The goal of this study was to examine the relation between users’ reported risk concerns and their choice behaviors in a mobile application (app) selection task.
Background
Human users are typically regarded as the weakest link in cybersecurity and privacy protection; however, it is possible to leverage the users’ predilections to increase security. There have been mixed results on the relation between users’ self-reported privacy concerns and their behaviors.
Method
In three experiments, the timing of self-reported risk concerns was either a few weeks before the app-selection task (pre-screen), immediately before it (pre-task), or immediately after it (post-task). We also varied the availability and placement of clear definitions and quizzes to ensure users’ understanding of the risk categories.
Results
The post-task report significantly predicted the app-selection behaviors, consistent with prior findings. The pre-screen report was largely inconsistent with the reports implemented around the time of the task, indicating that participants’ risk concerns may not be stable over time and across contexts. Moreover, the pre-task report strongly predicted the app-selection behaviors only when elaborated definitions and quizzes were placed before the pre-task question, indicating the importance of clear understanding of the risk categories.
Conclusion
Self-reported risk concerns may be unstable over time and across contexts. When explained with clear definitions, self-reported risk concerns obtained immediately before or after the app-selection task significantly predicted app-selection behaviors.
Application
We discuss implications for including personalized risk concerns during app selection that enable comparison of alternative mobile apps.
AcquistiA.BrandimarteL.LoewensteinG. (2015). Privacy and human behavior in the age of information. Science, 347, 509–514.https://doi.org/10.1126/science.aaa146525635091
3.
AcquistiA.JohnL. K.LoewensteinG. (2013). What is privacy worth?The Journal of Legal Studies, 42, 249–274.https://doi.org/10.1086/671754
4.
AggarwalP.GautamA.AgarwalV.GonzalezC.DuttV. (2019). HackIT: A human-in-the-loop simulations tool for realistic cyber deception experiments. In10th International Conference on Applied Human Factors and Ergonomics (pp.109–121). Springer.
5.
AhmedM.SharifL.KabirM.Al-MaimaniM. (2012). Human errors in information security. International Journal of Advanced Trends in Computer Science and Engineering, 1, 82–87.
6.
AïmeurE.LawaniO.DalkirK. (2016). When changing the look of privacy policies affects user trust: An experimental study. Computers in Human Behavior, 58, 368–379.https://doi.org/10.1016/j.chb.2015.11.014
7.
AjzenI.FishbeinM. (1977). Attitude-behavior relations: A theoretical analysis and review of empirical research. Psychological Bulletin, 84, 888–918.https://doi.org/10.1037/0033-2909.84.5.888
8.
AjzenI.FishbeinM. (2005). The influence of attitudes on behavior. InAlbarracínD.JohnsonB. T.ZannaM. P. (Eds.), The handbook of attitudes (pp.173–221). Erlbaum Publishers.
9.
AwadKrishnan. (2006). The personalization privacy paradox: An empirical evaluation of information transparency and the willingness to be profiled online for personalization. MIS Quarterly, 30, 13–28.https://doi.org/10.2307/25148715
10.
BarthS.de JongM. D. T. (2017). The privacy paradox – investigating discrepancies between expressed privacy concerns and actual online behavior – a systematic literature review. Telematics and Informatics, 34, 1038–1058.https://doi.org/10.1016/j.tele.2017.04.013
11.
BaumeisterR. F.VohsK. D.FunderD. C. (2007). Psychology as the science of self-reports and finger movements: Whatever happened to actual behavior?Perspectives on Psychological Science, 2, 396–403.https://doi.org/10.1111/j.1745-6916.2007.00051.x26151975
12.
Ben-AsherN.MeyerJ. (2018). The triad of risk-related behaviors (TriRB): A three-dimensional model of cyber risk taking. Human Factors, 60, 1163–1178.https://doi.org/10.1177/001872081878395329989834
13.
Ben-AsherN.MeyerJ. (2019). Three dimensions of user risk-taking: Individual differences in the TriRB. InProceedings of the Human Factors and Ergonomics Society Annual Meeting (pp.267–271). SAGE Publications.
14.
BertrandM.MullainathanS. (2001). Do people mean what they say? Implications for subjective survey data. The American Economic Review, 9, 67–72.
15.
BrehmJ. W.CohenA. R. (1962). Explorations in cognitive dissonance. John Wiley.
16.
BuckC.HorbelC.GermelmannC. C.EymannT. (2014). The unconscious app consumer: Discovering and comparing the information-seeking patterns among mobile application consumers. InAvitalM.SchultzeU.LeimeisterJ. M. (Eds.), Proceedings of the twenty second european conference on information systems (pp.1–14). Association for Information Systems. AIS Electronic Library (AISeL).
17.
CarpenterS.ShreevesM.BrownP.ZhuF.ZengM. (2018). Designing warnings to reduce identity disclosure. International Journal of Human–Computer Interaction, 34, 1077–1084.https://doi.org/10.1080/10447318.2017.1413792
18.
ChenJ.GeH.MooreS.YangW.LiN.ProctorR. W. (2018). Display of major risk categories for android apps. Journal of Experimental Psychology: Applied, 24, 306–330.https://doi.org/10.1037/xap000016329927274
19.
ChongI.GeH.LiN.ProctorR. W. (2018). Influence of privacy priming and security framing on mobile app selection. Computers & Security, 78, 143–154.https://doi.org/10.1016/j.cose.2018.06.005
20.
ConnellyK.KhalilA.LiuY. (2007). Do I do what I say?: Observed versus stated privacy preferences. InIFIP conference on human-computer interaction (pp.620–623). Springer.
21.
FestingerL. (1962). A theory of cognitive dissonance. Stanford University Press.
HardeeJ. B.WestR.MayhornC. B. (2006). To download or not to download: An examination of computer security decision making. Interactions, 13, 32–37.
24.
JacksonC. B.WangY. (2018). Addressing the privacy paradox through personalized privacy notifications. InProceedings of the ACM on interactive, mobile, wearable and ubiquitous technologies (Vol. 2, pp.68:1–68:25). Association for Computing Machinery.https://doi.org/10.1145/3214271
25.
JensenC.PottsC.JensenC. (2005). Privacy practices of internet users: Self-reports versus observed behavior. International Journal of Human-Computer Studies, 63, 203–227.https://doi.org/10.1016/j.ijhcs.2005.04.019
26.
JorgensenZ.ChenJ.GatesC. S.LiN.ProctorR. W.YuT. (2015). Dimensions of risk in mobile applications: A user study. InProceedings of the fifth ACM conference on data and application security and privacy (pp.49–60). Association for Computing Machinery.
27.
JuangK.GreensteinJ. (2018). Integrating visual mnemonics and input feedback with passphrases to improve the usability and security of digital authentication. Human Factors, 60, 658–668.https://doi.org/10.1177/001872081876768329718722
28.
KeithM. J.ThompsonS. C.HaleJ.LowryP. B.GreerC. (2013). Information disclosure on mobile devices: Re-examining privacy calculus with actual user behavior. International Journal of Human-Computer Studies, 71, 1163–1173.https://doi.org/10.1016/j.ijhcs.2013.08.016
29.
KobsaA. (2007). Privacy-enhanced web personalization. InBrusilovskyP.KobsaA.NejdlW. (Eds.), The adaptive web: Methods and strategies of web personalization (pp.628–670). Springer-Verlag.
30.
KokolakisS. (2017). Privacy attitudes and privacy behaviour: A review of current research on the privacy paradox phenomenon. Computers & Security, 64, 122–134.https://doi.org/10.1016/j.cose.2015.07.002
31.
McDougaldB. R.WogalterM. S. (2014). Facilitating pictorial comprehension with color highlighting. Applied Ergonomics, 45, 1285–1290.https://doi.org/10.1016/j.apergo.2013.05.00823759792
32.
MinchevZ. (2015). Challenges to human factor for advance persistent threats proactive identification in modern social networks. Information & Security: An International Journal, 34, 57–70.https://doi.org/10.11610/isij.3404
33.
MorandoF.IemmaR.RaiteriE. (2014). Privacy evaluation: what empirical research on users’ valuation of personal data tells us. Internet Policy Review, 3, 1–12.https://doi.org/10.14763/2014.2.283
34.
NorbergP. A.HorneD. R.HorneD. A. (2007). The privacy paradox: Personal information disclosure intentions versus behaviors. Journal of Consumer Affairs, 41, 100–126.https://doi.org/10.1111/j.1745-6606.2006.00070.x
35.
OcampoB.Al-JanabiS.FinkbeinerM. (2015). Direct evidence of cognitive control without perceptual awareness. Psychonomic Bulletin & Review, 22, 1083–1088.https://doi.org/10.3758/s13423-014-0766-325404552
36.
PentinaI.ZhangL.BataH.ChenY. (2016). Exploring privacy paradox in information-sensitive mobile app adoption: A cross-cultural comparison. Computers in Human Behavior, 65, 409–419.https://doi.org/10.1016/j.chb.2016.09.005
37.
ProctorR. W.ChenJ. (2015). The role of human factors/ergonomics in the science of security: Decision making and action selection in cyberspace. Human Factors, 57, 721–727.https://doi.org/10.1177/001872081558590625994927
38.
RajivanP.CampJ. (2016). Influence of privacy attitude and privacy cue framing on Android app choices. Proceedings of the Twelfth Symposium on Usable Privacy and Security (SOUPS). USENIX Association.
39.
SawyerB. D.HancockP. A. (2018). Hacking the human: The prevalence paradox in cybersecurity. Human Factors, 60, 597–609.https://doi.org/10.1177/001872081878047229986155
40.
SiegelJ. T.NavarroM. A.TanC. N.HydeM. K. (2014). Attitude-behavior consistency, the principle of compatibility, and organ donation: A classic innovation. Health Psychology, 33, 1084–1091.https://doi.org/10.1037/hea000006224707844
41.
SutantoJPalmeETanC.-HPhangC. WFudan University. (2013). Addressing the personalization-privacy paradox: An empirical assessment from a field experiment on smartphone users. MIS Quarterly, 37, 1141–1164.https://doi.org/10.25300/MISQ/2013/37.4.07
42.
TaylorD. G.DavisD. F.JillapalliR. (2009). Privacy concern and online personalization: The moderating effects of information control and compensation. Electronic Commerce Research, 9, 203–223.https://doi.org/10.1007/s10660-009-9036-2
43.
TochE.WangY.CranorL. F. (2012). Personalization and privacy: A survey of privacy risks and remedies in personalization-based systems. User Modeling and User-Adapted Interaction, 22, 203–220.https://doi.org/10.1007/s11257-011-9110-z
44.
TourangeauR.RasinskiK. A. (1988). Cognitive processes underlying context effects in attitude measurement. Psychological Bulletin, 103, 299–314.https://doi.org/10.1037/0033-2909.103.3.299
45.
Tsay-VogelM.ShanahanJ.SignorielliN. (2018). Social media cultivating perceptions of privacy: A 5-year analysis of privacy attitudes and self-disclosure behaviors among Facebook users. New Media & Society, 20, 141–161.https://doi.org/10.1177/1461444816660731
46.
TyworthM.GiacobeN. A.MancusoV. F.McNeeseM. D.HallD. L. (2013). A human-in-the-loop approach to understanding situation awareness in cyber defence analysis. ICST Transactions on Security and Safety, 1, e6.https://doi.org/10.4108/trans.sesa.01-06.2013.e6
47.
van de Garde-PerikE.MarkopoulosP.de RuyterB.EggenB.IjsselsteijnW. (2008). Investigating privacy attitudes and behavior in relation to personalization. Social Science Computer Review, 26, 20–43.https://doi.org/10.1177/0894439307307682
48.
WiederholdB. K. (2014). The role of psychology in enhancing cybersecurity. Cyberpsychology, Behavior, and Social Networking, 17, 131–132.https://doi.org/10.1089/cyber.2014.150224592869
49.
WilsonT. D.HodgesS. D. (1992). Attitudes as temporary constructions. InMartinL. L.TesserA. (Eds.), The construction of social judgments (pp.37–65). Erlbaum.
50.
WogalterM. S.RacicotB. M.KalsherM. J.Noel SimpsonS.SimpsonS. N. (1994). Personalization of warning signs: The role of perceived relevance on behavioral compliance. International Journal of Industrial Ergonomics, 14, 233–242.https://doi.org/10.1016/0169-8141(94)90099-X
51.
WogalterM. S.RacicotB. M.KalsherM. J.SimpsonS. N. (1993). Behavioral compliance to personalized warning signs and the role of perceived relevance. InProceedings of the Human Factors and Ergonomics Society Annual Meeting (Vol. 37, pp.950–954). SAGE Publications.https://doi.org/10.1177/154193129303701404
52.
XuH.GuptaS.RossonM. B.CarrollJ. M. (2012). Measuring mobile users’ concerns for information privacy. InProceedings of Thirty Third International Conference on Information Systems (pp.1–16).
53.
YanZ.RobertsonT.YanR.ParkS. Y.BordoffS.ChenQ.SprisslerE. (2018). Finding the weakest links in the weakest link: How well do undergraduate students make cybersecurity judgment?Computers in Human Behavior, 84, 375–382.https://doi.org/10.1016/j.chb.2018.02.019
54.
ZhongC.YenJ.LiuP.ErbacherR. F. (2016). Automate Cybersecurity Data Triage by Leveraging Human Analysts’ Cognitive Process. In2016 IEEE 2nd International Conference on big data security on cloud (BigDataSecurity), IEEE International Conference on high performance and smart computing (HPSC), and IEEE International Conference on intelligent data and security (IDS) (pp.357–363). Institute of Electrical and Electronics Engineers.
