Dimensions of risk in mobile applications: A user study

Zach Jorgensen, Jing Chen, Christopher S. Gates, Ninghui Li, Robert W. Proctor, Ting Yu

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

14 Citations (Scopus)

Abstract

Mobile platforms, such as Android, warn users about the permissions an app requests and trust that the user will make the correct decision about whether or not to install the app. Unfortunately, many users either ignore the warning or fail to understand the permissions and the risks they imply. As a step toward developing an indicator of risk that decomposes risk into several categories, or dimensions, we conducted two studies designed to assess the dimensions of risk deemed most important by experts and novices. In Study 1, semi-structured interviews were conducted with 19 security experts, who also performed a card sorting task in which they categorized permissions. The experts identified three major risk dimensions in the interviews (personal information privacy, monetary risk, and device availability/stability), and a fourth dimension (data integrity) in the card sorting task. In Study 2, 350 typical Android users, recruited via Amazon Mechanical Turk, filled out a questionnaire in which they (a) answered questions concerning their mobile device usage, (b) rated how often they considered each of several types of information when installing apps, (c) indicated what they considered to be the biggest risk associated with installing an app on their mobile device, and (d) rated their concerns with regard to specific risk types and about apps having access to specific types of information. In general, the typical users' concerns were similar to those of the security experts. The results of the studies suggest that risk information should be organized into several risk types that can be better understood by users and that a mid-level risk summary should incorporate the dimensions of personal information privacy, monetary risk, device availability/stability risk and data integrity risk.

Original language: English
Title of host publication: CODASPY 2015 - Proceedings of the 5th ACM Conference on Data and Application Security and Privacy
Publisher: Association for Computing Machinery, Inc
Pages: 49-60
Number of pages: 12
ISBN (Print): 9781450331913
DOIs: https://doi.org/10.1145/2699026.2699108
Publication status: Published - 2 Mar 2015
Event: 5th ACM Conference on Data and Application Security and Privacy, CODASPY 2015 - San Antonio, United States
Duration: 2 Mar 2015 → 4 Mar 2015

Other

Other: 5th ACM Conference on Data and Application Security and Privacy, CODASPY 2015
Country: United States
City: San Antonio
Period: 2/3/15 → 4/3/15

Fingerprint

Application programs
Sorting
Mobile devices
Availability

Keywords

  • Android
  • Mobile security
  • Risk
  • Smartphones

ASJC Scopus subject areas

  • Information Systems
  • Software
  • Computer Science Applications

Cite this

Jorgensen, Z., Chen, J., Gates, C. S., Li, N., Proctor, R. W., & Yu, T. (2015). Dimensions of risk in mobile applications: A user study. In CODASPY 2015 - Proceedings of the 5th ACM Conference on Data and Application Security and Privacy (pp. 49-60). Association for Computing Machinery, Inc. https://doi.org/10.1145/2699026.2699108
