Influence of Privacy Priming and Security Framing on Android App Selection

Abstract

Many users unknowingly grant mobile applications (apps) permission to access their personal information (Felt et al., 2012). This access is in part a result of the large number of permissions apps request and users’ difficulty in understanding the nature of these potentially harmful requests (Kelley et al., 2011; Liccardi et al., 2014). Laboratory studies have suggested that different approaches can be taken to curtail the likelihood of mobile users installing malicious apps. A large body of work investigating mobile app security agrees that it is indeed possible to get users to make safer and more knowledgeable decisions during the app selection process. Gates, Chen, Li, and Proctor (2014), for example, found that users made less risky decisions when they were presented with a summary risk or safety ranking that conveys the overall risk of an app. Most recently, the effects of priming manipulations have indicated that introducing an intervention before the app selection process begins may be just as effective (Rajivan & Camp, 2016). In the current study we combined the work that has been conducted on providing overall risk/safety information (Chen et al., 2014; Choe et al., 2013) with that focused on priming users with self-relevant privacy questions (Rajivan & Camp, 2016). We sought to determine whether the subjective privacy priming effect reported by Rajivan and Camp could be replicated and whether an objective priming condition (in which facts about what information apps can access were presented) would have a similar or possibly even stronger effect. Another concern was how these priming conditions would interact with positively- vs, negatively-framed safety rankings (safety and risk scores, respectively). Participants were recruited through Amazon Mechanical Turk (MTurk). Participants were presented with subjective or objective safety items before the app-selection task and with apps and their respective safety rankings during the selection process. Subjective priming was induced with the eight subjective items used by Rajivan and Camp (2016), whereas objective priming was by way of app-permission examples modified from Harbach, Hettig, Weber, and Smith (2014). In the control condition, participants completed the task without any priming material, similar to the study by Chen et al. (2015). Also, summary safety and risk rankings were varied for the app-selection task, as in Chen et al.’s (2015) study. The procedure closely followed that of Chen et al. (2015). Participants were provided with a demonstration of the elements of the apps they would be selecting. Each app was displayed with several pieces of information including the app icon, app name, developer, user rating (out of five stars), user rating count, permission safety or risk ranking (out of five circles), and a brief description of the app. The distributions of user ratings and permission safety/risk rankings were identical to those used by Chen et al. (2015). For the safety framing condition, a higher safety ranking indicated a safer app, whereas for the negative framing condition, a higher risk ranking indicated a riskier app. Participants were instructed to pick two out of the six apps for six groups of apps. We were able to replicate the findings of Chen et al. (2015), showing a greater impact from summary scores framed as safety rather than risk. The data suggest that participants were more sensitive to the safety rankings when higher rankings indicated low vs. high safety than low vs. high risk. We also replicated the findings of Rajivan and Camp (2016) in which subjective priming of security enhances participants’ consideration of the safety rankings. Moreover, we obtained evidence that objective priming with specific app permissions yields a similar benefit. Since priming with either kind of safety-relevant items resulted in safer app selections than a control condition without priming, we conclude that the benefit of priming is primarily due to the general activation of security and privacy as part of the task set. In sum, this study supports the notion that a multi-pronged approach where safety-related information is presented before the app selection process and a summary safety index is displayed may be the most effective way to improve users’ safety behaviors.