The Security & Privacy Acceptance Framework (SPAF)
By Sauvik Das, Carnegie Mellon University, USA, sauvik@cmu.edu | Cori Faklaris, University of North Carolina, USA, cfaklari@uncc.edu | Jason I. Hong, Carnegie Mellon University, USA, jasonh@cs.cmu.edu | Laura A. Dabbish, Carnegie Mellon University, USA, dabbish@cs.cmu.edu
Abstract
How can we encourage end-user acceptance of expert recommended cybersecurity and privacy (S&P) behaviors? We review prior art in human-centered S&P and identified three barriers to end-user acceptance of expert recommendations: (1) awareness: i.e., people may not know of relevant security threats and appropriate mitigation measures; (2) motivation: i.e., people may be unwilling to enact S&P behaviors because, e.g., the perceived costs are too high, and (3) ability; i.e., people may not know when, why, and how to effectively implement S&P behaviors. These three barriers make up what we call the “Security & Privacy Acceptance Framework” (SPAF). We then review and critically analyze prior work that has explored mitigating one or more of the barriers that make up the SPAF. Finally, using the SPAF as a lens, we discuss how the human-centered S&P community might re-orient to encourage widespread end-user acceptance of pro-S&P behaviors by employing integrative approaches that address each one of the awareness, motivation, and ability barriers.
The Security & Privacy Acceptance Framework (SPAF)
Cybersecurity and Privacy (S&P) unlock the full potential of computing. Use of encryption, authentication, and access control, for example, allows employees to correspond with professional colleagues via email with reduced fear of leaking confidential data to competitors or cybercriminals. It also allows, for example, parents to share photos of children with remote loved ones over the Internet with reduced fear of this data reaching the hands of unknown strangers, and anonymous whistleblowers to share information about problematic practices in the workplace with reduced fear of being outed. Conversely, failure to employ appropriate S&P measures can leave people and organizations vulnerable to a broad range of threats. In short, the security and privacy decisions we make on a day-to-day basis determine whether the data we share, manipulate, and store online is protected from theft, surveillance, and exploitation.
How can end-users be encouraged to accept recommended S&P behavior from experts? In this monograph, prior art in human-centered S&P is reviewed, and three barriers to end-user acceptance of expert recommendations have been identified. These three barriers make up what we call the “Security & Privacy Acceptance Framework” (SPAF). The barriers are: (1) awareness: i.e., people may not know of relevant security threats and appropriate mitigation measures; (2) motivation: i.e., people may be unwilling to enact S&P behaviors because, e.g., the perceived costs are too high; (3) and, ability: i.e., people may not know when, why, and how to effectively implement S&P behaviors.
This monograph also reviews and critically analyzes prior work that has explored mitigating one or more of the barriers that make up the SPAF. Finally, using the SPAF as a lens, discussed is how the human-centered S&P community might re-orient to encourage widespread end-user acceptance of pro-S&P behaviors by employing integrative approaches that address each one of the awareness, motivation, and ability barriers.
