Smartphone users: Understanding how security mechanisms are perceived and new persuasive methods

RESEARCH ARTICLE Smartphone users: Understanding how security mechanisms are perceived and new persuasive methods Mansour Alsaleh1*, Noura Alomar2, Abdulrahman Alarifi1 1 King Abdulaziz City for Science and Technology (KACST), Riyadh, Kingdom of Saudi Arabia, 2 Software Engineering Department, King Saud University, Riyadh, Kingdom of Saudi Arabia * Abstract a1111111111 a1111111111 a1111111111 a1111111111 a1111111111 OPEN ACCESS Citation: Alsaleh M, Alomar N, Alarifi A (2017) Smartphone users: Understanding how security mechanisms are perceived and new persuasive methods. PLoS ONE 12(3): e0173284. https://doi. org/10.1371/journal.pone.0173284 Editor: Kim-Kwang Raymond Choo, University of Texas at San Antonio, UNITED STATES Received: July 15, 2016 Accepted: February 4, 2017 Protecting smartphones against security threats is a multidimensional problem involving human and technological factors. This study investigates how smartphone users’ securityand privacy-related decisions are influenced by their attitudes, perceptions, and understanding of various security threats. In this work, we seek to provide quantified insights into smartphone users’ behavior toward multiple key security features including locking mechanisms, application repositories, mobile instant messaging, and smartphone location services. To the best of our knowledge, this is the first study that reveals often unforeseen correlations and dependencies between various privacy- and security-related behaviors. Our work also provides evidence that making correct security decisions might not necessarily correlate with individuals’ awareness of the consequences of security threats. By comparing participants’ behavior and their motives for adopting or ignoring certain security practices, we suggest implementing additional persuasive approaches that focus on addressing social and technological aspects of the problem. On the basis of our findings and the results presented in the literature, we identify the factors that might influence smartphone users’ security behaviors. We then use our understanding of what might drive and influence significant behavioral changes to propose several platform design modifications that we believe could improve the security levels of smartphones. Published: March 15, 2017 Copyright: © 2017 Alsaleh et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited. Data Availability Statement: All relevant data are within the paper. Funding: This work was supported by King Abdulaziz City for Science and Technology (KACST) - Internal Fund. Competing interests: The authors have declared that no competing interests exist. 1 Introduction The mobility, portability, and increasing capabilities of smartphones have significantly contributed to the increasing popularity of these multi-purpose devices. A recently published report showed that more than two thirds of American adults possess a smartphone [1]. Furthermore, more than 334 million smartphones were sold in less than 3 months in 2015 [2]. As smartphones begin to replace personal computers because of their advanced features and ease of use, large volumes of sensitive data are now stored and processed in smartphones including contacts, emails, photos, and videos. This makes smartphones an attractive target for hackers, particularly as regards the many ways of installing malicious codes on their victims’ devices PLOS ONE | https://doi.org/10.1371/journal.pone.0173284 March 15, 2017 1 / 35 Smartphone users: Understanding how security mechanisms are perceived and new persuasive methods and gaining unauthorized access to users’ sensitive data [3–5]. For example, the lack of awareness of many smartphone users might make them vulnerable to downloading malicious applications from uncontrolled app marketplaces [4, 6]. Receiving phishing messages that could come from SMS, MMS, email messages, social networks, and phone calls might also increase the vulnerability of smartphone users to many security- or privacy-related threats [4]. In 2014, Symantec analyzed over 6 million mobile applications and found that over 15% of them included malicious content, whereas around 37% were considered grayware programs [5]. Recently, Apple also stated that 100 billion applications were downloaded from its application repository [7]. A report published by Symantec also showed that smartphone vulnerabilities experienced a growth of 32% in 1 year [5]. A recent survey [8] showed that there is a lack of awareness among smartphone users about the security and privacy risks associated with downloading smartphone apps. Most surveyed participants assumed that controlled app marketplaces (e.g., Google Play) are secure [8], which indicates that users’ perceptions might negatively affect their security. According to the results of another survey [5], most smartphone users have worries and fears related to their privacy and security, yet they perform risky behaviors (e.g., over 65% of the surveyed individuals gave free applications permissions to access their data). Understanding smartphone users’ perceptions and misconceptions about security and privacy is therefore essential. This will help researchers develop mechanisms that preserve the confidentiality, integrity, and availability of data stored in smartphones. In this paper, thirty qualitative interviews were performed to understand users’ securityrelated behaviors and to examine the correlations between them. We extend the work of Egelman et al. [9] by identifying the correlations and dependencies between various privacy- and security-related behaviors (in addition to locking behaviors), and by understanding how they are influenced by users’ preconceived perceptions, and propose new persuasive approaches. One of our interesting findings shows that the behavior related to locking mechanisms correlates with the practices related to backing up smartphone data, saving photos in gallery applications and connecting to public Wi-Fi hotspots. For example, we found that over 88% of our participants who chose not to lock their phones do not back up their smartphone devices. Furthermore, at least eight out of nine users who do not use smartphone locking mechanisms connect to public Wi-Fi networks. Similarly, more than 88% of the users who do not lock their phones save their personal photos in gallery applications. Inspired by the participants’ subjective feedback related to many security features as well as by the related behavioral literature, we identify the factors that could assist in predicting smartphone users’ decisions of whether to adopt protective behaviors or not. Contributions. Our main contributions are the following. 1. Studying Users’ Behaviors Toward Multiple Security Features. Our study examined smartphone users’ behaviors toward se (...truncated)