Impact of user trust in IT systems on security and privacy

Abstract

In today's society, information technology (IT) is becoming increasingly important. However, IT systems are often not designed for their users, who frequently do not have deep IT security knowledge. These users are repeatedly forced to make complex security-critical decisions, such as which software, services, or hardware to use and how to react to browser warnings or suspicious emails. These decisions are influenced by the trust users place in the IT systems. Misplaced trust can have far-reaching consequences, as security and privacy are threatened when users trust applications or tools that are in fact insecure, or distrust and reject those that are secure. This thesis examines how users build trust in IT systems and how their trust influences their perceptions and behavior, and thus their security and privacy. A large-scale survey was conducted, which showed that stories about security incidents that people have heard from others or the media can impact their trust in security technologies and their behavior. Furthermore, this dissertation investigated how users build trust in two widely used security technologies: the Hypertext Transfer Protocol Secure (HTTPS) and Hardware Security Tokens (HST). For HTTPS, a qualitative interview study was conducted, showing that trust issues lead to insecure behavior and less secure HTTPS configurations. For HSTs, a market review and a large-scale survey revealed that users often build trust in HST authenticity based on meaningless features. This work contributes to a better understanding of user trust in IT systems and its implications on their security and privacy. Based on the study findings, guidelines are presented on how storytelling can be used to improve risk communication and security training, and how IT systems should be designed to promote the formation of appropriate trust.