Privacy, Trust, and Security - Coursework Example

Privacy, Trust, and Security: online privacy indicators, trust factors, password protection and security, awareness of user security, graphical passwords privacy issues, and cloud computing By Student Name Computer Sciences and Information Technology Institution Date Table of Contents Introduction 3 Internet Users’ Perceptions of Online Privacy and Security Risks 4 Security and Privacy Protection Online 9 Conclusion 13 Directions for Further Research 14 Bibliography 15 Introduction New and polished Internet users experience some degree of mistrust with respect to privacy and security protection in Internet technology. The core issue is the risk of misuse of identity and financial information by third parties (Miyazaki & Fernandez, 2001). As a result Internet users are reluctant to share personal and financial information online and this impedes the growth of electronic commerce. Moreover, online shopping and information sharing provides businesses with a tool for gathering information for marketing purposes (Nam, Song, Lee, & Park, 2006). Cloud computing which provides Internet users with the ability to store and access data from remote locations is also compromised by privacy and security issues (Pearson, 2012). Research conducted by Egelman, Tsai, Cranor and Acquisiti (2009) reveals that regardless of online privacy indicators posted by websites, users either do not read the indicators, or do not understand them or the indicators fail to address users’ main concerns. This essays explores the privacy and security issues that affect Internet users and generally contributes to the reluctance to reveal personal and financial information online. The primary research question is: what are the main privacy and security concerns for Internet users? The secondary research question is: how are privacy and security risks for Internet users addressed? This essay is therefore divided into two main parts. The first part of this essay provides an exploratory review of literature on Internet Users’ perceptions of online privacy and security risks. The second part of the essay provides an exploratory review of the literature on the measures taken to address Internet users’ perceptions of online privacy and security risks and whether or not those measures can be improved to the satisfaction of Internet users. This essay will therefore identify areas for future research. As it is, the Internet is a valuable forum for entertainment, education and “marketplace exchange” (Miyazaki & Fernandez, 2000). It is conceptualised that user perceptions of security and privacy risks are linked to the user’s decision to use the Internet and the extent to which he or she is willing to disclose information. This conceptualisation is based on research and perceived risk theory, indicating that consumers make decisions based on risk perceptions (Libermann & Stashevsky, 200). By exploring Internet users’ privacy and security concerns and how those concerns can be addressed, directions for further research will inform providers of online services and products how best to address users’ concerns and to improve what and how often users disclose personal and financial information online. Internet Users’ Perceptions of Online Privacy and Security Risks Internet users’ reluctance to disclose personal and financial information in making online purchases on the basis of security and privacy risks concerns is well-documented in the literature. According to Miyazaki and Krishnamurthy (2002) user reluctance to use online services and to make purchases online are linked to concerns about security and privacy. These concerns are linked to a number of “features of online transactions” (Miyazaki & Krishnamurthy, 2002, p. 30). These features include, the “temporal separation of payment and product delivery”, the requirement for disclosing personal and payment information, and the “inability to examine products before making the purchase” (Miyazaki & Krishnamurthy, 2002, p. 31). It also doesn’t help that that the media is persistently publicising stories of internet security and privacy breaches (Miyazaki & Krishnamurthy, 2002). In attempting to shed light on user perception of privacy and security risks in a variety of internet services, Featherman and Pavlov (2003) conducted a study in which two samples of 214 and 181 undergraduate business students participated in two different trial shopping demonstrations online. Following the trial, the participants were asked to complete a Likert scale survey rating risks associated with the shopping trial. The survey was based on the perceived risks theory which integrated the Technology Acceptance Model (TAM) (Feathermann & Pavlov, 2003). For the purpose of the study, perceived risk theory was defined as “felt uncertainty regarding possible negative consequences of using a product or service” (Featherman & Pavlov, 2003, p. 453). The facets of perceived risk were categorized as consisting of performance and psychosocial elements which included actual performance, financial, opportunity, safety, social and psychological losses (Feathermann & Pavlov, 2003). For the purpose of the study TAM was described as an assumption that: …an attitude toward using an information system is based on two primary antecedent variables – perceived usefulness and perceived ease of use (Feathermann & Pavlov, 2003, 457). Guided by perceived risk theory and TAM, the results of the study demonstrated that neither of the samples perceived significant risks associated with the trial shopping demonstrations. However, there were concerns relative to the prospects of forming commercial relationships with an unknown, remote and faceless merchant (Feathermann & Pavlov, 2003). The samples however, included individuals who were more educated and more computer literate than members of the general population. This might explain why these particular individuals did not perceive significant security and privacy risks with respect to the online shopping demonstrations. Moreover, the online shopping demonstrations did not involve actual money. It is therefore possible, that had the participants used actual money, they may have had a very different perception of risks. The study also demonstrates that security and privacy risks are generally associated with the lack of personal interaction with those to whom they are disclosing personal and financial information. In other words, perceived risks may exist even where TAM risk facets are absent. For example, a user may find that the application for online service or shopping is easy to use and is particularly useful. However, the user may still have reservations about using the online application because they are concerned about security and privacy breaches on the part of a remote, faceless and unknown service provider. Another study suggests however, that TAM together with perceived risk theory might explain user perceptions of security and privacy risks and thus user intention to provide information and make online purchases (Wang, Wang, Lin, & Tang, 2003). The study involved telephone interviews with 123 Internet users who subscribed to online banking services. The results of the study found that perceived ease of use and perceived usefulness alone did not explain the users’ willingness to accept and adopt online banking services. The study found that perceptions of credibility were also significant indicator of user willingness to use online banking services (Wang, et al., 2003). It would therefore appear that while users may have experience and expectations with respect to online services, they are willing to disclose information necessary for obtaining a service or product online if they trust the service provider. Online banking may be different from other online services since users will typically have a pre-existing real world relationship with their banks and thus do not feel inhibited by perceptions of risk associated with using remote, unknown and faceless online service providers. Lee (2009) explored the advantages and disadvantages of online banking services and drawing on perceived risk theory integrated the advantages and disadvantages with TAM and the theory of planned behaviour. Lee (2009) found that a user’s intention to utilize online banking services is negatively influenced by security and privacy concerns together with financial risks and is mediated by perceptions of benefits and attitudes and perceptions of usefulness (Lee, 2009). Thus, users would learn to use and actually use online banking services if the benefits with respect to saving time and money outweighed the risk of a security and/or privacy breach. Online banking and other forms of online services and transactions provide for the disclosure of limited information compared to cloud computing. Therefore, if security and privacy risks are preventing many users taking utilizing online services such as online banking and commercial transactions, one would expect even greater resistance to cloud computing. Cloud computing is an information technology (IT) tool that permits users to store and access voluminous files containing information online (Subashini & Kavitha, 2011). The benefits of cloud computing are self-explanatory. Users, businesses and individuals alike are able to save on storage capacities without having to spend on “new infrastructure, training new personnel, or licensing new software” (Subashini & Kavitha, 2011, p. 1). However, as Subashini and Kavitha (2011) note: …as more and more information on individuals and companies are placed in the cloud, concerns are beginning to grow about just how safe an environment it is (p.1). The reality is, consumers and businesses are hesitant about placing information in the cloud. Security is a significant concern that stifles the development of cloud computing and “complications with data privacy and data protection continue to plague the market” (Subashini & Kavitha, 2011, p. 1). Therefore, perceived usefulness and perceptions of ease of use in the context of cloud computing is juxtaposed against an equally valid perception of risks. The main security and privacy concern with respect to cloud computing is that conventional security and privacy protection software and policies are not as effective and efficient for protecting information stored in the cloud computing databases (Zissis & Lekkas, 2012). As it is, Internet users are already concerned about Internet security and privacy risks relative to conventional computing. It therefore follows that concerns about the use of cloud computing which is not as safe as conventional computing would be expected to be greater. Given that there is a general perception that using the Internet for whatever reason involves some degree of security and privacy risks, researchers have attempted to distinguish between those who are more amenable to the risks and those who are not. For example, Fogel and Nehmad (2009) conducted a study on 205 college students and studied they profiles on Facebook and Myspace. The study found that Facebook generated greater confidence in terms of protection of privacy and security than MySpace among users (Fogel & Nehmad, 2009). The study also found that profile information and privacy settings on both MySpace and Facebook indicated that men were more susceptible to assume the risk of privacy and security breaches than women were. Men were more amenable to making personal information available for public consumption than women were. For example, men displayed their telephone numbers, addresses and email addresses publically while women were more inclined to exclude this information from their public profiles (Fogel & Nehmad, 2009). Based on a review of literature, it can be concluded that Internet users are generally concerned about risk of security and privacy breaches. However, based on TAM and perceived risk theory, there are two kinds of users: those who are prepared to accept the risk in exchange for the benefit and those who are not prepared to accept the risks or will limit the extent of the information they disclose and thus the type of services they will use. The next section of this essay explores how security and privacy issues are addressed and whether or not there is room for improving those measures to effectively respond to users’ concerns about security and privacy. Security and Privacy Protection Online Measures taken to safeguard security and privacy on the Internet usually involve protecting the environment from attacks by viruses, malware and so on and authenticating data, controlling access and ensuring user privacy (Weber, 2010). User privacy policies are particularly important to Internet users as Internet users for the most part take their steps to protect their computers from attacks and are equally responsible for controlling access to their computers. What users cannot control is access to information that they provide to websites and to merchants on the Internet. Therefore, as Flavian and Guinaliu (2006) explain, trust in the web sites’ privacy protection methods is the most important indicator of user disclosure of personal and financial information. Websites will typically display or use privacy indicators to gain Internet user trust and loyalty. According to Neph (2007), privacy indicators include “voluntary privacy seals, trust marks” and other signals that indicate “strong privacy practices” (Neph, 2007, p. 253). In reality, however, users are right to be sceptical of these signals as the “scope of mark assurance is narrower than one might expect” (Neph, 2007, p. 253). According to Neph (2007): …The most popular marks, at best, ensure only that the business discloses a privacy policy with minimal protection of consumer interests and that the mark issuer has no knowledge that the business in not following its policy as stated (p. 253). Entities that license marks have no formal requirement for subscribers to control the volume and type of information that they do collect and how and “with whom” they share the information (Neph, 2007, p. 253). Mark licensors do not conduct structured inventories of how subscribers are honouring their privacy policies. As a result, it is possible that websites that do not use privacy signals honour privacy policies more aggressively than those who use privacy indicators (Neph, 2007). In other words, privacy indicators do not provide a greater degree of privacy protection than websites that do not use privacy indicators. Separate and apart from privacy protection in the context of website policy, security and privacy breaches can occur independent of a website’s privacy policies. These breaches include fraud, identity theft and malware/virus attacks. To this end there are a number of technologies available for Internet users including firewall, encryption, anti-virus protection, malware protection and the use of private networking (Hawkins, Yen, & Chou, 2000). Although these technologies are available, much depends on the behaviour of the Internet user and his or her security awareness (Stanton, Stam, Mastrangelo, & Jolton, 2005). Despite the availability of information technologies and software for protecting against security and privacy risks, Internet users continue to become susceptible to security and privacy breaches. However, the security and privacy breaches are related to a lack of security awareness as evidenced by reckless behaviour and destructive practices (Yeo, Rahim, & Ren, 2009). These behaviours include using weak passwords for authenticating one’s identity, sharing passwords, failure to adhere to security warnings when visiting a corrupt website, failing to scan corrupt files for viruses or malware, failing to scan the computer and websites for malware and viruses and so on. According to Yeo, et al., (2009), a lack of security awareness also involves the failure to subscribe to an anti-virus programme or a failure to update the programme in a timely fashion (Yeo, et al., 2009). A lack of security awareness can be devastating to the Internet user. For example, an email containing a virus or malware can be dispatched to the user, who unaware of the security risk, opens the email and or an attached document and corrupts his or her entire computer. Personal and financial information contained in the computer is likely exposed to the individual or entity sending the email. Likewise, an individual who lacks security awareness might be inclined to click on a pop-up that claims the user has been selected for a free laptop or Ipod and once the user accepts the offer, is required to provide personal and financial information for receiving the gift. The user’s lack of security awareness, persuaded by the benefits of providing that information, assumes the risks to his or her detriment. For the most part, the pop-up was always intended to obtain personal and financial information for spamming purposes, or worse fraud or identity theft. Rational choice theory assumes that individuals with sufficient Internet security awareness are more likely to behave responsibly with a view to minimising or eliminating negative outcomes with respect to Internet usage (Bulgurcu, Cavusoglu, & Benbasat, 2010). Rational choice theory dictates that individuals who comply with internet security requirements are more likely to prevent Internet security and privacy breaches. Rational choice theory indicates that individuals who are aware of security and privacy risks are more likely to know what behaviours prevent security and privacy breaches and what behaviours increase security and privacy breaches and will choose to behave in a way that prevents security and privacy breaches (Bulgurcu, et al., 2010). Aside from security awareness, the use of passwords is another method by which Internet users protect against security and privacy breaches. Passwords are means by which individuals authenticate their identities and restrict access and control of online information, particularly financial and personal information. To this end, Internet users are inclined to use short alphanumerical passwords that they can remember. The difficulty with these types of passwords is that they are “short and insecure” for the most part (Wiedenbeck, Waters, Birget, Brodskiy, & Memon, 2005, p. 102). One way to cure the problem of creating and using short and insecure passwords is the use of graphical passwords. Graphical passwords involve the user “clicking on images” as opposed to “typing alphanumeric strings” (Wiedenbeck, et al., 2005, p. 102). A comparative study was conducted on trial and control group in which the control group created alphanumerical passwords and the trial group created graphical passwords. The passwords were used for a period of six weeks. The study found that the trial group had fewer problems creating their graphical passwords than the control group. Nevertheless, the trial group used more time and input invalid passwords more frequently than the control group of alphanumeric Internet users. Although both the control and trial group demonstrated similar memories of their passwords, the trial group took longer to enter their graphical passwords (Wiedenbeck, et al., 2005). It would therefore appear that while graphical passwords are an effective alternative to weak and insecure alphanumeric passwords, they also have their difficulties. The margin of error involved in entering invalid passwords and the time it takes to enter the graphical passwords makes it an unsuitable alternative. It is possible that users will become frustrated and discouraged and will likely prefer using the alphanumerical password system. The difficulty with alphanumerical passwords is that in order for them to be secure, they have to be difficult for others to guess and this often means that they are difficult for the creator to remember. A review of literature suggests that much of the security and privacy risks associated with the Internet are within the control of the Internet user. Privacy protection is more complex in that the user takes the risk that the website to which information is disclosed, might use the information inappropriately or share it without the user’s express consent. Even so, the Internet user can limit this risk by either refusing to disclose information or simply using websites that they trust and have a history of protecting the privacy of its users. Internet security is protected by technologies and software specifically designed to safeguard against security and privacy breaches. However, much depends on the users’ security awareness and behaviour. It can therefore be concluded that the Internet user’s behaviour contributes to the extent to which Internet security and privacy risks exists. Conclusion Perceived risk theory dictates that consumers make decisions relative to the Internet and their behaviour based on their perceptions of the risk involved. However, TAM which favours perceptions of usefulness and ease of use indicates that the impact of perceptions of risk may be mediated by perceived benefits and/or ease of use. For example, although users may perceive that using graphical passwords are safer than using short and insecure passwords, users may be discouraged by perceptions of the ease of use of these passwords. Since it has been determined that graphical passwords are difficult to input, take longer to input and are susceptible to invalid entries, perceptions of ease of use may be negative. As a result, despite its relatively safer use, Internet users may be more likely to assume the risk of alphanumeric passwords. Internet security awareness is a significant indicator of risk-taking behaviour on the part of Internet users. An Internet user who is aware of the security risk will likely take measures to avoid the risks. Rational choice theory informs that Internet users will usually weigh the advantages and disadvantages of taking risks on the Internet, provided they have sufficient Internet security awareness. Internet security and privacy protection tools are available for Internet users. However, these tools require cooperation and compliance by the Internet user. For example, warnings that pop up or that are displayed indicate to the user that there are security risks involved should they visit a particular website. Rational choice theory assumes that based on a user’s Internet security awareness, the user will make the decision regarding whether or not he or she will visit the website. According to rational choice theory, a user with Internet security awareness will most likely avoid the site altogether. However, an Internet user with little or no Internet security awareness will likely visit the site and assume the risk. In the final analysis, Internet security and privacy risks are unavoidable, but can be controlled. As technologies improve to prevent and detect security and privacy risks, hackers and spammers are becoming more ambitious. It is up to the Internet user to adopt and use the technologies available to them and to ensure that they behave responsibly. Internet security awareness is the key to identifying responsible behaviour. At the same time, knowing which websites to trust with information and which websites that cannot be trusted is the best method for preventing privacy breaches. In other words, it is primarily up to the Internet user, whether or not his or her security and privacy is protected on the Internet. Directions for Further Research Cloud computing is a relatively new phenomenon with a wealth of benefits for Internet users. It provides a cost saving method of data storing and facilitates access and storage from remote locations. Therefore usefulness under TAM is not an issue and well-supported. As an innovative tool for businesses and individuals, its ease of use under TAM is likely not an issue, but requires further examination. Therefore, empirical evidence testing the ease of use of cloud computing should be obtained in research studies. The purpose of this research would be to determine whether or not perceptions of risk are connected to perceptions of ease of use. Moreover, since cloud computing is linked to perceptions of its high risk to data sharing, further research should be conducted to gather empirical evidence of security breaches. So far, reports in the literature suggest that there are perceptions of security and privacy risks relative to cloud computing. However, there is no evidence of security and privacy breaches reported in the literature. If evidence is collected of actual security and privacy breaches, then it will be possible for technology developers to create appropriate security and privacy protection software for cloud computing. After all, cloud computing is an efficient and effective method of data storage and it is convenient for accessing files anywhere and anytime. Bibliography Bulgurcu, B.; Cavusoglu, H. and Benbasat, I. (September 2010). “Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness.” MIS Quarterly, Vol. 34(3): 523-548. Egelman, S.; Tsai, J.; Cranor, L.F. and Acquisiti. (2009). “Timing is Everything?: The Effects of Timing and Placement of Online Privacy Indicators.” Proceedings of SIGHI Conference on Human Factors in Computing Systems, 319-328. Featherman, M.S. and Pavlov, P.A. (October 2003). “Predicting e-Services Adoption: A Perceived Risk Facets Perspective.” International Journal of Human-Computer Studies, Vol. 59(4): 451-474. Flavian, C. and Guinaliu, M. (2006). “Consumer Trust, Perceived Security and Privacy Policy: Three Basic Elements of Loyalty to a Web Site.” Industrial Management and Data Systems, Vol. 106(5): 601-620. Fogel, J. and Nehmad, E. (January 2009). “Internet Social Network Communities: Risk Taking, Trust, and Privacy Concerns.” Computers in Human Behavior. Vol. 25(1): 153-160. Hawkins, S.; Yen, D.C. and Chou, D.C. (2000). “Awareness and Challenges of Internet Security.” Information Management & Computer Security, Vol. 8(3): 131-143. Lee, M-C. (May-June 2009). “Factors Influencing the Adoption of Internet Banking: An Integration of TAM and TPB with Perceived Risk and Perceived Benefit.” Electronic Commerce Research and Applications, Vol. 8(3): 130-141. Libermann, Y. and Stashevsky, S. (2002). “Perceived Risks as Barriers to Internet and e-Commerce Usage.” Qualitative Market Research: An International Journal, Vol. 5(4): 291-300. Miyazaki, A.D. and Krishnamurthy, S. (Summer 2002). “Internet Seals of Approval: Effects on Online Privacy Policies and Consumer Perceptions.” Journal of Consumer Affairs, Vol. 36(1): 28-49. Miyazaki, A.D. and Fernandez, A. (Summer 2001). “Consumer Perceptions of Privacy and Security Risks for Online Shopping.” Journal of Consumer Affairs, Vol. 35(1): 27-44. Miyazaki, A.D. and Fernandez, A. (Spring 2000). “Internet Privacy and Security: An Examination of Online Retailer Disclosures.” Journal of Public Policy & Marketing, Vol. 19(1): 54-61. Nam, C.; Song, C.; Lee, E. and Park, C.I. (2006). “Consumers’ Privacy Concerns and Willingness to Provide Marketing-Related Personal Information Online.” Advances in Consumer Research, Vol. 33: 212-217. Nehf, J. P. (Winter 2007). “Shopping for Privacy on the Internet.” The Journal of Consumer Affairs, Vol. 41(2): 351-375. Pearson, S. (2012). “Privacy, Security and Trust in Cloud Computing.” HP Laboratories, HPL:2012-80RI: 1-58. Stanton, J.M.; Stam, K.R.; Mastrangelo, P. and Jolton, J. (March 2005). “Analysis of End User Security Behaviors.” Computers and Security, Vol. 24(2): 124-133. Subashini, S. and Kavitha, V. (January 2011). “A Survey on Security Issues in Service Delivery Models of Cloud Computing.” Journal of Network and Computer Applications, Vol. 34(1): 1-11. Wang, Y-S.; Wang, Y-M.; Lin, H-H. and Tang, T-I. (2003). “Determinants of User Acceptance of Internet Banking: An Empirical Study.” International Journal of Service Industry Management, Vol. 14(5): 501-519. Weber, R. H. (January 2010). “Internet of Things – New Security and Privacy Challenges.” Computer Law & Security Review, Vol. 26(1): 23-30. Wiedenbeck, S.; Waters, J.; Birget, J-C.; Brodskiy, A. and Memon, N. (July 2005). “Passpoints: Design and Longitudinal Evaluation of a Graphical Password System.” International Journal of Human-Computer Studies, Vol. 63(1-2): 102-127. Yeo, A.C.; Rahim, M. and Ren, Y.Y. (2009). “Use of Persuasive Technology to Change End-Users’ IT Security Awareness Behaviour: A Pilot Study.” International Journal of Human and Social Sciences, Vol. 4(9): 673-679. Zissis, D. and Lekkas, D. (March 2012). “Addressing Cloud Computing Security Issues.” Future Generation Computer Systems, Vol. 28(3):583-592. Read More