Mental Model-Based Designs: The Study in Privacy Policy Landscape

Abstract

Users’ mental models influence secure and privacy-preserving behavior in a computing environment. Prior studies on users’ mental models of Internet, security tools, and digital privacy show that there is no one-size-fits-all solution when it comes to security and privacy design. However, little study to date has explored the ways to translate users’ mental models into interactive security and privacy designs. As we begin to address this gap, we focus on privacy policy in this paper. The typical text-based privacy policy suffers from poor readability and usability. A recent study proposed a Visual Interactive Privacy Policy (VIPP), showing promise to offer a better user experience as compared to prior designs – we used VIPP as a control condition and compared that with our mental model (MM)-based designs, inspired by users’ privacy mental models explored in the existing literature. We iteratively improved our MM-based designs through a series of user studies in the lab setting. We evaluated our updated designs in an online study with 182 participants over Amazon Mechanical Turk. The participants rated MM-based designs significantly better than the control in most of our evaluation parameters. Furthermore, we found that when a design is centered around the mental model of participants, study participants rated it higher in terms of personal connection to the design, perspicuity, attractiveness, being stimulated towards privacy protection, as well as the propensity for real-life adoption. Based on our findings, we discussed the successes and challenges of MM-based designs and provided guidelines on the scope of leveraging mental models in the broader area of privacy and security designs.