Human beings have evolved to detect and react to threats in their physical environment, and have developed perceptual systems selected to assess these physical stimuli for current, material risks. In cyberspace, the same stimuli are often absent, subdued, or deliberately manipulated by malicious third parties. Hence, security and privacy concerns that would normally be activated in the offline world may remain muted, and defense behaviors may be hampered. While it is not possible to directly test such conjecture, it is possible to test the impact that "visceral" stimuli in the physical world (that is, physical, sensorial cues processed non-consciously rather than with conscious awareness) have on security and privacy behavior in cyberspace. We use a stream of human subjects experiments to investigate the impact of three sets of stimuli over security behavior and privacy behavior in cyberspace: 1) sensorial stimuli (such as auditory, visual, or olfactory cues of the physical proximity of other human beings); 2) surveillance stimuli (such as cues that one is being observed); and 3) environmental stimuli (such as inherent characteristics of the physical environment in which a subject is located). Security behavior is operationalized in terms of individuals? ability to recognize and react to cyber attacks. Privacy behavior is operationalized in terms of individuals? propensity to disclose personal or sensitive information. The goals of the experiments are twofold. From a positive perspective, the goal is to understand whether privacy and security decision making online is made harder by the absence of sensorial stimuli that humans have evolved to use to detect and react to threats in the physical world. From a normative perspective, the goal is to examine whether physical stimuli can be used to ameliorate security and privacy behavior in cyberspace. For instance: Can stimuli indicating physical proximity to others trigger changes in security and privacy behavior in cyberspace? If so, can the same stimuli be leveraged and exploited to design privacy and security interventions aimed at helping end users? Findings from this research may inform the work of security and privacy technologists, providing insights that go beyond the technical security of hardware and software infrastructure, and that help revisit the strategies and assumptions underlying those systems. Finally, by exposing conditions under which technology alone may not guarantee cybersecurity, this research can actively inform the work of policy makers.
SBE: Medium: Collaborative: Understanding and Exploiting Visceral Roots of Privacy and Security Concerns