You `Might' Be Affected: An Empirical Analysis of Readability and Usability Issues in Data Breach Notifications

  title={You `Might' Be Affected: An Empirical Analysis of Readability and Usability Issues in Data Breach Notifications},
  author={Yixin Zou and Shawn Danino and Kaiwen Sun and Florian Schaub},
  journal={Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems},
  • Yixin Zou, Shawn Danino, F. Schaub
  • Published 2 May 2019
  • Computer Science
  • Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems
Data breaches place affected individuals at significant risk of identity theft. Yet, prior studies have shown that many consumers do not take protective actions after receiving a data breach notification from a company. We analyzed 161 data breach notifications sent to consumers with respect to their readability, structure, risk communication, and presentation of potential actions. We find that notifications are long and require advanced reading skills. Many companies downplay or obscure the… 

Beyond Mandatory: Making Data Breach Notifications Useful for Consumers

Potential reasons for consumers' inaction after a data breach are analyzed, and how data breach notifications and respective requirements should be improved are discussed.

What breach? Measuring online awareness of security incidents by studying real-world browsing behavior

The findings highlight two issues: 1) security awareness needs to be increased; and 2) current awareness is so low that expecting users to be aware and take remedial action may not be effective.

A Comprehensive Quality Evaluation of Security and Privacy Advice on the Web

A large-scale, user-driven measurement study is conducted to identify 374 unique recommended behaviors contained within 1,264 documents of online security and privacy advice, and suggests a crisis of advice prioritization.

Who Would Bob Blame? Factors in Blame Attribution in Cyberattacks Among the Non-Adopting Population in the Context of 2FA

Users primarily hold service providers accountable for breaches but they feel the same companies should not enforce stronger security policies on users, and results indicate that people do hold end users accountable for their behavior in the event of a breach.

The TL;DR Charter: Speculatively Demystifying Privacy Policy Documents and Terms Agreements

This design fiction puts forward an alternate reality and presents a policy-based approach to fording the consent gap with the TL;DR Charter: an agreement governing the parties involved by harnessing the power of formal governments, industry, and other stakeholders, and taking users' expectation of privacy into account.

Examining the Adoption and Abandonment of Security, Privacy, and Identity Theft Protection Practices

An online survey examining the adoption and abandonment of 30 commonly recommended practices discusses how security, privacy, and identity theft protection recommendations and tools can be better aligned with user needs.

When Googling It Doesn't Work: The Challenge of Finding Security Advice for Smart Home Devices

This paper engages in a critical study of the type of advice that home Internet of Things (IoT) or smart device users might be presented with on the Internet to inform their cyber security practices.

Are You Tired? I am: Trying to Understand Privacy Fatigue of Social Media Users

This work proposes and proves the perceived antecedents and behavioral consequences of the privacy fatigue model based on the Stimulus Organism Response (S-O-R) theory, taking personality traits as the moderating factor, and provides complementary evidence to existing research on cultural factors.

Predicting Text Readability from Scrolling Interactions

There are statistically significant differences in the way readers interact with text depending on the text level; such measures can be used to predict the readability of text, and the background of a reader impacts both their reading interactions and the factors contributing to text difficulty.

Toward Full Accounting for Leakage Exploitation and Mitigation in Dynamic Encrypted Databases

This paper systematically studies the exploitable information disclosed during the database querying process, considers two types of attacks that can recover encrypted queries, and proposes a two-layer encrypted database hardening approach that obfuscates both search indexes and encoded data in a continuous way.

‘All that Glitters is not Gold’: The Role of Impression Management in Data Breach Notification

Data breaches have become a seemingly unavoidable aspect of the information age for both consumers and organizations. Breaches have tangible consequences, including the increased possibility of

Disagreeable Privacy Policies: Mismatches between Meaning and Users’ Understanding

This paper investigates the differences in interpretation among expert, knowledgeable, and typical users and explores whether those groups can understand the practices described in privacy policies at a level sufficient to support rational decision-making, and seeks to fill an important gap in the understanding of privacy policies through primary research on user interpretation.

"I've Got Nothing to Lose": Consumers' Risk Perceptions and Protective Actions after the Equifax Data Breach

Although many participants were aware of and concerned about the Equifax breach, few knew whether they were affected, and even fewer took protective measures after the breach. This behavior is found to be not primarily influenced by the accuracy of mental models or risk awareness, but rather by the costs associated with protective measures.

Out of Sight, Out of Mind: Consumer Reaction to News on Data Breaches and Identity Theft

We use the 2012 South Carolina Department of Revenue data breach to study how data breaches and news coverage about them affect consumers’ take-up of fraud protections. In this instance, we find that

How Short Is Too Short? Implications of Length and Framing on the Effectiveness of Privacy Notices

The potential of shortening privacy notices by removing privacy practices that a large majority of users are already aware of, and highlighting the implications of described privacy practices with positive or negative framing is examined, suggesting that the length of an effective privacy notice may be bounded.

Sleights of privacy: framing, disclosures, and the limits of transparency

It is illustrated in a series of experiments that even simple privacy notices do not consistently impact disclosure behavior, and may in fact be used to nudge individuals to disclose variable amounts of personal information.

A Design Space for Effective Privacy Notices

This paper surveys the existing literature on privacy notices and identifies challenges, requirements, and best practices for privacy notice design; by identifying relevant dimensions, it maps out the design space for privacy notices and provides a taxonomy and consistent terminology of notice approaches.

"What was that site doing with my Facebook password?": Designing Password-Reuse Notifications

Insight is provided into notifications used by companies in situations potentially involving password reuse and how notifications alone appear insufficient in solving password reuse.

An Empirical Study of Consumer Perceptions and Comprehension of Web Site Privacy Policies

Results of an empirical study, involving 993 Internet users, which compared various ways to present privacy policy information to online consumers suggest that users perceive typical, paragraph-form policies to be more secure than other forms of policy representation, yet user comprehension of such paragraph-form policies is poor as compared to other policy representations.