United States. Researchers from the University of Michigan School of Information and the NortonLifeLock Research Group surveyed more than 900 people about using 30 commonly recommended practices to protect against security, privacy and identity theft risks.
The researchers also make suggestions on how to create friendlier and more sustainable protections. "Most previous studies only focused on whether or not people adopt expert advice, but we are also interested in seeing, once they follow the advice, what makes them abandon it," said lead author Yixin Zou, a PhD candidate in the School of Information.
The team found that security practices, such as avoiding clicking on unknown links or emails, were adopted much more than privacy or identity theft practices (such as using an ad blocker or freezing credit on credit reports, respectively). A possible reason is that the harm from security risks is much more tangible, the researchers said. When it comes to privacy and the information companies collect about people, the harms are harder to visualize, they said.
"The argument we want to make is that all those practices are really interconnected; for experts, their job is to make wise recommendations on optimization and prioritization so that people don't end up having to adopt 300 different practices," Zou said.
That is precisely the problem, said Florian Schaub, lead author of the study: there is no shortage of advice for people interested in protecting their privacy, security and identity. "It can be difficult to follow a particular piece of advice and sometimes experts come into conflict with each other to provide advice," said Schaub, an assistant professor at the School of Information.
What the researchers found:
- Of 10 practices with the highest adoption rates, seven were security-related.
- Practices with high rates of partial adoption were divided equally between security and privacy.
- The most important privacy risk management practices included cleaning cookies, unknown on the web, and avoiding websites that requested real names.
- More than 50% of respondents did not follow recommendations for unique or strong passwords.
- Abandonment was less common than total or partial adoption, with a rate of less than 20% for all practices surveyed.
- The most abandoned practices include the use of anonymity systems such as virtual private networks (VPNs), the use of automatic updates for software, and the use of antivirus software.
- Most participants had not adopted and were not very interested in using an identity monitoring service and placing a fraud alert on credit reports.
- Main reasons for partial adoption: the practice was inconvenient or unusable (10%); users relied on their own judgment, for example, "be better than opening a suspicious email" (9%); and users only adopted it when something bad happened, such as a fraudulent charge on an account (8%).
- Reasons for abandonment: the practice was no longer necessary (20%); the risk no longer existed (14%); the practice interfered with usability (12%); users trusted their own judgment (6%); and users adopted another service that had a similar purpose, for example, a tool that clears third-party cookies so that the user does not have to do it manually (6%).
Although 67% of respondents reported being victims of a previous data breach, respondents generally rarely adopted identity theft protection practices, such as credit freezes and fraud alerts. Still, victims adopted more protective practices in general.
About the respondents:
- Men had higher adoption rates than women.
- Middle-aged respondents adopted more security measures than younger people, but the opposite trend was found for privacy measures.
- Lower-income participants had higher levels of overall practice adoption.
- More education led to greater adoption.
Source: University of Michigan.


