"I've Got Nothing to Lose": Consumers' Risk Perceptions and Protective Actions after the Equifax Data Breach

Equifax, one of the three major U.S. credit bureaus, experienced a large-scale data breach in 2017. Through 24 semi-structured interviews, we investigated consumers' mental models of credit bureaus, how they perceive risks from this data breach, whether they took protective measures, and their reasons for inaction. We find that participants' mental models of credit bureaus are incomplete and partially inaccurate. Although many participants were aware of and concerned about the Equifax breach, few knew whether they were affected, and even fewer took protective measures after the breach. We find that this behavior is not primarily influenced by accuracy of mental models or risk awareness, but rather by costs associated with protective measures, optimism bias in estimating one's likelihood of victimization, sources of advice, and a general tendency towards delaying action until harm has occurred. We discuss legal, technical and educational implications and directions towards better protecting consumers in the credit reporting system.
