization, employee, or customer data breach/loss
  2. Intellectual property misappropriated/stolen
  3. System outage
  4. Organization announcement compromised
  5. Negative press cycle
  6. Employee/internal human resources issues
  7. External legal issues

While this list is not exhaustive, it represents many of the common challenges faced by organizations.In each case, here are the levels of concern around the globe:

[7] Organization, employee, or customer data breach/loss by location

clip_image034

[7] Intellectual property misappropriated/stolen by location

clip_image036

[7] System outage by location

clip_image038

[7] Organization announcement compromised by location

clip_image040

[7] Negative press cycle by location

clip_image042

[7] Employee/internal human resources issues by location

clip_image044

[7] External legal issues by location

clip_image046

Here are the overall top three concerns by location [7]:

1. Organization, employee, or customer data breach/loss
2. Intellectual property misappropriated/stolen
3. System outage
4. Organization announcement compromised
5. Negative press cycle
6. Employee/internal human resources issues
7. External legal issues

Key

Top 1

 

Top 2

 

Top 3

 

 

US

Canada

United Kingdom

Australia

India

China

Brazil

Russia

Germany

Overall

1

49.60%

44.30%

46.50%

43.70%

67.40%

81.70%

63.50%

 

39.10%

55.50%

2

49.20%

47.20%

42.70%

46.80%

66.40%

     

42.80%

54.60%

3

52.40%

48.20%

45.30%

53.20%

 

77.40%

65.20%

78.50%

38.50%

57.40%

4

       

64.50%

81.70%

60.50%

73.00%

   

5

                   

6

             

72.00%

   

7

                   

As you can see, there is a good amount of commonality in concerns about Organization, employee, or customer data breach/loss and System outages. It was however interesting to note that in BRIC countries, the organization announcement compromised seems to be a bigger concern than elsewhere.

Conclusion

In this part of the series, we looked at some general factors around device usage (what are people using and how frequently) and the policies companies have toward the use of personal devices in the workplace by location. Both of these fall in line with the concept of consumerization of IT. We wrapped up by asking how concerned people are with security, privacy and reliability issues given their company’s policies on cloud, social media and device usage and will drill into this area more in upcoming analysis.

There were several interesting findings that came out of this analysis:

  • China has significantly more “frequent” smartphone users, 86 percent for personal use and 72 percent for business use, than anywhere else, where the global average is 64 percent and 52 percent respectively.
  • Users in BRIC countries are significantly more likely to use their own devices in the workplace than elsewhere in the world.
  • More companies in China, India, Brazil and US actively subsidize users to buy their own PCs and laptops for work use than organizations in other locations.
  • Most mobile devices used for accessing company resources are managed by the users themselves.

Make sure you keep watching the Microsoft Security Blog: http://blogs.technet.com/security for further analysis.


Sources and references

[1] Source: On average, how often, if at all, do you use the following devices? (PC, Tablet, Smartphone for Personal Use, Smartphone for Business Use, Game Console)

[2] Source: Trust in Computing Survey 2012, Q. Do you currently use any of your own devices in the workplace (PC, Tablet, Smartphone for Personal Use, Smartphone for Business Use, Game Console)?

[3] Source: Trust in Computing Survey 2012, Q. How important is it to you to be able to do each of the following? (Own device, separate profiles)

[4] Source: Trust in Computing Survey 2012, Q. Please indicate your organization’s policy on employees buying their own PCs or laptops for work purposes.

[5] Source: Trust in Computing Survey 2012, Q. Q43. Please indicate your organization’s policy on employees installing their own applications or storing personal data on their work PC.

[6] Source: Please indicate your organization’s mobile device policy for work email and applications.

[7] Source: Trust in Computing Survey 2012, Q. Given your organization’s policies on cloud, social, and devices, how concerned are you with the following? (data breach, IP stolen, system outage, negative PR)