Human Issues in Security and Privacy for e-Commerce
Partners: Co-operative Bank; smile.co.uk; Office of the Information Commissioner; Cooksons.com; RedbricksOnline Ltd; Homes For Change; UMIST School of Management & Department of Computation; UK Department of Trade and Industry; Research Councils EPSRC & ESRC
www.hispec.org.uk
HiSPEC
The take-up of e-Commerce is being adversely affected by concerns about Privacy and Security
Key Outcomes to date
• An assessment of Privacy and UK Websites
• E-protection: Use and Attitudes throughout the UK
• Promoting e-Protection through Social Marketing
• Best Practice Guidance Publications & Reports
Best Practice Guidance
• Problem: There is a lack of understanding among designers of their role in privacy protection. The challenge is to develop best practice guidance for system designers.
• Solution: an easy-to-remember acronym, FARSTARS:
Fair
Adequate
Rights
Specific Purpose
Transfer
Accuracy
Retention
Security
• Benefits: the guidance can be applied at each stage of the design life cycle.
Example: Accuracy
Requirements: identify a ‘check by date’ for each data item
Design and Build: include an auditable mechanism for ‘signing-off’ data accuracy
Evaluation: include a clear process for Data Subjects to correct inaccurate data
Use and Monitoring: regularly review data validation procedures
‘Best Practice Guidance for System Designers’ is available for public consultation on www.dataprotection.gov.uk
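As an added illustration of the Accuracy example above (this is not code from the HiSPEC project or the guidance itself), a minimal Python record model in which every data item carries a ‘check by’ date, sign-offs and Data Subject corrections are written to an auditable trail, and a monitoring check lists items whose check-by date has been reached. The record contents, names and revalidation period are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class DataItem:
    """One personal-data field together with its accuracy controls."""
    name: str
    value: str
    check_by: date                                    # Requirements: every item has a check-by date
    audit: list[tuple] = field(default_factory=list)  # Design and Build: sign-off / correction trail

    def sign_off(self, reviewer: str, on: date, revalidate_days: int) -> None:
        """Record an auditable sign-off of the current value and push the check-by date forward."""
        self.audit.append(("signed-off", reviewer, on.isoformat(), self.value))
        self.check_by = on + timedelta(days=revalidate_days)

    def correct(self, subject: str, new_value: str, on: date) -> None:
        """Evaluation: the Data Subject corrects the value; the old value stays in the trail.
        A corrected value is due for a fresh sign-off immediately, so check_by is set to today."""
        self.audit.append(("corrected", subject, on.isoformat(), f"{self.value} -> {new_value}"))
        self.value = new_value
        self.check_by = on


def overdue(items: list[DataItem], today: date) -> list[str]:
    """Use and Monitoring: names of items whose check-by date has been reached or passed."""
    return [i.name for i in items if i.check_by <= today]


def sample_record() -> list[DataItem]:
    """Constructed sample customer record (hypothetical values, not from the project)."""
    return [
        DataItem("postal_address", "1 High St, Manchester", date(2003, 1, 31)),
        DataItem("email", "a.customer@example.org", date(2003, 6, 30)),
    ]


def accuracy_cycle_demo() -> dict:
    """Walk one record through monitoring, sign-off and a subject correction."""
    record, out = sample_record(), {}
    out["before_review"] = overdue(record, date(2003, 3, 1))            # address is overdue
    record[0].sign_off("records-clerk", date(2003, 3, 1), revalidate_days=365)
    out["after_sign_off"] = overdue(record, date(2003, 3, 1))           # nothing overdue now
    out["next_check"] = record[0].check_by.isoformat()                  # one year on (leap year)
    record[1].correct("data-subject", "new.address@example.org", date(2003, 4, 1))
    out["after_correction"] = overdue(record, date(2003, 4, 1))         # corrected email needs sign-off
    out["email_trail"] = record[1].audit
    return out


if __name__ == "__main__":
    for key, val in accuracy_cycle_demo().items():
        print(f"{key}: {val}")
```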
Publications & Reports
Enabling Environment for e-Commerce
• Devices, Desires or Distrust: encouraging the use of e-commerce. Workshop: e-2003 e-challenges conference, Bologna, Italy, Oct 2003
• E-Protection Solutions: Use and attitudes amongst UK Internet user population, Report on NOP study
• Stories, Myths and Metaphors: Understanding Internet self-exclusion, HOIT 2003, University of California, Irvine, April 2003
Design for Trust
• Multi-Story Trust and Online Retailer Strategies, International Review of Retail and Distribution Research, forthcoming
• Study of Compliance with the Data Protection Act 1998 by UK based websites, Report to OIC, November 2002
Social Marketing
• Social Marketing and the Application of Decisional Balance in the Context of Online Privacy Protection, Global Business & Technology Association Intl Conf., Budapest, July 2003
• The Application of the Transtheoretical Model to the Adoption of Self-Protection Methods for Online Privacy and Security, European Association for Education and Research in Commercial Distribution, 12th International Conference, July 2003
• Using the Transtheoretical Model to Understand and to Influence Consumer Adoption of Security and Privacy Enhancing Technologies, E-Factors, University of Surrey, April 2003
Best Practice Guidelines
• Overview of P3P; The dangers of P3P, Reports, March 2003
• Privacy Enhancing Technologies - State of the Art review, Dec 2002
• FARSTARS Best Practice Guidance on Data Protection for Systems Designers, 2002
Promoting e-Protection
• Problem: There is a significant lack of awareness and lack of use of e-protective solutions. The challenge is to promote self-protection amongst all Internet users.
• Solution: Social Marketing, a tool to produce positive behaviour change.
Change is seen as a process of ‘stages of change’ towards adoption.
Adoption is associated with a positive “decisional balance” comparing gains and losses.
Helps identify who to target with what type of message, e.g., high vs. low threat.
Uses many strategies: education, promotions, advertising, community mobilisation.
• Examples: Promoting more secure passwords: intranet education / cartoon scenarios / quizzes. Checking for https: posters / leaflets / community activation / web-based examples.
• Benefits: Greater ownership of privacy and security by Internet users. Encourages self-confidence in use of e-commerce. Improved knowledge and awareness of privacy and security for Internet users.
[Chart: Decisional Balance Changes with Stage of Adoption; pros and cons scores per stage on a Disagree (-0.6) to Agree (0.6) scale, plotted against stage of adoption]
Stage               Pros        Cons
Too difficult      -0.22171     0.482988
Pre-contemplation  -0.28887     0.232725
Contemplation      -0.20021     0.384408
Action              0.389603    0.248275
Maintenance         0.332578   -0.51346
E-protection: Use and Attitudes
• Problem: The rapid spread of viruses and continuing ‘spam’ troubles suggest that many Internet users are not fully implementing e-protection. Which people are using what precautions? If they are not, is this because they are unaware of what is available, is ease of use holding them back, or are there other reasons for not using?
• Description: NOP online survey obtained weighted data from 1,100 UK weekly users of the Internet aged 16+ about awareness, use and attitudes towards 5 solutions chosen to represent low (privacy policies) to high (encryption) technical requirements.
• Outcome: The problem of non-use is pervasive: at best just over 50% are using a simple e-protection solution, e.g., checking for HTTPS, and just 9% are using encryption software.
Lack of awareness is prominent, particularly amongst less experienced users.
Perceived difficulty, extra hassle, techno-phobia and fear of social disapproval are all significant attitudes preventing adoption of e-protection solutions.
• Benefits: The survey indicates strategies for encouraging adoption of individual solutions.
Low levels of awareness suggest education campaigns.
Poor attitudes suggest social marketing and community-based promotional campaigns.
Usability problems suggest adjustments to existing solutions.
Data also suggest specifications for next-generation privacy enhancing technologies.
Privacy and UK Websites
• Problem: To assess the degree of compliance with the 1998 Data Protection Act by UK websites, and to unveil the reality behind the promise: what is promised on the site versus reality.
• Method: Independent analyst assessment of a representative sample of UK websites; in-depth interviews by telephone and face-to-face; post-visit assessments.
• Key Results (full report available): Large or regulated companies show a high level of compliance. Small or unregulated companies typically show a low level of compliance.
25% of sites provide no contact details.
Only 5% of Privacy Statements reached the recommended readability score.
Security and Retention are the greatest cause for concern.
Only 45% of sites have a data security policy related to Data Protection.
Many companies do not have a retention policy or procedures for removing data.
• Recommendations: Small companies need more support and freely available education. Web site developers need a greater understanding of the implications of security and retention requirements for site design and database design.