CSIS Seminar

Why Don't People ... Use Security, Protect Their Data, and Adopt the Available Solutions?

Abstract

Is it that people don't care? Or people don't understand security and privacy? Is it a question of usability? Or is it a combination of all three? Individuals may rationally choose not to invest in security to benefit others, may underestimate their own risks, and may simultaneously find solutions to be unusable. The solution to the lack of adoption of security (and the corresponding privacy paradox) depends upon research thread one follows. For a classic economist, privacy is means a less efficient market. Given that market efficiency is contingent on more information, individuals are rationally unconcerned; the value from information sharing outweighs the costs of privacy loss. Thus, the solution is to ensure that the value of the information being transacted is realized by the individual. From a behavioral perspective, the problem is misperceptions: the perceived risk and perceived benefit of information sharing are incorrect. Risk perceptions can then be informed by appropriate risk communication. A final explanation is that current security and privacy enhancing technologies are not usable. The solution then is to design technology that is usable and aligns with user's needs, e.g. users must be provided risk mitigating options and not just informed of the risk. In this presentation I examine these explanations and their relative merits, referencing research that addresses each of these. I conclude that the emerging threat landscape of IoT and cyberphysical systems requires a comprehensive solution that addresses all three.

Speaker Bio

Jean Camp is a Professor at the School of Informatics and Computing at Indiana University. She joined Indiana after eight years at Harvard’s Kennedy School where her courses were also listed in Harvard Law, Harvard Business, and the Engineering Systems Division of MIT. She spent the year after earning her doctorate from Carnegie Mellon as a Senior Member of the Technical Staff at Sandia National Laboratories. She began her career as an engineer at Catawba Nuclear Station and with a MSEE at University of North Carolina at Charlotte. Her research focuses on the intersection of human and technical trust, levering economic models and human-centered design to create safe, secure systems. She has authored more than two hundred publications. She has peer-reviewed publications on security and privacy at every layer of the OSI model. She has alumni in the private, public, and nonprofit sectors. She is a Fellow of the Institute of Electrical and Electronic Engineers, as well as a Fellow of the American Association for the Advancement of Science.