DOI: 10.1145/3290605.3300424
research-article

You 'Might' Be Affected: An Empirical Analysis of Readability and Usability Issues in Data Breach Notifications

Published: 02 May 2019

ABSTRACT

Data breaches place affected individuals at significant risk of identity theft. Yet, prior studies have shown that many consumers do not take protective actions after receiving a data breach notification from a company. We analyzed 161 data breach notifications sent to consumers with respect to their readability, structure, risk communication, and presentation of potential actions. We find that notifications are long and require advanced reading skills. Many companies downplay or obscure the likelihood of the receiver being affected by the breach and associated risks. Moreover, potential actions and offered compensations are frequently described in lengthy paragraphs instead of clearly listed. Little information is provided regarding an action's urgency and effectiveness; little guidance is provided on which actions to prioritize. Based on our findings, we provide recommendations for designing more usable and informative data breach notifications that could help consumers better mitigate the consequences of being affected by a data breach.

          Published in

          CHI '19: Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems
          May 2019
          9077 pages
          ISBN: 9781450359702
          DOI: 10.1145/3290605

          Copyright © 2019 ACM

          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

          Publisher

          Association for Computing Machinery

          New York, NY, United States

          Acceptance Rates

          CHI '19 Paper Acceptance Rate: 703 of 2,958 submissions, 24%
          Overall Acceptance Rate: 6,199 of 26,314 submissions, 24%
