New research digs into why many people who try to follow expert advice on cybersecurity and privacy end up only doing so halfway or giving up altogether.
To find out why people adopt and then sometimes abandon online safety measures, researchers surveyed more than 900 people about their use of 30 commonly recommended practices to guard against security, privacy, and identity theft risks.
The researchers also make suggestions for how to create more user-friendly and sustainable protections.
“Most prior studies only focused on whether or not people adopt expert advice, but we also are interested in seeing once they follow the advice what makes them abandon it,” says lead author Yixin Zou, a doctoral candidate at the School of Information at the University of Michigan.
The team found that adopted more security practices like avoiding clicking on unknown links or emails than privacy or ID theft practices (such as using ad blocker or placing a credit freeze on one’s credit reports, respectively). The potential reason behind this might be that the damage from security risks is much more tangible, the researchers say. When it comes to privacy and the information companies collect about people, the harms are more difficult to visualize, they say.
“The argument we want to make is that all of those practices are actually interconnected; for experts, their job is to make wise recommendations about optimization and prioritization so that people don’t end up having to adopt 300 different practices,” Zou says.
The problem is just that, says senior author Florian Schaub, assistant professor in the School of Information: There is no shortage of advice for people who are interested in protecting their privacy, security, and identity.
“It can be challenging to follow through with a particular piece of advice, and sometimes experts conflict with each other in providing advice,” says Schaub,.
What the researchers found:
- Of 10 practices with the highest adoption rates, seven were security related.
- Practices with high partial adoption rates were evenly split between security and privacy.
- Top privacy risk management practices included cleaning cookies, going incognito on the web, and avoiding websites that asked for real names.
- More than 50% of respondents did not follow recommendations for unique or strong passwords.
- Abandonment was less common than full or partial adoption, with a rate below 20% for all surveyed practices.
- The most abandoned practices included using anonymity systems such as virtual private networks (VPNs), using automated updates for software, and using antivirus software.
- Most participants had not adopted and were not much interested in using an identity monitoring service and placing a fraud alert on credit reports.
- Top reasons for partial adoption: the practice was inconvenient or unusable (10%); users relied on their own judgment, e.g., “I know better than to open a suspicious email” (9%); and users only adopted when something bad happened, like a fraudulent charge on an account (8%).
- Reasons for abandonment: the practice was not needed anymore (20%); the risk no longer existed (14%); the practice interfered with usability (12%); trust in own judgment (6%); users adopted another service that served a similar purpose, e.g., a tool that clears third-party cookies so the user does not have to do it manually (6%).
- Although 67% of respondents reported being a victim of a previous data breach, the respondents overall rarely adopted identity theft protection practices, such as credit freezes and fraud alerts. Even so, those who were victims adopted more protection practices overall.
About the respondents:
- Men had higher adoption rates than women.
- Middle-aged respondents adopted more security measures than younger people, but the opposite trend was found for privacy measures.
- Lower-income participants had higher levels of practice adoption overall.
- More education led to higher adoption.
“Obviously if someone is abandoning a practice then that practice can no longer be effective and protect them,” Schaub says.
“So, what we need to do as researchers, designers, and practitioners is to not only better explain to people why it’s important to keep doing something they had been doing at some point, but also figure out how to make security and privacy tools and solutions easier to use so that people are not struggling.”
The study will appear in the Proceedings of the 2020 ACM CHI Conference on Human Factors in Computing Systems, which has been canceled due to COVID-19 but will publish conference research.
Additional researchers from the University of Michigan School of Information and NortonLifeLock’s Research Group contributed to the work.
Source: University of Michigan