Why we adopt then abandon online safety practices

We try to follow experts' cybersecurity and privacy recommendations but quite often many of us do so halfway or we give up.

There are too many steps. The repetitious procedures get cumbersome. The trade-off of reduced access to information in exchange for a vague sense of security doesn't seem worth it.

To find out why people adopt and then sometimes abandon online safety measures, researchers from the University of Michigan School of Information and NortonLifeLock's Research Group surveyed more than 900 people about their use of 30 commonly recommended practices to guard against security, privacy, and identity theft risks.

Their study will appear April 26 in the Proceedings of the 2020 ACM CHI Conference on Human Factors in Computing Systems, which has been canceled due to COVID-19 but will publish conference research. The U-M paper has been recognized with an Honorable Mention Award.

The researchers also make suggestions for how to create more user-friendly and sustainable protections.

"Most prior studies only focused on whether or not people adopt expert advice, but we also are interested in seeing once they follow the advice what makes them abandon it," said lead author Yixin Zou, a doctoral candidate at the School of Information.

The team found that security practices like avoiding clicking on unknown links or emails were much more adopted than privacy or ID theft practices (such as using ad blocker or placing a credit freeze on one's credit reports, respectively). The potential reason behind this might be that the damage from security risks is much more tangible, the researchers said. When it comes to privacy and the information companies collect about people, the harms are more difficult to visualize, they said.

"The argument we want to make is that all of those practices are actually interconnected; for experts, their job is to make wise recommendations about optimization and prioritization so that people don't end up having to adopt 300 different practices," Zou said.

The problem is just that, said Florian Schaub, senior author of the study: there is no shortage of advice for people who are interested in protecting their privacy, security and identity.

"It can be challenging to follow through with a particular piece of advice, and sometimes experts conflict with each other in providing advice," said Schaub, assistant professor in the School of Information.

What the researchers found:

• Of 10 practices with the highest adoption rates, seven were security related.
• Practices with high partial adoption rates were evenly split between security and privacy.
• Top privacy risk management practices included cleaning cookies, going incognito on the web and avoiding websites that asked for real names.
• More than 50% of respondents did not follow recommendations for unique or strong passwords.
• Abandonment was less common than full or partial adoption, with a rate below 20% for all surveyed practices.
• The most abandoned practices included using anonymity systems such as virtual private networks (VPNs), using automated updates for software and using antivirus software.
• Most participants had not adopted and were not much interested in using an identity monitoring service and placing a fraud alert on credit reports.
• Top reasons for partial adoption: the practice was inconvenient or unusable (10%); users relied on their own judgment, e.g., "I know better than to open a suspicious email" (9%); and users only adopted when something bad happened, like a fraudulent charge on an account (8%).
• Reasons for abandonment: the practice was not needed anymore (20%); the risk no longer existed (14%); the practice interfered with usability (12%); trust in own judgment (6%); users adopted another service that served a similar purpose, e.g., a tool that clears third-party cookies so the user does not have to do it manually (6%).
• Although 67% of respondents reported being a victim of a previous data breach, the respondents overall rarely adopted identity theft protection practices, such as credit freezes and fraud alerts. Even so, those who were victims adopted more protection practices overall.

About the respondents:

• Men had higher adoption rates than women.
• Middle-aged respondents adopted more security measures than younger people, but the opposite trend was found for privacy measures.
• Lower-income participants had higher levels of practice adoption overall.
• More education led to higher adoption.

"Obviously if someone is abandoning a practice then that practice can no longer be effective and protect them," Schaub said. "So, what we need to do as researchers, designers and practitioners is to not only better explain to people why it's important to keep doing something they had been doing at some point, but also figure out how to make security and privacy tools and solutions easier to use so that people are not struggling."