Human Issues in Security and Privacy in e-Commerce (HiSPEC)

Professor Linda A Macaulay, Department of Computation, UMIST
Co-investigators: Professor Peter McGoldrick, Dr. Kathy Keeling, School of Management, UMIST

HiSPEC is a collaborative project
• Co-operative Bank
• UMIST (University of Manchester Institute of Science and Technology)
• Office of the Information Commissioner
• Housing communities: Homes for Change; Redbricks Online
• Local SMEs: Cooksons.com, CNP Ltd

Project Sponsors
• DTI/ESRC/EPSRC/Co-operative Bank

Presentation Contents
• Overview of HiSPEC
  – The Problem
  – The Approach
• Influencing User Behaviour
  – Social Marketing
  – Illustration
• Conclusions

Overview of HiSPEC
• The problem: the growth of e-commerce is held back by poor consumer perceptions of security and privacy
• Research agenda
  1) Security and privacy perceptions
     a) end-user behaviours
     b) factors affecting user engagement/rejection
     c) social marketing
  2) Better experience of use
     a) derive “Rules of Trust” and design for trust
     b) best practice guidelines and PETs (privacy-enhancing technologies)

Perception of privacy and security
• Whose perception?
  – E-commerce users
  – Non-users
  – At work
  – As part of a community
  – As an individual
  – Socially and technically advantaged
  – Socially and technically disadvantaged

How do we find out?
• Interviews and ethnographic studies
  – Wired housing communities
  – Users of e-commerce retail sites
  – Individual consumers
  – Families at home
  – Intranet users at work
  – Mobile users (limited)
• Surveys of
  – UK Websites (Compliance/Rules of Trust)
  – UK Internet population (NOP)

How do we use the results?
[Diagram with the elements: Collect Data; Rules of Trust; User Interface design; Technology Requirements; Influence User Perception; labelled “Learning & improving” and “Experimenting & influencing practice”]

How can we impact user perceptions?
• Impact perceptions through impacting expectations and behaviours
• Influence expectations and behaviours through social marketing campaigns
• Social marketing versus advertising

Next…
• Overview of our approach to social marketing and an illustration

What is Social Marketing?
[Diagram of the social marketing process with the elements: Problem definition; Recommended Security and Privacy Behaviour; Consumer reality (beliefs, needs, behaviour); Research (user & non-user); Strategy (purpose, target); Evaluation; Change (beliefs, needs, behaviour)]
6/5/2003

Illustration: National Opinion Poll Survey (NOP)
• Data collection on use of Security & Privacy Enhancing behaviours by UK weekly Internet users aged 16+
• Period of collection: 14-23 August 2002

Problem Definition
• Consumer worries about online payment, privacy and security constitute a real psychological barrier to e-commerce [1]
• One source of privacy and security concerns lies in the lack of understanding of the technology and of what effective behaviours can be employed in order to gain a feeling of control [2]

[1] Labuschagne, L. and Eloff, J.H.P. (2000) Electronic commerce: The information security challenge. Information Management and Computer Security, 8(3), pp. 154-157.
[2] Hoffman, D. L., Novak, T. P. and Peralta, M. (1999) Building consumer trust online. Communications of the ACM, 42(4), pp. 80-85.

Recommended security and privacy behaviour
1. Examine privacy policy and ‘seals’ carefully
2. Use two or more email addresses
3. Check for use of HTTPS (secure hypertext transfer protocol)
4. Turn on cookie notices
5. Use encryption software

Respondent Profile
• Sample size: 1,100 weekly users, representative of the GB weekly Internet usage profile
• Gender: 60% male and 40% female
• Age profile: the largest group of users is 25-34, but the gap is narrowing; levels of use in all but the 55+ group are becoming more even
• Other respondent data collected: marital status, children under 15, employment status, TV region, internet expertise

Two types of ‘questions’
Type 1: ‘Stages of Change’ of the behaviour
• Pre-contemplation (not aware)
• Contemplation (not made mind up)
• Preparation (plan to do it in the next 30 days)
• Action (doing it but not regularly, or for less than 6 months)
• Maintenance (have been doing it regularly for more than six months)
• Rejection (tried but don’t do it now, or don’t feel it is necessary)
Type 2: Pros and Cons of adopting the behaviour, i.e. what do they do now and how do they feel about changing their behaviour?

‘Pros and Cons’ (sample ‘questions’)
Pros
• I would feel more secure
• I would be foolish to ignore security risks
• More and more people are doing this
• People close to me would be less worried
Cons
• It would take longer
• Playing with technology is not for me
• It might cause other people more effort
• Other people might think of me as a computer ‘nerd’
• Other people might think I mistrust them

STAGE OF CHANGE by privacy/security enhancing solution (% of respondents)
Stages:
1. No, I do not consider it necessary
2. No, I was not aware of the need for this
3. No, I have been thinking about it, but haven't made my mind up
4. No, but I plan to do this in the next 30 days
5. Yes, I am doing it but not regularly
6. Yes, I have been doing this regularly but for less than 6 months
7. Yes, I have been doing this regularly for more than 6 months
8. Yes, I have tried it but I don't do it now

Solution:            Examine privacy policies | Extra e-mail address | HTTPS  | Cookie notices | Encryption software
Total (stage given)  88.0                     | 93.1                 | 94.9   | 93.0           | 83.5
Don't know           12.0                     | 6.9                  | 5.1    | 7.0            | 16.5
% using              35%                      | 28.7%                | 51.1%  | 19.7%          | 7.2%

Stage-by-stage percentages (cell order as extracted; column alignment not preserved): 13.3 20.8 23.2 25.4 3.1 26.3 24.4 35.0 28.8 29.5 11.7 8.9 4.8 9.7 17.0 3.4 1.6 6.4 1.2 27.8 .6 8.4 2.1 14.1 6.1 9.4 2.2 3.2 .8 6.6 18.2 30.9 8.1 3.2 3.9 5.4 3.2 2.9 .9

Consumer Reality: Usage
• Overall, PriSES (privacy and security enhancing solutions) use is low: at best it is just over 50%
• Highest use: a security related solution rather than a privacy enhancing solution
  – Checking for https: 51% report use, even though 26% were not aware of the need
• Lowest use: amongst the more ‘technical’ behaviours
  – around 20% turn on cookie notices
  – just about 7% use encryption software

Consumer Reality: Rejection
Adding together rejection as unnecessary and rejection after trial gives the total rejection rate.
• Highest rejection rate: 28-30% for two e-mails, cookie notices and encryption software
• Lowest rejection rate
  – Checking for https: only 6%
  – Checking privacy policies/seals: 13%

Identifying Decisional Balance Issues (Stages & Pros/cons)
Mean pros and cons scores by stage (the data behind the chart):
Stage             | Pros      | Cons
Too difficult     | -0.22171  | 0.482988
Pre-contemplation | -0.28887  | 0.232725
Contemplation     | -0.20021  | 0.384408
Action            | 0.389603  | 0.248275
Maintenance       | 0.332578  | -0.51346
[Chart: pros and cons scores plotted by stage on a -0.6 to 0.6 axis; strategy labels Persuasion and Support]

Regression modelling: Identifying Specific Attitudes
[Diagram: attitude items linked to Adoption. CONS: remember, embarrassed, extra obstacle, boring, responsible. PROS: others' approval. Strategy labels: Support, Persuasion]

Example Strategy for https
• Increase perceptions that checking for https is the ‘normative’ thing to do
• Educate prospective users
  – what the risks might be, but at the same time
  – why https is more secure
  – what significant indicators to look for in checking for https
• Each secure behaviour may need a different strategy

Conclusions
• Will Social Marketing work in this context?
  – Two proof-of-concept campaigns have been conducted
  – Further work in progress
• Is there a general need to improve user perception of privacy and security?
  – Our view is ‘yes’ and it can be done!
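The stage coding and summary measures used in the NOP illustration above (% using = stages 5 to 7, total rejection = stage 1 plus stage 8, "Don't know" counted in the sample but not in the stage total), worked through on a constructed sample of responses. This is an added example, not part of the original presentation or of the HiSPEC project's own analysis; the respondent counts in SAMPLE are invented.

```python
from collections import Counter

# Stage codes from the deck's "STAGE OF CHANGE" table (None = "Don't know").
NOT_NECESSARY, NOT_AWARE, THINKING, PLANNING = 1, 2, 3, 4
IRREGULAR, REGULAR_UNDER_6M, REGULAR_OVER_6M, TRIED_STOPPED = 5, 6, 7, 8

USING = {IRREGULAR, REGULAR_UNDER_6M, REGULAR_OVER_6M}   # "% using" on the slide
REJECTED = {NOT_NECESSARY, TRIED_STOPPED}                  # "total rejection rate"


def summarise(responses):
    """Percentages of the whole sample (don't-knows included) for one behaviour.

    responses: iterable of stage codes 1..8, or None for "Don't know".
    Returns the slide's Total / Don't know / % using rows, plus the total
    rejection rate and the not-aware share used in the discussion."""
    counts = Counter(responses)
    n = sum(counts.values())

    def pct(stages):
        return round(100.0 * sum(counts[s] for s in stages) / n, 1)

    return {
        "total": pct(range(1, 9)),       # respondents who gave a stage
        "dont_know": pct([None]),
        "using": pct(USING),
        "rejection": pct(REJECTED),
        "not_aware": pct([NOT_AWARE]),
    }


def stage_counts_to_responses(counts_by_stage):
    """Expand {stage: count} into a flat list of responses (constructed data)."""
    return [stage for stage, k in counts_by_stage.items() for _ in range(k)]


# Constructed sample of 20 respondents per behaviour (not NOP data).
SAMPLE = {
    "https": {1: 1, 2: 5, 3: 2, 4: 1, 5: 3, 6: 2, 7: 5, 8: 0, None: 1},
    "encryption": {1: 3, 2: 6, 3: 3, 4: 1, 5: 1, 6: 0, 7: 1, 8: 2, None: 3},
}


def rank_by(measure, sample=SAMPLE):
    """Behaviours ordered from highest to lowest on one summary measure."""
    results = {b: summarise(stage_counts_to_responses(c)) for b, c in sample.items()}
    return sorted(results, key=lambda b: results[b][measure], reverse=True)


if __name__ == "__main__":
    for behaviour, counts in SAMPLE.items():
        print(behaviour, summarise(stage_counts_to_responses(counts)))
    print("highest rejection first:", rank_by("rejection"))
```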