
The Security & Privacy Acceptance Framework (SPAF)

By Sauvik Das, Carnegie Mellon University, USA, sauvik@cmu.edu | Cori Faklaris, University of North Carolina, USA, cfaklari@uncc.edu | Jason I. Hong, Carnegie Mellon University, USA, jasonh@cs.cmu.edu | Laura A. Dabbish, Carnegie Mellon University, USA, dabbish@cs.cmu.edu

 
Suggested Citation
Sauvik Das, Cori Faklaris, Jason I. Hong and Laura A. Dabbish (2022), "The Security & Privacy Acceptance Framework (SPAF)", Foundations and Trends® in Privacy and Security: Vol. 5: No. 1-2, pp 1-143. http://dx.doi.org/10.1561/3300000026

Publication Date: 31 Dec 2022
© 2022 S. Das et al.
 
Subjects
User interfaces,  Privacy,  Security,  Computer supported cooperative work,  Design and evaluation,  Human factors in security and privacy
 

In this article:
1. Introduction
2. Background
3. The Security & Privacy Acceptance Framework
4. Encouraging Widespread Security & Privacy Acceptance
5. Discussion
6. Conclusion
Acknowledgments
References

Abstract

How can we encourage end-user acceptance of expert-recommended cybersecurity and privacy (S&P) behaviors? We review prior art in human-centered S&P and identify three barriers to end-user acceptance of expert recommendations: (1) awareness: i.e., people may not know of relevant security threats and appropriate mitigation measures; (2) motivation: i.e., people may be unwilling to enact S&P behaviors because, e.g., the perceived costs are too high; and (3) ability: i.e., people may not know when, why, and how to effectively implement S&P behaviors. These three barriers make up what we call the “Security & Privacy Acceptance Framework” (SPAF). We then review and critically analyze prior work that has explored mitigating one or more of the barriers that make up the SPAF. Finally, using the SPAF as a lens, we discuss how the human-centered S&P community might re-orient to encourage widespread end-user acceptance of pro-S&P behaviors by employing integrative approaches that address each one of the awareness, motivation, and ability barriers.

DOI: 10.1561/3300000026
Paperback: ISBN 978-1-63828-118-4, 158 pp., $99.00
E-book (.pdf): ISBN 978-1-63828-119-1, 158 pp., $290.00

The Security & Privacy Acceptance Framework (SPAF)

Cybersecurity and Privacy (S&P) unlock the full potential of computing. Use of encryption, authentication, and access control, for example, allows employees to correspond with professional colleagues via email with reduced fear of leaking confidential data to competitors or cybercriminals. It also allows, for example, parents to share photos of children with remote loved ones over the Internet with reduced fear of this data reaching the hands of unknown strangers, and anonymous whistleblowers to share information about problematic practices in the workplace with reduced fear of being outed. Conversely, failure to employ appropriate S&P measures can leave people and organizations vulnerable to a broad range of threats. In short, the security and privacy decisions we make on a day-to-day basis determine whether the data we share, manipulate, and store online is protected from theft, surveillance, and exploitation.

How can end-users be encouraged to accept recommended S&P behavior from experts? In this monograph, prior art in human-centered S&P is reviewed, and three barriers to end-user acceptance of expert recommendations are identified. These three barriers make up what we call the “Security & Privacy Acceptance Framework” (SPAF). The barriers are: (1) awareness: i.e., people may not know of relevant security threats and appropriate mitigation measures; (2) motivation: i.e., people may be unwilling to enact S&P behaviors because, e.g., the perceived costs are too high; and (3) ability: i.e., people may not know when, why, and how to effectively implement S&P behaviors.

This monograph also reviews and critically analyzes prior work that has explored mitigating one or more of the barriers that make up the SPAF. Finally, using the SPAF as a lens, it discusses how the human-centered S&P community might re-orient to encourage widespread end-user acceptance of pro-S&P behaviors by employing integrative approaches that address each one of the awareness, motivation, and ability barriers.

 