What I Say Means What I Do: Risk Concerns and Mobile Application-Selection Behaviors.

Abstract

The goal of this study was to examine the relation between users' reported risk concerns and their choice behaviors in a mobile application (app) selection task. Human users are typically regarded as the weakest link in cybersecurity and privacy protection; however, it is possible to leverage the users' predilections to increase security. There have been mixed results on the relation between users' self-reported privacy concerns and their behaviors. In three experiments, the timing of self-reported risk concerns was either a few weeks before the app-selection task (pre-screen), immediately before it (pre-task), or immediately after it (post-task). We also varied the availability and placement of clear definitions and quizzes to ensure users' understanding of the risk categories. The post-task report significantly predicted the app-selection behaviors, consistent with prior findings. The pre-screen report was largely inconsistent with the reports implemented around the time of the task, indicating that participants' risk concerns may not be stable over time and across contexts. Moreover, the pre-task report strongly predicted the app-selection behaviors only when elaborated definitions and quizzes were placed before the pre-task question, indicating the importance of clear understanding of the risk categories. Self-reported risk concerns may be unstable over time and across contexts. When explained with clear definitions, self-reported risk concerns obtained immediately before or after the app-selection task significantly predicted app-selection behaviors. We discuss implications for including personalized risk concerns during app selection that enable comparison of alternative mobile apps.