As the conversation over data leakage and mobile app security continues to gain traction, more and more users have growing concerns over the lack of privacy and security that mobile apps can guarantee. In their article, “Post hoc security and privacy concerns in mobile apps: the moderating roles of mobile apps’ features and providers,” Hamid Reza Nikkhah (University of Nevada, Las Vegas), Varun Grover, and Rajiv Sabherwal examine how users’ concerns about apps and providers’ privacy and security affect app usage and investigate whether things such as privacy policies decrease these concerns.
Mobile cloud computing often requires users to provide personal information for better functionality of the apps. This data is automatically sent to the cloud to provide larger storage capacity and access across various mobile devices, which are the main benefits of this application format. Cloud access allows for a wider reach across devices, improved user experience, real-time analytics, and cost efficiency for providers.
Despite the vitality of mobile cloud computing in modern technology, privacy and security concerns have proven costly for app developers and providers. For many mobile cloud computing (MMC) users, one of the main concerns is the lack of control over where their personal information and data are being shared. Nikkhah, Grover, and Sabherwal examine how developers can build user trust to decrease privacy and security concerns.
What are users’ concerns?
Users have specific concerns about privacy and security measures on MCC applications, primarily that they would lose control over the spread of the information they provide through these apps. Previous research found that users are wary of their information being spread and sold as data to advertisers and marketers to improve their market research.
MCC users also expressed concerns about security, primarily the exposed threat of hackers. Specific fears regarding this often include denial-of-service, eavesdropping, masquerading, IP spoofing, and man-in-the-middle. The most common reaction to these perceived threats was avoidance of these apps entirely! Developers are losing users before they can even try the app.
Generally, users are willing to relinquish privacy and security in exchange for perceived benefit. Privacy calculus refers to the decision that users make to sacrifice their concerns of privacy and security in exchange for digital service. Every day, users must decide if they are willing to relinquish a piece of their online freedom to be a part of that app and its benefits. Earlier research analyzed how users weigh these concerns, showing how the usefulness of MCC apps plays into this privacy calculus.
Trust in the app and its developers largely determines how much the user is willing to compromise in exchange for these benefits. When users have more trust in their app, they are willing to provide more information under the idea that their information is more secure with a secure developer. Previous research found that security and privacy interventions, such as privacy policy acknowledgment, affect levels of trust and decrease levels of distrust of MCC apps.
What happens after the first download?
While these findings are relevant to pre-adoption behavior, Nikkhah, Grover, and Sabherwal examine how privacy and security measures affect behavior after the first use. To decipher this, they conducted a scenario-based survey of 694 MCC app users to measure perceived security threats, value of data transfer, enjoyment, usefulness, and effectiveness of privacy and security measures on a seven-point scale.
Their research found that as users are asked to provide more personal information and data, their security concerns become more prevalent. Many MCC apps ask for access to things such as photos, microphones, contacts, location, and more after the initial download, leading users to become more wary as they grant more access. Security concerns such as these can be detrimental to app developers and often convince users to stop using these apps after first use.
Their discoveries suggest that despite attempts to decrease privacy and security concerns, this challenge remains unyielding, leaving developers to wonder: “What can we do to solve this problem?” One of the most common attempts to increase user trust is adopting the ISO 27018 standard that provides guidelines and best practices on how apps should manage personal information provided by users. Nikkhah, Grover, and Sabherwal found that, despite the added benefits of privacy and security, adopting this standard is not an effective way to increase user trust as the average user will not know that this is a standard for the cloud.
They also analyzed how privacy policies affect user perception of privacy and security. Although these privacy policies outline the measures that app developers take to maintain the privacy of users, the study found that this intervention does not decrease privacy concerns. Often, users will skip past privacy policies as they are usually lengthy and only require the click of a button or touch of a screen to move on. Because of this, privacy policies were found to be ineffective in improving user trust.
So, what can developers do?
It seems that until users can see concrete evidence that their information is secure, post-adoption behavior will not improve. For now, app developers will have to prove that their app is useful enough to be worth the decrease in privacy and security. While interventions seem to be ineffective in improving user trust, providers should still be moving forward with them to increase privacy and security. In this era of digital distrust, privacy and security is the currency of user engagement. Only once users feel safe to provide personal information will we see an increase in MCC app retention rates.
Rajiv Sabherwal is Distinguished Professor and Edwin & Karlee Bradberry Chair of Information Systems
in the Walton College of Business at University of Arkansas. He has published on the
management, use, and impact of information technologies in Information Systems Research,
MIS Quarterly, Management Science, Organization Science, Journal of Management Information
Systems (MIS), and other journals. He has performed numerous editorial and conference
leadership roles, including Editor-in-Chief for IEEE Transactions on Engineering Management,
Conference Co-Chair for International Conference on Information Systems, Program Co-Chair
for Americas Conference on Information Systems, Senior Editor for MIS Quarterly, and
Special Issue Editor for Information Systems Research, MIS Quarterly Executive, and
Journal of Information Technology. He currently serves as Senior Editor for Journal
of Association of Information Systems (AIS) and Journal of Strategic Information Systems,
Department Editor for Decision Sciences, and a member of the editorial board for Journal
of MIS. He is a recipient of the AIS LEO lifetime achievement award, a Fellow of IEEE,
a Fellow of the AIS, and a PhD from University of Pittsburgh.
Varun Grover is the David D. Glass Endowed Chair and Distinguished Professor of Information Systems
at the Sam M. Walton College of Business at the University of Arkansas. He has published
extensively in the information systems field, with over 400 publications, 250 of which
are in major refereed journals. He is consistently ranked as one of the top five researchers
globally in the Information Systems field based on publications in top journals and
citation impact.
Kaslyn Tidmore is a first-year graduate student at the University of Arkansas, earning
her masters in Public Relations and Advertising. Before joining the master’s program
at the Fulbright College of Arts and Sciences, Kaslyn graduated from the University
of Oklahoma with a bachelor’s degree in Print Journalism with a minor in Editing and
Publishing. While earning her B.A., she interned with many publications, including
Parker County Today Magazine, WedLinkMedia, Modern Luxury, and the school’s newspaper,
the OU Daily. She currently works as a graduate assistant at the Walton College of
Business.
