More than Usability: Differential Access to Digital Security and Privacy

Abstract

Despite over two decades of usable security and privacy (S&P) research, there remains a yawning gap between expert-recommended S&P advice and user behavior. The Security and Privacy Acceptance Framework (SPAF) identifies awareness, motivation, and ability as main factors influencing S&P behavior. The inclusive S&P literature highlights the importance of user diversity, yet there are open questions regarding how and why sociodemographic differences in S&P emerge. We apply SPAF to analyze interview data from 47 participants with varying age, gender, education, income, (dis)ability, and expertise. Our findings highlight seven new underlying factors not covered by SPAF (e.g., how experiences with threats and doing one's own research contribute to awareness) and four barriers (e.g., limited social support). Drawing from our findings, we establish the notion of differential access as a new concept to consider for inclusive S&P research beyond system-level accessibility: Users' access to S&P protections and information largely hinges on their social and relational position within the society and access to resources, which varies across sociodemographics.