the design (this part is called “adequacy”).
Iachello and Abowd evaluated the proportionality method in a controlled experiment with Hong’s risk analysis , Bellotti and Sellen’s method , and, as a control condition, Design Rationale . The results of the evaluation show that none of the participants in the four conditions identified all the privacy issues in the application. Each design method prompted the participants of the evaluation to probe a certain set of issues, based on the questions that were included in the design framework. Moreover, the level of experience of the participants and the amount of time employed to perform the analysis were better correlated than the design method used with the number of privacy issues identified by each participant .
The results of this study suggest that, again, the scope of the design method strongly influences its effectiveness in analyzing specific design problems. Second generation design methods  can help in the privacy requirements analysis by forcing designers to think through the design as extensively as possible.
3.5.3 Modeling Frameworks
The third type of “design methods” we discuss are modeling frameworks. Some modeling frameworks, such as k-anonymity  and the Freiburg Privacy Diamond , are heavily influenced by information theory. They describe exchanges of information mathematically, which allows for requirements to be tightly defined and verified. Given the lack of reference to the human user, however, these frameworks are not used in the HCI community. Instead, HCI researchers have focused on economic and behavioral models.
Economic Frameworks and Decision Making Models
Researchers have developed economic models to describe individuals’ decision making in the disclosure of personal information. Early work in this area includes Posner’s and Stigler’s work in the late 1970s [240, 276]. In particular, Posner argues that privacy is detrimental from an economic standpoint because it reduces the fluidity of information and thus market efficiency.
Posner predicts markets for personal information, where individuals can freely trade their personal data. Varian argues that from an economic analysis standpoint, personal information could be protected by associating with it an economic value, thus increasing the cost of collecting and using it to an equitable balance . In these markets, data users pay license rights to the data subjects for using their personal information. Similar markets exist already (i.e., credit and consumer reporting agencies). However, critics of these economic models question whether increased fluidity actually provides economic benefit . It should be noted that these markets are quite incompatible with the underlying assumptions of data protection legislation such as EU Directive 95/46, which treats personal information as an unalienable object and not as property.
Varian takes a more pragmatic approach, suggesting that disclosure decisions should be made by balancing the costs and the subjective benefits of the disclosure . Researchers have also developed economic models to describe disclosure behaviors. For example, Vila et al. have developed a sophisticated economic model to explain the
end-user-privacy-in-human-computer-interaction-v57.docPage 64 of 85