
Upload: dylan-wiggins

Post on 27-Dec-2015


Human Issues in Security and Privacy for e-Commerce

Co-operative Bank; smile.co.uk; Office of the Information Commissioner; Cooksons.com; RedbricksOnline ltd; Homes For Change; UMIST School of Management & Department of Computation; UK Department of Trade and Industry; Research Councils EPSRC & ESRC

www.hispec.org.uk

HiSPEC

The take-up of e-Commerce is being adversely affected by concerns about Privacy and Security

Key Outcomes to date

• An assessment of Privacy and UK Websites

• E-protection: Use and Attitudes throughout the UK

• Promoting e-Protection through Social Marketing

• Best Practice Guidance Publications & Reports


Best Practice Guidance

• Problem: There is a lack of understanding among designers of their role in privacy protection. The challenge is to develop best practice guidance for system designers.

• Solution: An easy-to-remember acronym, F A R S T A R S:

Fair

Adequate

Rights

Specific Purpose

Transfer

Accuracy

Retention

Security

• Benefits: Can be applied at each stage of the design life cycle.

Example: Accuracy

Requirements: identify a ‘check by date’ for each data item

Design and Build: include an auditable mechanism for ‘signing-off’ data accuracy

Evaluation: include a clear process for Data Subjects to correct inaccurate data

Use and Monitoring: regularly review data validation procedures
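The Accuracy example above maps one FARSTARS principle onto the four life-cycle stages. The following Python is an added illustration of that mapping and is not code from the poster or from the HiSPEC guidance document: each data item carries a check-by date (Requirements), sign-offs are written to an audit trail (Design and Build), the data subject can correct a value and the old value stays on record (Evaluation), and a review function lists items whose check-by date has passed (Use and Monitoring). The class and function names, the reviewer and subject identifiers, the field names and all dates are constructed assumptions.

```python
# Added example, not from the HiSPEC poster or its guidance document:
# a minimal model of the 'Accuracy' guidance across the four life-cycle
# stages. All field names, reviewer ids and dates are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class DataItem:
    """One personal-data item held about a data subject."""
    name: str
    value: str
    check_by: date                              # Requirements: a 'check by date' per item
    audit: list = field(default_factory=list)   # Design/Build: auditable sign-off trail

    def sign_off(self, reviewer: str, on: date, revalidate_days: int) -> None:
        """Design and Build: record that a reviewer confirmed the value is
        accurate, and move the check-by date forward by the agreed interval."""
        self.audit.append((on.isoformat(), reviewer, "sign-off", self.value))
        self.check_by = on + timedelta(days=revalidate_days)

    def correct(self, subject_id: str, new_value: str, on: date) -> None:
        """Evaluation: the data subject corrects an inaccurate value. The old
        value is kept in the audit trail and the item is due for sign-off again."""
        self.audit.append((on.isoformat(), f"subject:{subject_id}", "correction",
                           f"{self.value} -> {new_value}"))
        self.value = new_value
        self.check_by = on          # needs revalidation straight away


def overdue_items(register, today: date) -> list:
    """Use and Monitoring: names of items whose check-by date has passed,
    i.e. the list a regular validation review should work through."""
    return sorted(item.name for item in register if item.check_by < today)


def example_run() -> dict:
    """Constructed walk-through on a two-item register; returns the
    observations a reviewer would check at each stage."""
    address = DataItem("postal_address", "1 Old Street", date(2003, 1, 1))
    email = DataItem("email", "someone@example.org", date(2004, 1, 1))
    register = [address, email]
    results = {}
    # Use and Monitoring: the address check-by date has passed, the email has not
    results["overdue_before_signoff"] = overdue_items(register, date(2003, 6, 1))
    # Design and Build: a reviewer signs the address off for another year
    address.sign_off("ops-team", date(2003, 6, 1), revalidate_days=365)
    results["check_by_after_signoff"] = address.check_by.isoformat()
    results["overdue_after_signoff"] = overdue_items(register, date(2003, 6, 2))
    # Evaluation: the data subject corrects the address; it falls due again
    address.correct("subject-42", "2 New Street", date(2003, 7, 1))
    results["value_after_correction"] = address.value
    results["overdue_after_correction"] = overdue_items(register, date(2003, 7, 2))
    results["audit_entries"] = len(address.audit)
    return results


if __name__ == "__main__":
    for key, val in example_run().items():
        print(f"{key}: {val}")
```

The design choice worth noting is that a subject correction never overwrites history: the previous value is appended to the audit trail, and the corrected item immediately reappears on the overdue list so that a reviewer has to sign the new value off rather than trusting it by default.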

‘Best Practice Guidance for System Designers’ is available for public consultation on www.dataprotection.gov.uk


Publications & Reports

Enabling Environment for e-Commerce

Devices, Desires or Distrust: Encouraging the Use of e-Commerce. Workshop, e-2003 e-Challenges Conference, Bologna, Italy, October 2003

E-Protection Solutions: Use and Attitudes amongst the UK Internet User Population. Report on NOP study

Stories, Myths and Metaphors: Understanding Internet Self-Exclusion. HOIT 2003, University of California, Irvine, April 2003

Design for Trust

Multi-Story Trust and Online Retailer Strategies. International Review of Retail and Distribution Research, forthcoming

Study of Compliance with the Data Protection Act 1998 by UK-based Websites. Report to OIC, November 2002

Social Marketing

Social Marketing and the Application of Decisional Balance in the Context of Online Privacy Protection. Global Business & Technology Association International Conference, Budapest, July 2003

The Application of the Transtheoretical Model to the Adoption of Self-Protection Methods for Online Privacy and Security. European Association for Education and Research in Commercial Distribution, 12th International Conference, July 2003

Using the Transtheoretical Model to Understand and to Influence Consumer Adoption of Security and Privacy Enhancing Technologies. E-Factors, University of Surrey, April 2003

Best Practice Guidelines

Overview of P3P; The Dangers of P3P. Reports, March 2003

Privacy Enhancing Technologies: State of the Art Review. December 2002

FARSTARS Best Practise Guidance on Data Protection for Systems Designers. 2002


Promoting e-Protection

Problem: There is a significant lack of awareness and lack of use of e-protective solutions. The challenge is to promote self-protection amongst all Internet users.

Solution: Social Marketing, a tool to produce positive behaviour change.

Change is seen as a process of ‘stages of change’ towards adoption.

Adoption is associated with a positive “decisional balance” comparing gains and losses.

Helps identify who to target with what type of message, e.g. high versus low threat.

Uses many strategies: education, promotions, advertising, community mobilisation.

Examples:

Promoting more secure passwords: intranet education / cartoon scenarios / quizzes

Checking for https: posters / leaflets / community activation / web-based examples

Benefits:

Greater ownership of privacy and security by Internet users.

Encourages self-confidence in the use of e-commerce.

Improved knowledge and awareness of privacy and security for Internet users.

Decisional Balance Changes with Stage of Adoption

[Chart not reproduced: Pros and Cons scores plotted against adoption stages 1 to 5 on an Agree/Disagree scale from -0.6 to 0.6. The underlying data follow.]

Stage               Pros        Cons
Too difficult      -0.22171     0.482988
Pre-contemplation  -0.28887     0.232725
Contemplation      -0.20021     0.384408
Action              0.389603    0.248275
Maintenance         0.332578   -0.51346


E-protection: Use and Attitudes

Problem: The rapid spread of viruses and continuing ‘spam’ troubles suggest that many Internet users are not fully implementing e-protection. Which people are using what precautions? If they are not, is this because they are unaware of what is available, is ease of use holding them back, or are there other reasons for not using it?

Description: NOP online survey obtained weighted data from 1,100 UK weekly users of the Internet aged 16+ about awareness, use of and attitudes towards 5 solutions chosen to represent low (privacy policies) to high (encryption) technical requirements.

Outcome: The problem of non-use is pervasive: at best just over 50% are using a simple e-protection solution, e.g. checking for HTTPS, and just 9% are using encryption software.

Lack of awareness is prominent, particularly amongst less experienced users.

Perceived difficulty, extra hassle, techno-phobia and fear of social disapproval are all significant attitudes preventing adoption of e-protection solutions.

Benefits: The survey indicates strategies for encouraging adoption of individual solutions.

Low levels of awareness suggest education campaigns.

Poor attitudes suggest social marketing and community-based promotional campaigns.

Usability problems suggest adjustments to existing solutions.

Data also suggest specifications for next-generation privacy enhancing technologies.


Privacy and UK Websites

• Problem: To assess the degree of compliance with the 1998 Data Protection Act by UK websites, and to unveil the reality behind the promise: what is promised on the site versus reality.

• Method:

Independent analyst assessment of a representative sample of UK websites

In-depth interviews by telephone and face-to-face

Post-visit assessments

• Key Results (full report available):

Large or regulated companies show a high level of compliance

Small or unregulated companies typically show a low level of compliance

25% of sites provide no contact details

Only 5% of Privacy Statements reached the recommended readability score

Security and Retention are the greatest cause for concern

Only 45% of sites have a data security policy related to Data Protection

Many companies do not have a retention policy or procedures for removing data

• Recommendations:

Small companies need more support and freely available education

Web site developers need a greater understanding of the implications of security and retention requirements for site design and database design