Technical considerations aside [47, 245], there are also considerable acceptance challenges to implementing a privacy management program within an organization. Developing the “human” side of the policies should be a priority for the MIS and CSCW communities, as shown by the work of Adams and Blandford. Adams and Blandford discuss the effects of the introduction of access control systems to patient data within health care settings. They studied two hospitals through in-depth interviews, focus groups, and observations, and found that in one hospital, a user-centered approach resulted in a collaborative system that was accepted and used by the organization, but still clashed with existing working practices. In the second hospital, poor communication to workers about IT security resulted in their misuse by some employees, who viewed them as a tool of social control. Similarly, Gaw et al. observed that email encryption tools can fail to be adopted because of social pressure and perceptions of one’s identity.
Finally, the privacy community needs better tools for performing audits, probing data processing practices, and tracing information leaks. The former tools would ensure that information is not being leaked accidentally (e.g., being published on web sites, such as in a case with AOL) or intentionally. The latter tools would ensure that any published information can be traced back to the original owner so that appropriate corrective actions can be taken.
Sasse reflects on the current “usability disaster” afflicting security technology and suggests two courses of action for recovery. She suggests using HCI techniques to analyze the cognitive demands of security technologies such as password schemes. Sasse also suggests using these techniques to predict expected behaviors, such as users writing down hard-to-remember passwords. In fact, Sasse points out relevant research challenges, noting that carelessness about security and privacy depends largely on user attitudes. One possible way of fostering secure behavior is to make it the preferable option, that is, by devising technologies that are secure by default. We took a similar stance above in Section 3.3.3, when we discussed the option of motivating users to adopt more secure behaviors.
In summary, since HCI researchers have started to study how security technology is used in the real world, security and privacy management should be viewed as a major and promising item requiring much additional research.
4.5 Understanding Adoption
Finally, the fifth emerging theme that we see is the convergence of research on privacy with research on end-user technological acceptance and adoption. The main evidence supporting this trend is 1) that privacy expectations and perceptions change over time as people become accustomed to using a particular technology, and 2) that privacy concerns are only one of several elements involved in the success of a particular application.
In Section 3.1, we described some methods that have been employed to understand user needs; however, it is still difficult to assess what the potential privacy impact will be