The Myth of the Average User: Improving Privacy and Security Systems through Individualization

While individual differences in decision-making have been examined within the social sciences for several decades, they have only recently begun to be applied by computer scientists to examine privacy and security attitudes (and ultimately behaviors). Specifically, several researchers have shown how different online privacy decisions are correlated with the "Big Five" personality traits. In this paper, we show that the five factor model is actually a weak predictor of privacy attitudes, and that other well-studied individual differences in the psychology literature are much stronger predictors. Based on this result, we introduce the new paradigm of psychographic targeting of privacy and security mitigations: we believe that the next frontier in privacy and security research will be to tailor mitigations to users' individual differences. We explore the extensive work on choice architecture and "nudges," and discuss the possible ways it could be leveraged to improve security outcomes by personalizing privacy and security mitigations to specific user traits.
