As you may have read in the introduction Bruce and I posted to kick off this series, we undertook the Trust in Computing Research after coming up with more questions than answers during a project called TwC Next which marked the 10-year milestone of Microsoft Trustworthy Computing. The questions in the survey arose during interesting discussions about all of the computing and technology trends that society is currently experiencing and how they affect people’s trust in technology.
This is the part in the ongoing series specifically looking at questions we asked about devices and consumerization of IT. You can read the full introduction here.
Note: The consumerization of IT refers mainly to consumer technology that is ultimately adopted in the enterprise. A good example of this would be bring your own device (BYOD), where companies may allow employees to use their own mobile devices for business purposes rather than issuing a “corporate” device.
During the survey, we asked a number of questions relating to the devices people use, what they use them for, as well as whether or not people are using their own devices in the workplace. From a security, privacy and reliability perspective (the core pillars of Trustworthy Computing), this is an important factor.
Take for example my smartphone… It is a device that I own personally. I access my work email and other resources from it. I also use it for social networking and browsing the Internet among other things. That means that it is a risk for the IT department to let me loose in the world with a device that they do not manage, but contains company data. The company mitigates some of the risk by applying some policies such as an automatic screen lock and password to unlock the device. That helps reduce the risk if I lose the device. However, I put personal applications on the device, so what happens if one of those applications is malicious? The short answer is – for the company and myself, it is all about how you weigh risk vs. benefit.
For TwC, our goal is to both help people understand the risk vs. benefit equation as well as provide the information, tools and guidance to help mitigate some of the risk.
Consumerization of IT
The first question in this space that we asked was – “On average, how often, if at all, do you use the following devices? (PC, tablet, smartphone for personal use, smartphone for business use, game console connected to the Internet)?” I will start with the complicated, but interesting, graphs (below). What you see is that personal computers (the dark blue boxes) are used significantly more frequently than any other device type, followed by smartphones for personal use (purple) and then business use (light blue). Despite the growth in the market, tablets (green) had the largest number of people not using these types of devices (55.2%). We chose to specify that we were only interested in games consoles connected to the Internet as these, in many cases, are capable of accessing cloud-based services as well as games.
 Frequency of devices usage (PC, tablet, smartphone, game)
You might have noticed that we split out smartphones for both personal and business use. This was to provide a way to separate out usage scenarios. We noticed a significant difference between the number of people using smartphones frequently for personal use (64%) and business use (52%).
 Comparison of frequency of smartphones for personal and business use
Going back to our theme of consumerization of IT, we wondered how many people used personal devices in the workplace. This could range from personal computers to smartphones and tablets.
 Use of own devices in the workplace
From our survey, it seems the vast majority of people (67%) use their own devices in the workplace. However, we wondered as to what extent this is sanctioned by the organization. We asked “Please indicate your organization’s policy on employees buying their own PCs or laptops for work purposes” The importance here is that personal computers or laptops are the most common devices to be issued by a company to their employees. There is, however, a trend (commonly referred to as BYOD) where companies allow users to select the device that they would like, or use their own. In this case, we found that 53 percent of respondents indicated that there was a policy allowing them to use their own devices, with only 24 percent being prohibited from doing so. Even more interestingly, 20 percent suggested that the company subsidized the use of personal devices in the workplace.
 Organizations’ policies on employees using their own personal computers or laptops for work purposes
It is one thing for an organization to allow or even subsidize the use of personal computers or laptops for work purposes, but how about installation of personal (non-work related) applications on those devices? A potential risk to an organization is if a user installs a malicious third-party application on to a computer. There have been many instances of consumer applications being used to propagate malware (see the Microsoft Security Intelligence Report for further information). If a business limited or prohibited the use of these applications, it could reduce the threat to company data; however, this might be unpopular with employees. Different organizations take different approaches depending on the potential threat to their organization. For example, 29 percent of respondents suggested their organizations prohibit the installing of personal applications on to their computer. In contrast, 22 percent are allowed to do so and supported by their IT department.
 Organizations’ policies on employees installing their own applications or storing personal data on their work PC
Personal computers and laptops are the most common device used in organizations, but as we saw earlier, 52 percent of respondents use a smartphone for business purposes. We asked people to “Please indicate your organization’s mobile device policy for work email and applications?” Keep in mind that we allowed people to select multiple answers given that while an organization may provide a managed device for employees, they may also allow the use of personal mobile devices to access work email as well. This was in part to understand not only who supplies the devices, but who manages them. For example, you may supply your own mobile device, but it could be managed by the company.
Perhaps a surprisingly small number (26 percent) of respondents suggested their organization did not permit personal mobile devices to access corporate resources. Nearly double that amount, 49 percent of respondents suggested that the organization they worked for allows them to use their own mobile devices. Interestingly, 48 percent suggest that they manage their mobile devices themselves vs. 47 percent that are managed by the organization.
 Organization’s mobile device policy for work email and applications
After discussing what companies allow, what do people want? We asked how many people would like to use their personal devices in the workplace. Overall, 56 percent of respondents suggested it was important or very important that they could use their own devices in the workplace, compared to 23 percent suggesting it was not important to be able to do so.
 How important is it to use your own devices in the workplace?
We also wondered if people using their own devices or applications in the workplace would prefer to separate their profiles. This can be important to help people separate their personal and professional lives. A good example of this would be to have two separate logins to a laptop whereby one includes work applications and data, whereas another would just include personal applications and data. 55 percent of respondents felt it was important or very important to do this separation.
 How important is it to separate your personal and work profiles on your mobile device?
One of the reasons an organization might be concerned about employees leveraging their own devices, is what happens when things go wrong. We asked what people were concerned with, given their company’s policies on cloud, social and devices. Overall, there is a reasonably high level of concern with potential security, privacy and reliability issues. Highest among the scenarios we suggested is concern about system outages (87 percent somewhat or very concerned), with people least concerned about negative press cycles (20.2 percent).
 Given your organization’s policies on cloud, social and devices, how concerned are you?
In this part of the series, we looked at some general factors around device usage (what are people using and how frequently) and the policies companies have toward the use of personal devices in the workplace. Both of these fall in line with the concept of consumerization of IT. We wrapped up by asking how concerned people are with security, privacy and reliability issues given their company’s policies on cloud, social media and device usage and will drill into this area more in upcoming analysis.
There were several interesting findings that came out of this analysis:
- There is a significant number of people wanting to use their own devices in the workplace (40 percent) and actually doing so (67 percent).
- 49 percent of respondents are allowed to use their own mobile devices, with a roughly 50/50 split on whether the IT department manages those devices or not.
- People are generally concerned about security, privacy and reliability issues, with 87 percent concerned about system outages.
Make sure you keep watching the Microsoft Security Blog: http://blogs.technet.com/security for further survey results and analysis.
Sources and references
 Source: On average, how often, if at all, do you use the following devices? (PC, Tablet, Smartphone for Personal Use, Smartphone for Business Use, Game Console)
 Source: Trust in Computing Survey 2012, Q. Do you currently use any of your own devices in the workplace (PC, Tablet, Smartphone for Personal Use, Smartphone for Business Use, Game Console)?
 Source: Trust in Computing Survey 2012, Q. Please indicate your organization’s policy on employees buying their own PCs or laptops for work purposes.
 Source: Trust in Computing Survey 2012, Q. Q43. Please indicate your organization’s policy on employees installing their own applications or storing personal data on their work PC.
 Source: Please indicate your organization’s mobile device policy for work email and applications.
 Source: Trust in Computing Survey 2012, Q. How important is it to you to be able to do each of the following? (Own device, separate profiles)
 Source: Trust in Computing Survey 2012, Q. Given your organization’s policies on cloud, social, and devices, how concerned are you with the following? (data breach, IP stolen, system outage, negative PR)