University of Arkansas

Walton College

The Sam M. Walton College of Business

Understanding User Perceptions of Privacy, Security Policies

Man working on computer, sending files to a protected cloud
April 07, 2022  |  By Mitchell Simpson, Rajiv Sabherwal

Share this via:

Cloud computing has become a crucial feature of the modern home office, and its technology was essential to businesses’ survival during the early days of quarantine. Clouds are, however, often lacking when it comes to cybersecurity, as Rajiv Sabherwal and Hamid Reza Nikkhah argue in “Information disclosure willingness and mobile cloud computing collaboration apps: the impact of security and assurance mechanisms. 
Sabherwal, Distinguished Professor, Edwin & Karlee Bradberry Chair, and Department Chair of Information Systems at the Walton College of Business, and Nikkhah, Assistant Professor of Information and Process Management at Bentley University, and a recent alumnus of the Walton College doctoral program in information systems, demonstrate that the perception of security threats, especially to user privacy, has been an obstacle to end-user adoption of the technology. Its ease-of-access might be the cloud’s greatest fault, and decisions to migrate to the cloud are made against the backdrop of yet another front in cyberwarfare, an ever-evolving cybersecurity threat that is targeting civilian business and infrastructure
Sabherwal and Nikkhah analyze the interaction of the conflicting goals of end-users as they weigh the utility of cloud computing against their security and privacy concerns. Given the realities of an increasingly digital economy and workplace, the conflict between utility and security and privacy now looms large over many workplace utility decisions. Their research sheds light on how users decide whether to share personal information with mobile cloud computing providers, helping both cloud service providers and information systems professionals understand the privacy calculus of cloud technology users. 
Mobile cloud computing providers need their users to voluntarily provide personal information for their apps to function properly, and experts believe the technology trends of the pandemic economy are with us for the long run. Sabherwal and Nikkhah’s contributions are, therefore, integral to business success and collaboration in the digital economy of the 2020s. Data, as many researchers and practitioners argue, has become the new intellectual property for many firms; without valuable customer data, your firm may lose its competitive advantage or simply be missing an important asset that can sustain or drive growth. Understanding how users decide to share data with your service has never had more operational or strategic importance. 
What motivates users’ decisions? 
Sabherwal and Nikkhah’s study reveals the contours of users’ privacy calculus, which is the active, cognitive decision users make as they weigh the costs of sacrificing degrees of privacy for the use of a digital service. In an economy dominated by apparently free services, our inner lives have become a form of intangible currency that we are increasingly asked to intelligently spend in exchange for our digital products and services. 
Earlier research analyzed how users weighed perceived privacy concerns against perceived usefulness and ease of use. Until Sabherwal and Nikkhah’s research, the dynamics of perceived security on users’ privacy calculus decision-making were underexplored. They realized that security is a key mitigating factor in offsetting users’ privacy concerns. 
Since privacy concerns form a major obstacle to users’ choice to share data and to adopt new technologies, cloud computing providers’ success depends on understanding the mechanisms of users’ decisions. Providers must convince users to exchange their privacy for a service, but they are not only relinquishing a degree of privacy but also a degree of control over their information—stored in remote server farms, managed by faceless technicians—for the cloud service to work most efficiently. 
To analyze security perception, Sabherwal and Nikkhah only measured the (perception of the) threat of improper access, such as a provider’s employee reading the data, because cloud computing professionals have identified unauthorized access events as the biggest threat to cloud-housed data. Sabherwal and Nikkhah note that providers can address these concerns with transparent privacy policies and industry self-regulation that assures users of their data’s safety
To test their hypotheses, the researchers surveyed a diverse group of cloud computing software users over the course of three years. Their analyses show that neither perceptions about the ease of use nor the efficacy of industry self-regulation encourage users to disclose private information. They do, however, find that perceived security positively affects users’ perceived usefulness of a service, and the perception of effective privacy policies improve users’ views of the service’s security. 
Their findings further suggest that perceived risks to privacy reduce users’ willingness to disclose their private information, and perception of improper access greatly undermines a user’s perception of the privacy of a cloud computing service. Also, while ease of use does not directly affect a user’s choice to disclose information, it does positively reinforce perception of usefulness, which in turn encourages users to disclose information. 
Honesty – still the best policy 
Sabherwal and Nikkhah’s research suggests that dumping cash into UI and UX may not be a sound investment for developers if broader questions of usefulness have not been addressed. They find that users view cloud computing apps as similar to other mobile apps, so the ease of use does not affect users’ privacy or security concerns. Certainly, there are some very well-designed apps that are inherently a risk to user privacy. Usefulness, on the other hand, can convince the user that their privacy is worth the exchange. If your application helps the users accomplish a key task, they will find disclosure worth the cost of use. 
On the security front, for users to perceive a cloud service as secure, the researchers find that users need to believe that a services’ privacy policies are “honest and rigorous,” citing the Dropbox privacy policy as emblematic of their suggestions. Sabherwal and Nikkhah view the explicit security practices in place to ensure users’ privacy as particularly persuasive to users because merely allowing users to set permissions on their data, for example, is not enough if users still believe that a veneer of security can be easily bypassed. 
Although the researchers find that end-users are not convinced by industry self-regulation, providers should not disregard such policies. The researchers argue that self-regulation is still important for organization-level decisions regarding which cloud service to use. In other words, solid adherence to industry self-regulation can be crucial in cementing a B2B deal.  
Good practice dictates that providers should be constantly striving to improve their services. Most of the improvements in a cloud service’s security will be under the hood, and there are no benefits for a provider “if users are not aware of this increased security,” according to Sabherwal and Nikkhah. Providers should consistently and creatively reach out to their customers to communicate how they are delivering a better and safer cloud. Just like a finely tuned engine, under-the-hood security improvements can be a competitive advantage for firms as they fight to gain customers. 

Post Researcher/Author:

Matt WallerRajiv Sabherwal is Distinguished Professor and Edwin & Karlee Bradberry Chair of Information Systems in the Walton College of Business at University of Arkansas. He has published on the management, use, and impact of information technologies in Information Systems Research, MIS Quarterly, Management Science, Organization Science, Journal of Management Information Systems (MIS), and other journals. He has performed numerous editorial and conference leadership roles, including Editor-in-Chief for IEEE Transactions on Engineering Management, Conference Co-Chair for International Conference on Information Systems, Program Co-Chair for Americas Conference on Information Systems, Senior Editor for MIS Quarterly, and Special Issue Editor for Information Systems Research, MIS Quarterly Executive, and Journal of Information Technology. He currently serves as Senior Editor for Journal of Association of Information Systems (AIS) and Journal of Strategic Information Systems, Department Editor for Decision Sciences, and a member of the editorial board for Journal of MIS. He is a recipient of the AIS LEO lifetime achievement award, a Fellow of IEEE, a Fellow of the AIS, and a PhD from University of Pittsburgh.

Mitchell SimpsonMitchell Simpson is a doctoral student in the Department of English at the University of Arkansas. His research focuses on the Global Middle Ages and cross-cultural communication in the European Medieval and Early Modern Periods. When his nose isn't buried in a book (usually a Japanese textbook right now), he can be found hiking the Ozarks or at the gym improving his grappling. He lives with his wife, Rachel, and their small menagerie, two cats, Hildi and Winnie, and a goofy dog, Birch, in Fayetteville.