A Behavioral Economics Perspective on the Formation and Effects of Privacy Risk Perceptions in the Context of Privacy-Invasive Information Systems

In recent years, more and more information systems are proliferating that gather, process and analyze data about the environment they are deployed in. This data oftentimes refers to individuals using these systems or being located in their surroundings, in which case it is referred to as personal information. Once such personal information is gathered by an information system, it is usually out of a users’ control how and for which purpose this information is processed or stored. Users are well aware that this loss of control about their personal information can be associated with negative long-term effects due to exploitation and misuse of the information they provided. This makes using information systems that gather this kind of information a double-edged sword. One can either use such systems and realize their utility but thereby threaten ones’ own privacy, or one can keep ones’ privacy intact but forego the benefits provided by the information system. The decision whether to adopt this type of information system therefore represents a tradeoff between benefits and risks. The vast majority of information systems privacy research to date assumed that this tradeoff is dominated by deliberate analyses and rational considerations, which lead to fully informed privacy-related attitudes and behaviors. However, models based on these assumptions often fail to accurately predict real-life behaviors and lead to confounding empirical observations. This thesis therefore investigates, in how far the risk associated with disclosing personal information to privacy-invasive information systems influences user behavior against the background of more complex models of human decision-making. The results of these investigations have been published in three scientific publications, of which this cumulative doctoral thesis is comprised. These publications are based on three large-scale empirical studies employing experimental approaches and being underpinned by qualitative as well as quantitative pre-studies. The studies are guided by and focus on different stages of the process of perceiving, evaluating and mentally processing privacy risk perceptions in considerations whether to disclose personal information and ultimately use privacy-invasive information systems. The first study addresses different conceptualizations of privacy-related behaviors, which are oftentimes used interchangeably in privacy research, despite it has never been investigated whether they are indeed equivalent: Intentions to disclose personal information to an information system and intentions to use an information system (and thereby disclose information). By transferring the multiple-selves-problem to information systems privacy research, theoretical arguments are developed and empirical evidence is provided that those two intentions are (1) conceptually different and (2) formed in different cognitive processes. A vignette-based factorial survey with 143 participants is used to show, that while risk perceptions have more impact on disclosure intentions than on usage intentions, the opposite holds for the hedonic benefits provided by the information system. These have more impact on usage intentions than on disclosure intentions. The second study moves one step further by addressing systematically different mental processing of perceived risks and benefits of information disclosure when considering only one dependent variable. In particular, the assumption that the perceived benefits and risks of information disclosure possess additive utility and are therefore weighted against each other by evaluating a simple utility function like “Utility = Benefit – Cost” is investigated. Based on regulatory focus theory and an experimental pre-study with 59 participants, theoretical arguments are developed, that (1) the perception of high privacy risks evokes a state of heightened vigilance named prevention-focus and (2) this heightened vigilance in turn changes the weighting of the perceived benefits and risks in the deliberation whether to disclose personal information. Results from a second survey-based study with 208 participants then provide empirical evidence, that perceptions of high risks of information disclosure in fact evoke a prevention focus in individuals. This prevention focus in turn increases the negative effect of the perceived risks and reduces the positive effect of the perceived benefits of information disclosure on an individuals’ intention to disclose personal information. Instead of investigating the processing of risk perceptions, the third study presented in this thesis focuses on the formation of such perceptions. The focus is therefore on the process of selecting, organizing and interpreting objective cues or properties of information systems when forming perceptions about how much privacy risk is associated with using the system. Based on an experimental survey study among 233 participants the findings show, that individuals in fact have difficulties evaluating privacy risks. In particular, (1) the formation of privacy risk perceptions is dependent on external reference information and (2) when such external reference information is available, individuals are enabled to form more confident risk judgments, which in turn have a stronger impact on an individual’s privacy-related behavior. These findings suggest a reconceptualization of privacy risks as not only being characterized by an extremity (how much risk is perceived) but also the dimension of confidence in ones’ own risk perception. Overall, the research findings of the three studies presented in this thesis show, that widely accepted assumptions underlying information systems privacy research are severely oversimplified. The results therefore contribute significantly to an improved understanding of the mental processes and mechanisms leading to the acceptance of privacy-invasive information systems.