Security and privacy compliance – how much does it cost?
Advanced Google Analytics Data Studio visualisation to assess how much compliance might cost.
I had a fascinating question from a client recently:
“Can you build a segment to show how many users will be affected if we only support TLS 1.2?”
The reason for this question is the decision by the PCI Security Council that TLS 1.0 is not a strong enough form of encryption.
Put simply TLS, or Transport Layer Security, makes the internet more secure for you. The latest standard fixes a whole bunch of vulnerabilities. Yes, you really need to do better for your users.
I can hear you wondering…”Wait, but, won’t loads of users be unable to use my site?”
That’s what I sought to dig out. TLS 1.2 support is quite broad but the range of devices, operating systems, browsers and versions means the net needs to trawl wide and deep to identify user agents that are or are not capable of talking TLS 1.2
Digging for the answer
There are myriad resources on what does and doesn’t support TLS 1.2. Finding the data in Google Analytics requires multiple dimensions:
- Browser version
- Operating system
- Operating system version
Building a segment in GA is going to be super hard. Wrangling those dimensions into logical groups isn’t trivial. Let’s use the power of Data Studio to find the answer instead.
Advanced Google Analytics Data Studio visualisation
First, we need to build a toolkit of custom dimensions:
Now we’ve got a neat set of tools with which we can build powerful queries. I don’t suggest this technique will generate a 100% exhaustive list of TLS 1.2 supported clients but it’s solid enough to build a decision on so here goes.
We need to match a variety of browsers, versions and operating systems and versions. This needs one more custom dimension.
Using a Case/When conditional calculated field we can use a series of regular expressions to perform our matching logic.
Say we want to pull out Firefox browsers of version 27 and over, we’re really only interested in the top level version. As you can see above, the Browser and version custom dimension concatenates the browser name with the Browser Top Level Version custom Dimension which we can then match against this reg ex:
Firefox - ([2-9][7-9]|[3-9][0-9])
When regexp_match returns true, we set the TLS 1.2 supported custom dimension value to TRUE. Then it’s a case of rinse a repeat for all the clauses you want to add based on the browser & OS custom dimensions at our disposal:
CASE WHEN REGEXP_MATCH(Browser and version, 'Firefox - ([2-9][7-9]|[3-9][0-9])') THEN TRUE WHEN REGEXP_MATCH(Browser and version, 'Chrome - [3-9][0-9]') THEN TRUE WHEN REGEXP_MATCH(Browser and version, 'Internet Explorer - ([1-9][1-9]|[2-9][0-9])') THEN TRUE WHEN REGEXP_MATCH(Browser and version, 'Opera - ([1-9][7-9]|[2-9][0-9])') THEN TRUE WHEN REGEXP_MATCH(Browser and version, 'Edge - ([1-9][3-9]|[2-9][0-9])') THEN TRUE WHEN REGEXP_MATCH(Browser, version & OS, 'Safari - ([5-9]|1[0-9]) - iOS') THEN TRUE WHEN REGEXP_MATCH(Browser, version & OS, 'Safari - (7|8|9|1[0-9]) - Macintosh') THEN TRUE WHEN REGEXP_MATCH(OS & OS Version, '[b-zB-Z]|Android - ([4-9].[0-9]|[5-9][0-9])') THEN TRUE ELSE FALSE END
This is a useful dimension we can match up against metrics to quantify the scale of the problem or opportunity.
We can see that just under 4% of sessions don’t support TLS 1.2 That doesn’t sound so good but when we look at how support has grown over the first half of the year we see a positive trend – much more persuasive:
Here’s the big takeaway though: To answer the key business question in a more meaningful way, we need to look at how the value from browsers that support TLS 1.2 changes over time:
Wow – that’s much steeper. Up and to the right is always a good sign.
Good – overall, only 1.2% of revenue currently comes from browsers that don’t support TLS 1.2. An actionable insight indeed.
This stands up to scrutiny when you consider older browsers are those in the “don’t support” segment. If you don’t run contemporary browser software, it’s less likely you’re the typical online purchasing type. Ergo, the impact of TLS 1.2 support only can be considered minimal.