Pakistan is a country with very large social disparities, especially in terms of income and education level. “At the bottom of the social ladder are people who work as cleaning staff, in middle- and upper-class households, or in factories,” explains CISPA researcher Sumair Hashmi. “At the same time, they make up the majority of society. Low income often goes hand in hand with a low literacy rate. I was interested in which cybersecurity threats these people face, how they protect themselves from attacks, and what cybersecurity and data privacy mean to them.” Unlike the behavior of people in industrialized nations, cybersecurity practices among populations in the Global South and in non–English-speaking contexts have so far been little researched.
Hashmi’s research interest was driven by everyday questions: How do people inform themselves about security and privacy? How do they react when they receive a scam call? Those were the kind of questions that intrigued him. “Information on these topics is usually only available in written form and in English,” the researcher continues. “And because people from low-income groups in many cases cannot read or write and generally speak only Urdu, the local language, they have no access to this information.” Hashmi and his fellow researchers from CISPA and the Lahore University of Management Sciences in Pakistan decided to explore the topic through a qualitative interview study, for which they recruited 20 Pakistani participants from the occupational fields mentioned above. The interview study itself was preceded by a phase of ethnographic field observations to gain a deeper understanding of the target group’s living and working conditions.
Results
A total of ten men and ten women between the ages of 20 and 49, with an average monthly income of 30,500 Pakistani rupees (approximately 96 euros), were specifically interviewed for the study. Not all respondents owned personal devices; some used phones belonging to family members or acquaintances. “We identified financial fraud and digital extortion as the most predominant security risks,” Hashmi explained. “We found that all respondents relied on better-informed individuals – either to set up user accounts on their phones and applications or to seek advice when problems arose,” Hashmi continued. Support came either in the form of verbal advice or intermediation.
“Many respondents simply handed their phone to a trusted person and asked them to perform specific actions, such as setting up a password, rather than asking for guidance,” Hashmi noted, describing the social dynamics involved. Advice typically came from family members, close friends, or coworkers. The nature of the advice was influenced by the respondents’ work environments: “University janitorial staff shared more diverse advice than factory workers. They also had more avenues to seek advice from, such as from their co-workers, supervisors, and even the professors and students on campus,” the researcher observed. The security guidance respondents received could be categorized into action-oriented instructions and explanatory advice. The most important practical tips identified were to avoid and block unknown numbers, to check and verify messages and their senders, and to refrain from disclosing personal assets.
In summary, the study highlights the deeply rooted social embeddedness of security-related practices among Pakistanis with low socioeconomic status. “Our study shows how advice is shared within such low socioeconomic communities,” Hashmi explains. Rigid gender roles and the strict norms of Pakistan’s class system play a particularly important role in this context. Family dynamics and the fear of being ridiculed often make it difficult to seek advice. Guidance is typically accepted only when the advisor is perceived as competent and a relationship of trust exists. Another key finding concerned the specific threat landscape faced by the target group in Pakistan: “Due to their precarious financial situation, our study participants are especially vulnerable to scams that lure them with supposedly easy-to-repay loans or lottery winnings,” he notes. Consequently, the nature of the threats faced by respondents tends to exploit human vulnerabilities rather than technological flaws.
Outlooks
The threat landscape for cyberattacks in developing countries such as Pakistan is unique, as attackers exploit people’s financial hardships and their sociocultural norms. “In order to address this situation and to mitigate security and privacy issues for population groups with low socioeconomic status, new context-specific guidance and technologies must be developed,” says Hashmi. “Future research should investigate how security advisories can be targeted to reach the most disadvantaged people in Pakistan, providing them with greater protection,” the researcher continues. He plans to continue working in this area and envisions expanding the study to other regions of the world. “It is crucial that we gain a deeper understanding of the needs and cybersecurity practices of people in the Global South – those who do not belong in the Western, Educated, Industrialized, Rich, and Democratic (W.E.I.R.D) population – in order to develop appropriate recommendations,” he asserts.
