User Interaction with Smartphone Security and Privacy Mechanisms

User interaction with smartphone security and privacy mechanisms

Interaktion von Nutzern mit Sicherheits- und Privatsph¨aremechanismen von Smartphones

Der Rechts- und Wirtschaftswissenschaftlichen Fakult¨at/ dem Fachbereich Wirtschafts- und Sozialwissenschaften

der Friedrich-Alexander-Universit¨atErlangen-N¨urnberg zur Erlangung des Doktorgrades Dr. rer. pol.

vorgelegt von Lena Reinfelder M.Sc. aus Forchheim

Als Dissertation genehmigt von der Rechts- und Wirtschaftswissenschaftlichen Fakultät/ vom Fachbereich Wirtschafts- und Sozialwissenschaften der Friedrich-Alexander-UniversitätErlangen-Nürnberg

Promotionstermin: 09. Juli 2019 Tag der mundlichen¨ Prufung¨ : 02. Juli 2019 Vorsitzender des Promotionsorgans: Prof. Dr. Markus Beckmann Gutachter: Prof. Dr. Freimut Bodendorf Prof. Dr. Felix Freiling

Abstract

In the last ten years, smartphones revolutionized the way people are using and accessing the Internet. Today it is possible to go online (almost) anytime and anywhere. Further- more, smartphones have become an integral part of our world influencing social contacts, media usage and business processes. This growing importance and usage of smartphones also leads to an increased demand in security and privacy measures. While in the private context, the smartphone operating system providers implement security and privacy mechanisms, in the business context organizational IT departments often take the role in providing appropriate additional security measures. In this thesis, we investigate how users in a private context as well as in a business context interact with security mechanisms. First, we consider private smartphone usage with special regard to user interaction with the permission systems and application handling of the different smartphone operating systems of Google and Apple. We examine security and privacy attitudes, behavior of smartphone users as well as the relationship between the different smartphone platforms (Android and iOS) and security and privacy aspects. We apply quantitative as well as qualitative research methods in order to gain these insights by conducting and analyzing online-based surveys and semi-structured interviews. According to our results, we conclude that iOS is considered more secure than Android, which results in a feeling of responsibility for security by Android users. Also, Android users seem to be more security and privacy aware than iOS users mostly because they notice Android permissions. Further, the runtime permission model is perceived as more useful and evokes a more positive emotional attitude than the former Android permission model. With this research, we contribute to a better understanding of the role of the specific security and privacy features, such as permission systems and application handling. In doing so, we facilitate improvements of the current and future development of security and privacy features of mobile systems, such that the systems can be better adjusted with perceptions, concerns and requirements of the users. Second, we investigate interactions of smartphone users with security mechanisms in an organizational context. We first conduct a structured literature review. We base our search on the Dynamic Security Success Model (DSSM), which we develop according to the Organizational Learning Theory and the Information Systems Success Model. The DSSM provides insights into organizational smartphone security processes and reveals research gaps. According to the identified research gaps, we conduct semi-structured interviews with security managers from large-scale German organizations as well as with employees from various companies. We investigate the process of smartphone security development and implementation in organizations and uncover effects of these security mechanisms on the behavior of employees. The results reveal that smartphone security development in organizations lacks organizational structures for including users into this process. This leads to a negative perception of users by security managers and consequently in a control-oriented, rather than a user-oriented approach. The insights gained through our research help organizations to reconsider the role of employees during the development phase of their security solutions as usability of security measures is essential for their effectiveness. Zusammenfassung

In den letzten zehn Jahren haben Smartphones die Art, wie Menschen das Internet nutzen und darauf zugreifen, revolutioniert. Es ist heute möglich, von (nahezu) uberall¨ und zu jeder Zeit das Internet zu nutzen. Weiterhin sind Smartphones zu einem Teil unserer Welt geworden, der nicht mehr wegzudenken ist und Einfluss auf soziale Kontakte, Mediennutzung und Geschäftsprozesse nimmt. Die wachsende Bedeutung und Nutzung von Smartphones fuhrt¨ auch zu einer erhöhten Nachfrage von Sicherheits- und Privatsphäremaßnahmen. Während im privaten Kontext die Smartphone-Hersteller Sicherheits- und Privatsphäremechanismen zur Verfugung¨ stellen, sind es im Unternehmenskontext oftmals die IT-Abteilungen der Unternehmen, welche diese Rolle ubernehmen¨ und entsprechende zusätzliche Sicherheitsmaßnahmen ein- setzen. In der vorliegenden Arbeit wird untersucht, wie Nutzer mit Sicherheitsmaßnahmen sowohl in einem privaten als auch in einem beruflichen Kontext interagieren. Zuerst wird die private Smartphonenutzung betrachtet, insbesondere die Interakti- on der Nutzer mit den Berechtigungssystemen und ihren Umgang mit Applikatio- nen der Smartphone-Betriebssysteme von Google und Apple. Die Sicherheits- und Privatsphäreeinstellungen, das Verhalten der Smartphonenutzer sowie die Beziehung zwischen der Art des Smartphones (Android und iOS) und den Sicherheits- und Pri- vatsphäreaspekten werden untersucht. Dazu werden sowohl quantitative als auch qualitative Forschungsmethoden angewendet, indem online-basierte Umfragen und halb- strukturierte Interviews durchfuhrt¨ und analysiert werden. Ausgehend von den Ergebnis- sen, schließen wir, dass iOS sicherer als Android wahrgenommen wird, was zu einem Gefuhl¨ der Verantwortung fur¨ Sicherheit bei Android Nutzern fuhrt.¨ Ebenso scheinen Android Nutzer ein ausgeprägteres Bewusstsein fur¨ Sicherheit und Privatsphäre zu haben, als iOS Nutzer. Dieses Bewusstssein ist vor allem der Nutzerwahrnehmung von Android Berech- tigungen zuzuschreiben. Weiterhin wird das runtime Berechtigungssystem als nutzlicher¨ und als positiver wahrgenommen, im Vergleich zum vorherigen Berechtigungssystem. Mit dieser Forschung leisten wir einen Beitrag zu einem verbesserten Verständnis davon, welche Rolle Sicherheits- und Privatsphärefunktionen spielen, wie z.B. das Berechti- gungssystem und der Umgang mit Apps. Somit ermöglichen wir Verbesserungen in der heutigen und zukunftigen¨ Entwicklung von Sicherheits- und Privatsphärefunktionen von mobilen Systemen, wodurch diese besser auf Nutzerwahrnehmungen, Bedenken und Anforderungen abgestimmt werden können. Zweitens wird die Interaktion von Smartphonenutzern mit Sicherheitsmechanismen im Unternehmenskontext untersucht. Dazu wird eine strukturierte Literaturanalyse durch- gefuhrt.¨ Die Literatursuche basiert auf dem eigens entwickelten Dynamic Security Success Model (DSSM), welches sich von der Organizational Learning Theorie und dem In- formation Systems Success Model ableitet. Das DSSM beinhaltet Erkenntnisse uber¨ organisationelle Smartphone-Sicherheitsprozesse und identifiziert Forschungslucken.¨ Aus- gehend von den identifizierten Forschungslucken,¨ fuhren¨ wir halb-strukturierte Interviews mit Sicherheitsmanagern aus deutschen Großunternehmen durch, sowie mit Mitarbei- tern aus unterschiedlichen Unternehmen. Das Ziel ist es, den Prozess der Smartphone- Sicherheitsentwicklung und Umsetzung in Unternehmen zu untersuchen und Auswirkun- gen dieser Sicherheitsmaßnahmen auf das Verhalten der Mitarbeiter offen zu legen. Die Ergebnisse offenbaren, dass bei der Entwicklung von Smartphone-Sicherheit in Unterneh- men organisationelle Strukturen fehlen, um Nutzer in diesen Prozess einzubinden. Dies fuhrt¨ zu einer negativen Wahrnehmung der Nutzer durch Sicherheitsmanager und in der Konsequenz zu einem kontrollorientierten und nicht einem nutzerorientierten Ansatz. Die Erkenntnisse aus diesen Untersuchungen helfen Unternehmen die Rolle der Mitarbeiter im Entwicklungsprozess von Sicherheitslösungen zu berucksichtigen,¨ da die Benutzbarkeit von Sicherheitsmaßnahmen essentiell fur¨ deren Effektivität ist. Acknowledgments

This thesis would not have been possible without quite a number of people. First of all, I want to thank my doctoral advisors Felix Freiling and Zinaida Benenson for giving me the chance to work at the chair of IT-Security Infrastructures at the Department of Computer Science at the FAU Erlangen-N¨urnberg. They supported me during various projects and helped me to overcome challenges regarding my research topic. In addition, I want to thank Freimut Bodendorf for his collaboration, which allowed me to work at the lab of Felix Freiling, while at the same time working on my thesis at the faculty of business, economics and law. He provided me with feedback on my work at numerous doctoral seminars. Furthermore, I would like to thank my colleagues at the lab, who provided me with support for content issues and even more important, who made me feel welcome. Last but not least, I want to thank my family, my parents and my brother Samuel, for supporting me in every condition of my life. And most importantly, I want to thank my husband Daniel (who I married, with whom I renovated an entire house, and most importantly, with whom I have two kids - all during my time at the lab) for always supporting, and encouraging me. Without him, I would not be the person who I am today. Thank you for your unconditional love and that you are always there for me.

Contents

1 Introduction ...... 6 1.1 Motivation...... 6 1.2 Structure of this Thesis...... 8 1.3 Contributions...... 11 1.3.1 Contributions of Part I: Private Smartphone Usage...... 11 1.3.2 Contributions of Part II: Business Smartphone Usage...... 12 1.4 Publications...... 13

2 Background on User Interaction with Smartphone Security and Privacy ...... 16 2.1 Permission Models...... 16 2.2 App Security...... 17 2.3 User Authentication...... 18 2.4 Encryption...... 19 2.5 Deletion of Data...... 19 2.6 Summary...... 20

Part I: Private Smartphone Usage

3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes ...... 24 3.1 Introduction...... 24 3.2 Related Work...... 25 3.3 Research Model...... 27 3.4 Method...... 29 3.4.1 Interview Guide...... 29 3.4.2 Analysis Method...... 30 3.4.3 Sample Characteristics...... 33

i Contents

3.5 Results...... 37 3.5.1 Feelings of (In)Security...... 37 3.5.2 Knowledge about Security and Privacy...... 42 3.5.3 Speciﬁc Security and Privacy Concerns...... 43 3.5.4 Security and Privacy Related Behavior...... 44 3.6 Discussion...... 47 3.6.1 Implications of Similarities between Android and iOS...... 47 3.6.2 Implications of Diﬀerences between Android and iOS...... 48 3.7 Limitations...... 49 3.8 Conclusion...... 50 3.9 Summary...... 50

4 Perception and Handling of Applications ...... 52 4.1 Introduction...... 52 4.2 Related Work...... 53 4.3 Research Methodology...... 54 4.3.1 Hypotheses and Survey Design...... 54 4.3.2 Measuring Security and Privacy Awareness...... 55 4.3.3 Participants...... 55 4.4 Analysis of the Results...... 55 4.4.1 Hypothesis 1: Security Awareness...... 55 4.4.2 Hypothesis 2: Privacy Awareness...... 57 4.5 Limitations...... 61 4.6 Conclusion...... 61 4.7 Summary...... 61

5 Perception and Usage of Smartphone Permission Models ...... 62 5.1 Introduction...... 62 5.2 Related Work...... 64 5.3 Method...... 65 5.3.1 Survey Design...... 65

ii Contents

5.3.2 Data Analysis...... 67 5.3.3 Participants...... 67 5.4 Results...... 69 5.4.1 RQ1 – Usage of Permission Models...... 70 5.4.2 RQ2 – Perception of Permission Models...... 71 5.5 Discussion...... 72 5.6 Conclusion...... 73 5.7 Summary...... 74

Part II: Business Smartphone Usage

6 Smartphone Security Processes in Organizations ...... 78 6.1 Introduction...... 78 6.2 Theoretical Background...... 79 6.2.1 Information Systems Success Model...... 80 6.2.2 Organizational Learning Theory...... 81 6.3 Dynamic Security Success Model...... 84 6.3.1 Model Components...... 85 6.3.2 Relationships between the Constructs...... 85 6.4 Research Methodology...... 89 6.5 Synthesis and Identification of Research Gaps...... 90 6.5.1 Effect of Security Objectives on Security Measures (E1)...... 90 6.5.2 Effect of Security Measures on the Consequences (E2)...... 91 6.5.3 Effect of Use on User Satisfaction and vice versa (E3+E4)...... 91 6.5.4 Effect of Use and User Satisfaction on Individual Impact (E5).... 92 6.5.5 Effect of Individual Impact on Organizational Impact (E6)...... 92 6.5.6 Effect of Single-loop Learning (E7)...... 93 6.5.7 Effect of Double-loop Learning (E8)...... 94 6.6 Conclusion...... 94 6.7 Summary...... 95

iii Contents

7 Smartphone Security from an Organizational View ...... 96 7.1 Introduction...... 96 7.2 Background...... 97 7.2.1 The Relation of Security and Usability in Literature...... 99 7.2.2 Why Smartphone Security?...... 99 7.3 Method...... 100 7.4 Findings...... 101 7.4.1 The Role of Users and Usability in the Development and Evalu- ation of Security Measures...... 101 7.4.2 Perception of Users by Security Managers...... 102 7.4.3 Coping with User Behavior...... 103 7.5 Implications...... 104 7.5.1 Missing Structures Lead to a Negative Perception...... 104 7.5.2 Security as Organizational Learning Process...... 105 7.5.3 Ways of Creating Eﬀective Security...... 106 7.5.4 Research Directions...... 107 7.5.5 Limitations...... 107 7.6 Conclusion...... 108 7.7 Summary...... 108

8 Organizational Smartphone Security from the Employees’ View . 110 8.1 Introduction...... 110 8.2 Background...... 111 8.3 Research Methodology...... 112 8.4 Results...... 114 8.4.1 Smartphone Usage...... 114 8.4.2 Security Measures...... 114 8.4.3 Eﬀects of Smartphone Security Measures on Employees...... 118 8.5 Discussion...... 119 8.6 Conclusion...... 120 8.7 Summary...... 120

iv Contents

9 Summary and Conclusion ...... 122

10 Appendices ...... 124 10.1 Proﬁle Matrix...... 124 10.2 Interview Guide of Chapter3...... 131 10.2.1 Einleitung...... 131 10.2.2 Fragen zur Person...... 131 10.2.3 Entscheidungsfaktoren beim Smartphone-Kauf...... 132 10.2.4 App Auswahl...... 133 10.2.5 Privacy und Security Awareness...... 134 10.3 Online Questionnaire of Chapter4...... 136 10.3.1 Umfrage zur Smartphone-Nutzung...... 136 10.4 Online Questionnaire of Chapter5...... 140 10.4.1 Umfrage zur Benutzbarkeit von Smartphones...... 140 10.5 Literature Review Protocol...... 148 10.5.1 Introduction...... 148 10.5.2 Background...... 148 10.5.3 Research Questions...... 148 10.5.4 Search Strategy...... 149 10.5.5 Selection Criteria...... 150 10.5.6 Quality Assessment...... 151 10.5.7 Data Extraction Strategy...... 151 10.5.8 Data Synthesis...... 151 10.6 Interview Guide of Chapter7...... 151 10.6.1 Einleitung...... 152 10.6.2 Fragen...... 152 10.7 Interview Guide of Chapter8...... 153 10.7.1 Einleitung...... 153 10.7.2 Fragen...... 154

Bibliography ...... 156

List of Figures

1.1 Research picture...... 9

3.1 Research model for the relationship of the smartphone ecosystem with security and privacy aspects...... 28 3.2 Codebook tree...... 31 3.3 Category and code creation...... 32

4.1 Security software installed on smartphone...... 56 4.2 Privacy issues of new apps...... 57 4.3 App privacy awareness...... 58 4.4 Decision against app usage...... 60

6.1 Information Systems Success Model...... 80 6.2 Organizational Learning Theory...... 82 6.3 Dynamic Security Success Model...... 84

7.1 Security development cycle...... 105

9.1 Research picture...... 123

List of Tables

3.1 Participants’ characteristics (part 1)...... 33 3.2 Participants’ characteristics (part 2)...... 34 3.3 Similarities and differences of participants (part 1)...... 38 3.4 Similarities and differences of participants (part 2)...... 38 3.5 Similarities and differences of participants (part 3)...... 39 3.6 Similarities and differences of participants (part 4)...... 39

4.1 Important factors for app choice...... 59

5.1 Various terminology used for Android permission models...... 63 5.2 Participants’ characteristics...... 68 5.3 Usual behavior towards runtime permission requests...... 71 5.4 Usefulness of permissions...... 71 5.5 Attitude and experience with permissions...... 72

6.1 Description and Examples of Model Constructs of the ISSM...... 82 6.2 Description and Examples of Model Constructs of the Organizational Learning Theory...... 83 6.3 Description and Examples of Model Constructs of the DSSM...... 88

7.1 Participants’ characteristics...... 100

8.1 Participants’ characteristics...... 113 8.2 Smartphone Security Measures mentioned by the respondents...... 118

10.1 Proﬁle matrix...... 130

Chapter 1

Introduction

In this chapter, we ﬁrst motivate the topic of this thesis by showing the relevance of gaining knowledge about users interacting with smartphone security and privacy mechanisms. Then, we present the structure of this thesis, which includes the research picture and the underlying research questions. Further, we show the contributions and the publications, which are used throughout this thesis.

1.1 Motivation

Smartphones revolutionized the way we are connected socially and economically around the world. Over 1.4 billion smartphones have been sold worldwide in 2018 [189]. Most important for this development is probably the mobile access to the Internet. In 2018, 90% of the German population used the Internet, of which 87% preferred to use a smartphone to access it [58]. The spread of smartphones also affects organizations. In 2017, the German Federal Statistical Office collected data whether organizations use portable devices to access the Internet among different economic sectors (e.g., construction industry, trade, information and communication). In organizations with more than 250 employees, more than 90% of employees use portable devices [57]. Independent of the organizations’ size, 62% of the employees use portable devices to access the Internet. We live in a global information society and economy, which is characterized by the importance to create, manage and distribute information [201]. Handling information involves security and privacy issues society and economy have to face. Therefore, the protection of data from unauthorized access or manipulation becomes a primary objective for private as well as for business users. Smartphone manufacturers, as well as organizations in a business context have to develop and implement appropriate security mechanisms in order for their users to maintain trust in the systems and to guarantee controlled processes. Smartphone operating system providers and organizations have developed a wide range of security mechanisms to protect sensitive personal data. Users often perceive these security mechanisms during interaction, and thus, are affected in their user experience, perception and handling of the devices and of the mechanisms themselves. Researchers and developers of smartphone security systems have to consider these effects as users play an important role in establishing and maintaining security. An example of user interaction with smartphone security is Apple’s application handling. The operating system of Apple’s iPhones, called iOS, allows users only to download

6 1 Introduction and use apps available in their official App Store. There, each app has to be signed using an Apple-issued certificate. Applications being available in the official app store are reviewed for malfunctions and malware [95]. However, there exist alternative iOS versions, which allow users to gain root access to their device. Modifying such versions is called “jailbreaking”, which exploits vulnerabilities of the operating system. Users are jailbreaking their devices to be able to use alternative sources for downloading apps, e.g., because they are available for free. As a consequence, jailbroken devices do not only allow to gain access to other app stores, but open the device for unreviewed applications which may include malware [207]. Further, the devices lose their warranty. This example shows that trying to ensure security for smartphone users by restricting and controlling available applications for malware may result in the opposite: Users may circumvent the security mechanisms and thus put their devices and data at risk. Therefore, it is necessary to integrate the user perspective regarding consequences of security measures for smartphone handling into the development of security mechanisms. Excluding user perception and behavior from the development of security mechanisms may otherwise result in security becoming ineffective. The role of users for (smartphone) security is still often presented negatively, which means that users are perceived as a threat to security. In their article called “Users are not the enemy” [1], Adams and Sasse described already in 1999 that users are perceived as the main cause for security breaches due to their careless and unmotivated behavior. The authors analyzed quantitative and qualitative answers of password-related behavior and concluded that such behavior is the result of security mechanisms being implemented without considering user needs and knowledge. The authors suggest adapting user- centered design approaches for security mechanisms. Another example of how users are perceived in the context of security is a sentence often cited in literature: “Users are the weakest link.” [135, 173, 11, 37]. This statement refers to the assumption that the easiest way to attack a system is by attacking the human resource (called social engineering attacks) instead of breaking technical security mechanisms. This negative presentation of users regarding their role in security does not only refer to private users but to business users as well. Especially in an organizational context, employees are considered to be the major cause of security breaches [31]. They are portrayed as acting without care towards company property by not complying with security policies and procedures [144], and as lacking intrinsic motivation to comply [105, 122]. These assumptions often lead to an extrinsically motivated approach by IT experts, trying to motivate employees by punishing them in case of non-compliance [183]. However, there also exists another point of view on the user’s role in security. Albrechtsen [2] argues that users should be involved in the security process in order to create an improved understanding and consensus on security measures, while Kirlappos and Sasse [105] state that IT experts in organizations do not maintain a user-centered perspective, which leads to reduced usability of tools, which in turn leads to employees circumventing security measures. It is further argued that non-compliant behavior does not originate from an employee’s intention to harm the company but from security measures interfering

7 1 Introduction with the completion of work tasks [105]. Beautement et al. [21] introduce the concept of a compliance budget, describing individually perceived costs and benefits of complying with company security procedures. This concept purports that employees have a personal threshold regarding their involvement in security measures, which, when reached, will lead to non-compliance (e.g., by using workarounds). On the one hand, these findings from the literature show that researchers are not in complete agreement about how to develop security mechanisms to accomplish security compliant behavior of the users. On the other hand, we can also observe that users play an important role in the effectiveness of security mechanisms. However, there are still knowledge gaps about how security mechanisms affect user behavior and consequently how to design them to be most effective. This thesis considers how smartphone users interact with smartphone security mechanisms in a private as well as in a business context. The goal is to gain insights and knowledge about their motives and reasons. Only if we recognize and understand how users interact with security and what consequences smartphone security has on users, we will be able to develop effective and efficient security mechanisms, which will finally improve the overall security level.

1.2 Structure of this Thesis

This thesis explores how users interact with security mechanisms, exemplified by smartphones, in a private and business context and what the consequences of those mechanisms are. The overall research question, which guides the research reported in this thesis is: “How do smartphone security and privacy mechanisms affect users?” We display the research picture of this thesis in Figure 1.11. We concentrate on three actors within this thesis: smartphone users, smartphone operating system providers (predominantly Google and Apple), and organizations. Smartphone users may either be using their smartphones for private or business purposes. We further differentiate between internal and external drivers that affect user behavior regarding the use of smartphones and their security mechanisms. Internal drivers are defined by the personal characteristics of the smartphone users. These characteristics include security and privacy awareness, experience with smartphones, and with smartphone security and privacy mechanisms, knowledge and perception of smartphone security and privacy, as well as their primary task. This task can either relate to a private context, e.g., downloading apps, or to a business context, e.g., accessing corporate data. Security is usually a secondary task, which on the one hand enables secure communication. On the other hand, it may become a barrier by hindering or even ruling out certain functions. External drivers are separated into the private context, in which mainly the smartphone operating system providers play a role and into the business context, where organizations can implement additional, often more restrictive security mechanisms.

1 The source for the images used within the research picture is https://pixabay.com/, which runs under the Pixabay License.

8 1 Introduction

Figure 1.1: Research picture

We concentrate on Google and Apple as these companies are the main global players in the market. They equip Android phones and iPhones with a set of security and privacy mechanisms which can partly be switched on and off and require interaction with users, such as application permissions. As there are differences in the implementation of security mechanisms between these operating system providers, Google and Apple show divergent smartphone ecosystems affecting user behavior in a different way. External drivers regarding the business context are organizations which either equip their employees with smartphones or allow private smartphones to be used for business purposes. These organizations often have IT departments with security managers in place (especially large-scale organizations), who develop and maintain organizational security goals and further implement and administer security measures for smartphones. Organizational IT departments thereby act according to defined security goals and security requirements and are often shaped by security standards such as ISO norms. Security measures can influence the primary work task of employees and thus have an impact on their behavior. User behavior in a private context refers to the actions taken by smartphone users, such as adapting app permissions in the settings due to privacy concerns. User behavior in a business context means whether employees comply with organizational security specifications or whether they circumvent security. We formulate research questions according to this research picture, which guide the

9 1 Introduction research reported in this thesis. Research questions referring to private smartphone usage as presented in Part I of this thesis:

1. How does the smartphone ecosystem aﬀect smartphone users’ perceptions, attitudes, concerns and behaviors regarding security and privacy? 2. How does the permission system inﬂuence the perception of smartphone users regarding security and privacy?

The two research questions deal with security and privacy mechanisms, which are provided by Google (Android) and Apple (iOS) and which are most visible to the users such as differences in the app market concepts and in the permission models. We apply a mixed-method approach including semi-structured interviews and online surveys in order to collect data for this research approach. Referring to the second research question, we analyze the development of the Android permission model in more detail, as its evolution includes major changes. These changes allow us to investigate how different approaches in handling personal data by apps affect users. We use an online survey including quantitative and qualitative questions, which are based on hypotheses. Research questions referring to business smartphone usage as presented in Part II of this thesis:

1. How do organizational security measures inﬂuence individuals and the organization as presented in the literature? 2. How are security measures developed in large-scale German organizations and what is the role of the individual (employee) in this process? 3. How do organizational smartphone security mechanisms inﬂuence employees in large- scale German companies?

The first research question deals with the effects of smartphone security measures applied by organizations on individuals (employees) and on organizations. A theoretical model is developed, which reflects the dynamic process of smartphone security in a business context according to relevant scientific literature. We apply a structured literature review approach in order to identify relevant literature and research gaps. With the second research question, we investigate the actual process of smartphone security development in large-scale German organizations from the perspective of security managers. We place a special focus on the way how employees (end users of organizational smartphone security measures) are considered within this process and how user behavior reflects back on security managers. We conduct and analyze semi-structured interviews with security managers in order to discover the organizational security process. Thereby,

10 1 Introduction we speciﬁcally focus on the role of security managers, employees and organizational structures. The last research question takes a detailed look at the consequences, which arise from implemented smartphone security measures regarding the employees and what behavior these measures evoke. We conduct semi-structured interviews in order to get insights into real world eﬀects of applied security measures on employees.

1.3 Contributions

The contributions of this thesis are interdisciplinary as the research projects were conducted in cooperation with researchers from different domains such as sociology, psychology, and marketing. In this thesis, we investigate user interaction with smartphone security mechanisms from two perspectives. In the first part, which comprises Chapters3 to5, we concentrate on private smartphone usage. As there exist different smartphone operating systems including different implementations of security and privacy mechanisms, we consider the most common operating systems (Android and iOS) and compare their settings and especially their impact on users. In Chapter2, we concentrate on security and privacy settings visible to the users. We provide background information on smartphone security mechanisms of Android and iOS, which are visible to the general public and non-expert users. This means that we do not present technical structures in detail, but look at security mechanisms users may get in contact with when using or working with their smartphones. While specific information is discussed in the respective sections, we focus in this chapter more on general knowledge useful for various chapters. In the second part of this thesis, which comprises Chapters6 to8, we focus on business smartphone usage. We illustrate the effects of individual and organizational impacts regarding smartphone security measures on the organization in a self developed model. We then base a structured and exhaustive literature review on this model. The smartphone security development process in organizations is investigated with special regard to the role of the user. We show that organizational structures are missing in large-scale organizations to include users into this development process. This leads to a negative perception of users by security managers and results in a control-oriented approach, rather than a user-oriented approach. Further, we examine how security measures affect employees and conclude that security is circumvented when it hinders the fulfilment of their work tasks.

1.3.1 Contributions of Part I: Private Smartphone Usage

In Chapter3, we explore the relationship between the smartphone ecosystem and users’ perceptions, attitudes, concerns, and behaviors regarding security and privacy. We compare Android and iOS users and outline similarities and diﬀerences of the two user groups. Thereby, we generate knowledge about how the diﬀerent security mechanisms,

11 1 Introduction such as permission systems, affect users and which behavioral patterns they evoke. This knowledge, which is extracted for different smartphone operating systems, contributes to the understanding of how current and future smartphone ecosystems should be designed with respect to security and privacy to be more effective in protecting the privacy and security of people and of their data. In Chapter4, we study the different perception and handling of smartphone applications among Android and iOS users. We compare the two user groups and conclude that security and privacy awareness differs between these user groups. In Chapter5, we concentrate on the perception and usage of smartphone permission models. Android and iOS used to provide different implementations of permission models. This has changed in 2015 with Google adapting the runtime permission model of Apple. We compare users of the former Android permission model with users of the new runtime permission model with iOS users. We analyze the reported usage of these models as well as the perceived usefulness and attitude. We conclude that runtime permissions are perceived as more useful than the former Android permissions. Further, runtime permissions are perceived more positively than the former Android permissions.

1.3.2 Contributions of Part II: Business Smartphone Usage

In Chapter6, we enhance our analysis and focus on business usage of smartphones. We first analyze the literature regarding security measures being applied in organizations as well as how these measures influence the employees and the organization. Second, we develop the Dynamic Security Success Model, which visualizes the process of smartphone security including the learning process of organizations regarding intended and unintended consequences. Third, we compare existing literature and its findings with our model in order to identify research gaps. To the best of our knowledge, there does not exist any theoretical model dealing with the dynamical process of smartphone security in organizations. We contribute to the information systems research area by developing the Dynamic Security Success Model, which presents a new theoretical understanding of smartphone security measures and their impact on individuals and on the organization as well as contrasting existing literature to this model. The identified research gaps form the basis for the research reported in Chapter7 and Chapter8. In Chapter7, we explore based on use cases how smartphone security is developed and implemented in large-scale organizations. We especially focus on the role of users within this process in order to identify the importance of usability. This part of the thesis analyzes how smartphone security is implemented in large-scale organizations to uncover the importance of usability from the perspective of security managers and indirectly by the organization. We identify that currently organizational structures are missing, which would enable security managers to implement usable security solutions for their employees. The research is based on a limited amount of organizational use cases, which makes it explorative in nature. However, the results show the breadth of factors in play (without making claims about their quantitative representativeness). The insights about

12 1 Introduction organizational security gained can help organizations to reconsider their security solutions regarding the usability aspect, as unusable security is ineffective and might probably be circumvented by users. In Chapter8, we further extend our investigation of organizational smartphone security by considering possible effects of security solutions on employees regarding their daily work tasks, such as (non-)compliant behavior. We present use cases of employees uncovering shadow security solutions as a result of unusable security mechanisms. The effects show that security solutions provided by the organizations can be unusable and as a result are circumvented leading to shadow security. These results show that in order to be effective, security has to consider user needs and business processes. These insights can help organizations to develop security, which considers the employees, and thus, is more effective.

1.4 Publications

The results and ﬁndings of this thesis are based on the following publications of peer- reviewed conferences and workshops. The publications are ordered according to their appearance in this thesis.

[222] Zinaida Benenson, Freya Gassmann and Lena Reinfelder. Exploring Interaction between Smartphone Choice and Human Aspects of Security and Privacy. In Proceedings of the 2nd Workshop on Usable Privacy and Security for Mobile Devices (U-PriSM 2), Munich, Germany, August 27, 2013. [161] Lena Reinfelder, Zinaida Benenson and Freya Gassmann. Differences between Android and iPhone Users in Their Security and Privacy Awareness. In Trust, Privacy, and Security in Digital Business - 11th International Conference, TrustBus 2014, Munich, Germany, September 2-3, 2014, pages 156-167. doi: 10.1007/978-3- 319-09770-1 14. URL: https://doi.org/10.1007/978-3-319-09770-1_14. [163] Lena Reinfelder, Andrea Schankin, Sophie Russ and Zinaida Benenson. An Inquiry into Perception and Usage of Smartphone Permission Models. In Trust, Privacy and Security in Digital Business - 15th International Conference, TrustBus 2018, Regensburg, Germany, September 5-6, 2018, pages 9-22. doi: 10.1007/978-3-319- 98385-1 2. URL: https://doi.org/10.1007/978-3-319-98385-1_2. [164] Lena Reinfelder and Eva Weishäupl.A Literature Review on Smartphone Security in Organizations using a New Theoretical Model - the Dynamic Security Success Model. In 20th Pacific Asia Conference on Information Systems, PACIS 2016, Chiayi, Taiwan, June 27 - July 1, 2016, pages 59-76. URL: http://aisel.aisnet.org/ pacis2016/59. [162] Lena Reinfelder, Robert Landwirth and Zinaida Benenson. Security Managers Are Not the Enemy Either, 2019. In CHI Conference on Human Factors in Computing

13 1 Introduction

Systems Proceedings (CHI 2019), May 4-9, 2019, Glasgow, Scotland UK. ACM, New York, NY, USA, pages 1-7. URL: https://doi.org/10.1145/3290605.3300663. [160] Lena Reinfelder and Zinaida Benenson. Exploring Security Processes in Organiza- tions: the Case of Smartphones. In Mensch und Computer 2017 - Workshopband, Regensburg, Germany, September 10-13, 2017. doi: 10.18420/muc2017-ws05-0403. URL: https://doi.org/10.18420/muc2017-ws05-0403.

These publications are used throughout this thesis as follows:

• Chapter3 is based on unpublished preparatory work. We developed a research model, which describes the relationship of the smartphone ecosystem and security and privacy aspects being presented and discussed in our workshop paper “Exploring Interaction between Smartphone Choice and Human Aspects of Security and Privacy” [222]. In Chapter3 we present the results of interviews which are based on this research model. There, we examine the security and privacy attitudes and behavior of smartphone users as well as the relationship between the type of smartphone and security and privacy aspects. Regarding the interviews, the author developed and tested the interview guides with the help of Zinaida Benenson and Anna Girard. The majority of the interviews was conducted by the author of this thesis and some by Anna Girard. The analysis was conducted by the author and Zinaida Benenson in equal parts. While the background and discussion section of the chapter is joint work with Zinaida Benenson, the method and results section was provided by the author. • Chapter4 is based on the conference publication “Diﬀerences between Android and iPhone Users in Their Security and Privacy Awareness” [161]. The basic idea for this work was developed by the author and Zinaida Benenson, while the development, implementation and evaluation of the study were conducted by the author of this thesis. Freya Gassmann helped with the statistical interpretation of the results. The description of the study design, as well as the results, were written by the author of this thesis, while the introduction and background were joint work with Zinaida Benenson. • Chapter5 is based on the conference publication “An Inquiry into Perception and Usage of Smartphone Permission Models” [163]. This publication is the result of the bachelor thesis of Sophie Russ [168] supervised by the author. While the study concept was joint work by the author of this thesis and by Zinaida Benenson, Sophie Russ developed and conducted the survey on which the publication is based on. Statistical results were interpreted with the help of Andrea Schankin. The paper was joint work with the author of this thesis and Zinaida Benenson. • Chapter6 is based on the conference publication “A Literature Review on Smartphone Security in Organizations using a New Theoretical Model - the Dynamic Security Success Model” [164]. The concept for the structural literature review and the decision to base the Dynamic Security Success Model on Organizational Learning such as on the Information Systems Success Model was joint work with Eva Weish¨aupl.The

14 1 Introduction

implementation of the structural review and the identification of the research gaps was conducted and written by the author. • Chapter7 is based on the conference publication “Security Managers Are Not the Enemy Either” [162]. The publication describes a study based on interviews with security managers of large scale German organizations. The author was responsible for the design, recruitment and implementation of the study. Robert Landwirth helped in developing the interview guide and was part of the analysis of the results. The first version of the paper was written by Robert Landwirth and the author, while the final version was revised by Zinaida Benenson and the author. • Chapter8 is based on the workshop publication “Exploring Security Processes in Organizations: The Case of Smartphones” [160]. The publication describes a study, which is based on the master thesis of Stefanie Külz[111], supervised by the author. The concept and implementation of this study, which presents the effects of smartphone security measures on employees, was conducted by the author of this thesis, while Stefanie Külzconducted the interviews. The analysis of the interview data was conducted by the master student in cooperation with the author of this thesis. The author of this thesis contributed large parts of the publication, while Zinaida Benenson helped with iteratively improving the paper.

15 Chapter 2

Background on User Interaction with Smartphone Security and Privacy

In this chapter, we provide background information on smartphone security mechanisms which are visible to the users. While speciﬁc information is discussed in the respective sections, we focus in this chapter more on general knowledge useful for various chapters. We focus on the smartphone operating systems of Google (Android) and Apple (iOS), as these systems are clearly dominating the market. In September 2018, Android’s worldwide market share reached over 76% (in Germany even 83%), while iOS reached worldwide over 20% (in Germany 16%) [191, 190]. We describe technical and conceptual diﬀerences between Android and iOS visible to general public and non-expert users. This means that we do not present technical structures in detail, but look at security mechanisms users may get in contact with when using their smartphones. As this thesis deals with behavioral aspects of smartphone users regarding security and privacy, it is of interest to shed light especially on those mechanisms and settings which are visible to smartphone users. Android and iOS provide a set of security settings which allow users to protect data on their smartphones from unauthorized access. We present details on permission models, app security, user authentication, data encryption, and on the deletion of data via remote wipe for Android and iOS in the following.

2.1 Permission Models

Android’s permission model has evolved over time from the old Android permission model to the runtime permission model. At the beginning of Android in 2008, Android managed data access by the apps with the help of permission requests that were presented to the user during the app installation process. When the user selected an app, a permission screen was displayed prior to the actual installation showing a list of permissions the app wants access to. Permissions are technically tied to the app code, that is, if the app accesses or manipulates certain data, such as contacts, messages, system settings, it has to request permissions. Until Android version 6.0, users have to agree with all permission requests in order to install an app. Thus, the users only have the “all-or-nothing” choice. If the user accepts the permissions, all permissions are granted to the system. If the user does not accept the request, the installation of the app is aborted and the app cannot be used. In October 2015, the Android permission system was changed to the runtime permission model. This means that Android devices running version 6.0 or higher ask

16 2 Background on User Interaction with Smartphone Security and Privacy the user to decide whether to grant or deny app permissions at runtime and the users are further able to change their permissions in the settings of their smartphone at any time. In 2007, the ﬁrst iPhone was introduced including a pre-version of the operating system iOS called iPhone OS, which was renamed in 2008. Apple started to provide runtime requests to their users if an app wants to access certain data. Until 2012 (iOS versions prior to iOS 6), users were only asked for runtime consent if an app wanted to use location data for the ﬁrst time. Many other types of user data could be read and manipulated without the user’s explicit consent [179, 63]. Starting with iOS 6 (released in 2012) the handling of the personal data was radically changed. Now users have to give runtime consent for many more data types such as contacts, calendar, photos and Twitter or Facebook accounts. Users can also customize their data disclosure policies and change privacy settings for the individual apps at any time.

2.2 App Security

Android malware is quite widespread, as anyone can develop and distribute Android apps [186][188]. Although scanning apps from Google Play for malicious functionality started in 2012, this turned out to be quite inefficient [152]. Furthermore, Google introduced the security setting Verify Apps to the Google Play Store, which monitors apps at the installation process for malware [74]. This setting is extended to monitor also apps during runtime and to check apps that are downloaded from third-party app stores [159]. Still, this security setting can be turned off by the user. Moreover, for the usage of the functionality Verify Apps one has to agree to give Google a lot of information such as log files, URLs related to the app, and also information about one’s smartphone (device ID, version of the operating system, IP address) [74]. In July 2017, Google introduced Google Play Protect, which includes Verify Apps and Find my device. One difference to Verify Apps is that it is more apparent and visible to the users [128]. The tool runs in the background and scans apps and the device itself automatically for malware. If malware is found, the user is informed how to uninstall the app and Google reserves the right to remove the app on its own. Reviewed are apps from the official Google Play Store as well as from third party sources [76]. Google Play Protect is activated by default but can be deactivated in the device settings. Apple takes another approach in guaranteeing app security. In order to upload apps to the official Apple App Store, developers must first register with Apple and become part of the Apple Developer Program. This is necessary, as all app code has to be signed by using an Apple-issued certificate with the aim to prevent third-party apps from loading unsigned code or using self-modifying code [95]. Apple also states that they review every app which is uploaded to the App Store to ensure that those apps work properly and do not contain obvious malfunctions. iOS malware is rare [67, 187], which is often attributed to Apple’s review process that all apps undergo before they can be uploaded to the App Store. However, not much is known about this process, and the evidence is growing that

17 2 Background on User Interaction with Smartphone Security and Privacy it is less effective than its reputation suggests [81, 207, 113]. Wang et al. [207] managed to present a method how to get malicious apps into Apple’s App store. Unlike Android, iOS does not allow to use other sources than the official App Store in order to download apps or to run other code. There is only one way for non-corporate iPhone users to install apps that are not approved by the App Store: They have to jailbreak their iOS version which gives them privileged (root) access to their devices. By jailbreaking an iPhone, exploits are used in order to modify the operating system. This way the user removes software restrictions and gets much more control over the device, such that he can add or remove functions and run arbitrary apps (e.g., from unofficial websites). One restriction to jailbreaking is that those devices are no longer covered by Apple’s manufacturer’s warranty [92].

2.3 User Authentication

The primary objective of user authentication on smartphones is to prevent unauthorized access to data and sensors. The danger to smartphone authentication are dominantly related to shoulder surfing and smudge attacks. Attackers gain knowledge of the authentication information through direct observations with or without technical equipment such as cameras [85]. Researchers have consequently focused on improving authentication mechanisms which are resistant to shoulder surfing by developing knowledge-based unlocking mechanisms [30, 123, 175]. Solutions to shoulder surfing attacks include establishing secret channels [29], which means that the PIN for the smartphone is composed of a sequence of a limited set of tactile and audio cues. This enables the authentication system to be resistant to shoulder surfing attacks because there are no visual cues of the system an attacker could get access to. Another solution to shoulder surfing is by using indirect input [51, 52, 102], e.g., as demonstrated by De Luca et al. [51]. The researchers describe an authentication system which uses stroke-based passwords by including both, the front and the back side of the smartphone to enter a password. A user can switch the sides in order to prevent shoulder surfing attacks. Zakaria et al. [217] describe a recall-based graphical password system where users have to doodle their passwords on a drawing grid, thus obfuscating the input [217]. Biometric layers which are added to the input are another defence [50, 180]. Examples for those biometric layers are finger velocity device acceleration and stroke time. This conglomerate of individual layers makes it unlikely for an attacker to gain access to the device as shoulder surfing does not enable him to reproduce the behavior of the user. Android and iOS provide less complex authentication mechanisms by default. Android smartphones can be locked and unlocked using alphanumeric passwords and PINs, graphical and pattern based schemes such as biometric authentication mechanisms. Numerous researchers have analyzed smartphone locking behavior regarding their usability resulting in findings that passwords and PINs are inefficient [130], while biometric authentication mechanisms such as fingerprint and face recognition seem to be more usable with restrictions made to face recognition in dark rooms [28].

18 2 Background on User Interaction with Smartphone Security and Privacy

Similar to Android, iOS offers different possibilities to lock and unlock the iPhone. Users can activate a screen lock after a defined time span. In order to unlock the iPhone, users have the choice to either use a four digit code or an alphanumeric password. Further, there exists the option to delete all data after ten unsuccessful login attempts. This option is deactivated by default. Another possibility to unlock an iPhone is by using biometric authentication mechanisms such as fingerprint (called Touch ID) and face recognition (called Face ID). Apple states that when the fingerprint sensing system is used, the fingerprint map is extended by every usage leading to a possibility that if a random person tries to access the iPhone, 1 in 50,000 persons is able to successfully unlock the device although not being the legitimate user [95]. Face recognition is implemented by mapping the geometry of one’s face by using the camera. Apple states that the possibility for a random person to unlock an iPhone using Face ID is 1 in 1,000,000 and the possibility increases with every successful identification as the system adapts to changes in one’s appearance over time [95]. When using fingerprint or face recognition for user authentication, only five login attempts are allowed before the device asks for a password.

2.4 Encryption

Starting with version 3.0 (honeycomb), Android has introduced the possibility to encrypt data on smartphones. In the beginning, users had to navigate to the security settings menu and enable the encryption of their phone manually [91]. Since October 2015, when version 6.0 (marshmallow) had been introduced, data encryption on Android devices is enabled by default [8]. All user-created data on the smartphone is encrypted by one of two methods, namely full-disk encryption and file-based encryption. While full-disk encryption is supported by Android version 5.0 and above, file-based encryption is supported by version 7.0 and later [8]. With full-disk encryption, users have to enter their credentials before any data can be accessed. File-based encrypted devices boot straight to the lock screen [10, 9] and enable the device to access certain user data, although the smartphone is locked. An example for such data are Whatsapp notifications. Users can enable their devices to show communication content or notifications on the screen, albeit the smartphone is locked. iOS uses a device’s unique identifier (UID) which is built into the smartphone in order to encrpyt user data. User data such as messages, mails, calender, contacts, photos, and health data values are encrypted using file data protection by default. When the user sets a passcode on his iPhone, data protection is automatically enabled for all kind of user data.

2.5 Deletion of Data

There exist two ways to delete user data from an Android smartphone. First, if physical access to the device is possible, the smartphone can be reset to factory settings. Second,

19 2 Background on User Interaction with Smartphone Security and Privacy

Android provides the possibility to remotely wipe user data on the device. This may become necessary in case the smartphone is lost or stolen. One requirement is that the option “Find my device” is activated. If the Android smartphone is connected to an Google account, this option is activated by default [75]. Apple provides the possibility to delete user data by reverting the device to factory setting. Further, it is possible to remotely wipe all user data on an iPhone in case the device is lost or stolen. The remote wipe command can be set by using an MDM (Mobile Device Management) System, over an Exchange server or via iCloud (Cloud System provided by Apple). Another possibility to delete data is to set the command to wipe the device after a series of failed passcode attempts [95].

2.6 Summary

This chapter provides an overview of Android and iOS security mechanisms, which are build by Google and Apple respectively. As this thesis concentrates on user behavior and perception regarding security and privacy aspects, we do not present details on technical security. Albeit, technical security is probably the most important part of security, it is often invisible to users [101] and therefore does not play a decisive role in their decision making. It is rather the visible mechanisms which shape users’ perceptions and feelings of security and privacy. Looking at the different business models of Google and Apple, for example, one can see that these companies pursue different targets. Google allows the installation of third party apps from other sources than the official Play Store while Apple prohibits this possibility. These two approaches appeal different user groups and convey different pictures regarding security and privacy. The effects and implications of security and privacy mechanisms regarding Android and iOS on their users is the aim of this thesis. We take a closer look at the effects and interaction of users with the smartphone ecosystem (Chapter3), as well as the perception and handling of users with Android and iOS apps (Chapter4) and with Android and iOS permission models (Chapter5). Furthermore, we investigate how smartphone security mechanisms are developed, implemented and evaluated in a business context (Chapter6 and Chapter7) and what consequences those security mechanisms have on the employees regarding their work tasks (Chapter8).

Part I

Private Smartphone Usage

Chapter 3

Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes

The smartphone operating systems Android and iOS diﬀer in their implementation and presentation of security and privacy mechanisms. Furthermore, their underlying business models are quite diﬀerent. In this chapter, we investigate whether there is a relationship between the smartphone ecosystem and users’ perceptions, attitudes, concerns and behavior regarding security and privacy aspects.

3.1 Introduction

Smartphones and smartphone apps have profoundly influenced our lives, such that the current generation of young people has even been dubbed “The App Generation” [71]. In the book with this title, Gardner and Davis examine the current US youth and their difference to the previous generations by means of several qualitative studies and show how the high involvement with the smartphone apps may have influenced the development of their personalities. Using a smartphone today includes a considerably higher proportion of security- and privacy-related decisions than using a PC or a common cell phone. These decisions vary from choosing a certain smartphone manufacturer to deciding whether a certain app should have access, for example, to the contact list or to the microphone. The ubiquitousness of the smartphones and the great number and diversity of services offered by the smartphone apps make this technology one of the most important case studies of end user perception and handling of security and privacy matters. Although, some aspects of smartphone security and privacy, such as users’ understanding of Android permissions and its improvement, or smartphone locking behavior, have been actively investigated in the last years (see Section 3.2), a holistic view of how people perceive, understand and manage security and privacy matters in the “smartphone world” is lacking so far. The two most popular smartphone operating systems today, Android and iOS, provide us with a unique opportunity to study security and privacy matters from different perspectives. This is due to the fact that although the smartphone usage and the available apps are quite similar on both platforms, the smartphone ecosystems, comprising system architectures, app market policies and underlying business models, are quite different. Accordingly, also the presentation of security and privacy issues to the users differ between the ecosystems.

24 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes

In this chapter, we examine not only the security and privacy attitudes and behavior of smartphone users but also the relationship between the type of the smartphone (Android phone versus iPhone) and security and privacy aspects. In particular, the main research question is as following: Is there a relationship between the smartphone ecosystem and users’ perceptions, attitudes, concerns and behaviors in the security and privacy domain? By answering this research question, we contribute to a better understanding of the role the speciﬁc security and privacy features of the present smartphone ecosystems play in users’ security and privacy awareness and behavior. We consider this understanding as one of the necessary steps in guiding current and future development of the security and privacy features of mobile systems, such that the systems can be better adjusted with perceptions, concerns and requirements of the users. We conducted qualitative semi-structured interviews with 10 Android and 10 iOS users. The interviews were analyzed using the qualitative content analysis method [126, 110]. The contributions of this chapter are as follows:

• We present the ﬁrst to our knowledge systematic in-depth investigation of the similarities and diﬀerences between Android and iOS users regarding security and privacy issues. We consider security- and privacy-related feelings, knowledge, concerns and the behavior of the two user groups in order to uncover their connections to the respective smartphone ecosystems. • Our results contribute to the understanding of how current and future smartphone ecosystems should be designed with respect to security and privacy, and what should be avoided.

We provide related work in Section 3.2 and present our research questions and model in Section 3.3. We then discuss the method of this study, such as the interview guide, analysis method and sample characteristics (Section 3.4). Furthermore, we present our results in Section 3.5. We discuss our results in Section 3.6, consider the limitations of our study in Section 3.7 and conclude in Section 3.8.

3.2 Related Work

Prior work mainly focuses on the Android ecosystem, as its openness makes it more convenient for user experiments, or considers smartphone users without stressing which particular smartphones they use. Nevertheless, we found some interesting points in these works that are connected to our ﬁndings. Ben-Asher et al. [25] collected data about smartphone users’ security and privacy concerns, and possible authentication methods other than using a PIN (Personal Identiﬁcation Number). Their study revealed certain data which are sensitive to users, e.g., passwords,

25 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes

E-mails, contact lists, and location. We also identified sensitive data types which correspond to these findings. King [103] conducted interviews with 13 Android and 11 iOS users in order to analyze privacy concerns and expectations of smartphone users. King hypothesized that the Apple review process causes iOS users to exhibit more trust into the apps. However, she found out that also Android users thought that Google reviews apps before they are uploaded into the Google Play store, which is also confirmed by Kelley et al. [100] (Google Bouncer was not introduced at that time), and so no difference between platforms could be observed. iOS users were mostly unaware of data usage by the apps (iOS 6 was not released at that time). In contrast, Android users were aware of the permission screen that is shown during the installation, although the majority of them felt that they do not quite understand what the permissions mean. The respondents in our interviews support this result by placing confidence in the official App Stores from Google and Apple likewise. Our Android users were also aware of the permission screen but revealed a lack of precise understanding. Chin et al. [42] examined differences of smartphone users’ perceptions and behavior when using laptops versus smartphones. The authors conducted a survey with 30 iOS as well as with 30 Android users. They showed that participants were more concerned with privacy on their phones than on their laptops and that location services were not considered critical. Furthermore, around 20% of Android users stated that they always consider permissions when installing apps and additional 40% stated that they sometimes considered permissions. This is an interesting contrast to the results by Felt et al. [68] that only 17% of Android users pay attention to the permissions during the installation process. The authors also analyzed user behavior when discovering and installing new apps in order to gain insights into the development of trust in software. Mylonas et al. [140] conducted a survey with 458 smartphone users (mostly university students) in order to gain insights into their security awareness. The authors found out that most smartphone users do not feel being at risk when downloading apps from official application stores and that this effect is independent of the smartphone’s operating system. Smartphone users also do not pay attention to security messages which are shown by the devices. Further, they could only find a slight correlation between the participants’ security background and their awareness of security when using smartphones [139]. Muslukhov et al. [137] investigated requirements for data protection by interviewing 22 smartphone users of four different operating systems. They compiled a list of data types stored on smartphones and analyzed which of them are considered sensitive. For example, contacts were found to be sensitive because users feel responsible for the phone numbers of their contacts, whereas calender events were not perceived as sensitive or valuable. Our results also confirm this finding showing that contacts are related to a feeling of responsibility and are therefore highly sensitive as they belong to others. We only had one iPhone user who stated that her calendar data were sensitive. Shklovski et al. [181] studied Android users emotional reactions to app privacy-violating behavior and found that people find the data usage by apps “creepy”, but still continue

26 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes using them. The analysis of smartphone user locking behavior [199, 85] also mostly concentrates on the Android ecosystem. Tan et al. [194] examine iOS permission requests, which are shown to the user when apps require access to protected data. These requests offer the possibility to include strings of text in order to explain the data access to the user. An online survey with 772 participants has shown that significantly more permissions requests were approved when additional text for the access was included, even when this text did not help the user to understand the reason for the data access. Differences of iOS and Android users’ security and privacy awareness were studied by Reinfelder et al. [161] using an online survey. As a result, the authors showed that Android users significantly more often have an anti-virus installed and significantly more often mention security and privacy (in form of permissions) as decision criteria for app choice. Although these findings may serve as indicators of the influence of the respective ecosystems on users’ security and privacy awareness, no deep understanding of this influence could be gained from the survey. Almuhimedi et al. [5] present an evaluation of the effectiveness of privacy managers such as AppOps for Android devices by conducting a field study with 23 participants. Those privacy managers provide Android users with the possibility to control single permissions for data access by apps. They demonstrate that users benefit from this possibility and become more privacy aware, especially if AppOps is combined with privacy nudges.

3.3 Research Model

As famously remarked by Bruce Schneier [177], “Security is both the feeling and the reality. And they’re not the same.” In this chapter, we investigate the feeling of security as opposed to actually being secure. In particular, we consider the following research questions:

1. Do people feel secure when using their smartphones? 2. What do people know about security and privacy issues of smartphone usage? 3. Which specific security and privacy concerns do smartphone users have? 4. How do smartphone users mitigate their security and privacy concerns? 5. Which similarities and differences between Android and iOS users exist regarding the above four aspects of smartphone usage? a) Does the “open” Android ecosystem versus the “closed” (tightly controlled) iOS ecosystem make any difference? b) Does the permission system of Android versus runtime data access requests and privacy management options of iOS matter?

27 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes

Figure 3.1: Research model for the relationship of the smartphone ecosystem with security and privacy aspects

c) Are there any other ecosystem features that may inﬂuence users’ perceptions of security and privacy aspects?

The answer to the last question and its subquestions can be uncovered through the comparison of answers to the first four questions by Android and iOS users. The similarities between the two user groups could arise in cases where people’s security and privacy concerns and behaviors are inherently independent on the particular details of the technology, but are instead connected, for example, to the technological features that the ecosystems have in common, such as mobility, app usage, small device size, or to individual differences between users, such as lifestyle, technical background or security and privacy experiences in life areas that are independent on smartphones. The differences between the user groups could arise owing to the differences between the smartphone ecosystems. Looking ahead to our results, we can say that we encountered both kinds of attitudes and behaviors: those that were independent on the particular ecosystem, as well as those that seem to be tightly connected to the smartphone ecosystem. Possible relationships between the smartphone ecosystem and the security and privacy aspects that we investigate in this chapter are presented in our research model in Figure 3.1.

Smartphone ecosystem may inﬂuence security and privacy aspects The usage of an Android phone or an iPhone is directly connected to the usage of the corresponding app market, and each app market has a distinct procedure for presenting data usage by the apps and for reviewing apps for malicious functionality. This, and also the reputation of the companies involved in the phone manufacturing, the look and feel of the hardware, and the features of the operating system may contribute to the security and privacy feelings and concerns. During the daily contact with their device, people may become aware of some threats or security measures that were not known to them previously, they

28 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes may gain experience in the security and privacy domain, and they can be nudged by their devices and the app markets to exhibit particular security- and privacy-relevant behavior. For example, one could hypothesize that Apple’s review process for the apps makes users feel more secure when using apps. However, also Android users can (falsely) think that Google reviews apps before they are introduced into the Google Play Store 1. Moreover, it is possible that some users even don’t know that an app can be written by a third party.

Security and privacy aspects may inﬂuence smartphone choice and usage It is possible that some people choose their smartphone because they think that this particular device or operating system is more secure than the others. This type of behavior might be exhibited by security experts that have the corresponding knowledge and experience, but also by non-experts that are concerned with security and privacy. Some people may feel that Android is more exposed due to its open nature, and that tight control over the app market by Apple is benevolent for security and privacy issues. On the contrary, some people that prefer to take security and privacy matters into their own hands may feel unduly restricted by Apple.

3.4 Method

As a holistic relationship between the smartphone ecosystem and the security and privacy issues is mostly unexplored, we conducted a qualitative study by means of semi-structured interviews with 10 Android and 10 iOS users (see Section 3.4.3 for sample characteristics). We recruited the participants in Germany using eBay Classiﬁeds2, Facebook, and through personal contacts by asking friends to recommend us to other friends that were unknown to us. In order not to prime the participants, we did not mention security and privacy in the recruitment materials but said that we are interested in the daily smartphone usage.

3.4.1 Interview Guide

The interview guide consists of two parts. In the first part, security and privacy issues are not mentioned (unless the participants independently mention them). We ask about criteria for smartphone choice and the circumstances in which it was purchased, whether the participant previously owned a smartphone, criteria for app choice, examples for frequently used apps and whether they have ever bought apps. These questions are intended to find out whether security and privacy issues are among the first that come to mind when participants talk about smartphones and apps. We also ask demographic questions in this part of the interview.

1 Google Bouncer was not introduced at that time. 2 https://kleinanzeigen.ebay.de

29 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes

The second part contains questions about security and privacy feelings, knowledge, concerns and behavior regarding smartphone usage. We start by asking the participants whether they can remember in the past six months some positive or negative event concerning security or privacy in connection to their smartphone usage. We then inquire whether the participants differentiate between security and privacy, intending to ask separate questions in case of reported distinction. We then proceed to the questions about the situations in which people become aware of security and privacy matters when using their smartphones, whether security and privacy play a role in the process of the smartphone choice, and how security and privacy issues influence the app choice and usage. Additionally, we ask participants to show us the privacy settings of their smartphone, and which strategies they apply to deal with security- and privacy-related concerns when using the smartphone. We then explicitly inquire about specific security measures such as security software, screen locking, and backup, in case they are not mentioned previously. We also probe into which effect would data loss or loss of the smartphone have on participants in order to assess the possible reasons behind presence or absence of protection mechanisms. Furthermore, we ask participants about the protection of their home computer, in case we would be able to find a relationship between smartphone and computer protection. Finally, we ask about the basic attitude towards security and privacy in order to understand its possible connection with the smartphone usage. The interview guide can be found in the Appendix in Section 10.2.

3.4.2 Analysis Method

All interviews were audio recorded and transcribed verbatim. We used qualitative content analysis [136, 110] to analyze our results. There exist many variants of this method [77, 93, 65], so below we describe the variant that we used in more detail. Qualitative content analysis is based on a category system that is continuously adapted until data saturation is reached. The category system is documented in the codebook consisting of categories, their definitions (coding rules) and example textual passages for the categories and codes. To determine data saturation, we follow the recommendations by Guest et al. [79] who operationalize data saturation as “the point in data collection and analysis when new information produces little or no change to the codebook” [79, p. 65]. Using our research questions, interview guide, and the first two interviews, we conducted a deductive-inductive category construction to create the first variant of the codebook. Two researchers independently applied this codebook to the first three interviews and then jointly adapted the codebook without discussing how the particular interviews should be coded. That is, only the codebook update process was discussed, thus insuring that the coding process is as independent as possible. We then revised the first three

30 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes

Figure 3.2: An excerpt from the codebook tree with categories (round nodes) and codes (square nodes) interviews according to the adapted system, and repeated this process after the 7th, 12th, 18th and 20th interview. The final codebook consists of 64 categories (organized in a tree) with 154 codes, where codes are situated at the leaves of the tree. We consider the codes as special, more nuanced characteristics of categories [110]. So-called factual (e.g., “age”, “smartphone operating system”) and thematic (e.g., “protection against data loss”) categories do not have codes attached to them and can also serve as leafs in the codebook tree. On the other hand, evaluative categories have a defined number of codes or values. For example, the category “sensitive data” consists of 13 codes with definitions. One such code is “communication contents”, defined as “user says that email, SMS, WhatsApp contents are sensitive”. Another code in this category is “data relevance”, defined as, “user says that the data should be relevant for the app functionality”. Further codes in this category are, for example, “location”, “contacts”, “pictures” and “calender”. An excerpt from the codebook tree is presented in Figure 3.2. Another example for a category is “situation”, which describes the situations in which users become aware of security and privacy issues during the smartphone usage. One of these situations is app installation and updates, another one arises from media reports, for example about security and privacy problems with WhatsApp or other popular apps. The category “screen locking” indicates whether the participants lock their screen and what the reasons are for doing or not doing so. The development of the categories and the codes over the course of the analysis is

31 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes

Figure 3.3: Category and code creation over the course of data analysis. First codebook variant was created deductively using the research questions and the interview guide (point 0 at the X-axis) and was inductively updated after the analysis of the 3rd, 7th, etc. interview. displayed in Figure 3.3. 60 categories were identified in the initial codebook (marked as interview 0). Additional 3 categories were identified after the 7th interview and one additional category after the 12th interview. The number of categories did not change after the 12th interview, while new codes were still found at a decreasing rate. For example, the last two found codes were “knowledge that the apps can switch on the camera” and “switching on the camera produces sensitive data”. Thus, we consider that the data reached saturation, according to the above definition that new information produces little or no change to the codebook. After all interviews were coded, Cohen’s Kappa was used to assess intercoder agreement and reached the value of 0.77. Thereafter, the disagreement points were discussed and resolved in order to facilitate further analysis and interpretation. As opposed to quantitative content analysis, qualitative content analysis goes beyond counting the categories [136]. The counting serves as a starting point for further analysis and interpretation in this method. For example, we could see after this first analysis step that all 10 iOS users make a backup of their data, but only 3 out of 10 Android users do so. How can this fact be interpreted? Can it be connected to some features of iOS? In another example, 5 Android and 5 iOS users consider contact data saved

32 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes

#P Sex Age Current OS and Version Previous OS 1 Female 22 Android 4.2.2 iOS 2 Male 38 Android 4.1.2 Android 3 Female 29 iOS 7.0.x iOS 4 Female 25 Android 4.1.2 Android 5 Male 34 Android 4.2.2 Symbian OS 6 Female 25 iOS 7.0.2 Android 7 Male 27 iOS 7.0.4 iOS 8 Male 52 iOS 7.0.4 None 9 Male 44 Android 4.1.2 Maemo 10 Male 50 iOS 7.0.4 iOS 11 Female 44 Android N.a. None 12 Male 53 Android 4.1.2 Symbian OS 13 Female 30 Android 4.4 A 14 Female 25 Android 4.1.2 N.a. 15 Female 24 Android 2.3.3 None 16 Male 23 iOS 7.0.4 iOS 17 Male 22 iOS 7.0.4 Bada 18 Male 35 iOS 5.1.1 Windows Mobile 19 Female 28 iOS 8.1.2 iOS 20 Female 37 iOS 8.1.2 iOS

Table 3.1: Characteristics of the interviewed participants (part 1). in their smartphones to be especially sensitive, which seems to be independent of the smartphone OS. Can we possibly ﬁnd connections between this fact and some individual characteristics of the users? There are diﬀerent opinions on how to report the counts for investigated categories. Although precise count reporting can be perceived as disturbing the readability, we nevertheless present the counts to allow the readers to assess and evaluate our analysis and conclusions.

3.4.3 Sample Characteristics

For the choice of our participants, we started with a quota plan for gender, five age groups (decades) and for the field of occupation. After we interviewed 10 Android and 10 iOS users whom we judged to be sufficiently different from each other according to our criteria, we decided to stop and to fully analyze existing data, intending to continue sampling if needed. As we show in Section 3.4.2, we collected enough data after 20 interviews. An overview of the demographics can be found in Table 3.1 and 3.2. iOS users included 4 females and 6 males between the ages of 22 and 52 (mean age 33) and Android users included 6 females and 4 males between the ages of 22 and 53 (mean age 34). Five were students and the remaining 15 participants were employed in various fields, five of them

33 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes

#P Occupation Technical Security and Privacy background attitude 1 Student to be a math teacher Yes Pragmatic 2 Transport worker No Unconcerned 3 Oﬃce clerk No Pragmatic 4 Human resources No Pragmatic 5 Engineer Yes Pragmatic 6 Freelance (laundry service) No Unconcerned 7 Ph.D. student in physics Yes Pragmatic 8 System administrator Yes Pragmatic 9 Software developer Yes Fundamentalist 10 IT-Consultant Yes Pragmatic 11 Project manager Yes Pragmatic 12 IT-Consultant Yes Fundamentalist 13 Business informatics specialist Yes Unconcerned 14 Physiotherapist No Unconcerned 15 German philology student No Fundamentalist 16 Electrical engineering student Yes Unconcerned 17 Mechanical engineering student Yes Pragmatic 18 Pharmacology student Yes Unconcerned 19 Marketing and sales employee No Pragmatic 20 Lawyer No Pragmatic Fundamentalist: considers security and privacy very important, critical attitude to smartphone usage because of security and privacy concerns. Pragmatic: considers security and privacy important, but willingly makes compromises in smartphone usage for useful functionality and comfort. Unconcerned: never seriously thought about security and privacy, makes at most general remarks without much insight.

Table 3.2: Characteristics of the interviewed participants (part 2).

34 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes in IT-related fields (but not directly connected to security or to smartphones), and the others, for example, in human resources, physiotherapy or in production. According to their educational and occupational history, 12 participants have a technical background and 8 participants do not have a technical background. Naturally, during the analysis, we uncovered some issues not directly related to security and privacy. The most important spontaneously named decision criteria for choosing an iPhone was the brand (that is, the users explicitly wanted an iPhone) (5/9). Technical aspects, such as a particular operating system, camera, storage (6/5) were important for both user groups, as well as usability (4/6) that was perceived to be especially high for Apple devices. For most Android users external influences (advertisement, recommendations, test results) were also important (5/2). The design (4/3) of the smartphone and its cost (2/1) were less important for both user groups. All users reported that they downloaded apps only from the respective official stores, and many Android users did not know that alternative app markets are possible. Both user groups said that the functionality of an app (8/8) and ratings (6/3) are important for their app choice. Android users avoided buying apps, unless they considered them important (WhatsApp was named repeatedly in this context), whereas iOS users bought apps more freely. During the analysis, we segmented the participants into three categories according to their security and privacy attitudes: fundamentalist, pragmatic and unconcerned, with denominations borrowed from the Westin’s privacy index [112]. However, whereas Westin used survey questions for sorting people into these categories, we used our own definitions that are also presented in Table 3.2. In order to facilitate deeper analysis of individual cases, we compiled case summaries for each case and created a profile matrix with most important topics (categories) for each participant, as recommended in [110]. We present two exemplary case summaries in the following and the profile matrix for all 20 participants in Table 10.1 in the Appendix Section. We further present combined characteristics for the three security and privacy categories compiled with the help of case summaries and the profile matrix.

Case Summary P4 Android version 4.1.2, female, 25, works in human resources, S&P3 type: pragmatic. Uses smartphone predominantly for communication, to be reachable. Chose Samsung because friends also have it. S&P does not play any role in smartphone and app choice. Mistrustful of all smartphones, does not communicate important information over the apps (WhatsApp, GMX), prefers phone calls instead. Tries to restrict the amount of data on the phone, no important pictures, is not interested in games. Concerned about security (hackers, Trojans, viruses), therefore installed anti-virus. Generally concerned about privacy because of her occupation (human resources), but does not connect her concerns with the data access by the apps. Permissions = “terms of use”, always clicks “okay”, does not read. Has no knowledge about which data could be accessed by the apps.

3 Security & Privacy

35 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes

Concerned about mobile online banking, would never do that. Does not have a keylock, because it requires too much eﬀort, feels concerned about it. Mitigates her concern by always having the smartphone on her person and being watchful.

Case Summary P17 iOS version 7.0.4, male, 23, electrical engineering student, S&P type: pragmatic. Uses smartphone very widely, likes games, communication-related apps, buys apps sometimes. When asked about his criteria for smartphone and app choice, privacy issues were the ﬁrst that came to his mind. Has aversion against Google, because it “snoops”, so chose iOS as the lesser of two evils. Still has slight mistrust in Apple also is slightly skeptical whether the technical security and privacy measures that he takes really work. Considers tracking as the “worst that can happen to one” and therefore considers location data especially sensitive. Uses WhatsApp because needs it for communication, but considers it not tap-proof, and actually would prefer using SMS. When an app requests access to some data, always declines, then goes to security options and looks which data accesses to enable. Frequently reviews his security settings and feels well in control of his security and privacy. Considers malware and other security issues less important on iOS, because Apple reviews the apps.

Fundamentalist participants Three Android users were classiﬁed as fundamentalist. Their most important common characteristic is that they willingly forgo important smartphone functionality for the sake of security and privacy. For example, both P12 and P15 report that they did not update the Facebook app because of privacy concerns that came about when they saw the permission requests by the app. P9 reports that he does not conduct online banking (also not on PC), and sometimes leaves the smartphone at home such that “they” at least sometimes cannot track him. Being technically literate, P9 and P12 distrust the technology and feels that they lose control over the devices. P12 even has two devices: A “simple” mobile where he stores his contacts is used for phone calls and SMS, and the smartphone is used for the Internet access with as few data on it as possible. An interesting contrast represents P15, who knows very little about the smartphone technology. Still, she feels very insecure and restricts her smartphone usage as fully as possible, even at the cost of inconvenience. She calls her smartphone “an MP3-player with which one can make phone calls”.

Unconcerned participants Three Android (one male, two females) and three iOS (one female, two males) users were classified as unconcerned, three of them were classified as having a technical background. Their most important common characteristic is that they are very enthusiastic about smartphone functionality, install and use a lot of apps and consider their smartphones as an important part of their lives. When asked whether security and privacy play any role in their smartphone or app choice, they answer in the negative. They usually do not consider Android permissions or iOS data requests, saying that they always click “okay”, and do not know where to find security options in the menu of their devices. Although they are usually able to give examples of the data that an app can access, they often do not consider these data to be sensitive. They also

36 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes report that they have never made a decision not to install or not to use an app because of security or privacy concerns, P6 being the only exception. She reports that she once refused to use an app because the app wanted her to register. They mostly do not use keylock (5 users out of 6) and report that they take good care of their smartphone instead (are watchful about it).

Pragmatic participants The largest group of the participants (4 Android and 7 iOS users) were classiﬁed as pragmatic. They report various security and privacy concerns, and also various degrees of feeling insecure when using the smartphone. Their most important common characteristic is that they consider smartphone usage as a compromise, and often report that they make decisions that in their own perception sacriﬁce security and privacy for the sake of convenience, for example being able to communicate with friends and family. They often mention WhatsApp and Facebook app as the source of their concerns. They usually pay attention to Android permissions and iOS data access requests and try to mitigate their concerns by sometimes refusing to install an app, or changing security settings (shutting down GPS, for example).

3.5 Results

In this section, we present the results of the content analysis. The accompanying illustrative quotations are numbered according to the participant numbers in Table 3.1. The interviews and the analysis were conducted in German, therefore the quotations are translated. The numbers in brackets represent the amount of Android and iOS users, respectively, that fall into a certain category or code, with the first number representing Android users and the second representing iOS users: (#Android / #iOS). We structure our presentation in subsections according to the first four research questions presented in Section 3.3 on page 27, whereas we consider the fifths research question within each subsection. A summary of the results divided into similarities and differences between Android and iOS users can be found in Tables 3.3, 3.4, 3.5 and 3.6.

3.5.1 Feelings of (In)Security

Respondents described security and privacy feelings underlying the smartphone usage, as well as their influence on smartphone usage. We first present similarities within the two user groups and then differences regarding security and privacy related feelings.

Similarities Participants described a general distrust in smartphone operating systems. Some of them remarked with certain resignation that they consider all smartphones equally insecure. When we asked whether security and privacy consideration would be likely to inﬂuence their smartphone choice in the future, most people answered “no” (7/6), sometimes again explaining that they see all smartphones as being equally insecure

37 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes

Do people feel secure when using their smartphones?

• General distrust in smartphone operating system • Security and privacy not relevant for smartphone choice • Feeling of insecurity and loss of control over app Similarities between data usage Android and iOS users • Concerns related to media reports • Distrust into iCloud/Google sync • Reputation important for smartphone choice

• iOS: Trust in iOS Diﬀerences between • iOS: Users consider security and privacy aspects Android and iOS users in smartphone choice

Table 3.3: Similarities and diﬀerences according to the question: Do people feel secure when using their smartphones?

What do people know about security and privacy issues of smartphone usage?

• Permissions/runtime consent concept Similarities between • Consideration of permissions/runtime consent Android and iOS users when using apps • Knowledge about privacy settings

• iOS: Knowledge of jailbreak Diﬀerences between • iOS: Knowledge of privacy settings for managing Android and iOS users data access by apps

Table 3.4: Similarities and diﬀerences according the question: What do people know about security and privacy issues of smartphone usage?

38 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes

Which speciﬁc security and privacy concerns do smartphone users have?

• Sensitive data types: Contact data, location, movement proﬁle, communication content, access Similarities between to social media accounts Android and iOS users • Feeling of responsibility for contact data

• Android: Concern of viruses and malware Diﬀerences between Android and iOS users • iOS: Online banking

Table 3.5: Similarities and diﬀerences according to the question: Which speciﬁc security and privacy concerns do smartphone users have?

How do smartphone users mitigate their security and privacy concerns?

• Data access by apps inﬂuences app usage • Providing apps with limited or false data • Limit communication Similarities between • Decision not to use certain apps Android and iOS users • Taking care of smartphone to reduce unauthorized access to the smartphone • Using keylock

• Android: Virus scanner Diﬀerences between Android and iOS users • iOS: Backup of data

Table 3.6: Similarities and diﬀerences according to the question: How do smartphone users mitigate their security and privacy concerns?

39 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes in the future as well. Some users said that they would not buy a smartphone if they somehow know it to be specially insecure. However, the users were very vague about the means by which they could get to know about the insecurity of the devices. As one of them remarked:

“I don’t know much about smartphones [...] if I knew which is especially secure, I would consider this of course [...] but I think I would not know ...” (P15).

We identiﬁed respondents from both user groups who have not thought about security and privacy issues regarding their smartphone before. Three Android and one iPhone user reported that they have not considered security and privacy issues when using their smartphones because they have not made any bad experiences so far. When P2 was asked whether he used anti-virus software on his Android device, he answered:

“No, actually I have not made any bad experiences with viruses or something similar so far. Should one do that [using anti-virus software]?” (P2)

The majority of the respondents of both user groups (7/7), however, described a feeling of insecurity and a loss of control over their data in connection to the smartphone usage, and especially to the app usage.

“One thinks that apps are somehow reviewed. But what the app is really doing, is not understandable for me. If I don’t need apps any more, I delete them, but whether everything is really deleted is another question ”(P5).

When we conducted the interviews, there had been media reports about the NSA and Edward Snowden, in particular, revealing that users were heavily spied out. These reports provoked a feeling of distrust among Android users (3) and in one iOS user that their data stored on their smartphones were spied on. Additionally, respondents of both user groups (4/5) directly referred to the NSA or Edward Snowden.

“This Ed Snowden revelation was a general thing when it became clear to me that this device may be undercut” (P9).

One iOS user (P7) distrusts the iCloud stating that the “everybody” can read the data. Interestingly, only 3 Android users do know about the default setting of Android to upload data such as calendar and contacts using Google Sync 4. Only one of them (P9) did explicitly say that he deactivated this feature because he did not want Google to know his Wi-Fi password. Users struggle with Google’s reputation, which can be seen in the following quotation of an iPhone user: 4 www.google.com/sync

40 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes

“If you google Google, you notice quite fast that they really try to collect data ” (P17).

Although this respondent is a mechanical engineering student, he is inﬂuenced more by the perceived bad reputation of Google in the privacy area than by the iOS security features. Also, Android users describe distrust into Google by being more susceptible to viruses as an open ecosystem. P9, being a computer scientist, chose Android because he felt that he has “the most freedom on the [Android] devices” and that it was better suited for writing his own apps, which he also reportedly did. At the same time, he called Google “nosy”. Interestingly, even this advanced user claimed later that he would have to root his Android device in order to be able to download apps from another market than Google Play. Another Android user (P13) commented that if privacy had inﬂuenced her buying decision, she would not have bought her Google Nexus phone. Also, the inverse opinion about Apple having bad data collection practices served as the reason not to buy an iPhone. Users did not name any technical reasons for their iPhone aversion, but mentioned their distrust into Apple:

“iPhone was no option because these things have the reputation to send even more data home than the others [smartphones] [...] I don’t support Apple’s business politics” (P5).

“this [security and privacy] was one of the reasons not to buy an iPhone [...] because to trust everything to such a company as Apple [...] I’m skeptical about this” (P11).

Diﬀerences Two iPhone users feel that their data are well protected when they use their iPhones, but none of the Android users feels secure. Only one iOS user explicitly mentioned security and privacy when asked about his smartphone choice criteria:

“The operating system was mainly important to me. So that it is somewhat secure, also from the perspective of data theft” (P17).

Summary Respondents from both user groups described similar feelings regarding their data on the smartphone. Trust and distrust in operating systems of smartphones could be found by Android and by iPhone users, justifying the chosen smartphone (e.g. Android users distrusting Apple and vice versa). The only diﬀerences in security feelings we could identify are iPhone users who explicitly trust iOS and one iOS user who included security and privacy concerns in his smartphone choice decision. These similarities and diﬀerences can also be found in Table 3.3.

41 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes

3.5.2 Knowledge about Security and Privacy

In the following, we present similarities and diﬀerences among Android and iPhone users regarding permissions/runtime consent, knowledge of data access by apps, knowledge about rooting respectively jailbreaking smartphones as well as privacy settings of the smartphone. Participants mainly did not distinguish between security and privacy but stated that these terms have the same meaning, irrespectively whether they had an Android phone or an iPhone. If respondents said that they diﬀerentiate between these terms, we formulated the subsequent knowledge questions separately for security and privacy. However, this mostly bewildered the participants, such that in practice this distinction does not seem to make sense to them.

Similarities Most Android users (7) and iPhone users (6) were able to explain the concept of permissions respectively runtime consent to us. Although most Android users could explain the concept to us, they were not able to completely understand them. Android users therefore made their own rules of keeping secure, for example, they did not install apps that were perceived to request “too many” permissions. One Android user (P2) said that he always reads “the small print” looking for subscription traps, and as he never encountered any, he felt secure. 6 Android users did not consider permissions into their decision for apps, while 4 reportedly did. 6 iOS users positively reported that runtime consent by apps was effective in controlling data access by apps, while 4 iOS users said that those warnings became a habit and were not read at all. Users from both groups felt unsure about what the apps could do with the data once the permissions are granted. One iOS user (P3) explained that although she granted her favorite image processing app access to her photos, she hopes (as there is no assurance) that the app, for example, does not upload them to Twitter. When asked to show the interviewer the privacy settings of their smartphone, seven Android and five iOS users users knew directly where to find them, while the rest of the users had to search for it. Most participants (7/9) already had changed settings, e.g. deactivated positioning service.

Diﬀerences Almost all iOS users (8) knew the term jailbreaking and were able to roughly explain its meaning. However, most iOS respondents did not realize the consequences to security if their device had been jailbroken. One participant had his previous iPhone jailbroken, because it was missing functionalities which the next generation iPhone had. Other reasons for executing jailbreaks were the removal of simlocks, which is today no longer necessary, because iPhones are delivered free of simlock in Germany. One respondent stated that he used a jailbreak with his previous iPhone to get access to apps other than from the Apple App Store and to download apps for free when they were available for a fee at the oﬃcial App Store.

42 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes

In comparison, less than half of the Android users (4) were able to explain the meaning of a rooted device to us as well as the consequences for security. Some Android participants thought about rooting their device in order to delete preinstalled apps because the internal storage of the smartphone was too small. However, these users decided against rooting, because they were afraid that the smartphone would not work afterwards. Privacy settings of iOS were positively mentioned by two iOS users, because they allow modiﬁcation of data access by apps at any time.

Summary Some Android and some iOS users have knowledge about permissions/runtime consent shown by their apps. Although, they are not completely understood they are still considered in the app decision process. The existence and the location of privacy settings were also known by respondents of both user groups but were more useful for iOS users because they allowed managing speciﬁc data access by apps. The term jailbreaking and the resulting consequences for security were more common among iOS users.

3.5.3 Speciﬁc Security and Privacy Concerns

After having asked which data the apps could access (thus assessing knowledge), we asked which data types the participants consider especially sensitive (assessing specific concerns). We also asked about situations in which the participants become aware (think) of security and privacy, and whether they can remember in the past six months a positive or a negative event connected with security or privacy regarding smartphone usage. We identified five situations in which security and privacy were generally noticed by the participants: during the installation and updates of apps (4/4), due to reports in the media (3/2), using the Internet (hotspot versus mobile internet) (2/2), using online banking (2/7), and talking to friends or colleagues about smartphones (1/1).

Similarities Security and privacy concerns do not diﬀer much between the two user groups. They are mostly related to the intransparent data handling by the apps. For example, contacts were named as sensitive by half of the participants (5/5). They explained that their contact data were sensitive because they felt that they were not authorized to decide about what happens to those data, as they belonged to others. The respondents described a feeling of responsibility for their contact data and therefore acted carefully with apps accessing them. Notably, users that reported contact data as sensitive also reported that they use their smartphones mostly for communication purposes, whereas the other users were more concentrated on games, navigation apps and news. Location and movement proﬁle were mentioned by 4 Android and 5 iOS users, four users (2/2) felt concerned about communication content and three users (1/2) about the app access to their social media accounts, such as Facebook or Twitter. Only one user (iPhone, P20) mentioned calendar data as especially sensitive.

43 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes

Users also felt uncomfortable if apps are able to access data unless they are necessary for the app to operate (3/5). An image processing app, for example, needs to access the pictures on the smartphone, while a simple ﬂashlight app does not. Some participants (2/1) said that they are generally suspicious whether the apps actually abide by the given permissions at all. Two Android and one iOS user expressed mistrust into the cloud backup of the respective platforms.

Diﬀerences There is one area of concern that is speciﬁc to Android users: viruses and other malware (6/2). The two iOS users that mentioned malware were not concerned enough to install anti-virus software, whereas the respective Android users had anti-virus installed, meaning that they considered the danger quite real. An exception from this rule is P9, who considers anti-virus software for smartphones to be “snake oil”. Noticeably, online banking seems to be more important for iOS users (2/7). Most of them feel concerned about online banking, although one iPhone user reported a positive opinion:

“The topic online banking is a positive example. Well, there are apps available on the iPhone, which enable online banking and which work quite well. It [the app] seems to be very secure ” (P10).

However, this participant qualiﬁed his opinion by adding that he never conducts bank transfer via apps. Personal data were named as especially sensitive by one Android and four iOS users, and also pictures were mentioned only by one Android, but by four iOS users. However, these diﬀerences seem to be more of a chance nature. On the whole, identifying data as sensitive can be reasonably expected to be disconnected from the particular devices, as the users could also name sensitive data without knowing whether the apps can actually access them.

Summary Two prominent diﬀerences in concerns between the Android and the iOS users is the former’s concerns about malware, and the latter’s concern about online banking. Both user groups considered as sensitive roughly the same data types, most often contacts and location. They also emphasized the relevance of the data for the app operation as a concern, mentioned cloud services security and general mistrust into the binding character of permission request.

3.5.4 Security and Privacy Related Behavior

We describe respondents’ behavior of mitigating security and privacy concerns in the following. Mitigation is related to app usage, unauthorized remote or local access to the data or to the smartphone itself, malware, data loss, and loss or theft of the smartphone.

44 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes

Similarities Six Android users reported that they at least once decided not to install an app because of permissions and six iPhone users removed an installed app because of its data access request. The main reason not to install or use a certain app was that apps requested permissions which were not necessary for the functionality of the apps (6/5).

“I wanted to download the Facebook app, but then I noticed which data it wanted access to and then I changed my mind. [...] What does Mark Zuckerberg need my contact data for?” (P15)

The participants presented three kinds of coping strategies to deal with data security and privacy concerns. As a ﬁrst strategy, they provide apps with limited data (4/7). For example, they enter fake or limited data at a registration process or restrict the available data on their smartphone by just not putting the data there.

“I’m the treasurer of an association and I deﬁnitely don’t want member details on my private iPhone” (P10).

The second coping strategy limits the communication which is conducted via the smartphone (3/3). As an example for this strategy, one participant (P12) even owns two diﬀerent devices, one to make phone calls and to save the contact data and one device to have access to the Internet. One respondent (P9) even leaves his smartphone sometimes at home in order not to be tracked. iPhone users (2) said that they frequently check the privacy settings for apps on their iPhone to manage data access by apps and iPhone users (2) also did not connect to unknown Wi-Fi because of security concerns. Another example for limiting the communication via the smartphone is presented by P4:

“I don’t do banking over my smartphone at all, because I somehow don’t trust it. [...] Basically, I do not communicate my account number via my smartphone, except when I’m on the telephone, but not using WhatsApp” (P4).

The last strategy to cope with data security and privacy concerns is not to install a certain app or update. Some iOS (6) and Android users (6) have at least once decided against the installation respectively usage of an app due to security and privacy concerns. The main reason not to install or use a certain app was that apps requested permissions which were not necessary for the functionality of the apps.

“If apps need permissions which I can’t understand, then I don’t install them” (P9).

“Either I use only parts of the app, were I think I still can take responsibility for, or I do not use the app at all” (P10).

45 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes

We asked respondents whether they take any precautions against unauthorized access to their smartphone. Smartphone users showed diﬀerent behavior, most often interpreting the question as preventing physical access to their smartphone. Users therefore take care of their smartphone (6/3), meaning that they do not leave their device out of their sight. Also using a keylock was reported by both user groups (3/3). Later in the interviews, we directly asked the participants whether they use a keylock on their smartphone, which 6 Android and 7 iOS users did (including the before mentioned amounts). Those participants using a keylock reported that it served as an access control to keep unauthorized people (including their children) from accessing the smartphone (3/4) or to prevent that the smartphone accidentally turned on, e. g., when being in a pocket (1/0). Those users who did not have a keylock said that they pay attention to their smartphone (2/2), that they have nothing to hide (1/1) or that the eﬀort to unlock the device was too high (2/1).

Diﬀerences Two iOS users mentioned security software as a possibility to protect their smartphones, saying at the same time that it is not necessary for iOS, or that no such software exists for iPhones.

“I once wanted to get a virus scanner, [...] but then I thought better that with Apple’s smartphones it is not necessary, because they check all software that is uploaded on the App Store” (P16).

Half of our Android participants had a virus scanner installed on their smartphone, while none of the iOS users had one. The reasons for using a virus scanner were that it induced a feeling of safety (2/0), that it was recommended by others (2/0), or that they also used a virus scanner on their computer at home (1/0). Those respondents who did not have a virus scanner on their smartphone said that they do not need one (3/8), that they had not made any bad experiences so far (1/2) or they did not know that virus scanner exist for smartphones (2/3). All iOS respondents protected the data on their smartphone to prevent the loss of data, using either a cloud based solution or making manual backups. The availability of their data, for example, when the smartphone is broken or stolen, was the main reason for iPhone users to protect their data. Apple provides a preconﬁgured solution to backup data in iCloud or to use iTunes to create a local backup. Since 2009, Android provides a default setting for synchronizing Google mail, contacts, calendar and Google chrome if the smartphone is linked to an Android account. Still, our Android participants were mainly not aware of this setting. Only three Android users backup their smartphone data, one user referred to the Google Sync option, and two users make backups on their home computer. Most Android respondents claimed that they did not make backups due to unimportant data (7) and because of the eﬀort to do so (2). In case the smartphone will be lost, most iPhone users (6) and a few Android users (2) reported using apps to relocate the smartphone. For iPhone respondents, reasons to

46 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes protect their smartphone were financially oriented (2). Consequences of the loss of a smartphone were different for the user groups. Android users (4/1) felt mainly that a loss would result in an effort to restore the previous state, while iOS users more often described an emotional (1/3) loss, whereas financial loss (3/3) was mentioned by users of both groups.

Summary Data access by apps inﬂuences Android and iOS users not to install or use a certain app. Users of both groups presented strategies to cope with security and privacy concern: providing apps with limited or false data, limit communication via the smartphone and deciding against app usage. Preventing unauthorized access to the smartphone by controlling the physical access to the device and using keylock was important for Android and iOS users equally. Unauthorized access to the smartphone data was controlled by using virus scanners (Android users) but was rejected by iOS users. All iPhone users protected their data from data loss by making backups using the iCloud or by making local backups, while only 3 Android users knowingly backup their data.

3.6 Discussion

We present implications of the discovered similarities and diﬀerences between Android and iOS users for the design of current and future mobile ecosystems.

3.6.1 Implications of Similarities between Android and iOS

The similarities between the two user groups include their tendency to justify their smartphone choice by trust or distrust into the respective company (Google or Apple) and their concerns about the intransparent data usage by the apps.

Importance of the Reputation and the Failure of the Technical Security Argu- ments Although some of our users were quite technically knowledgeable and experienced, none of them mentioned technical arguments, such as hard disk encryption or particular features of the respective operating systems. The users justiﬁed their choice of Android or iOS with two types of emotional arguments:

1. The user likes his/her operating system or the corresponding company. Android is positively associated with Linux, with openness and freedom. iOS is positively associated with high usability and trust into Apple. 2. The user intensely dislikes the concurrent company and chooses his/her operating system as “the lesser of two evils”. Both, Google and Apple, are seen by this type of users as having bad data collection practices and spying out their users. A frequent comment is that although the company the own smartphone cannot be trusted, the concurrent company is perceived to be even worse.

47 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes

Also trust in popular apps heavily depends on reputation, for example, many users expressed their concerns with the security of WhatsApp, evoked by unfavorable media reports. However, the participants reported that they have to use WhatsApp anyway, as “everybody else” uses it. This usage is often accompanied by the feeling of resignation.

Prevalence of Privacy Concerns Most users that were not classiﬁed as “unconcerned” uniformly reported concerns with intransparent data access and usage by the apps. They mistrusted the permissions and options, claiming that (1) they do not have any possibility to know whether the apps actually abide the permissions, and (2) there is no guarantee that an app that requested a legitimate permission does not misuse the given data access. An example of the latter concern is an image processing app that has to be given access to the photos, and yet the user has no possibility to know what the app is really doing with the photos, for example, illegally uploading them to some server. Some users also expressed privacy concerns with the cloud services of Google and Apple, as they have the feeling that everything that goes into the cloud can be read by “everybody”.

“Folk” Security and Privacy Measures In order to be (or to feel) secure, people combine diﬀerent strategies, including physical protection (“my smartphone is always in my pocket”), the division of labor between diﬀerent devices (the smartphone is for the Internet, but an old-fashioned mobile phone is for contact data and phone calls), non-usage in certain situations (“when I go shopping, I leave it at home sometimes, just for the fun of not being tracked”). Small, but still noticeable size, light weight, mobility, and the separability of the devices from the person are the enabling features for these folk security and privacy protection measures that are impossible to achieve with the desktop computers or even laptops. We think that future technologies should be designed in such a way as to give the users the ability to apply these folk measures. For example, implantable or otherwise integrated in human body or necessary items (like glasses) devices should be considered critical in this sense.

3.6.2 Implications of Diﬀerences between Android and iOS

We further discuss whether the open vs. closed ecosystem and static (permissions) versus dynamic data access requests should be considered a better design choice.

Open versus Closed Ecosystem Android and iOS users alike frequently commented that they consider iOS to be more secure due to Apple’s tight control over the app market. They trusted Apple’s app review process and felt reasonably secure against malware. On the other hand, Android was repeatedly called insecure by both user groups, such that many Android users felt that they have to protect themselves by installing

48 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes anti-virus software. This also means that Android users feel responsible for their security, whereas iOS users willingly delegate their security to Apple. This also concerns Apple’s preconﬁgured backup possibilities that are used by all Apple users, whereas Google users were mostly unaware of similar Android features. It is still diﬃcult to say whether the closed system design should be preferred. However, users’ perception of Android insecurity is probably more important. This shows that design of open systems should be reconsidered in the future, such that it can provide more transparency and assurance to the users.

Data Access Requests Android permissions produced two types of reaction from the users. On the one hand, especially technically knowledgeable users considered them to be important for app choice, although all of them commented that they only partially understand the permissions. On the other hand, less technically literate users considered permissions to be analogous to “terms of use” or EULAs, and did not read them, accordingly. On the whole, permissions seem to be ineﬀective in giving the users control over security and privacy of their devices. iOS runtime requests meet a similar fate. Some users consider them useful, whereas other users barely notice them because of habituation. Most useful for the usage seems to be security and privacy options of iOS, as they seem to give a good overview and good control possibilities to the users. Some users report that they always refuse the runtime requests, but later consider the iOS security options and decide which permissions they should give to which app. Turning individual permissions on and oﬀ was also mentioned as a highly desirable feature by Android users.

3.7 Limitations

Our study design is based on interviews, meaning that we used statements of smartphone users as the base for our analysis. Therefore, we rely on self-reported data which may be susceptible to false statements, exaggerations or understatements. Qualitative research has been criticized for being based on individual impressions, biased by the researcher. It is further criticized for the lack of reproducibility, meaning that different researchers could come to different conclusions based on the same research material [77]. Although we realized objectivity through an independent coding process with rigorous category and code definitions, categorizing does not entirely exclude subjectivity. Especially when consensus has to be reached when comparing differing coding results, subjective decisions are included in the analysis. Qualitative content analysis, as every qualitative research method, does not lend itself to generalizations to the broad user population. We used a quota sampling in order to minimize the potential selection bias, selecting people with different age, gender and occupation, such that we should be able to gain access to as many different smartphone

49 3 Relationship of the Smartphone Ecosystems with Users’ Security and Privacy Attitudes experiences as possible. Nevertheless, we cannot state that we reliably uncovered every possible facet of the investigated phenomenon. For example, we recruited our participants using eBay Classiﬁed and Facebook, such that we possibly pre-selected smartphone users who use these services.

3.8 Conclusion

Existing studies on smartphone usage regarding security and privacy focus primarily either on iOS or on Android users. This study analyzes both user groups and compares them, focusing on security and privacy feelings, knowledge, concerns and behavior. Our results contribute to the understanding of how future smartphone ecosystems should be designed with respect to security and privacy, and what should be avoided. The diﬀerences between the Android and iOS ecosystems as perceived by their users give hints in which direction the development should go.

3.9 Summary

This chapter investigated the differences and similarities of Android and iOS users regarding security and privacy related decisions and behavior as well as the influence of the smartphone ecosystem on the users. One major finding of this chapter is that iOS is considered to be more secure due to Apple’s tight control over the app market. While Android was considered to be more insecure resulting in a feeling of responsibility for the security of Android users. We deepen our insights and findings by analyzing app perception and app handling regarding security and privacy aspects in the following Chapter4.

Chapter 4

Perception and Handling of Applications

Android and iOS build unique ecosystems which on the one hand attract certain kinds of users and on the other hand provide security and privacy related portfolios of measures available which aﬀect user perception, awareness and behavior. Especially when choosing and using applications, smartphone users are confronted with several security and privacy decisions. In this chapter, we investigate how security and privacy mechanisms provided by these operating systems inﬂuence users perception and decision making, especially when using apps.

4.1 Introduction

Android and iOS are the world’s most popular smartphone operating systems [118], whereas their underlying system architectures and business models differ considerably [16, 53, 197]. It is widely believed that the corresponding user communities differ from each other. We could compile a list of differences from personal communication and different press sources [64, 16]. A typical Android user is assumed to be male and technically savvy while having an iPhone is more often attributed to women1. Moreover, iPhone users are said to be very loyal to Apple, they buy more apps and are more actively engaged with their devices than Android users. In this chapter, we assume that the differences between iOS and Android system architecture and app handling are connected to the differences in perception and behavior of the users with respect to security and privacy. Thus, our main research question is formulated as follows: Are there differences in attitudes and behavior between Android and iOS users concerning security and privacy when using apps? Contribution. We compare Android and iOS users according to their security and privacy awareness, discuss our findings and give directions for future research. To our knowledge, this is the first direct comparison of this kind. We think that the knowledge about these differences can improve the design of future security- and privacy-related features of smartphones and of app stores.

1 For example, according to a 2010 AdMob survey, 73% of Android users versus 57% of iPhone users were male [64].

52 4 Perception and Handling of Applications

In Section 4.2, we present related work on security and privacy awareness of Android and iOS users. Section 4.3 introduces our research methodology and Section 4.4 presents the results. We discuss limitations of this work in Section 4.5. Finally, we conclude with a discussion of ongoing and future work in Section 4.6.

4.2 Related Work

We are only aware of two studies that explicitly mention the differences between Android and iOS users with respect to security and privacy. In order to analyze privacy concerns and expectations of smartphone users, King [103] conducted interviews with 13 Android and 11 iOS users. The research investigates two dimensions: participants’ concerns with other people accessing the personal data stored on smartphones as well as with applications accessing personal data. Almost all participants reported such concerns. King hypothesized that the Apple review process causes iOS users to exhibit more trust into the apps. However, she found out that also Android users thought that Google reviews apps before they are put into the Google Play store2 (this fact is also confirmed by Kelley et al. [100]), and so no difference between platforms could be observed. Users that believed that the apps are reviewed felt safer when using apps. iOS users were mostly unaware of data usage by the apps (iOS 6 was not released at that time). In contrast, Android users were aware of the permission screen that is shown during the installation, although the majority of them felt that they do not quite understand what the permissions mean. Chin et al. [42] examined differences of smartphone users’ perceptions and behavior when using laptops versus smartphones. The authors conducted a survey with 30 iOS as well as with 30 Android users. They noticed that Android users had more free apps than iOS users. Furthermore, around 20% of Android users stated that they always consider permissions when installing apps and additional 40% stated that they sometimes considered permissions. This is an interesting contrast to the results by Felt et al. [68] that only 17% of Android users pay attention to the permissions during the installation process. Independently and concurrently to our work, Mylonas et al. [140] conducted a survey with 458 smartphone users in order to gain insights into their security awareness. The authors found out that most smartphone users do not feel being at risk when downloading apps from official application stores, and that this effect is independent of the smartphone’s operating system. Smartphone users also do not pay attention to security messages which are shown by the devices. Further, they could only find a slight correlation between the participants’ security background and their awareness of security when using smartphones [139]. In addition to the findings of Mylonas et al., we examine also privacy awareness of smartphone users and compare Android and iOS users in detail.

2 Google started to automatically review apps with the introduction of Google Bouncer in February 2012 [120], which was after the study of King was conducted [103].

53 4 Perception and Handling of Applications

Android users received the most attention to date in connection with the Android permissions [68, 117, 40, 100]. Although different research strategies and different user pools were considered, the researchers uniformly found that most users pay only limited attention to the permissions and have a poor understanding of their meaning. We are not aware of any studies that specifically concentrated on security- or privacy-related human factors for iOS users.

4.3 Research Methodology

We conducted a survey of 506 Android and 215 iOS users in order to analyze security and privacy behavior and attitude. We therefore designed an online survey using the LimeSurvey software3. The survey consisted of 21 questions including 17 quantitative and 4 qualitative (open-ended) questions and was available online from September 11th to October 4th, 2012. In order to avoid priming, we called the survey “How well do you know your smartphone?”. Participants were recruited via email from the economics department and from the technical department of the University of Erlangen-Nuremberg. Additionally, 250 ﬂyers were distributed in the city of Erlangen in order to increase the amount of non-student participants. The online questionnaire can be found in the Appendix in Section 10.3.

4.3.1 Hypotheses and Survey Design

According to our research question presented in Section 4.1, we developed two hypotheses: H1: Android phone users are more security aware than iOS users. H2: Android phone users are more privacy aware than iOS users. The hypotheses are based on the assumption that Google’s open app market makes Android users more conscious of possible malware infections and that the explicitly presented app permissions draw user attention to the possibilities of data misuse. It is also possible that security and privacy aware users choose Android because it is open source and because they can see in the permissions which data is accessed and manipulated by the apps. We note that due to the app vetting process of Apple it might be possible that security and privacy aware people choose iOS. In our ongoing work that is based on the survey presented here, we are investigating whether security and privacy awareness is decisive for the choice of smartphone and its operating system, and also whether the choice of smartphone inﬂuences security and privacy awareness (see Section 4.6 for an initial overview).

3 http://www.limesurvey.org

54 4 Perception and Handling of Applications

4.3.2 Measuring Security and Privacy Awareness

In order to measure security and privacy awareness, we ﬁrst asked the participants an open-ended question about what is important to them when choosing a new app. This question was asked before mentioning any security or privacy issues in the survey in order not to prime the participants. Users that mentioned security or privacy issues in their answers were classiﬁed as security respectively privacy aware. Later in the survey, we asked the participants whether they have some security software installed on their smartphones, and we also explicitly asked the participants about their knowledge and concerns about the handling of personal data by the apps.

4.3.3 Participants

We received 917 responses to the survey. After sorting out incomplete questionnaires as well as users that had other kinds of operating systems than iOS or Android, the answers of 721 participants (258 female and 463 male) were left for further analysis. We received answers from 506 Android and 215 iOS users. More than 80% of the participants were between 18 and 25 years old and 14% were between 26 and 30 years old. 93% (674) of the participants were students, 5% (37) were employed and 2% (10) were neither students nor employed.

4.4 Analysis of the Results

We conducted quantitative as well as qualitative analysis of the answers. For the open- ended questions, we used the software for qualitative analysis called MAXQDA4 in order to categorize the answers. For quantitative analysis we used SPSS5.

4.4.1 Hypothesis 1: Security Awareness

To test hypothesis H1 (Android phone users are more security aware than iOS users), we asked the participants if they have security software such as virus scanner installed on their device. 6% of iOS users said to have such software installed, while 38% of Android users stated the same, see Figure 4.1. The difference is highly significant and there is a medium correlation between the operating system of the smartphone and having security software installed (Cramer’s V = .327, p ≤.001). This confirms H1. Mylonas et al. [140] provide similar findings referring to the differences between Android and iOS users. Their survey results show that 33% of Android users but only 14.7% of iOS users have security software, especially virus scanners, installed on their smartphones.

4 http://www.maxqda.de/ 5 http://www.ibm.com/software/de/analytics/spss

55 4 Perception and Handling of Applications

Figure 4.1: Answers to the question “Do you have some security software installed on your smartphone?”

We note, however, that it is not clear whether having a virus scanner can be considered as an independent variable, because there are many virus scanners for Android and virtually no virus scanners for iOS. One may also argue that more security aware people would probably choose iOS because of the Apple review process, and would feel that they do not need any security software in this case. We further qualitatively analyzed responses to the question: What is important to you when choosing a new app? This open-ended question was asked before security or privacy had been mentioned in the questionnaire to avoid priming. We categorized users as being security aware if they mentioned anything connected to “security”, “trust” or “permissions” in their answers (see Table 4.1). In total, 634 users answered this question. 9 iOS and 96 Android users were categorized as security aware (some participants mentioned more than one security-related issue). We conclude that there is a weak correlation between the operating system and the “security” category that is highly signiﬁcant (Cramer’s V = .206, p ≤.000). Further categories that were derived from the answers to this question can also be found in Table 4.1. We divided the results into security- and privacy-related categories as well as into those that are not security and privacy relevant. The above results conﬁrm hypothesis H1: Android users are more security aware if we consider having security software or mentioning of permissions as indicators of security awareness. In their survey, Mylonas et al. [140] also asked participants about their application

56 4 Perception and Handling of Applications

Figure 4.2: Users that mentioned privacy issues as an important factor when choosing a new app selection criteria, resulting in 8 categories “usefulness”, “usability”, “eﬃciency”, “cost”, “reviews”, “reputation”, “developer” and “security/privacy”. Their most often mentioned category was “usefulness” with 58.8 % and the least mentioned category, “security/privacy”, could only be measured in 3.5 % of the answers. In their context, the category security and privacy was e.g. related to not installing an app due to permission requests.

4.4.2 Hypothesis 2: Privacy Awareness

Although there are some measurement scales for privacy concerns in the literature [124, 112], there are not many definitions and scales for privacy awareness [155]. As a first indicator of privacy awareness we analyzed the answers to the question: What is important to you when choosing a new app? We consider users to be privacy aware if they mention anything connected to privacy or personal data, e.g. “privacy”, “permissions” or “trust”. Although we previously used the category “permissions” to analyze security awareness of smartphone users, we also use this category for analysing privacy awareness, as permissions actually refer to both, security-critical actions and personal data access. 10 iOS users and 104 Android users were categorized as privacy aware, see Table 4.1 and Figure 4.2. There is a weak correlation between the operating system of smartphones and the categories mentioned above. This correlation is highly significant (Cramer’s V = .200, p ≤.000). Here, one may be tempted to argue, similarly to H1, that more privacy aware users might choose iOS because they trust that privacy invasive apps will not pass Apple’s review

57 4 Perception and Handling of Applications

Figure 4.3: Privacy awareness: Do you pay attention to whether an app accesses personal data? process. However, Apple’s review criteria are kept secret and iOS apps are known to be quite privacy invasive from the literature [63, 179, 82]. We also asked the participants explicitly about their awareness of data access by the apps. We found no diﬀerences between iOS and Android users here, with more than 90% of the users stating to be aware of the fact. We note, however, one cannot fully rely on the self-reporting by the users, as this question is suggestive. In addition, participants were asked whether they pay attention to app accessing personal data. This question was answered by 213 iOS and 492 Android users. If one regards the answers “yes” and “sometimes” together (see Figure 4.3), Android and iPhone users both gain about 90%. This is interesting if one considers that until iOS 6 emerged, iPhone users were only asked whether they grant the app access to the current location. For all other accesses, users were not directly asked. It remains unclear how iPhone users were able to pay attention to whether an app accesses private data or not. As iOS 6 was actually released exactly in the middle of our survey on September 19th, 2012, we could compare the answers of iOS users that were given before and after the release date. We found no diﬀerence in the answers. Furthermore, we found out that 74% of the iPhone users as well as 82% of the Android users state to have decided against the usage of an app because the app wanted access to their personal data (see Figure 4.4). This question was answered by 202 iOS and 449 Android users. 20% of iPhone users and 15% of Android users never decided against the

58 4 Perception and Handling of Applications

Security and privacy relevant categories Category Description Examples iOS Android The term “security” Security “Data security” 6 (3%) 16 (3%) was mentioned “Protection of private “Data privacy” was data”, “App should Data privacy mentioned or handling 6 (3%) 33 (7%) not collect or circulate of private data personal data” “Kind of permissions of Required permissions an app”, “If permissions Permissions of an app; if permis- 3 (1%) 80 (16%) are relevant for the app to sions were mentioned function” “Trustworthiness of per- Trust Reliable usage of data 2 (1%) 5 (1%) sonal data usage”

Non security and privacy relevant categories Category Description Examples iOS Android “Additionally beneﬁt Useful in daily life, 142 Usefulness through app”, “Useful 318 (63%) functional volume (66%) beneﬁt” “App should be free, be- 90 Costs Costs of an app cause I don’t have a credit 205 (41%) (42%) card”, “Free of cost” “App should be user- 37 Usability Usability of an app 72 (14%) friendly”, “Easy usage” (17%) Recommendations of “Experience of other 26 Rating other users, reviews in users”, “Apps should have 67 (13%) (12%) app markets good ratings in the store” Entertaining functions “App should be fun”, “Fun 21 Entertainment 43 (8%) such as games factor” (10%) “App should have a low Storage space, battery battery consumption”, Resource usage 6 (3%) 47 (9%) consumption “App should not waste storage space” “No intrusive advertise- Absence of adver- No or little advertising ment”, “No annoying ad- 6 (3%) 27 (5%) tisement being part of an app vertisement” 27 N.A. 61 (12%) (13%)

Table 4.1: Most frequent categories for the answer to the question: What is important to you when choosing a new app?

59 4 Perception and Handling of Applications

Figure 4.4: Privacy awareness: Have you ever decided against the usage of an app because the app wanted access to your personal data? usage of such apps (Cramer’s V = .103, p ≤.10). These differences are not significant. Finally, we asked the participants an open-ended question about which kind of data access would cause them to abstain from using an application. Here, some differences between iOS and Android users could be identified. “Reading SMS/MMS” is important for 1% iOS and 12% Android users. This reflects the corresponding Android permission. An interesting category is “Apps causing hidden costs” (0% iOS users and 7% Android users) that reflects the text of the corresponding Android permission. It seems that the Android users that pay attention to permissions are the only ones that realize the dangers of malicious apps sending, for example, premium-rate SMS. The most often mentioned category is “Location” (named by 29% of iOS and by 20% of Android users), followed by “Contact data” (20% of iOS users and 15% of Android users), with no significant differences between the smartphone types. Moreover, around 10% of users on both platforms gave answers such as “it depends on app’s functionality” or “if the data are not related to the core function of the app”, indicating that these users make privacy-related trade-offs when deciding to use an app. The results of this analysis are not straightforward. Are the Android users more privacy aware because they mention one more data type (SMS/MMS) than iOS users? Are the Android users more security aware because a small percentage of them thinks about hidden costs that an app may cause? On the other hand, significantly more Android users stated in an open-ended question that privacy issues and permissions are important for them when deciding to install a new

60 4 Perception and Handling of Applications app (see Figure 4.2). They did so before any privacy-related questions were asked. So we make a tentative conclusion that Android users seem to be more privacy-aware than iOS users, conﬁrming hypothesis H2. We note, however, that this issue needs further investigation.

4.5 Limitations

Our study run form September 11th to October 4th 2012, and iOS 6 was released on September 19th. Thus, the data of iOS users provided after September 19th may be biased because some of them already updated to iOS 6 which requires runtime consent for more data types than location. However, as we noticed no signiﬁcant diﬀerences in the two data sets (data before the introduction of iOS 6 and afterwards), we used all the data for our analysis. Our participant’s sample was biased towards well-educated young people, as most of them were students, so the generalization of the results cannot be guaranteed. We are investigating other population of participants in our ongoing work.

4.6 Conclusion

The conducted study gave some insights into the interplay between security and privacy awareness and smartphone choice. Android users seem to be more security and privacy aware, mostly because they notice Android permissions. This may indicate that users need to be presented with a clear overview of the data access by the apps and that this overview may indeed improve their awareness.

4.7 Summary

In this chapter, we analyzed Android and iOS users regarding their security and privacy awareness with special focus on their app usage. According to our study results, we can see that Android users are more security and privacy aware than iOS users. Directly connected to smartphone applications are the permission models of Apple and Google. As Google used to have a permission model quite diﬀerent to the runtime permission model of Apple, it is of interest to investigate whether Android and iOS users diﬀer in their security and privacy awareness and decisions. As Google has changed its permission model in October 2015 and adapted the iOS runtime permission model, it is possible to analyze whether the old or the new permission model is perceived as more useful and positive. These questions shape the following Chapter5.

61 Chapter 5

Perception and Usage of Smartphone Permission Models

The official app stores of Android and iOS show differences in how they manage access to smartphone data by applications. The permission systems have evolved over time and thus provide an opportunity to investigate how different approaches of apps accessing private user data are perceived and used by smartphone users. In this chapter, we analyze how users perceive and interact with the different permissions systems of Apple and Google.

5.1 Introduction

Smartphones store and process a large amount of sensitive personal data. Until recently, Android and iOS took different approaches to protect this information from unwanted access by third-party apps. Following the terminology by Bonnéet al. [33], we call these approaches old Android permission model and runtime permission model, respectively. Runtime permission model was introduced in iOS 6 in September 20121. If an installed app needs access to sensitive data for the first time, the user is presented with a permission request for this data type and can grant or refuse access. Moreover, users can adjust (grant or revoke) permissions in the smartphone’s settings. Thus, the runtime permission model allows for fine-grained control over the data access by the apps. The old Android permission model was used by Android prior to the introduction of Android 6.0 (Marshmallow). During the installation process of any app, Android users are shown permission requests by this app. If the users do not want an app to access one or more of the required data types, they have to cancel the installation process. However, if users install the app, they permanently grant all permissions. This permission model has been repeatedly criticized for its poor usability. User studies have shown that many users do not notice and do not understand permissions. Moreover, the users are required to take an “all-or-nothing” decision at a psychologically inconvenient time point, as they are shown the permission screen after they already decided to install an app [68, 99, 84]. Maybe in response to the above critique, the old Android permission model was changed to the runtime permission model starting with Android 6.0 in October 2015. Referring to Android’s permission model before and after version 6.0 (Marshmallow), researchers have used different terminology, as presented in Table 5.1. We use the terminology of Bonnéet al. [33] and thus refer to the Android permission model before version 6.0 as

1 Previous iOS versions asked for runtime permissions for location data, but most other data types could be accessed freely by the apps.

62 5 Perception and Usage of Smartphone Permission Models the old Android permission model and to the permission model for version 6.0 and later as the runtime permission model.

Before Android 6.0 After Android 6.0

Tsai et al. [198] ask-on-install (AOI) ask-on-ﬁrst-use (AOFU) Bonne et al. [33] old permission model runtime permission model Micinski et al. [131] install-time permission lists run-time dialogue boxes Andriotis et al. [7] binary model (accept-reject) runtime permission model

Table 5.1: Various terminology used for Android permission models

It seems that the runtime permission model is considered to be “better” by both, Google and Apple. However, it is not clear whether users also perceive the runtime permission model to be “better”, and whether these perceptions diﬀer for diﬀerent smartphone operating systems, Android and iOS. The goal of this work is to investigate these questions. Currently, some users have smartphones with the old Android permission model, whereas others already use the new one. Thus, we have a unique opportunity to compare usage and perception of permissions of these two user groups. Additionally, if we capture the same data from iOS users, we may be able to see whether usage and perception of runtime permissions are similar across both smartphone operating systems. More precisely, we consider the following research questions:

• RQ1: How are diﬀerent permission models reportedly used in practice?2 • RQ2: How are diﬀerent permission models perceived by the users?

To answer RQ1, we consider the reported role of the old Android permissions in the installation process and the reported behavior of users when they encounter runtime permissions: how they usually react and whether they adjust permissions in the smartphone’s settings. To specify RQ2 more concretely, we formulate the following hypotheses:

• RQ2-H1: Runtime permissions are perceived as more useful than old Android permissions. • RQ2-H2: Runtime permissions are perceived more positively than old Android permissions.

2 “Reportedly” means that we ask users how they utilize permissions, but do not measure their actual behavior, which is out of the scope of this study.

63 5 Perception and Usage of Smartphone Permission Models

To answer these research questions, we conducted an online survey with 864 participants: 339 users of old Android permissions, 211 users of runtime Android permissions and 314 iOS users. We found that both permission types are reportedly utilized by users for decision making regarding app installations and usage. However, runtime permissions in Android and iOS are perceived as more useful than the old Android permissions. Users also show a more positive attitude towards the runtime permission model. Outline. This chapter is organized as follows. We discuss related work in the next section, and outline study design and participants’ demographics in Section 5.3. Study results are presented in Section 5.4 and discussed in Section 5.5. We conclude in Section 5.6.

5.2 Related Work

User perceptions, attitudes, and behavior concerning various aspects of smartphone security and privacy have been an active research topic in the last decade. Here we focus on research regarding permissions. iOS runtime permissions have received limited research attention so far. Tan et al. [194] investigated how developer-specified reasons for iOS permission requests influence user behavior. They found that users are significantly more likely to grant permission requests when an explanation was available, even if the content of that explanation was not relevant for the app usage. Previous research mainly focused on Android permissions. We provide an overview of research on the perception of the old Android permission model and possible design improvements. We then consider research on alternative presentation forms and extensions of the old Android permission model, and finally on the runtime permissions. Regarding the old Android permission model, users are confronted with making privacy related decisions at installation time of an app by either granting all requested permissions or aborting the app installation. This process often induces users to grant all permissions without reading them or without understanding the consequences [68, 99]. Android users seem also unaware of the frequency of apps collecting personal data e.g. regarding tracking data points [98] and of apps continuing to access smartphone’s resources when running in the background [195]. Kelley et al. [99] report that the permission display is read in general, but rarely understood. Even text-based warnings which explain the access of an app do not show a strong effect on decisions about app installations [26]. In order to improve the comprehension of applications accessing and changing data and settings on users’ smartphones, many alternative interfaces and extensions to existing permission systems have been developed [100, 109, 198]. Some research efforts tried to increase the understanding and usage of permissions for decision making by providing additional information next to the permission screen. Kelley et al. [100] designed a display with privacy information to help users to make better decisions on security and privacy in choosing applications with fewer permissions. As a

64 5 Perception and Usage of Smartphone Permission Models result, they could support users in selecting apps with fewer permissions. Kraus et al. [109] supplied users with statistical information: the number of permissions compared to other apps with similar functionality. Tsai et al. [198] argue that Android permission privacy interfaces are insufficient in helping users making informed decisions about privacy desires and needs because they disregard contextual factors. Therefore, they present TurtleGuard, a privacy feedback interface based on machine-learning techniques. Overall, Android users have consistently expressed surprise about apps’ data access and a desire to have more control over it [84,5, 212]. The first study on the adaptation of Android users to the runtime permission model was conducted by Andriotis et al. [7]. They designed an application which was installed by 50 Android Marshmallow users. This app gathered the smartphone’s current information about permission settings for each installed app. Additionally, participants were asked six multiple choice questions about their understanding and perception of the new model. This study shows that the majority of users prefer the new permission system as it enabled them to better control their data being accessed by apps. Bonnéet al. [33] examine reasons why Android users install or remove apps from their smartphones in the runtime permission model. The authors collected data using questionnaires and observed real app usage behavior through the use of an Android app. They conclude that requested permissions are less important for user’s app choice and that 15% of users uninstalled apps due to permissions. We further discuss the work of Andriotis et al. and Bonnéet al. in Section 5.5. To summarize, usage and usefulness of Android permissions have been a very active research topic, whereas iOS permissions have not received much attention. Although runtime permissions have been positively received by the Android users, it is not clear whether research results concerning Android runtime permissions can be generalized to the iOS runtime permissions as well, and to possible future uses of runtime permissions in other systems. We take the first step in closing this research gap by comparing usage, usefulness, and attitude to permissions by the three major smartphone user groups available today: users of old Android permissions and users of runtime permissions for both, Android and iOS.

5.3 Method

In the following, we describe the survey design, data analysis approach, the recruiting process and the characteristics of the participants.

5.3.1 Survey Design

The survey focused on users’ reported handling of permissions at installation and during runtime, on the perception of permissions’ usefulness and on the positive or negative attitude towards them. It consisted of the following question groups:

65 5 Perception and Usage of Smartphone Permission Models

• Smartphone usage: OS version, duration of usage, OS of the previous smartphone3, number of self-installed apps, frequency of app installations; • Usage of permissions: important factors in the app choice process, canceling of installations due to permissions requests, handling of runtime permissions; • Usefulness of permissions and attitude towards permissions; • Demographics: age, sex, education, occupation, aﬃnity towards technology. The latter was measured using the psychometric scale by Zawacki-Richter et al. [218] (in German). This scale rates eight statements by using a 5-point Likert scale (from “disagree” to “agree”). The statements cover experience, competence, attitude, knowledge, interest, and acceptance towards technology.

In the questions about usage of permissions, users were first shown a screenshot of the respective app store and asked to indicate which interface elements are important to them when choosing an app. The participants were shown the list of interface elements (e.g., app name, app size, price, reviews) in randomized order and asked to order the elements by importance. For the users of the old Android model, this list contained the item Requested permissions and was used to establish the role of the old Android permission model in the app choice process. We also asked whether users sometimes cancel installation of apps and for what reason. Afterward, we explicitly asked about canceling of app installations due to permissions. With respect to runtime permissions, we first showed to the users example situations that arise if an app asks for permissions. We asked whether the users are familiar with similar situations, and how they usually react to them (latter as a free-text question). Furthermore, we asked users of runtime permissions whether they have ever changed permissions in the settings of their smartphones. The usefulness of permissions was assessed with the statement “I find permissions useful”. It was rated on a 5-point Likert scale from 1=“disagree” to 5=“agree”. To assess users’ attitude towards permissions, they were asked to complete the following statements on a 5-point Likert scale (from 1=“negative” to 5=“positive”):

• My attitude toward permissions is generally ... • My overall experience with permission requests is ...

We conducted several pretest runs with Android and iOS users during the survey design process. We ﬁrst tested individual questions with users of both operating systems and adjusted them accordingly. Finally, the complete questionnaire was tested by ﬁve Android and two iPhone users. The online questionnaire can be found in the Appendix in Section 10.4. 3 We were concerned that users that recently switched from Android to iOS or vice versa might confound both permission models in their answers, and thus might not be able to provide consistent answers regarding permissions. However, this threat to validity was later mitigated by the data analysis, see Section 5.3.3.

66 5 Perception and Usage of Smartphone Permission Models

5.3.2 Data Analysis

We calculated Chi-squared tests (χ2) for nominally scaled variables or Analyses of Variance (ANOVA) for interval scaled variables, respectively. Significant differences are indicated if p < .05. Because of the large sample size, even small effects reach statistical significance. Therefore, we also report η2 as estimate of effect size in ANOVAs, and 2 Cramer’s V (ϕc) for χ tests. According to Cohen [43], effect size is considered to be 2 2 2 small at η = 0.01 or ϕc = 0.07, medium at η = 0.09 or ϕc = 0.21, and large at η = 0.25 or ϕc = 0.35. The reliability of the scale “affinity for technology” was assessed by Cronbach’s α as a measurement for internal consistency. With a Cronbrach’s α = 0.85, the reliability is good. The survey also contained open-ended questions, which were categorized using MAXQDA. We applied an inductive approach, meaning that categories were derived from the data material. A given answer could be assigned to more than one category. As the most free-text answers were very short and unambiguous, the categorization codebook was compiled by one researcher. The resulting categories were then discussed by the research team, and thereafter one researcher coded all answers.

5.3.3 Participants

The questionnaire was available online for 30 days in October 2016. It was approved by the data protection office of the Friedrich-Alexander University of Erlangen-Nuremberg (FAU). We advertised the study on the mailing lists of the economics and the social sciences departments and at the official Facebook group of the FAU. To avoid self-selection and priming issues, the recruitment message stated that the study was about smartphone usability. The average completion time of the questionnaire was fifteen minutes. The users did not receive any compensation for participation. Overall 1164 people took part in the study. 208 answers were sorted out because these participants did not complete the survey. Additionally, 92 participants either did not have a smartphone with Andorid or iOS or did not provide their Android version in the questionnaire.4 Both types of participants were not asked any further questions. This yielded a dataset of 864 utilizable responses.

Consistency of smartphone usage As described in Section 5.3.1, we asked participants how long they have been using their current smartphone, and which kind of smartphone they had before (if any). We did this in order to identify users that recently switched from Android to iOS or vice versa, as we were afraid that they might confound

4 We took special care to guide participants through the process of ﬁnding out the version of their operating system, accounting for diﬀerent interfaces of various Android manufacturers.

67 5 Perception and Usage of Smartphone Permission Models

All users Old Runtime iOS Android Android Participants 864 339 211 314 68% female 71% female 61% female 69% female Average age 23 (σ = 6.2) 23 (σ = 6.3) 23 (σ = 5.7) 23 (σ = 6.5) Educational degree High school 612 (71%) 238 (70%) 149 (71%) 225 (72%) Bachelor’s degree 167 (19%) 73 (22%) 44 (21%) 50 (16%) Master’s degree 64 (7%) 20 (6%) 12 (6%) 32 (10%) Other 19 (2%) 8 (2%) 4 (2%) 7 (2%) Occupation Student 773 (89%) 314 (93%) 186 (88%) 273 (87%) Employee 63 (7%) 17 (5%) 18 (9%) 28 (9%) Other 24 (3%) 8 (2%) 5 (2%) 12 (4%) Aﬃnity towards 2.86 2.67 3.05 2.93 technology (σ = 0.76) (σ = 0.76) (σ = 0.82) (σ = 0.77)

Table 5.2: Demographics of the participants (N = 864), σ denotes standard deviation. Some values are missing in the dataset, therefore values do not always add up to 864. both permission systems in their answers. However, this fear was not justiﬁed by the data, as we discuss below. We deﬁne users that consistently used operating system OS ∈ {Android, iOS} if and only if they satisfy one of the following conditions:

• currently use OS & it is their ﬁrst smartphone; • have been using OS since 20145 or earlier; • currently use OS & previous smartphone had OS.

Out of 864 users, 760 users (88%) used their operating system consistently. Comparing their answers with the answers of all 864 users, we found no statistically significant differences in any of the results that we present in Section 5.4 (mostly, the descriptive statistics were exactly the same). Thus, we conclude that the answers to “inconsistent” users did not influence the results. This may be due to the low number of these users, or possibly consistency of usage is not important for our research questions. In any case, in the following, we present results based on the dataset of all 864 users.

5 The study was conducted in October 2016, such that users that have been using OS since 2014 have more than 1,5 years of experience with it.

68 5 Perception and Usage of Smartphone Permission Models

Demographics The sample characteristics are presented in Table 5.2. Two-thirds of participants are female, most of them are students in the lower semesters, before Bachelor’s degree. On average, their affinity for technology is low (under 3). Our research questions include a statistical comparison of the three user groups with the permission model as independent variable and usefulness of permissions (RQ2-H1) and attitude towards them (RQ2-H2) as the dependent variable. Therefore, we need to make sure that the results of the analysis are not confounded by the differences in the demographic characteristics of the three groups. To determine whether the three groups differ in their demographic characteristics, we calculated the corresponding statistic measures with permission model as the between-subjects factor and a demographic characteristic as the dependent variable. In rare cases, some values are missing in the dataset, therefore we report sample sizes for each statistic result separately. The groups were similar in their average age (F (2, 860) < 2 1), educational degree (χ (6,N = 862) = 8.315, p = .216, ϕc = .07), and occupation 2 (χ (4,N = 861) = 6.084, p = .193, ϕc = .06). However, their affinity towards technology significantly correlated with operating system (and thus permission model) they used, F (2, 863) = 17.150, p < .001, η2 = .04. It was lowest for participants with the old Android permission model, p < .001, whereas participants with runtime Android permissions or iOS did not differ, p = .233. As men in the sample were more affine towards technology than women, F (1, 862) = 221.227, p < .001, we also observed a small but not significant 2 effect of sex, χ (2,N = 863) = 5.256, p = .072, ϕc = .08. Because this difference in the affinity towards technology might confound the effects of the permission model, we controlled for this variable statistically. In the following, we calculated Analyses of Covariance (ANCOVA) with affinity for technology as covariate. Because this was not possible for Chi-squared tests, we calculated the correlation between the affinity for technology and the respective dependent variable to assess whether there was a confound. This was not the case (all r < .10).

App usage All three user groups have similar experiences with app installations: most installed 30 or fewer apps. The majority of participants installs apps several times per month or per year. Overall, users of old Android versions install fewer apps than the other groups.

5.4 Results

We present the ﬁndings of our study according to the two research questions in the following.

69 5 Perception and Usage of Smartphone Permission Models

5.4.1 RQ1 – Usage of Permission Models

To answer RQ1, we consider the role of the old Android permissions in the installation process, and the reported behavior of the users when they encounter runtime permissions: how they usually react, and whether they adjust permissions in the smartphone’s settings.

Usage of permissions for installation decisions When asked to place some elements of user interfaces of the respective app stores in the order of their importance for app choice, the three user groups reported similar behavior. Top 3 elements in all groups were “Price”, “Reviews” and “App Description”. Both groups of Android users put “Permissions” at the fourth place (iOS users do not have this interface element in their app store). 9% of old Android permissions users and 10% of runtime Android users put “Permissions” into the ﬁrst place. We also asked the participants an open question about additional factors that they consider when choosing an app. Permissions were mentioned by 5% of iOS users, including three users that never used an Android smartphone.

Waiving of app usage due to permissions When asked whether they have ever canceled app installations or usage because of permissions, 45% of old Android permissions users, 46% of new Android permissions users, and 31% of iOS users answered in the aﬃrmative. The close similarity between the answers of the users of old Android permissions and runtime Android permissions may be due to the fact that, according to the survey results, all but 11 Android users encountered both permission models. In an open-ended question about the canceling reasons, users across all permission models most often reported that they waive app usage when there is no understandable reason why an app should access certain resources. Users expressed concerns about data security and privacy and criticized lack of transparency why apps need certain permissions. Users often hesitate to use apps if they require permissions that are obviously not related to the functionality, e.g., a calculator app requiring access to the contact list. Furthermore, the participants mentioned speciﬁc sensitive data types which, when being accessed by apps, lead to their non-usage or deinstallation. Permissions such as location, photos, and contact lists were mentioned most often by users of all permission models.

Usage of Runtime Permissions Survey participants were shown examples of runtime permission requests and asked whether they are familiar with such situations (see Section 5.3.1). The overwhelming majority of runtime Android and iOS users (99%) answered in the aﬃrmative. The participants were subsequently asked an open question about how they usually react in these situations. Their strategies can be subdivided into three categories (see Table 5.3). The majority of runtime permission users say that they usually take situational decisions. This means that they decide on whether to allow or decline permissions based on the necessity for the app or depending on the permissions type. Some users feel that some

70 5 Perception and Usage of Smartphone Permission Models

Runtime Android iOS Allow 38 (18%) 62 (20%) Decline 58 (27%) 60 (19%) Depends on the situation 100 (47%) 157 (50%) No answer provided 15 (7%) 35 (11%)

Table 5.3: Usual behavior towards runtime permissions requests (211 runtime Android users and 314 iOS users; percentages not always add up to 100% due to rounding)

Old Android Runtime Android iOS

I ﬁnd permissions useful 3.39 (σ = 1.15) 3.74 (σ = 1.14) 3.74 (σ = 1.17)

Table 5.4: Results of participants’ ratings on a 5-point Likert scale from 1=“disagree” to 5=“agree”(N = 864) permissions, such as location, camera, contact list or microphone, are more sensitive than the others. Some users reported the strategy of first denying all runtime permissions and then granting them if the app does not work as expected. A notable minority of users (around 20%) report that they usually grant permissions. In this case, some users commented that as they download apps from the official stores, they trust these apps. Users were furthermore asked whether they use the possibility to change their permission decisions in the settings of their smartphones. A strong majority of users, 83% for iOS and 71% for Android, answered in the affirmative. The difference between user groups may be due to the fact that the Android users have not fully adapted to the new permissions model yet.

5.4.2 RQ2 – Perception of Permission Models

Both hypotheses formulated in Section 5.1 could be supported:

• RQ2-H1: Runtime permissions are perceived as more useful than old Android permissions. • RQ2-H2: Runtime permissions are perceived more positively than old Android permissions.

The usefulness of permissions was assessed by asking the participants to rate the statement “I ﬁnd permissions useful” on a 5-point Likert scale from 1=“disagree” to 5=“agree”. The results are shown in Table 5.4. The permissions model correlates signiﬁcantly with the perceived usefulness of the permissions, F (2, 860) = 5.987, p = 0.003, η2 = 0.014.

71 5 Perception and Usage of Smartphone Permission Models

Old Android Runtime Android iOS

General attitude towards 2.40 (σ = 0.88) 2.76 (σ = 1.00) 2.87 (σ = 0.94) permissions Overall experience with 3.01 (σ = 0.67) 3.23 (σ = 0.75) 3.23 (σ = 0.76) permissions

Table 5.5: Attitude and experiences with permissions on a 5-point Likert scale from 1=“negative” to 5=“positive”(N = 864)

In particular, users with runtime Android or iOS systems rated permissions similarly useful, and as more useful than users with the old Android system. Attitude to permissions was assessed by two items, both rated on a 5-point Likert scale from 1=“negative” to 5=“positive”. The results are shown in Table 5.5. The permission model is signiﬁcantly correlated with the attitude, i.e., with the general attitude, F (2, 860) = 15.309, p < 0.001, η2 = 0.034, as well as with the overall experience, F (2, 860) = 5.233, p = 0.006, η2 = 0.012. Although, users perceive permissions as slightly negative on average, this emotion is weaker for runtime permissions, nearing the neutral attitude. Moreover, the overall experience with permissions is reported as neutral, but with a more positive reaction from the runtime permissions users.

5.5 Discussion

According to the reported usage of permissions, both permission types are utilized by the users when they decide on installation and usage of apps. Old Android permissions seem to play an important role in the app choice process for a notable amount of Android users: they put permissions at the fourth place in the app choice process (after price, reviews and app description), and almost half of them (45%) reported that they canceled app installations because of permissions. Users of the runtime permissions report that they cancel usage of apps that request unreasonable (from the user’s point of view) permissions. The request for unreasonable permissions could diminish trust in the app. Another possible explanation might be that if the app is not important for the users, they may decide that additional eﬀort required for management of runtime permissions is not worth the beneﬁt they get from the app. However, users of runtime permissions cancel app usage less frequently. This may be due to the fact that many apps still work as expected if the users are free to manage the permissions. Andriotis et al. [7] found in a within-subjects study that Android users encountering both permission models prefer the runtime permission model to the old Android model. The authors used an Android app to collect data from participants’ smartphones regarding permission settings for each installed application. Additionally, participants were asked

72 5 Perception and Usage of Smartphone Permission Models six multiple choice questions about their understanding and perception of the new model. In comparison to Andriotis et al. we used a more extensive questionnaire including also open questions, analyzed a larger user sample and included iOS users in our data collection process. Therefore, we were able to investigate the perception of permission systems independent of the smartphone operating system. However, we did not ask our participants to download an app, and therefore we could not observe their actual behavior. Our results confirm the findings of Andriotis et al. Corroborating their evidence, we find in a between-subject study with Android and iOS users that runtime permissions are perceived more useful and more positively than the old Android permissions. A more extended study that uses both, Android and iOS apps, could build on our findings and provide further insights into permission perception and usage. Bonnéet al. [33] examine how Android users of version 6.0 or higher decide on installing or removing apps from their smartphones. They also logged grant and denial rates of permissions. The authors used data from questionnaires as well as data from observed real app usage behavior through the use of an Android app. Regarding app choice, requested permissions were found to play the least important role in the survey results. This is in contrast to our survey where permissions were ranked fourth after app price, reviews and app description. However, logged data revealed that 15% of all users uninstalled apps due to permissions. In our survey, 30% of iOS and 46% of Android runtime model users stated that they at least once cancelled app usage because of permission requests. As our question was formulated without time boundaries, but Bonnéet al. observed their users for a limited amount of time, we think that our survey results are reasonably close to reality, corroborating the results by Bonnéet al. To summarize, we find that the runtime permissions provide users with both, the benefits of the old Android permissions (as they can decide to cancel app usage in case of unreasonable permissions requests), and with more control over apps that they want to use despite some unwelcome permissions requests.

5.6 Conclusion

We conducted a survey with over 800 respondents comparing perception and reported usage of the respective permission models by three groups: users of old Android, runtime Android and iOS permissions. Both permission types are reportedly utilized in users’ decision making concerning app installation and usage. However, runtime permissions in Android and iOS are perceived as more useful and evoke a more positive emotional attitude than the old Android permissions. Our study has several limitations. We use a convenience sample, mostly consisting of students, and two-thirds of participants are female. Furthermore, the three user groups diﬀer in their aﬃnity towards technology (we control for the latter in our statistical analysis). Therefore, it is not clear how our results can be generalized to other population groups. Additionally, as we used an online survey, we could not assess the actual behavior of the users, but only their reported behavior.

73 5 Perception and Usage of Smartphone Permission Models

Future work is especially needed to understand the actual eﬀectiveness of the runtime permission model, that is, how well it prevents users from the unintended installation of privacy-invasive or malicious apps.

5.7 Summary

In this chapter, we extended our investigation of smartphone users’ perception and behavior regarding security and privacy mechanisms (which are visible to the users), by looking at the perception, usage, and usefulness of different permission models. We will further enhance our analysis by expanding the focus to smartphone usage with regard to smartphone security and privacy in a business context. Organizational objectives, goals, and regulations constitute a different context in which users, whose primary goal is not security, have to fulfil their work tasks including smartphone security mechanisms. These mechanisms differ from the private context as companies are able to restrict, e.g., access to certain smartphone functions (availability of official app stores) and impose certain rules for smartphone handling by technical or organizational measures. We first analyze relevant scientific literature regarding smartphone security measures and their possible effects on individuals and on the organization and describe this process by developing the Dynamic Security Success Model in Chapter6. Additonally, we formulate research questions representing identified research gaps of the literature. Second, we investigate organizational smartphone security from an organizational view by observing how security managers develop, implement and evaluate security measures in large-scale organizations (Chapter7). Finally, we analyze the effects of smartphone security measures on the behvaior of employees with regard to their daily work tasks (Chapter8).

Part II

Business Smartphone Usage

Chapter 6

Smartphone Security Processes in Organizations

Despite their widespread private usage, smartphones also play an important role in the business context. Security requirements of organizations are driven by several factors such as laws, organizational standards and the danger to lose organizational data. This often leads organizations to implement additional security mechanisms next to those being available by the smartphone operating system providers. In this chapter, we develop a model, which presents a theoretical understanding of smartphone security measures including the impact on individuals and on an organizational level. We further present a structured literature review, which is based on this model including research gaps and research questions.

6.1 Introduction

Mobile devices such as smartphones have found their way into our private lives. They facilitate communication, orientation and most important provide mobile access to the Internet. Using smartphones in a business context seems to be a logical consequence. Smartphones, especially privately owned, are used in all kind of organizations, independent of the company. This integration of smartphones, however, implies several security risks for organizational data, such as data leakage by sharing data in the cloud [200]. Smartphones are an interesting attack vector due to the huge amount and quality of personal and business data they store, their internal sensors and because they accompany us in daily life [138]. There exist diﬀerent approaches to integrate smartphones in organizations, of which one can think of as a continuum with employee handled devices on the one end and corporate handled devices on the other end. This image illustrates that smartphone integration can also be realized by a combination of employee and corporate responsibilities. Smartphone usage in companies is often realized by “Bring Your Own Device” policies, enabling employees to use their private smartphone also for business purposes. However, there are several hybrid forms, for example, devices which are bought by the company but conﬁgured and maintained by the employee. Another example is smartphones acquired by employees but with corporate software to enable two separate accounts on the device. It is this diversity that hampers a secure integration of smartphones in organizations. Using smartphones in organizations includes the traditional characteristics of a mobile phone - making phone calls, saving contacts and writing short messages. But it includes further functionalities such as accessing the internet, corporate data and sharing these data. We consider the integration of smartphones from a security perspective.

78 6 Smartphone Security Processes in Organizations

Previous research on smartphone integration into organizations has covered a broad field of topics, often related to the benefits and risks of smartphones in a business context as well as different security solutions (e.g., Mobile Device Management). However, the field of smartphone security is continuously changing. Thus organizations have to adapt to these changes dynamically and learn from previous experiences, especially regarding individual behavior. Therefore, an understanding of smartphone security measures and their effects on the individuals and on the organization is needed. To the best of our knowledge, there does not exist any theoretical model dealing with this dynamical process. We contribute to the IS research area by presenting a new theoretical understanding of smartphone security measures and their impact on an individual and on an organizational level, as well as by presenting a literature review. The underlying research questions are: What are the effects of smartphone security measures on employees and on the organization developed in IS literature? How can organizations learn from experiences with smartphone security measures? The theoretical foundation is based on the Organizational Learning Theory (OLT) [12] and the Information Systems Success Model (ISSM) [54], being well established theory and model respectively. The OLT contributes the dynamic of responding to an unintended result of security measures affecting the company in the form of learning. This learning component is based on feedback and enables the company to adapt to IT security risks especially regarding smartphones. The ISSM contributes to our theoretical foundation by including the individual impact into the organizational context, which is of great importance as the security of a company is highly dependent on the behavior of the employees. We present this theoretical foundation - the Dynamic Security Success Model - and provide a structured literature review based on this model including research gaps and research questions for future work. This chapter is organized as follows: Section 6.2 focuses on the theoretical background, consisting of the Information Systems Success Model and the Organizational Learning Theory. In Section 6.3, the Dynamic Security Success Model is presented, explaining all model constructs and their effects. The underlying methodical approach of the literature review is outlined in Section 6.4. The results of this literature review (synthesis) are described in Section 6.5 as well as the research gaps and the research questions. Section 6.6 presents the overall conclusions.

6.2 Theoretical Background

There exist diﬀerent, recognized approaches for managing organizational information using security frameworks such as ISO/IEC standards (27000 series), COBIT, ITIL, etc. Those frameworks provide guidelines, best practices and control objectives in order to achieve information security. Although, employees are recognized as a resource which has to be managed including training, awareness and competence within the ISO standard for example [121], it is not clear which inﬂuence such measures have on the

79 6 Smartphone Security Processes in Organizations

Figure 6.1: DeLone’s and McLean’s Information Systems Success Model (Adapted from McLean,[54]). individual, whether those measures are usable or whether they may cause dissatisfaction and therefore lead to an unintended behavior (e.g. circumventing security) even weakening organizational security. Those conventional approaches mainly concentrate on a more technical level [204], while the individual, behavioral level is not considered. It is necessary, to also include the user into the security design [173] next to security goals and technology, because “the human factor is the Achilles heel of information security” [73, p. 1]. This means that although technology may be able to provide a secure organizational environment, the individual may be the weakest point by circumventing or incorrectly applying security measures. As the previously mentioned security frameworks do not or not sufficiently consider human behavior as a consequence of applied security measures, we propose the Dynamic Security Success Model, which combines the organizational as well as the individual effects of IT security measures. We briefly explain the Information Systems Success Model and the Organizational Learning Theory in the following, which we combine and adapt to construct the Dynamic Security Success Model (DSSM) in the next section.

6.2.1 Information Systems Success Model

The Information Systems Success Model (ISSM) of DeLone and McLean [54, 56] is an established IS theory that provides an integrated view on IS success by explaining the relationships between six of the most critical dimensions of success (Figure 6.1): System Quality, Information Quality, Use, User Satisfaction, Individual Impact and Organizational Impact and their relationships to each other as depicted by arrows. This widely cited model is considered as a standard model in the field of information systems research for measuring success [55]. It is particularly applicable to the field of smartphone security because it refers to the individual context: Security in general and smartphone security in particular highly depend on the behavior of individuals. This issue is represented by the dimension Individual Impact which directly influences the organization. A short description of the model components can be found in Table 6.1. In the ISSM, System Quality represents “the desired characteristics of the information system itself which produces information” [54, p. 62]. System Quality in the context of smartphone security could be measured by the flexibility of security measures, such as permitting the user to access corporate data from outside the company.

80 6 Smartphone Security Processes in Organizations

Information Quality concentrates on the information system output “namely, the quality of the information that the system produces, primarily in the form of reports” [54, p. 64]. Examples of smartphone security are the policies and guidelines for employees explaining permitted and prohibited applications, e.g., white and black lists of apps. The model component Use refers to the reported as well as to the actual usage of an information system and its output. Use in the smartphone security context refers to the activities the smartphone is used for, such as making phone calls and accessing corporate data under the condition of applied security measures which may restrain these activities. User Satisfaction represents the interaction with the information system and evaluation whether this interaction is successful or not. In the context of smartphone security, this means measuring employee satisfaction with smartphone use including the influence of security measures. With the component Individual Impact, DeLone and McLean aim to measure the effect of the information system on the individual, e.g., regarding performance, which may also result in a changed organizational performance. Regarding smartphone security, this means that for example, a positive effect of security measures on employee behavior, such as higher security awareness, may lead to a change in employee handling of data also regarding other corporate information systems. Organizational Impact consequently measures the effect of the information system on organizational performance. DeLone and McLean present several measures of Organizational Impact used by other authors including profit performance, profitability and overall cost-effectiveness of the information system. However, in the (smartphone) security context, quantifying the return on security investment is a challenging task [32]. An example for the Organizational Impact of smartphone security is the reduction or avoidance of mobile security breaches including loss of corporate data and money.

6.2.2 Organizational Learning Theory

The Organizational Learning Theory is an established theory in the field of information systems which considers a company’s ability to learn from mistakes and improve over time. This theory was developed by Chris Argyris whose representation plays a key role in the theory of how organizations learn. He defines organizational learning as the detection and correction of errors over time and describes individuals as agents whereby organizations learn through their agents [12]. The schematic frame of the Organizational Learning Theory can be found in Figure 6.2 and a summary of the model components and their description is presented in Table 6.2. The model consists of three constructs (Governing Variable, Action Strategy and Conse- quences) as well as of two feedback loops (Single-loop learning and Double-loop learning). The Governing Variable represents a value which the company tries to satisfy and can be interpreted “as a continuum with a preferred range” [15, p. 84]. Examples for Gov- erning Variables in our scenario for smartphone security could be the confidentiality

81 6 Smartphone Security Processes in Organizations

Construct Description Examples System Quality Measurement of the quality of Reliability of virus scanner the information system Information Quality Quality of the information sys- Accuracy of biometric authen- tem’s output tication, e.g. using ﬁngerprint as authentication for the smartphone Use Usage of a system and its out- User scenarios, e.g. accessing put the company’s database from outside User Satisfaction User satisfaction with the sys- Satisfaction with authentica- tem tion policy, e.g. change of passwords every month Individual Impact Impact on individual behav- Security measures may increase ior/performance the security awareness and behavior Organizational Impact Impact on organizational per- Ensuring the conﬁdentiality of formance corporate knowledge after a smartphone has been lost or stolen by a remote wipe function

Table 6.1: Description and Examples of Model Constructs of the ISSM according to DeLone and McLean [54].

Figure 6.2: Organizational Learning Theory (adapted from Argyris [15]).

82 6 Smartphone Security Processes in Organizations

Construct Description Examples Governing Variable Defined values or goals which Security goals of the company con- should be reached [15] cerning the usage of smartphones e.g. consideration of legal conditions Action Strategy Measures taken in order to satisfy Password policies to control user the defined values and goals [15] access to the smartphone and to corporate data Consequences Results of the action strategy; can Decrease in work performance, be intended or unintended [15] fewer security breaches Single-loop learning Adjustment of unintended conse- Increase of password expiration pe- quences by changing the action riods to decrease user authentica- strategy [193] tion effort Double-loop learning Adaption of the governing variable Adaption of security goals due to due to a change of circumstances changed legal conditions in order to achieve intended consequences [193]

Table 6.2: Description and Examples of Model Constructs of the Organizational Learning Theory. of organizational data, while the continuum could be represented by a classification scheme for different data. The Action Strategy is a “sequence of moves” which is used to satisfy the Governing Variables by obtaining intended Consequences [12]. In our case, an Action Strategy could be organizing workshops for employees about selecting safe passwords for their smartphones. The chosen Action Strategy results in Consequences for the company which can be intended or unintended, as well as positive or negative for the organization. Consequences could be fewer security incidents or higher costs for security measures. In order to learn from past mistakes or to improve consequences, the company uses one of the two learning strategies: Single-loop learning is the simplest and most common learning technique and only changes the Action Strategy without critical refection. Double-loop learning is a more complex approach and means the re-evaluation of the goals and circumstances by considering the current Governing Variables [12]. The Organizational Learning Theory is suited for our literature review on smartphone security because (1) it is an established IS theory which considers the company’s ability to learn from the past; (2) it has been already used for literature reviews (e.g. [206]) and (3) it has been already used in connection with information security for example by Van Niekerk and von Solms [201]. These authors define the Governing Variable regarding information security as an acceptable level of risk. Action Strategies are defined as procedures which guide employee behavior in specific scenarios. The Consequences are the outcome of the Action Strategies including intended and unintended results.

83 6 Smartphone Security Processes in Organizations

Figure 6.3: Dynamic Security Success Model based on DeLone and McLean [54] and Argyris [12].

6.3 Dynamic Security Success Model

We combined the Organizational Learning Theory and the Information Systems Success Model and adapted it resulting in the Dynamic Security Success Model (DSSM). Literature reviews using a combination of models have already been realized, e.g. by Weishäupl et al. [210]. The model is displayed in Figure 6.3 and the constructs and effects are explained in the following and summarized in Table 6.3. The aim of the Dynamic Security Success Model is to associate the effects of individual consequences with the effects of organizational consequences regarding smartphone use and smartphone security measures. This also includes feedback loops aiming to generate knowledge and learn from experiences with individual and organizational consequences of security measures. The boundary conditions of our model are organizations (1) with employees using smartphones for business purposes and (2) having organizational and/or technical security measures for smartphones in place. The model is independent of the smartphone integration concept, meaning whether a “bring your own device” policy is in place or whether corporate owned devices are used or any hybrid form. The Organizational Learning Theory has the advantage to observe whether taken actions cause intended Consequences and if not result in a change of the Action Strategy or of the Governing Variable respectively. The advantage of the Information Systems Success Model is the more fine-grained view including both, Individual and Organizational Impacts. The new model combines the advantages of both theories: the characteristics of the individual context and the possibility and dynamic to learn from feedback.

84 6 Smartphone Security Processes in Organizations

6.3.1 Model Components

We interpret the dimensions System Quality and Information Quality of the ISSM as reliability and accuracy of security measures based on the findings of DeLone and McLean [54]. The quality of security is dependent and influenced by further factors (framing conditions) such as the company size, the data processed within the company, the underlying attacker model, etc. Therefore, it is necessary to consider the aspect of quality together with the framing conditions. This is the reason for adapting the presentation of System and Information Quality of the original ISSM. We do not drop the effect of System and Information Quality on Use and on User Satisfaction. Instead, we extend the construct resulting in the Security Objective construct. Although indirect, the relationship between the Quality dimension and Use/User Satisfaction still exists in our model. The Action Strategy is represented by the applied security measures, for example, the establishment of policies relating to the usage of smartphones for employees. The constructs Use, User Satisfaction, Individual Impact and Organizational Impact can be modelled as Consequences for the organization. The Governing Variable, as well as the Action Strategy, refer to security related issues only, while the Consequences also cover non-security related topics. The restriction for the Governing Variable and for the Action Strategy provides the framework regarding security aspects of smartphones in companies. The Consequences are interpreted more broadly in favor of also revealing non-security related implications of smartphones in general and of security measures in particular. In compliance with the Information Systems Success Model, relationships between the constructs symbolize the impact or effect on another construct, e.g., security objectives of a company are implemented in security measures such as using Mobile Device Management software to manage smartphones. These effects are displayed as arrows in the model presentation (E1-E8) and are described in the following.

6.3.2 Relationships between the Constructs • E1: Security Objectives refer to issues related to the integration of smartphones into organizations, e.g., confidentiality and availability of organizational data. Se- curity Objectives determine which security measures are applied within a company. The effects of the Security Measures on employees and on the whole company are summarized within the Consequences part of our model. • E2: Security Measures are implemented in order to fulfill the Security Objectives and goals of a company. An example of such strategies is the enforcement of smartphone disc encryption. According to Van Niekerk and von Solms [201], security controls can be divided into physical, technical and operational controls. Physical controls refer to physical security such as a lock on the door. Technical controls refer to software based security solutions, e.g., the enforcement of user authentication by user name and password. Operational controls take the human behavior component into consideration by imposing behavioral rules, e.g., policies and guidelines defining

85 6 Smartphone Security Processes in Organizations

password rules for authentication on the smartphone. Action Strategies lead to certain Consequences, which affect individuals (employees) and also the organization e.g., authentication policies (regular change of password) which lead to dissatisfaction among employees, reduce the use of smartphones and have a negative effect on working efficiency and on organizational performance. • E3 + E4: Use describes the tasks the smartphone is used for including the net benefit which is provided by the usage of these devices, for example being able to access corporate data at customer sides. User Satisfaction summarizes the responses of the employees to smartphone usage and to the applied smartphone security measures, for example being dissatisfied with the exclusion of private use on a company owned smartphone. Use and User Satisfaction mutually influence each other. For example, positive experiences with smartphone use can lead to a higher degree of satisfaction. Positive user satisfaction can then increase the use. • E5: The Individual Impact represents the effects of smartphone integration including security related effects on the employees such as decreased working productivity due to authentication policies. Smartphone Use and User Satisfaction with the smartphone and the applied security measures have an impact on the individuals. This individual impact can be positive or negative. An example of a positive effect is increased security awareness affecting also the behavior of employees regarding other information systems. Examples for negative effects are security measures conflicting with work when corporate emails are not allowed on the smartphone due to security policies. • E6: Organizational Impact describes the effects of smartphone integration, also including security related effects, on the company and on its performance, e.g., a decrease of security risks by smartphones which are connected to the corporate network by means of applied security measures. The Individual Impact can lead to Organizational Impact when smartphone security measures are circumvented putting company data and knowledge at risk. • E7 + E8: Single-loop learning within a company occurs when the Action Strategy has to be adapted. In the smartphone context, this means that the consequences generated an unintended outcome to which the company should react to, e.g., when security policies and procedures limit the functionality of smartphones to being able to make phone calls only. These security measures limit the smartphone integration in a way which may not be intended and consequently would lead to an adaption of the policies. Double-loop learning occurs when the framework conditions of the company have changed, e.g., due to a change in legal regulations, which results in an adjustment of the security objectives.

86 6 Smartphone Security Processes in Organizations

Construct Description Examples Governing Variable Ensure confidentiality, integrity and availability of corporate Enterprise security goals related information [46]; Legal regu- Security Objectives to smartphone integration into lations in the EU e.g., Gen- the company network eral Data Protection Regulation concerning smartphone policies [170] Effect of the security objectives To fulfill legal requirements, or- E1 on the applied security mea- ganizations have to implement sures security controls [170] Action Strategy Introducing security policies Security measures and controls and software on smartphones to used to protect access to smart- enforce policies such as MDM Security Measures phones and their data and infor- software; appliance of security mation resources, e.g., technical awareness training; mobile de- and operational controls [201] vice risk assessment and management [150] Authentication procedures [170] Effect of applied security mea- can decrease user satisfaction E2 sures on the individual and or- and lead to circumventing secu- ganizational consequences rity measures putting organizational data at risk Consequences Management of information, Operation purposes and actual e.g., contact details and ap- Use usage of smartphones in a busi- pointment [203]; share files and ness context data [39] Employees’ work satisfaction Security policies negatively in- with smartphones, smartphone User Satisfaction fluence mobile device usability usage and with smartphone se- [167] curity measures

87 6 Smartphone Security Processes in Organizations

Positive experiences with a smartphone use can lead to a high degree of work satisfaction Effect of Use on User Satisfac- E3 [86]; Convenience increases with tion the use of smartphones by being able to connect to the internet easily [133] Positive user satisfaction with Effect of User Satisfaction on E4 security policies can increase Use the actual usage [114] Impact of smartphones and se- Employees are connected to curity related impact on em- their office and available any- Individual Impact ployees, e.g., regarding work ef- time which improves working ficiency efficiency [167] Use and user satisfaction influ- Effect of Use and User Satisfac- ence the degree to which smart- E5 tion on Individuals phones are used and therefore influence the working efficiency Impact of smartphones and se- Reduced risk of lost or stolen curity related impact on the smartphones causing security Organizational Impact company, e.g., increase of busi- breaches and leading to costs ness operations, increase of data [114] security Increased security awareness Effect of Individuals on the Or- through smartphone security E6 ganization measures may increase the company’s overall security Feedback Applied security measures can lead to a restriction of smart- Single-loop learning / Adaption of action strategy due phone functionality which neg- E7 to unintended consequences atively affects its benefit [167], making an adaption necessary Adaption of governing variable Changes in legal regulations af- Double-loop learning / due to changed framework con- fecting the security objectives E8 ditions resulting in its adaption

Table 6.3: Description and Examples of Model Constructs of the DSSM

88 6 Smartphone Security Processes in Organizations

6.4 Research Methodology

We conducted a structured literature review according to Okoli and Schabram [141]. We developed and tested a protocol including research questions, search strategy, practical screen, quality appraisal, and data extraction strategy. The complete protocol can be found in the Appendix in Section 10.5. For our research, we selected appropriate electronic databases including peer-reviewed leading journals and conference proceedings, because these sources include the major contributions [209]. We refined the selection by analyzing the editorial statements. Databases which were included are: ACM Digital Library, IEEE Xplore Digital Library, Ebsco Host Business Source Complete, Ebsco Host Business Source Premier and AIS Electronic Library. We further searched within Science Direct und Google Scholar to complete the search. Levy and Ellis [115] propose a forward and backward search due to “the diversification and multidisciplinary nature of IS literature” (p. 189) in order to extend the search. Therefore, we checked the references of the identified articles and used Google Scholar to find relevant articles citing our identified papers (backward and forward search according to Webster and Watson [209]). The backward search revealed 37 additional results and the forward search revealed 15 additional results. Our literature search revealed 569 papers in total. We did not limit the time covered for our search. A keyword search was used on the titles and the abstracts by developing a Boolean search string1. Keywords were chosen according to our model. We included both, articles dealing with company owned smartphones as well as with personally owned devices. According to our defined inclusion and exclusion criteria for content and quality (practical screen and quality appraisal pilot tested and defined in the literature protocol), a subset of the initially 569 articles was identified. One reviewer therefore read all titles and abstracts, while a second independent reviewer analyzed a 10% sample of the 569 identified articles. The sample was randomly chosen among all articles and databases. Papers which focused on risk assessment of smartphones in companies were excluded, e.g., Yazid et al. [214]. We further excluded papers which deal with smartphone security and privacy aspects for private usage as well as papers dealing with smartphone security and technical frameworks, e.g. Lo et al. [119]. The Kappa statistic was used to measure inter-rater reliability as suggested by Fink [69], who recommends aiming for a kappa between 0.6 and 1.0. Agreement between the two reviewers whether to exclude or include an article in the literature review reached a kappa value of 0.6 for the 10% sample. After this identification phase, two reviewers read all remaining 95 articles in detail in order to determine their inclusion in the review. Disagreement was resolved by discussion. Relevant data were extracted into a coding sheet, independently performed by the two reviewers. For the data extraction phase, 74 articles were considered. Finally, a synthesis was developed revealing research gaps. The structured literature review was an exhaustive search with a selective citation. 1 (enterprise OR firm OR company OR organization OR employee) AND (smartphone OR “smart phone” OR “smart phones” OR “mobile device” OR “mobile devices” OR “mobile phone” OR “mobile phones”) AND (security OR secure OR attack OR risk OR breach OR protect OR misuse).

89 6 Smartphone Security Processes in Organizations

6.5 Synthesis and Identiﬁcation of Research Gaps

In the following Section, we present the results of the synthesis phase of our literature review. The presentation of the results is structured according to the previously introduced Dynamic Security Success Model (Figure 6.3). We conclude each subsection with the identiﬁcation of research gaps as recommended by Webster and Watson [209] and therefore formulate research questions for the eﬀects E1 to E8.

6.5.1 Eﬀect of Security Objectives on Security Measures (E1)

Security Objectives refer to enterprise security goals concerning the smartphone integration into a company network. These security goals relate to the protection of corporate information stored on and being accessible by the smartphones and the company’s network as well [19]. The focus is on the protection of sensitive corporate information and services while ensuring confidentiality, integrity, and availability [171, 127]. These sensitive information need to be protected against unauthorized access in case of loss or theft of the device itself [213]. The importance of securing access to this sensitive information depends on the specifications made in the Security Objectives, i.e., the more likely an attack on corporate information, the stronger security measures have to be applied. Consequently, information security is part of the Security Objectives. According to von Solms, “the aim of information security is to ensure business continuity and [to] minimize business damage by preventing and minimizing the impact of security incidents” [205, p. 224]. Security Objectives are subject to a wide range of influences such as legal regulations, the knowledge, and education of employees regarding security, the sensitivity of corporate data and the likelihood of an attack. Samaras et al. [170] describe the legal conditions for organizations located in the EU. The (planned) General Data Protection Regulation (GDPR) forms the framework for the processing of personal data. Whenever personal (employee) data and corporate data are mixed, e.g., when introducing bring your own device (BYOD) policies, the organization has to ensure that this sensitive information are secure by installing appropriate security controls. Otherwise, the organization can be made responsible for data breaches. These legal regulations differ between countries and have to be considered when integrating smartphones and applying related security measures. Organizations not only are subject to different legal constraints, but also to different potential threats. To minimize the potential damage for a company, appropriate Security Measures and tools have to be developed, including information security management [171, 46]. Literature dealing with the knowledge and education of employees regarding security issues in organizations or for the influence of the sensitivity of corporate data on Security Measures is rare. The research questions we focus on are therefore:

• What are the Security Objectives that inﬂuence the company’s decisions regarding smartphone security? • How are Security Measures derived from these Security Objectives?

90 6 Smartphone Security Processes in Organizations

6.5.2 Eﬀect of Security Measures on the Consequences (E2)

Most articles do not put a major focus on the effect of applied Security Measures for smartphones on the Consequences for the individual and the company. Landman [114] describes the conflict between security and efficiency, which describes a tradeoff: implementing effective security procedures mutually exclude efficient business operations and high employee acceptability. Usability may also be reduced as a consequence of protection measures [167], for example by introducing time-consuming security policies for user authentication. However, papers dealing with the effect of Security Measures on Use of smartphones in organizations and on User Satisfaction of employees are rare. We therefore formulate the following research question:

• What are the consequences of applied Security Measures on the Use and on User Satisfaction of employees?

6.5.3 Eﬀect of Use on User Satisfaction and vice versa (E3+E4)

The model component Use refers to the operation purposes and to the actual use of smartphones in the business context. We do not regard Use in direct correlation with security measures, as their usage is not voluntarily [54]. We found many papers describing the areas of applications, e.g., using email and calendar applications [108, 97, 60], accessing and sharing company files and data [169, 185, 27, 133, 39, 60] and conducting traditional telephone communication including phone calls and short text messages [60, 192, 148]. We only found very few papers dealing with the effect of Use on User Satisfaction. Scarfo [174] claims that User Satisfaction increases when employees are allowed to use their personal devices. The possibility to choose the devices themselves increases the opportunities to collaborate and consequently increases User Satisfaction. Eslahi et al. [66] also state that personal devices used in a company context can increase User Satisfaction. Mimbi et al. [133] describe that employees feel more convenient when using smartphones for work, due to the possibility of easy internet access. The effect of User Satisfaction on smartphone Use could only be identified in the paper of Idemudia et al. [94]. The authors developed a model based on visual perception theories in order to understand the factors influencing smartphone use at the individual level in organizations. They concluded that 79% of smartphone use can be explained with users being familiar with a smartphone and with cognitive trust in the integrity of a smartphone [94]. However, the effect of employee satisfaction on applied security measures is not covered by the literature yet. The following research questions thus need further investigation:

• How does smartphone Use inﬂuence User Satisfaction? • How does User Satisfaction with smartphone Security Measures aﬀect actual usage?

91 6 Smartphone Security Processes in Organizations

6.5.4 Eﬀect of Use and User Satisfaction on Individual Impact (E5)

Individual Impact is being directly affected by Use and User Satisfaction. We identified both positive and negative consequences for the employees. Using smartphones in organizations has a positive impact on employee’s productivity and efficiency [192, 167] enabling an increase of 40% in productivity [213]. The reasons for this increase is due to being always updated while on the move [219] and to work location-independent [72] by sharing data and collaborate on these files with colleagues and customers [39, 133]. Smartphones also lead to higher flexibility [66] and availability [132] by being able to conduct business more flexibly [46] and improve turnaround times for problem resolution [213]. These positive consequences are not related to security measures but to advantages of smartphones in organizations in general. As we stated in the beginning, we are not only interested in security related, but also in non-security related consequences. However, information on the positive effect of security measures on smartphones for the individual e.g., causing employees to feel more secure or increasing security awareness is scarce. Negative consequences of smartphone integration into the business context are especially related to BYOD solutions. Allowing employees to use their own personal devices for business purposes increases the workload for the IT department [4] as it becomes necessary to cover a wide range of different devices concerning threat detection and threat mitigation mechanisms [151, 174, 107]. This approach can also be negative for the employees as personal devices lead to a constantly accessible workforce resulting in higher stress levels [143]. The BYOD approach can also be invasive of employee’s privacy [151, 133] as security mechanisms may enable the employer to monitor the personal device and track the employee’s location for example [196]. Our research question to address this issue is:

• What are positive as well as negative consequences of security measures for individuals in organizations?

Independent of the smartphone integration approach (device personally owned or company owned), security measures can lead to a decrease in productivity [4] when authentication policies prescribe a high complexity for passwords which increases the workload and equally decreases productivity. The eﬀect of User Satisfaction with smartphones in general and with applied smartphone Security Measures in particular on employees are not dealt with in literature, resulting in the research question:

• How does User Satisfaction with smartphones and with smartphone Security Measures inﬂuence individuals?

6.5.5 Eﬀect of Individual Impact on Organizational Impact (E6)

Individual Impact of smartphones in organizations is directly related to the Organizational Impact. This means that all advantages and disadvantages for the individuals directly

92 6 Smartphone Security Processes in Organizations affect the organization. The articles analyzed revealed both positive and negative consequences for the organization. The possibility to access current customer information via smartphone independently from the employee’s location accelerates the process of responding to customer needs and therefore leads to a significant improvement of customer satisfaction [213]. Smartphones and smartphone apps enable more productive business processes e.g., within inventory management or technical support [208]. From the point of view of the company, it is beneficial when employees use their personal smartphones for business purposes because they are always accessible, even outside working hours, building a constantly connected workforce [142, 4]. However, it is unclear whether this argument is exclusively positive, as constant accessibility may also have negative effects such as stress for the individual [143] and consequently, may lead to negative effects for the company as well. Russello et al. [169] argue that despite the benefits of increasing productivity when using smartphones, companies have to consider that corporate data is vulnerable to malicious applications leaking sensitive data. These security issues, including loss of data and data being compromised, can result in decreased market shares [78] and consequently in loss of money [114]. This risk is particularly severe for the BYOD solution, where employees may be confronted with situations involving external services over an external network and may not have the adequate level of awareness and knowledge to configure their device appropriatly [4]. The most often mentioned effect on the organization is the increase in employees’ productivity. However, papers describing the measurement of the increase in productivity when using smartphones in organizations are scarce at best as well as a description of how security measures affect this increase in productivity. It is not clear to what extent security measures, on the one hand, affect individuals and on the other hand affect the organization. These influences can be positive (reduce or avoid security breaches) or negative (increased workload leading employees to circumvent security measures and decreasing organizational security). Brodin et al. [35] suggest research directions for BYOD management issues including developing methodologically techniques to measure the influence of smartphones on personal productivity. The authors point out that a lot of previous research on this topic was conducted by large industry players (Intel and Cisco) who are interested in promoting the BYOD approach. Therefore, independent research is proposed for evaluating the benefits and costs of smartphones in companies [35]. We extend this proposal by including the security perspective in the evaluation for smartphones in organizations. This leads us to the following research question:

• How does the Individual Impact of smartphone security measures aﬀect the organization?

6.5.6 Eﬀect of Single-loop Learning (E7)

Single-loop learning within a company takes place when the action strategy has to be adapted. This can be the case when the consequences contradict the original goal. As an example of Single-loop learning one can think of security policies for user authentication

93 6 Smartphone Security Processes in Organizations on smartphones. If these policies prescribe a periodically change of passwords e.g., every month, employees may tend to reuse passwords or use weaker passwords if possible. Therefore, the intended consequence of the Security Measure authentication policy may not be reached. Instead, the measure might reduce IT security. As a result, this Security Measure has to be adapted to achieve the intended security goal. Another example for Single-loop learning is the possibility to share corporate data. If it is prohibited to save corporate data on the smartphone, employees may circumvent this security measure by using ﬁle hosting services such as Dropbox. This can lead to uncontrolled access to corporate data and is not intended by the security measure. Unintended positive consequences are also a conceivable outcome. Employees may feel more secure when appropriate security measures are applied. This can lead to higher user satisfaction and increase the possibility that employees follow security guidelines of other information systems. We propose the following research question:

• How can a company learn from the consequences of past smartphone security measures and incidents in the future through Single-loop learning?

6.5.7 Eﬀect of Double-loop Learning (E8)

Double-loop learning indicates a re-evaluation of the goals and circumstances by considering the current governing variables [12]. A re-evaluation may become necessary, when the factors which determine the governing variables have changed, e.g., the legal regulations. Mattia and Dhillon [125] describe the importance of Double-loop learning regarding security in organizations. They state that a result of Double-loop learning is increased eﬀectiveness in decision making leading to eﬀective security within the company. We found evidence that Security Measures have to be constantly adapted. This necessity results from the changes in smartphone operating systems (e.g., Android, iOS, BlackBer- ryOS), from application development and also from mobile threats [116], whereas the latter such as malware is probably the greatest issue for adaption. Yu et al. [216] present a threat monitoring system in order to reveal threats for mobile devices in organizational networks. The system was developed to detect malware on Android devices including unknown malware detection by applying machine learning algorithms. This research indicates that approaches for Double-loop learning already exist by responding to changes from the outside. In view of the analyzed literature, we propose the following research questions:

• When is Double-loop learning more appropriate than Single-loop learning? • How does Double-loop learning aﬀect an organization’s security regarding smartphones?

6.6 Conclusion

We contribute to the IS research community by developing the Dynamic Security Success Model, which is a combination of the Organizational Learning Theory [12] and the

94 6 Smartphone Security Processes in Organizations

Information System Success Model of DeLone and McLean [54]. The model includes a fine-grained view of the effects of individual and organizational impacts regarding smartphone security measures on the organization. It also includes the dynamic to learn according to feedback, either by adapting the action strategy or if necessary the governing variable. On the basis of this model, we further present a structured and exhaustive literature review (according to Okoli and Schabram [141]), which synthesizes the literature on smartphone security in organizations. For reasons of brevity, we highlight the most interesting aspects. We finally included 74 relevant articles in our review and presented the results in a concept-centric way structured by our introduced Dynamic Security Success Model as suggested by Webster and Watson [209]. We conclude each presentation of the model components and their effects on each other with the identification of research gaps in order to point out directions for future work. Although we applied a structured approach, we might have missed relevant articles in our literature review. This may be also owed to the fact that the number of selected sources (journal and conference proceedings) was limited. Regarding the synthesis of our literature review, we will concentrate our future research on the identified research gaps, especially single-loop and double-loop learning of organizations according to the consequences of smartphone security measures. This learning process is probably the most important aspect for organizations in order to stay competitive and secure information and knowledge as the field of IT security is subject to constant change.

6.7 Summary

In this chapter, we lay the foundation for investigating user interaction with smartphone security mechanisms in a business context. By developing the Dynamic Security Success Model we are able to display the effects of security measures on the individuals as well as on the organization and point out loops for organizational learning processes. By visualizing this security process and assigning scientific literature to the model components, we can identify research gaps. We use these research questions in order to shape the following chapters of this thesis. Chapter7 analyzes the development and implementation of security measures in large- scale German companies by security managers with particular emphasis on the role of the individual (employee) within this process. We further look at how organizational learning takes place in these companies. In Chapter8 the effects of smartphone security measures on the individuals are considered as well as the perception of those security measures by the users.

95 Chapter 7

Smartphone Security from an Organizational View

Establishing smartphone security in large-scale organizations involves the decisions and work of security managers. In this chapter, we investigate how security managers, i.e., leading employees who decide which security measures should be implemented, make decisions regarding security mechanisms. The focus is especially on how users (employees) are considered within this process.

7.1 Introduction

Smartphones have become an indispensable work tool in organizations, being a constant companion to employees, replacing landline phones today and maybe personal computers tomorrow. Smartphones in a business context are used for accessing personal information such as e-mails, calendar and contacts [108, 97, 61], for telecommunication purposes [61, 192, 148] as well as for accessing company files and data [169, 185, 27, 41, 39, 61]. Along with usage of these devices, the number of security incidents increases, with incidents caused by staff accounting for the majority of security problems [157]. Although, information security has developed manifold techniques to prevent and detect attacks on company data, the task of accounting for human behavior remains unsolved, due to the diversity and unforeseeability of human actions. Starting with the seminal work by Adams and Sasse “Users Are Not The Enemy” in 1999 [1], research in human-centered security has often portrayed a tension between leading employees who are responsible for security in organizations (we call them “security managers”) and employees whose primary tasks in the organization do not involve security (we call them “users”). Since then, a multitude of studies showed that users act insecurely due to the lack of user-centered security rather than out of carelessness or ill will [31, 96, 2, 21, 62, 49, 165]. Accordingly, the negative perception of security by users (the users’ side of the above-mentioned “tension”) arises from conflicts of the requirements of their primary work tasks with unusable security measures. In this work, we are asking the question: How does this tension arise on the side of security managers, and what are its consequences? The main recommendation of the user-centric security research is that users and their working requirements should be considered when developing security measures. But how do security managers think of securing an organization while at the same time

96 7 Smartphone Security from an Organizational View considering user needs? How can security managers fulfil their task while being limited in their freedom of action by the organizational and personal context? Security managers’ decisions influence all employees in an organization and therefore, understanding how these decisions are shaped is important. There is little research on security managers’ attitudes to the users, how these attitudes arise, and how they influence decisions in security development processes. To investigate the above issues, we conducted semi-structured interviews with seven security managers in large-scale German companies. These companies belong to different industry sectors and cumulatively employ about 680,000 employees for whose security our respondents are responsible. Our analysis shows that security managers are not the enemy as well. They think and act within their scope which is mainly shaped by the organizational structures in place. As these structures do not facilitate including users into the security development process and promote a negative view on users, the resulting security measures, although created with good intentions, nevertheless become unusable.

7.2 Background

Prior research on user-centered security in organizations has mostly focused on how users perceive and interact with security measures [1, 144, 96, 105, 122, 31], how they can be motivated to comply [184, 183, 89, 202], factors influencing compliance [37, 122], as well as advice for security managers on how to implement security in organizations [59, 156, 153, 20]. However, there exists much less research regarding security managers’ approaches of developing and implementing security in organizations. The existing research can be roughly classified into learning about security managers and helping them. In this Section, we focus on what we know about security managers’ attitudes to the users and to the usability and effectiveness of security, as this is the topic of our study. In the “Implications” section we connect our findings to the literature that discusses how to help security managers in developing user-friendly security. In the past decade, several works compared security professionals’ attitudes toward security with those of employees’ whose primary tasks lie outside of the security domain [3, 88, 154]. Uniformly, the main finding is that values and security attitudes differ sharply between the two groups. Moreover, both groups seem to know very little about each others’ values, views and everyday work realities, a situation that Albrechtsen and Hovden call the “digital divide” [3]. They found that whereas security managers consider users as a security threat and want to control user behavior, the users report that they are willing to protect their organizations, but do not know how, or are hindered by poor usability of security measures and policies. Posey et al. [154] report very similar results from interviews based on the Protection Motivation Theory. The employees most often mention hackers as a threat, whereas security professionals are most concerned about unintentional employee mistakes. Moreover,

97 7 Smartphone Security from an Organizational View an overwhelming majority of the interviewed employees found that the main obstacles to compliance are restrictiveness and difficulty of security measures, but the security professionals greatly underestimated these sources of non-compliance. The security professionals also expressed a desire to control user behavior: “[t]he professionals appear to believe in the effectiveness of authority and enforcement more than [the users]” [154, p. 27]. Hedströmet al. [88] also note that information security management is mostly based on a control compliance model, meaning that user behavior has to be controlled. Based on the assumption that users and security managers in organizations have different and sometimes conflicting values, the authors propose a value compliance model. There, users are part of the security development process and non-compliant behavior is seen as a cause for changing and improving security management. Although the above research describes the wish of the security professionals to control the users, this issue is not discussed in depth. Our study contributes to this research stream by analyzing how the controlling attitude arises. Another issue uniformly documented in the above research is the predominance of the one-way communication with the users, where the users receive security tools, guidelines and policies from the security practitioners, but do not have possibilities to give feedback to security measures. Studies that explicitly focus on security professionals document this phenomenon as well. For example, Botta et al. [34] and Werlinger et al. [211] examine security professionals’ tools, activities, and interactions. In a case study on how security policies are created, they document that users are not involved in the creation of the policies, but just receive the resulting guidelines and are supposed to comply, although they can also ask for a revision of policies. Nevertheless, the communication with end users is mostly one-way, such that security professionals do not get feedback during the development phase. Ashenden and Sasse [18] conducted five in-depth interviews with Chief Information Security Officers (CISOs) in order to gain insights into the role of CISOs in establishing organizational information security culture. They emphasize that CISOs are unable to effectively communicate with the employees and feel remote from them. Meanwhile, Haney and Lutters [83] assert that communication skills and service orientation are very important for successful security advocates, i.e., security professionals that engage with users. We further investigate the engagement of security managers with users. Although researchers uniformly recommend that security managers should consider user feedback when developing security measures, how this advice can be implemented is not quite clear. In the following, we show how security managers think about including users into the security development processes, and what are current impediments to the implementation of this advice.

98 7 Smartphone Security from an Organizational View

7.2.1 The Relation of Security and Usability in Literature

The question of how to secure systems dates back to its treatment in the military. There, following orders and rules is standard procedure, the security of data paramount and as such usability a secondary goal [223]. In IT-security research, the relation between security and usability is often described as a trade-off, meaning that a system can either be secure or usable, but usable security is unachievable [215]. This portrayal of usability and security suggests a form of thinking in which developers have to decide between how much security and usability they want a system to possess [48]. Despite this rather traditional view on the relationship between security and usability [178], other authors argue that these two goals do not necessarily have to be in conflict. Yee [215] describes security as restriction of access to operations and usability as improvement of access to operations. In a system with usable security, the system manages access and restrictions to operations dynamically and dependent on user action. Why should software developers raise questions of usability when uniting security and usability seems so difficult to achieve? If security is unusable, users will ignore or circumvent it, thus reducing the effectiveness of security measures [21]. But if security is usable, security can be improved, as users are more likely to securely use secure systems [172, 38]. Usable security is achieved by implementing security that does not limit or restrict the work of users [178]. Caputo et al. define usable security in relation to its ISO definition as “delivering the required levels of security and also user effectiveness, efficiency, and satisfaction” [38, p. 3]. Cranor and Buchler argue that in order to achieve usable security, “researchers must go beyond adopting human-centered design principles and embrace user decision making” [48, p. 92]. Yee [215] states that security has to be incorporated in the conception of a system and cannot be added afterwards, as this would diminish its usability.

7.2.2 Why Smartphone Security?

When collecting our data, we focused our interviews on smartphones in organizations. Although smartphones may appear similar to other mobile devices such as laptops, they carry some diﬀerences important to organizational security. Smartphones need to be handled with special attention regarding their integration into the company network, as they pose a great risk to company security. This risk is based on a combination of factors which make smartphones a primary point of attack:

1. Smartphones possess a large variety of internal sensors such as GPS, microphone and camera, which enable these devices to collect diﬀerent kind of information. This is even possible without requiring any user permission of accessing sensor data by the use of in-browser attacks [129]. Regarding their threat to organizations, these devices could be misused, e.g. to collect sensitive organizational data in negotiations.

99 7 Smartphone Security from an Organizational View

2. Smartphones are hardly ever switched oﬀ and are constantly connected to the internet. This ability can be misused by malicious applications. Such applications do not only collect sensitive data but can also send this data to locally unbound receivers. 3. Applications installed by users, especially those downloaded from unveriﬁed sources, make the smartphone a device hard to control.

These differences situate the smartphone as a device that introduces a specific set of vulnerabilities into organizations. These dangers and their prevalence led us to tackle the problem of data security from the vantage point of the smartphone. While the specificity of smartphones is not addressed in the course of the analysis, it was a major driver during data collection and is underpinning the whole discussion in so far as smartphones introduce dangers that force organizations to react and make the introduction of many security measures necessary.

7.3 Method

Our empirical analysis is based on interviews with seven IT security managers. Our respondents are leading employees of ﬁve large-scale German companies that in total employ about 680,000 employees.1 As recruiting high-level managers for a study is challenging due to their high workload and poor reachability for outsiders, we used snowball sampling. Three former colleagues put us in touch with security managers of their organizations, who in turn recommended further colleagues from their or other organizations. Table 7.1 presents details regarding the respondents’ industry sector and job title. All respondents hold a leading position in the IT department of their company.

Industry Job Title Participant number Technology Group Security Manager P1 Healthcare Security Manager P2, P3 Telecommunication Project Security Manager P4, P6 Consulting Senior IT Consultant P5 Semiconductors Managing Director P7

Table 7.1: Industry sector, position in the IT department of their organization and participant number.

We conducted exploratory semi-structured interviews with the following open questions:

• How are security goals developed in your company? • How are security measures developed?

1 The number of employees is reported cumulatively for anonymity reasons.

100 7 Smartphone Security from an Organizational View

• What is the role of the users in the security development process?

We sent these questions to our participants in advance so that they could familiarize themselves with the topic. The interview guide can be found in the Appendix in Section 10.6. All interviews were conducted by phone, except for one which was conducted personally. Data material included 371 minutes of raw audio data. Audio recordings were transcribed and approved by the respondents. All data were stored and processed in accordance with the German data protection laws. The participants provided informed consent to the data processing. Data analysis employed techniques elaborated on by Corbin and Strauss [47]. The interview material was first coded by two researchers independently, creating codes and memos. After a general picture of the data material was established, the findings were discussed, designing a final coding scheme. This coding scheme featured three major categories, that now represent major points of our argument: attitudes, practices and context. The category “attitudes” entailed codes that marked interviewees’ attitudes towards various phenomena, such as security, threats, or usability. The category “practices” included codes for descriptions of the way security measures are designed and how the users are involved in these processes. The codes in the category “context” referred to interviewees’ context for action in organizations, i.e., explicit or implicit rules on how things can or have to be done in a specific organization. After the material was coded, we condensed this material to case descriptions. One case represents one interview. Through joint analysis and discussion, we decided what is most relevant to a case, considering factors such as the length and degree of detail an interviewee dedicated to a topic, the importance an interviewee assigns to that topic, what we understand from the interview text to be the typical context of actions for this security practitioner. Thus, a case description is a condensed form of the interview, achieved through abstraction. These case descriptions lent the basis to compare the material and led us to our results.

7.4 Findings

We describe the process of security development in organizations with close attention to the role of the user in this process, including the views of the security managers regarding usability, and their understanding of user behavior.

7.4.1 The Role of Users and Usability in the Development and Evaluation of Security Measures

None of the companies reportedly include considerations of users’ goals and daily workload at the point of the conceptual design of security measures, although the importance of

101 7 Smartphone Security from an Organizational View usability for security is salient to our participants: “I’ve come to believe that a high level of security can only be achieved through a combination of measures which do not restrict usability. And therefore are not perceived as disturbing.” (P6) While the importance of usability is stressed in the majority of interviews, participants also stated that organizational structures to support the consideration of usability are missing: “There are no special surveys, which are conducted in advance to assess whether features are suitable for most of the users. The [security] team is making the decisions and is responsible for it.” (P4) Organizational structures refer to relatively stable rules which would enable security managers to design security in a user-friendly way. The existence of such structures would imply that there are certain methods, for example for requirement engineering, or for getting systematic feedback from the users. These methods might be supported by tools (e.g., an online platform for getting feedback). Only the company of P5 tried to include users in the development process of security measures as beta testers: “We have tried [the security solution] in a pilot study to see how [the users] work with it and how satisfied they are.” (P5) User feedback was very negative, such that this security solution was rejected, and the company started looking for a replacement. In the other cases, however, security measures are tested through regular use: “There is no official evaluation. But we see it indirectly by receiving all these requests, this means that we see relatively quickly how many users are satisfied or dissatisfied with the security measure.” (P1) We note that P1 implicitly assumes that if the users do not complain, then they are satisfied. Feedback concerning existing measures is received sporadically and through indirect channels, such as word of mouth, company owned social media or helpdesk. This feedback is usually negative, e.g., a use case does not work anymore due to new security measures, or an operation takes more time and effort because of new security settings. Managers feel frustrated and powerless because they don’t know how to account for usability in a systematic way, and there is no organizational support: “What now is hanging on the walls are posters with “design thinking” [...]. That’s why we have this great “security made easy” blah. This is of course always a nice management promise, but how to implement it?” (P6)

7.4.2 Perception of Users by Security Managers

Knowledge about the users is built through observation and is generally based on participants’ own interpretation (or the shared understanding between colleagues) of how users act and what users need: “When I meet my colleagues, I watch how they are using [a system]. How do they act? Then I get a feeling if they ever intend to update their device. Or do I have to educate them?” (P4)

102 7 Smartphone Security from an Organizational View

The perception of users is based on a feeling of distrust, which is rooted in three main opinions:

1. Corporate security plays a minor role for users: “The user says: information security again, this is just hindering me.” (P2) 2. Users act out of self-interest, and the fulﬁlment of security tasks does not provide any use for them: “Each individual, whether he admits or not [...], is always going to act in the direction: What’s in it for me?” (P6) 3. Users act insecurely and are therefore the primary attack vector: “Out of a hundred people there are guaranteed two clicking [on a phishing link]. If I wanted to attack a company, I would take on the user.” (P7)

To summarize, users are broadly viewed as volatile elements, hard to control but in need of control (and education). They are assumed to have objectives different from the organizational goal to secure its information. This difference in goals is a constant, no matter whether the user is described as someone egoistically following their own interest, plain naive or just preoccupied with the successful completion of their daily workload. Users are viewed as fundamentally disinterested in, lacking understanding of or even showing disregard towards the organization’s security. Since feedback to security measures received by the managers is indirect, impersonal and negative, the view that the user is someone who makes the creation of security difficult and has no concern for the security objectives of the organization is reinforced.

7.4.3 Coping with User Behavior

The feeling of distrust results in the opinion that users have to be monitored and controlled in order to achieve compliant behavior. This goal is reached by implementing technical security measures that allow the security managers to monitor and to actively influence user actions. For example, MDM solutions2 provide the possibility to check whether employees have changed settings, such as activating debug interfaces: “Depending on the settings which were changed, [we are able to] wipe all company data from the device, which would be the worst case, or just disable email.” (P1) Organizational measures (such as guidelines) are perceived as less effective, as their compliance cannot be enforced. Although not complying with organizational measures can be penalized, this possibility might induce the users to conceal their behavior: “And if the only benefit [from complying with security policies] is to not get a written warning, then they will conceal [their non-compliant behavior].” (P6) In summary, the users are considered to be fundamentally uncontrollable and might, despite all security measures, still fall into traps set by the attackers. While users show

2 MDM means Mobile Device Management, which is a security solution for corporate smartphone usage.

103 7 Smartphone Security from an Organizational View little interest in security measures, those security measures still need to be legitimized in front of users. If a security measure is not up to their taste, they will “man the palisades” (P6), creating a problem for the security manager. Thus, users are (not very cooperative) partners in establishing (never fully secure) security measures.

7.5 Implications

We present a security development cycle that reﬂects our ﬁndings and discuss our results in the light of related work. Finally, we discuss the limitations of our study.

7.5.1 Missing Structures Lead to a Negative Perception

The interviews indicate that security managers consider users when designing and implementing security measures in an incomplete and indirect way. Users are not included in a structured, organized process, as there are no such structures in place. While security managers recognize the need to provide usable security to users, they do not know how to do this. Understanding what exactly makes a security measure usable in the context of an employee’s workload is a complex endeavor that requires adequate skills, organizational structures, methods, and tools. The organizational production of security we found in our interviews leaves security managers to their own devices and necessarily reliant on incomplete information. We visualize the process of security development as described by our security managers in Figure 7.1. When security measures are put in place, managers receive user feedback. As the users are not actively and systematically asked for feedback, this feedback is most likely unstructured and negative, reporting problems and expressing dissatisfaction. When confronted with the negative feedback, security managers perceive users as uninterested in security and lacking understanding and motivation to behave securely. This negative view on the users results in the wish to control the users as much as possible by means of rigid technical security measures. Those security measures, in consequence, have an impact on the efficiency and effectiveness of users’ daily work tasks and therefore result in negative feedback. By unpacking the security development process in this way, we highlight how the lack of user feedback is connected to the wish of security professionals to rigidly control user behavior. Although both phenomena, the absence of two-way communication between users and security professionals, and the controlling attitude are extensively documented in related work [3, 211, 88, 154, 18] (see also the Background section 7.2), previous work does not make their relation explicit. Coles-Kemp et al. [45] point out that trust and collaboration are essential for effective security. Thus, controlling attitude of security professionals, as well as the absence of a dialogue with the users is definitely counter-productive. In the following, we investigate how to break through the above vicious cycle.

104 7 Smartphone Security from an Organizational View

Figure 7.1: Security development cycle as emerged by the interview analysis

7.5.2 Security as Organizational Learning Process

We connect our findings to the organizational learning theory by Argyris [12, 13]. Ac- cording to our analysis, security managers and their organizations seem to be in the single-loop learning situation with regard to security. This situation is characterized by unilateral definition of security goals by managers. They also develop means to achieve the intended goals. If these objectives are not achieved, the organization in general and the security managers specifically change their methods in a way that should (hopefully) result in the initial intended goals. Thus, the organizations learn from unintended results (that can comprise security incidents or negative employee feedback) and try to improve their actions, but do not challenge their security objectives. Development of security measures should become more efficient if the organizations move to double-loop learning which is characterized by going further than just adapting the means and methods. Instead, the organization and the security managers should evaluate whether their security goals are appropriate for achieving the intended consequences. If not, the initial goals have to be changed. Such changes, although they may include major changes in organizational security, are the only possibility to develop effective security. However, double-loop learning has non-trivial cost in time, resources and expertise, according to Argyris’ account of his lifelong experience with action research on organizational change [14]. At the roots of the double-loop learning model are “valid information, informed choice, and vigilant monitoring of the implementation of the choice in order to detect and correct error” [14, p. 22]. Especially collection of valid information about organizational security and the subsequent monitoring of the implementations can be very resource-consuming, as current research in effective organizational security presented in the next section seems to corroborate.

105 7 Smartphone Security from an Organizational View

7.5.3 Ways of Creating Eﬀective Security

Hedströmet al. [88] directly ground their value-based compliance model in the organizational learning theory. They assert that values of security managers, when imposed on employees by means of security policies and measures, constitute for them the “espoused theories”, i.e., ideal theories of action that are not followed. The employees, on the other hand, act according to their “theories-in-action” that embed their professional and personal values. For example in a hospital, the value of providing efficient patient care compels nurses and doctors to write some passwords on the wall or share accounts with each other. The authors discover value conflicts in the hospital environment through an interview study, several observational studies and three expert panels. Considering research on developing tools for security managers, Parkin et al. [149] developed and tested mock-up prototypes with a focus on the management of password composition policies to help security managers to integrate security, usability and an economic perspective on information security policy management. Unfortunately, we are not aware of a real-world tool with similar capabilities. This may be due to the difficulty of populating such tools with realistic and useful data for decision making. Beautement et al. [20] developed a methodology that helps organizations to assess their security culture including prevailing security attitudes and behavior using interviews and a scenario-based survey. Identifying different user groups can be used to inform targeted interventions, plan further training and thus increase the organizational security level. This approach fits well into the requirement of the double-loop learning for gathering valid information. Another promising approach for gathering data about the ineffective security mechanism is the “shadow security” methodology by Kirlappos et al. [104]. Through analysis of interviews with around 100 employees in a multinational organization, researchers gather information about workarounds that the employees use when they want to work securely, but the security measures offered by the organization turn out to be unworkable in a particular situation. This method can lead an organization to reconsider its security processes and co-design them with user participation. Considering the participatory security design, the question arises how to choose employees for the engagement in security feedback and design. One possibility is, according to Becker et al. [22], to find “security champions” in an organization. Using a scenario-based questionnaire developed by Beautement et al. [20], the researchers identify various types of employees who have the potential to be valuable allies in the creation of effective security. Those are not only users that blindly follow the security policies, but also those who criticize or circumvent them. Heath et al. [87] describe a participatory security design process where a system and its security were physically modeled using LEGO. Coles-Kemp [44] describes further techniques for creative security, called “collaborative collage” and “storytelling”. All these techniques require a skilled facilitator. They can be used to make various stakeholders engage with different security perspectives and with each others’ goals and values.

106 7 Smartphone Security from an Organizational View

Ashenden and Lawrence [17] report on the iterative development of a “security dialogues” workshop. A workshop comprises three days of intensive training. This endeavor is directed at mitigation of the core problem in today security development: it teaches security professionals skills they need to engage with the users.

7.5.4 Research Directions

Current research in effective organizational security provides some excellent examples on how to organize double-loop learning in security. However, the application of these approaches by security managers seems to be beyond their skills. Previous research [3, 18, 17] as well as our study show that security practitioners feel rather helpless when they are asked to engage with the users. This is not surprising as, according to the current research presented above, this engagement requires extensive “people skills” [83] as well as non-trivial expertise in qualitative and quantitative usable security research, such as interview and survey conduction and analysis, ethnographic observations or participatory design techniques. This situation is similar to the situation of the users 20 years ago: they were required to possess security skills that were beyond their human capacities, skills and work realities. The field of usable security moved forward since then, such that security professionals now take the responsibility for producing effective security. However, they cannot proceed without appropriate help. They need organizational structures, methods and tools that facilitate systematic engagement with the users. One of the most important research directions for future work is to conceptualize and develop these structures, methods, and tools. An accompanying research question is: what skills should be realistically required from security managers to use these methods and tools? Finally, returning to the double-loop learning, Argyris [13] states that the organizational change must start on the top managerial level, as otherwise, the changes will not be stable. Thus, future research should investigate what level of commitment is required from the top management in order to implement effective organizational security.

7.5.5 Limitations

Our data analysis is based on interviews with seven IT security managers from large-scale German organizations. This limited amount of interviews makes the study explorative in nature. That said, we think that our results can show the breadth of factors in play (without making claims about their quantitative representativeness). While it is not certain if theoretical saturation was reached, we found little variety in our sample concerning major themes. We also think that it is likely that our results apply outside of Germany, as most considered companies operate internationally.

107 7 Smartphone Security from an Organizational View

7.6 Conclusion

Our interviews revealed that security managers rely on knowledge built through experience and generally build on their own understanding of how users act and what they need. This knowledge is apparently an incomplete representation of how security inﬂuences users. We showed how missing organizational structures for including users in the security development process leads to a negative perception of the users by security managers, and thus to a control-oriented approach rather than to a user-oriented approach. Implementing organizational structures for developing user-centric corporate security and providing security managers with appropriate methods and tools is an important research direction that needs future development.

7.7 Summary

In this chapter, we investigate the process of smartphone security development in large- scale German organizations. We present ﬁndings from interviews with security managers from these organizations and especially focus on the role of the users regarding the development and evaluation of security measures. In the following Chapter8, we extend the investigation of smartphone security in a business context by considering possible eﬀects of security solutions on employees regarding their perception and behavior.

108

Chapter 8

Organizational Smartphone Security from the Employees’ View

Smartphone security mechanisms in a business context often aﬀect user interaction with the device. These mechanisms may negatively impact users’ daily work tasks and thus lead to behavioral patterns which do not comply with organizational security regulations. In this chapter, we analyze whether and how smartphone security mechanisms aﬀect user interaction with the device.

8.1 Introduction

The borders between private and business use of smartphones have started to blur with the introduction of BYOD (Bring Your Own Device), COPE (Corporate Owend, Personally Enabled) and other policies that allow personal and business use of a device. Despite the manifold advantages of mobile devices in the business context [97], they also pose novel threats to organizations. Smartphones can provide remote access to a variety of sensitive information, are rarely switched off, face an increased risk of being lost or stolen due to their small size and ubiquitous usage. Additionally, they are equipped with several sensors such as GPS, microphone, camera and motion sensor, which could turn the smartphone into a monitoring device. Although there exist diverse smartphone security measures such as mobile device management systems, VPN connections, firewalls, intrusion prevention systems, and anti- virus [145, 36], smartphone security also depends on employee behavior. Especially, when smartphone security measures are circumvented or not applied appropriately, smartphones pose a risk to organizations. Introduction of smartphones, similarly to any other information system, has the goal of increasing effectiveness and efficiency within an organization [90]. However, one has to consider the interaction of this technology with the organization and its environment [182] in order to fully understand the consequences of its usage. This also means considering the effects of smartphone security measures. We investigate the processes surrounding secure smartphone integration and its consequences for the employees and, ultimately, for the organizations. In the following, we first introduce background information and our research questions in Section 8.2. We then present the methodology of an explorative qualitative interview study, which considers smartphone security from the employees’ point of view (Section 8.3). Subsequently, we present findings from the study to provide insights into the

110 8 Organizational Smartphone Security from the Employees’ View smartphone security development process (Section 8.4). Finally, we discuss our results (Section 8.5) and directions for future research in Section 8.6.

8.2 Background

Looking at the effects of organizational smartphone security measures on employee behavior, we have to consider that those behavioral patterns may not be clearly evident to the IT department. Using workarounds [6] may be the consequence or organizational specifications and guidelines interfering with employees’ primary working tasks leading to shadow IT. Shadow IT is defined as the extended use of soft- and hardware by employees for business purposes and needs other than originally intended by the organization’s IT department [221, 70]. Those solutions which are applied by the employees are nontransparent and are therefore neither known nor approved or controlled by the IT management [166, 80]. Applying these characteristics of shadow IT on our research interest, we define shadow IT regarding smartphone use and smartphone security measures as the extended use of smartphone functionalities especially the use of applications (which use is not intended) as well as the circumvention of smartphone security measures. Smartphone security measures may be circumvented by not using them at all (e.g. deactivating password authentication) or by using alternative soft- and hardware such as the personal mobile device in order to fulfil user-driven business needs. One reason for the existence of shadow IT are unfulfilled business needs [221], which means that available soft- and hardware solutions are not sufficient or not available at all in order for the employees to fulfil their working tasks. This leads to the implementation of shadow IT in order to bridge the gap between business needs and available support by the IT department. Zimmermann and Rentrop [220] enumerate several examples for shadow IT occurrences including mobile devices as a typical instance. Shadow IT is further proposed if the transaction and production costs of the exchange with the IT department are higher than the costs of developing an own solution by the employee [220]. This may especially be the case when there is time pressure on the employee to fulfil a certain business task, as it is often faster to implement an own solution than waiting for the IT department to provide an appropriate solution [70, 146]. As shadow IT is not controlled by any centralized organizational management, it implies several risks for the organization. Panko and Port [147] showed that shadow IT systems such as spreadsheets often contain errors and are used in a way they were not designed to be used [158]. IT shadow solutions developed by employees may not only include errors but further lack any form of quality assurance and monitoring which may result in false business assumptions and decisions [70]. Other consequences, as stated by Fürstenau and Rothe [70], are that if those solutions fail, they may cause decay, unintended ripple effects, and service interruptions. Operational problems may be the result of system breakdowns which are caused by insufficient professionalism [23, 221]. Considering those consequences, shadow IT solutions are a major threat to organizations including financial,

111 8 Organizational Smartphone Security from the Employees’ View legal and reputational issues [24], ”as they are not verified to comply with any of the organisation’s information security or architectural policies“ [80]. Especially regarding the organization’s information security, shadow IT poses a risk due to employee driven solutions which are not controlled or monitored by the IT department [80]. However, user-driven IT solutions can also be interpreted as an alternative, adjusted user behavior in order to fulfil business needs. With capacity for teamwork and adaptability being important characteristics in today’s business life, shadow IT can also be considered from a positive point of view. It can be used in order to solve local challenges and as a driver for innovations. It may further improve the productivity and flexibility of the employees [70, 23, 221]. If employees need to find an own solution, this may be an indicator that the existing IT solutions provided by the organization are not sufficient. Therefore, shadow IT can also be used to recognize the potential for improvement [23, 80]. Despite all the risks and chances of shadow IT based on the findings in the literature, shadow IT solutions do exist in organizations but are only relatively superficial examined. Approaches to handle shadow IT are scarce and represent a growing challenge for practitioners [80]. As a first step to develop such approaches, it is essential to study the characteristics and specifications of shadow IT solutions in the business context. Only if we are able to identify and understand why shadow IT exists in a specific case, we are able to learn from it and thus avoid negative consequences. We, therefore, address this research field by collecting and analyzing empirical data with regard to smartphone usage, especially regarding the interaction between smartphone use and smartphone security measures. We think that this topic provides an interesting gain of knowledge, as organizational security is extremely dependent on employees’ behavior [176]. We formulate the following research questions, which we address in our empirical study. In order to understand shadow IT solutions, it is necessary to also consider the business context of the employees, which is reflected by the additional questions:

• What are smartphones used for in an organizational context? • Which kinds of security measures are mentioned by the employees? • What are the consequences of smartphone security measures on employees? • What are the alternative actions (shadow IT solutions) taken by the employees due to consequences of smartphone security measures?

8.3 Research Methodology

In order to investigate the eﬀects of smartphone security measures on employee’s behavior, we conducted ten semi-structured interviews with employees of various business sectors. We therefore designed and pre-tested an interview guide enabling the participants to provide a comprehensive overview of their daily working routines including the use of the smartphone. The data collection process can be divided into three main steps: (1)

112 8 Organizational Smartphone Security from the Employees’ View

Participant Business Sector Position Gender Age P1 Automotive suppliers Production team leader Male 50 P2 Electrical engineering Branding manager Female 35 P3 Electrical engineering Marketing manager Female 39 P4 Medical technology Application manager Male 28 P5 Medical technology Project manager Female 44 P6 Technical engineering Marketing manager Female 41 P7 Telecommunication Employee ﬁeld service Male 55 P8 Butcher Manager Male 50 P9 IT development Financial manager Female 37 P10 Electrical engineering Manager Male 45

Table 8.1: Demographic data of interview participants task description, (2) smartphone security measures and (3) influencing security measures. The first part, task description, refers to an explanation by the respondents what their working tasks look like in their company. This includes, but is not limited to, the role of the smartphone when performing the working tasks. The second part, smartphone security measures refer to the guidelines and security measures which are used by the company as stated by the respondent. The last part, influencing security measures, explores the possibility of the employee to shape the smartphone security measures, either in the development phase or after they have been implemented. The interview guide can be found in the Appendix in Section 10.7. As we were interested in the variety of smartphone usage within the business context, the different smartphone security measures and the different reactions to those measures, we tried to cover various business sectors and employees’ working positions, as well as different age groups. An overview of our participants’ demographic data can be found in Table 8.1. We interviewed five male and five female participants, who were between 28 to 55 years old. The interviews were held via telephone and lasted 17 minutes on average. All interview data were transcribed verbatim covering 371 minutes of audio material. In order to explore the data, we applied qualitative data analysis according to Schreier (2012). We, therefore, developed a coding frame, consisting of 33 main and sub categories, which are derived by an inductive approach. All categories were developed and defined by two researchers who solved discrepancies by discussion. All relevant text passages were paraphrased, compressed and summarized. The developed coding frame was pretested in a pilot phase. Afterwards, the data material was coded by two independent researchers. Agreement was reached by discussion after all interviews were coded (Cohen’s Kappa = 0.91).

113 8 Organizational Smartphone Security from the Employees’ View

8.4 Results

In this section, we present the results of our study. First, we describe the work tasks of the individuals where smartphones are used. Second, we describe the smartphone security measures which were mentioned by the respondents. And third, we discuss the eﬀects of smartphone security measures on the employees and their behavior and reactions to those measures.

8.4.1 Smartphone Usage

We identified different working processes for which the smartphone was used for. In the following, we briefly describe the purpose smartphones were used in the different companies within our study:

• Increasing mobility: Smartphones enable their users to work location independent, which is especially important for those employees who are travelling and still need to access their data such as e-mail. However, this category also includes an increase in availability while inside the company building, e.g. when being in a meeting or at another colleague’s office. Further, it includes the availability in one’s own office as it seems that smartphones start to replace the landline in the office working place. • Communication: All applications which can be used to directly communicate with other people are summarized within this category. This includes making and receiving phone calls, e-mails, short messages such as SMS and WhatsApp, videoconferencing, etc. • Collecting data: The smartphone is used for the purpose of collecting data by not directly communicating with other people. This category describes the functionality of being able to gather information by using the internet or the intranet for internal data searches such as for a room search within the company building. Further examples are using the camera or the microphone in order to document important information. • Managing data: Besides the functionalities of communication and collection of data, the smartphone can also be used for managing data. This category summarizes all activities which enable the employee to administer his or her information, e.g. calendar entries, reminders, appointments etc. The category also includes more work and company specific activities such as approving an application for leaves and administering accountings and invoices.

8.4.2 Security Measures

Our study revealed two kinds of security measures which were mentioned by our respondents concerning established smartphone security measures within their company:

114 8 Organizational Smartphone Security from the Employees’ View preventive and reactive security measures. Preventive smartphone security measures are measures, which are implemented in order to prevent or to reduce the risk of data loss. Reactive smartphone security measures are measures, which are taken into consideration when physical access is no longer possible, e.g. when the smartphone got lost or stolen. Table 8.2 gives an overview of these security measures and provides examples for each type. As our data collection is limited to the statements of our respondents, the results may be biased and may not accurately reﬂect the smartphone security measures implemented by the corresponding company. However, the security measures mentioned by the respondents are not less interesting, as they seem to be important to the employee, because he or she explicitly mentioned them.

115 8 Organizational Smartphone Security from the Employees’ View

Class Factor Example Access restriction Preventive and access control: Smart- • Internet is not accessible with the smartphone Only particular persons phone (P1) have access to certain Security applications or only Measures • WhatsApp cannot be installed on the smart- particular services are phone (P1) available • Only restricted access to apps and app store (P3, P6, P7) • Encrypted e-mails cannot be read on the smartphone (P4) • Intranet is not accessible with the smartphone (P4, P6) • Corporate e-mails cannot be accessed if software updates are not installed (P4)

Data protection policy: Guidelines and • Data protection agreement has to be signed policies which specify (P1) employee behavior regarding smartphone and • Corporate data must not leave the company data use (P1) • Passwords have to be changed every three months (P3, P4, P5) • PIN needs to be at least 6 characters long (P4) • Telephone and video conferences are not allowed via the smartphone (P6) • Smartphone must privately only be used for communication (P7) • Only corporate software is allowed to be installed on the smartphone (P7) • SIM card PIN must not be disabled (P7) • Smartphone must not be left unattended (e.g. in the car at night) (P7, P9)

116 8 Organizational Smartphone Security from the Employees’ View

Awareness and Training: Measures • Annual training for data security (P1) which build awareness for security risks and for • Training regarding passwords (P1) secure behavior • Security information is sent via e-mail (P1) • Instructions for using the smartphone (P2) • Training for smartphone security measures (P2)

Cryptography: Mea- sures which use cryptog- • E-mails are sent encrypted using the smart- raphy to ensure conﬁ- phone (P2, P3, P4, P10) dentiality • A special app is used for encrypting and de- crypting e-mails (P6)

Authentication: Mea- sures which use authenti- • Passwords are used for e-mail encryption (P3, cation in order to access P6) certain services • PIN is used to access smartphone (P4, P7) • Password is used to access e-mails (P4, P5, P6, P10) • Password is used to access apps (P4, P6) • PIN is used to access calendar (P5) • PIN is used to activate SIM card (P7) • Smartphone is used to authenticate at the corpo-rate system (P9) • Password is used to enable updates (P10)

117 8 Organizational Smartphone Security from the Employees’ View

Data Control: Mea- sures which ensure that • In-house developed apps and app stores are the organization is in used (P3, P6, P7) control of corporate data • Corporate server is used for corporate e-mails (P3) • Two diﬀerent e-mail accounts on the smartphone - private and corporate account (P4)

Reactive Remote Access: Mea- Smart- sures which ensure ac- • Corporate e-mail account can be remotely phone cess to the smartphone, locked (P4) Security although physical access Measures is no longer possible • Password of the smartphone can be changed without physical access to the device (P4) • Remote wipe of smartphone data (P9)

Table 8.2: Smartphone Security Measures mentioned by the respondents of our study

8.4.3 Eﬀects of Smartphone Security Measures on Employees

The effects and consequences of smartphone security measures on the employees are described in the following. We analyze and demonstrate individual situations and reactions as we think that it is essential to look at those instances in order to be able to develop and implement effective smartphone security. Only if we discover the reasons for employee shadow behavior, we are able to design more appropriate solutions which are on the one hand more secure and on the other hand more suitable for the individual employee working context increasing efficiency and satisfaction. We provide examples from our interviews regarding the existing constraints of smartphone security measures and resulting alternative behavior patterns. Implications of smartphone security measures are divided into three categories: implications with no constraints, implications with constraints and implications with behavioral change. Implications with no constraints: Although participants reported that certain functionalities are not available due to security reasons, they did not feel that this had negative implications, as this did not impact their tasks: “In order to access the internet you need a certain user login which you have to apply for. But we don’t need the Internet.” (P1). It was further mentioned that the missing access to the organizational intranet was not disturbing (P2), or that security measures, in general, did not limit smartphone use in any way (P1, P2).

118 8 Organizational Smartphone Security from the Employees’ View

Implications with constraints: Participants reported that some smartphone security measures were experienced as disturbing but did not result in changed behavior, as the respondents did not see any possibilities to circumvent them, e.g.: “We have to change our password every 90 days in order to access our mails on the smartphone.” (P5). If P5 forgets to update her password, she cannot receive any new emails on her smartphone, which already has happened before. P4 reported on missing access to the intranet that complicates work, and P3 mentioned faulty updates which are corrected only after some time. Implications with behavioral change: Smartphone security measures can have implications constraining the work task of the employee leading to a behavioral change. This means that due to the implemented security measures employee may face obstacles when using the smartphone. These obstacles may lead to diﬀerent user behavior. Security measures are then either not used at all (e.g., encryption of emails is removed, as, according to P2, it does not work on smartphones) or an alternative possibility is used. For example, P7 reports: “We have a policy (...) that we are not allowed to install any apps which are not from the company. I, therefore, use my private smartphone for useful apps which I also use for my work.” P7 is mainly working while on the move and uses his smartphone to facilitate his work (e.g., ﬁnding gas stations). However, the company does not allow to install appropriate apps, which results in P7 using his private smartphone and thus circumventing the company policy. Further respondents described the use of alternative communication tools, e.g., using WhatsApp instead of SMS (P3), or the use of laptops instead of the smartphone, e.g., when encrypted emails cannot be read on the smartphone (P3, P4, P10). All constraints resulting from organizational security measures provoked a negative feeling when they were connected to a behavioral change in order to get the work done. Security measures were then either not used at all (removing encryption of e-mails) or an alternative possibility was used (using another device such as the private smartphone). Feedback from employees: We asked our participants if they knew about any form of smartphone security evaluation within their company. We were interested whether the companies considered their end users (employees) within their security development and maintenance processes because we think that their opinion can be of great value to the organizations. Five respondents described possibilities such as contacts forms, hotlines and e-mail addresses to provide the IT department with feedback. However, those respondents did not know what impact their feedback had on security processes. The other respondents were not aware if their company collected data from their employees on applied security measures.

8.5 Discussion

The results of our study show that shadow IT with regard to smartphone security can have multiple forms. Smartphone security is dependent on the organizational context, the speciﬁc working context of the employee and the eﬀect on employee behavior. While there

119 8 Organizational Smartphone Security from the Employees’ View exists research on the phenomenon of shadow IT in organizations, especially regarding the reasons why shadow IT exists [70], detailed insights into how shadow IT emerges and what kinds of different forms exist in organizations are scarce. Smartphone usage by employees can expose the company at risk when smartphone security measures are not applied appropriately or circumvented. Considering the reports of the employees, it seems that many security conflicts are related to smartphones crossing perimeter security of the companies in an unexpected way and having different technical characteristics than laptops and PCs. Thus, when smartphones are used on the move, users need to install apps that facilitate travel, which is not allowed for the fear of malicious apps gaining access to internal resources of the company. Within the company, employees need access to the intranet, but smartphones do not have this access, as they seem to be considered as external devices even within a company’s physical boundaries. Moreover, different password expiration policies are applied to email usage on smartphones versus on other devices, and email encryption works on laptops, but not on smartphones. Coping strategies sometimes result in the usage of shadow IT [23], where employees use unapproved hardware (e.g., private smartphones) or software (e.g., WhatsApp) to complete their tasks. We, therefore, believe that it is essential for companies to also govern actually applied security by their employees in order to control this risk. It is further of interest to study possible and available evaluation mechanisms which should be used in order to collect feedback from the employees about the applied security measures and their consequences for their daily work. Only if we consider the conditions in which employees are fulfilling their work, we are able to understand their behavior regarding security and therefore can develop appropriate measures.

8.6 Conclusion

We have gained insights from 10 interviews with employees from various industry fields regarding smartphone security measures and their effects and consequences. We argue that it is essential to analyze individual situations and behavior as we can learn from those instances for future smartphone security measure development. However, further research is needed to provide a more detailed picture of the interaction of smartphone security and individual employee behavior. Further, our interviews may not have revealed actual behavior, as we did not observe their actions. We, therefore, think of our study as a starting point in order to collect more data from more employees in a field study. However, our results show that even within a small sample size, shadow IT regarding smartphone security is omnipresent and should therefore be considered for future research.

8.7 Summary

In this chapter, we provide insights into the eﬀects of applied security measures on employees including possible reactions such as shadow IT solutions. Although our sample

120 8 Organizational Smartphone Security from the Employees’ View size is limited, it is still observable that security measures affect employees regarding the fulfilment of their work tasks. Deepening the findings from our study can help organizations to improve their security level as employee behavior is decisively influencing the effectiveness of the overall organizational security. In the next chapter, we provide a brief summary of our overall findings and contributions.

121 Chapter 9

Summary and Conclusion

Smartphones play a decisive role in how people are connected with each other by enabling new forms of communication. Information is not only exchanged by voice calls but through diverse kinds of communication. This technology has been available for consumers for about ten years. Due to the intense competition on the smartphone market, devices are affordable and available to the broad population. Being able to share and disseminate all kinds of data also implicates the necessity to secure those data in an appropriate way. While the end users may not always consider the management of data as important, smartphone manufacturers and organizations, in particular, have recognized the need for effective security mechanisms. However, those mechanisms often require user interaction, which makes their effectiveness dependent on user behavior. In this thesis, we investigated how users interact with smartphone security mechanisms from a private and a business perspective. We analyzed internal and external drivers that influence user behavior (see Figure 9.1). Regarding the private perspective, we concentrated on Android and iOS as they are the market leader and focused on user interaction with security and privacy mechanisms. These smartphone operating systems build unique ecosystems, which on the one hand attract certain kinds of users. On the other hand they provide security and privacy related portfolios of measures available which affect user perception and behavior. Therefore, we investigated how security and privacy mechanisms provided by Android and iOS relate to user perception, awareness, and behavior. For this purpose, we concentrated on security measures being visible to the users such as the permission systems, application handling, authentication procedures and further security settings provided by the operating system providers. Regarding the business perspective, we focused on large-scale German organizations from various business sectors representing use cases within our analysis. As a first step, we analyzed academic research literature by conducting a structured literature review. The aim of this analysis, on the one hand, was to visualize the development process of smartphone security in large-scale organizations. On the other hand, we identified research gaps referring to our model in order to show possible directions for further research approaches. Secondly, we took the insights gained from the literature review up and applied the approach in firstly analyzing the organizational smartphone security development process from the security managers’ view. Then, we changed the perspective and investigated the effects of implemented organizational security mechanisms on employees regarding their daily work task.

122 9 Summary and Conclusion

Figure 9.1: Research picture

In generating detailed knowledge about smartphone users regarding their perception, awareness, and behavior of security and privacy mechanisms, we contribute to the understanding of how smartphone operating systems should be designed with respect to security and privacy to be more effective. The role of users in establishing and maintaining security is essential and dependent on the usability of the respective security measures, regardless of the context smartphones are used in. For example, if security measures are not transparent to users, meaning that their usefulness is not clearly visible, they may not be used or misused. In an organizational context, this may lead users to circumvent security mechanisms, which may result in loss of organizational data, loss of reputation and consequently in the loss of money. In a private context, misinterpreted security measures may lead to a wrong understanding of smartphone security, and thus, result either in too much trust into the operating system providers or lead to a changed behavior. There we showed that users’ mistrust in smartphone security culminated in even owning two separated devices for making phone calls and for accessing the internet. Too much trust may also have negative consequences, for example, by overestimating the operating system’s ability to identify and block malicious apps. This belief enables attackers to gain access to users’ smartphones and harm the users financially. To sum it up, we apply quantitative and qualitative methods in order to investigate user interaction with smartphone security mechanisms. This thesis provides insights and knowledge about user behavior to enable current and future development of smartphone security to become more effective regardless of the context.

123 Chapter 10

Appendices

10.1 Proﬁle Matrix

In this section, we present detailed information on the participants from our study as described in Section3. We provide a proﬁle matrix for all 20 participants which is presented in Table 10.1 in the following.

124 10 Appendices S&P type P U P P Protective behavior keylock; anti-virus; is no: nothing tounimportant data, hide, no bad experience; is watchful keylock; local backup; selective cloud backup ender); phone”-app anti-virus; no keylock effort);backup no tant data); is watchful watchful (notes, cal- (too much (unimpor- “find my Decision against app yes:evance rel- of data no yes:tacts, con- so- cial media accounts no Sensitive data N. a. bank account; movement profile contacts; personal data; communication content bank account Knowledge of app data access location, contacts location calender; all data saved on the phone don’t know Consequences of S&P awareness appavoidance of rejection; free none app rejection; restriction of data input private information: only phone calls; restriction of data input Wi-Fi S&P aware- nesstions situa- app installation / updates; Internetcess; ac- influence social app installation / update app installation / updates; online banking online banking RoleS&P of app choice in scansmissions, per- thinks they are terms of use thinks permissions areLAs, looks there EU- subscription for traps gamesnot are critical; relevance ofrequests data none RoleS&P of device in choice used to have iPhone, now has tomore careful be =system) none open trust i store none (Android T Y N N N OS A A iOS A 7.0.x 4.2.2 4.1.2 4.1.2 Age 22 38 29 25 G F M F F #P 1 2 3 4

125 10 Appendices P U P P noknowledge); anti- keylock; local backup; data on old device; some- timesout goes without smartphone no anti-virus sary),keylock no (effort); backup cloud); is phone” noknowledge); anti- no keylock hide); is no anti-virus essary); keylock; backup cloud); “find my iPhone” virus (no virus (no watchful; watchful (unneces- (local and (nothing to (unnec- (local and “find my yes: location yes:tacts, con- reg- istration no yes:evance rel- of data contacts; communication contents; relevance of data contacts; relevance ofpersonal data; data contacts; pictures; personal data contacts; personal data location; contacts; microphone contacts; pictures; social media accounts calender; all data saved on the phone microphone; movement profile private information: only phone calls; restriction of data input none restrictiondata input of app rejection; restriction of data input media reports none online banking app installation / updates; online banking truststore, does not in derstand permissions un- reviews none trust in store yes, aversion against Ap- ple’ data collection none none closedtem sys- secure more Y N Y Y A iOS iOS iOS 7.0.2 7.0.4 7.0.4 4.2.2 34 25 27 52 M F M M 5 6 7 8

126 10 Appendices F P P F no anti-virus keylock; no backup (no important data); some- timesout goes without smartphone nonecessary); anti- keylock; backup cloud); insurance keylock; no anti-virus edge); is backup is watchful; anti-virus; keylock; no backup tant data); phone”; second mobile for contacts and calls virus (not watchful; (“snake oil”); (local and (no knowl- (local) (unimpor- “find my yes: calender; microphone yes:tacts, con- loca- tion yes: data access (not specified) yes:evance rel- of data movement profile; contacts none location; relevance of data location; contacts; relevance of data location; contacts; pictures; microphone; movement profile; communication contents; social media accounts location; contacts location; contacts; all data saved on the phone location; contacts; all data saved on the phone app rejection; restriction of data input app rejection; restriction of data input; private information: only phone calls; none restrictiondata input of app installation / updates; media reports online banking none Internet access unaided: permis- sionsimportant; are disabling specific permissions not possible none none permissions aretant impor- Google is even worse; more flexible; iPhonemore secure is iPhonenot is secure is secure) mistrust in Linux none Apple is Android is Apple; likes (Blackberry “nosy”, but Y Y Y Y A iOS A N. a. A 7.0.4 4.1.2 4.1.2 44 50 44 53 M M F M 9 10 11 12

127 10 Appendices U U F U anti-virus no keylock ful); backup on anphone; “find old my phone” anti-virus; no keylock backup tant data) is watchful; no anti-virus essary); keylock; no backup tant data, no knowledge) no anti-virus essary), keylock; backup watchful (on advice); (is watch- (cloud); data (effort); no (unimpor- (unnec- (unimpor- (unnec- (cloud); is no no yes:tacts, con- rel- evance of data no none contacts; pictures; communication content contacts; personal data; social media accounts location; pictures contacts; pictures; calender; all data saved on the phone social media accounts contacts; personal data;cial so- accounts media location; contacts; pictures; calender; movement profile;cial so- accounts media none private information: only phone calls app rejection no none mediaports; online banking re- applation instal- updates; / online banking none none reads, but often does not understand permissions, uses onlyfew a apps none none none none none Y N N Y A A A iOS 2.3.3 7.0.4 4.4 4.1.2 30 25 24 23 F F F M 13 14 15 16

128 10 Appendices P U P no anti-virus essary); keylock; backup (local);my “find phone” no anti-virus sary);keylock no (is backup cloud); phone”-app noknowledge); anti- keylock; backup cloud) virus (no watchful); (unnec- (unneces- (local and (local and “find my yes:cation, lo- contacts, social media accounts, relevance of data no yes: social media accounts, registration, relevance of data location; pictures; movement profile; relevance ofcontacts; data; location; bank account; relevance of data location; contacts; camera; microphone; movement profile; social media accounts; relevance of data location; contacts; pictures; movement profile location location; contacts; camera; microphone; movement profile;cial so- accounts media private information: only phone calls restrictiondata input of private information: only phone calls; app rejection; restriction of data input applation instal- /dates; talking up- to friends Internetcess; ac- banking online app installation / updates; media reports trust in store none data access requests; truststore; social influence in use the apps, too) (other people aversion against Google’s data collection none none Y Y N iOS iOS 5.1.1 iOS 8.1.2 7.0.4 22 35 28 M M F 17 18 19

129 10 Appendices P is watchful; no anti-virus riences); keylock; backup (no bad expe- (local) no location; contacts; pictures; allsaved data onphone; the calender; camera; microphone; movement profile; social media accounts; relevance of data location; allsavedthe data on camera; phone; social media accounts restrictiondata of private information: input; only phone calls; media reports; Internetcess; ac- banking online data access requests Pragmatic / Unconcerned as defined in Table 3.2 on page 34 none N iOS 8.1.2 37 F 20 Table 10.1 : Profile matrix for participants 1-20; G = Gender, T = Technical background, S&P type = Fundamentalist /

130 10 Appendices

10.2 Interview Guide of Chapter3

In this section, we provide the interview guides (in German) for Android and iOS as used within the study as presented in Chapter3. Instructions written in italic are information for the interviewer.

10.2.1 Einleitung

Sehr geehrter Herr ..., / Sehr geehrte Frau ..., Zunächst möchten wir uns bei Ihnen bedanken, dass Sie uns für ein Interview zur Verfügungstehen und somit einen wertvollen Beitrag fürunser Forschungsprojekt leisten. Mein Name ist ... und ich bin Mitarbeiterin am Lehrstuhl fürInformatik der Friedrich- Alexander- UniversitätErlangen. Im Rahmen eines Forschungsprojektes beschäftigenwir uns mit dem Thema “Smartphone Nutzung”. Bei dieser Befragung handelt es sich um ein qualitatives Interview. Es geht dabei um Ihre Meinung - es gibt daher keine richtigen oder falschen Antworten. Das Gespräch wird ca. 45 Minuten Ihrer Zeit in Anspruch nehmen. Mit Ihrem Einverständnis,würdeich dieses Gespräch gerne aufzeichnen, um die anschließende Auswertung zu vereinfachen. Selbstverständlich werden sämtliche Daten streng vertraulich behandelt und anonymisiert ausgewertet, so dass kein Rückschluss auf Ihre Person möglich ist. Wenn Sie dies wünschen, erhalten Sie vorab eine Abschrift dieses Interviews zur Freigabe. Haben Sie dazu noch Fragen? Falls nicht, möchte ich jetzt das Interview beginnen. Einleitend werde ich Ihnen einige allgemeinen Fragen stellen.

10.2.2 Fragen zur Person

Bevor wir in das Thema einsteigen, h¨atteich von Ihnen gerne ein paar Angaben zu Ihrer Person, damit wir in der Analyse auch auf eventuell auftretende demographische Unterschiede eingehen k¨onnen.

1. Wie alt sind Sie, wenn ich fragen darf? 2. Was machen Sie beruﬂich?

a) Falls Schüler, welche Leistungskurse? Bzw. was wollen Sie anschließend machen? b) Falls Student, welchen Studiengang? c) Falls nicht Student, in welcher Fachrichtung sind Sie derzeit tätig? 3. Haben Sie einen technischen Hintergrund? (Technische Ausbildung, früherer Beruf in technischem Bereich)

131 10 Appendices

4. Was haben Sie fürein Smartphone (Hersteller)? Könnten Sie es mir bitte zeigen? 5. Welche Version von Android/iOS haben Sie derzeit auf ihrem Smartphone installiert? (Wenn dies nicht bewusst ist: Sie könnendies unter Einstellungen - über das Telefon/Info - Android-Version/iOS-Version nachschauen) 6. Hatten Sie vorher schon ein Smartphone?

a) Falls ja, welches? b) Warum anderer/selber Hersteller? 7. Seit wann besitzen Sie grunds¨atzlich ein Smartphone? 8. Haben Sie vor sich in n¨achster Zeit ein neues Smartphone zuzulegen?

a) Falls ja, welches? b) Warum anderer/selber Hersteller? 9. Interessieren Sie sich grunds¨atzlich f¨uraktuelle Entwicklungen auf dem Smartphone- Markt? Falls ja, woher beziehen Sie Ihre Informationen?

10.2.3 Entscheidungsfaktoren beim Smartphone-Kauf 10. Haben Sie dieses Smartphone gekauft bzw. aktiv an der Entscheidung mitgewirkt?

a) Falls nein, warum? b) Falls ja, wann und zu welchem Zweck? (beruﬂich, privat) 11. Worauf haben Sie beim Smartphone-Kauf geachtet? Welche Aspekte waren Ihnen wichtig?

Ungestützt- Hinweise fürInterviewer: • Kostenaspekte (Anschaffungskosten, Zusatzkosten) • Marke (grds. Präferenz Markenprodukte, Prestige, Einstellung gegenüber Marke, Kundenbindung, Vertrauen, Risiko, Emotionen) • Design, Aussehen und Handling • Externe Einflüsse(Werbung, Meinung Freunde und Familie, Empfehlung Verkäufer, Bewertungen und Testergebnisse) • Technische Aspekte (Betriebssystem, Technologie, Funktionalität) • Verwendungszweck • Bindung durch Verträgeund Kompatibilitätzu anderen Produkten

132 10 Appendices

• Aspekte der Datensicherheit und Privatsph¨are (App Store Konzept, Berechtigun- gen) 12. Wie haben Sie die Kaufentscheidung getroﬀen?

Ungest¨utzt- Hinweise f¨urInterviewer

• Spontan • Beratung Verk¨aufer • Informationssuche vorab

10.2.4 App Auswahl 13. Haben Sie schon mal eine App runtergeladen?

a) Nein, warum nicht? b) Ja, z.B.? 14. Haben Sie auch schon mal eine App gekauft?

a) Nein, warum nicht? b) Ja, z.B.? Wie haben Sie bezahlt? 15. Wenn Sie ein Verhältnisangeben müssten:Wie viele Ihrer Apps sind gekauft und wie viele waren kostenlos? 16. Wo kaufen bzw. laden Sie Apps runter? Ausschließlich dort? 17. Welche Apps nutzen sie am häufigsten? 18. Was ist Ihnen bei der Auswahl einer App wichtig? Auf welche Aspekte legen Sie wert?

Ungest¨utzt- Hinweise f¨urInterviewer:

• Verwendungszweck, Nutzen • Kostenaspekte (Anschaffungskosten, Zusatzkosten) • Design, Aussehen und Handling • Externe Einflüsse(Werbung, Meinung Freunde und Familie) • Technische Aspekte (Technologie, Funktionalität) • Aspekte der Datensicherheit und Privatsphäre (Berechtigungen)

133 10 Appendices

10.2.5 Privacy und Security Awareness 19. Denken Sie nun bitte an ein besonders positives oder negatives Ereignis bei dem Sie innerhalb der letzten 6 Monate mit Aspekten der Datensicherheit bzw. des Datenschutzes w¨ahrendder Benutzung ihres Smartphones in Kontakt gekommen sind. Bitte beschreiben Sie uns dieses konkrete Ereignis so genau wie m¨oglich. Punkte, die uns dabei besonders interessieren, sind:

• War Ereignis positiv oder negativ • Worum ging es • Warum könnenSie sich daran erinnern • Auswirkungen, Reaktionen und Konsequenzen • Einfluss auf Zufriedenheit, Einstellung, Aufmerksamkeit 20. Bestehen fürSie Unterschiede zwischen Datensicherheit (Sicherheit der Daten, IT- Sicherheit) und Datenschutz in Bezug auf Smartphones? Ggf. beide Aspekte separat ansprechen im Folgenden. 21. Achten Sie währendder Smartphone-Nutzung grundsätzlich auf Aspekte der Daten- sicherheit bzw. des Datenschutzes? 22. In welchen Situationen der Smartphone-Nutzung fallen Ihnen Aspekte der Daten- sicherheit bzw. des Datenschutzes besonders auf? 23. Haben die geschilderten Aspekte der Datensicherheit bzw. des Datenschutzes eine Auswirkung auf Ihre Smartphone-Nutzung? (z.B. auf die Wahl von Apps) 24. Falls schon mal Smartphone-Wahl getroffen und ungestütztPrivacy und Security nicht genannt: Wir sprachen vorhin über Ihre Smartphone-Wahl Entscheidung. Haben dabei Aspekte der Datensicherheit bzw. des Datenschutzes ihre Entscheidung beeinflusst? Falls ja, inwiefern? 25. Haben die geschilderten Aspekte der Datensicherheit bzw. des Datenschutzes eventuell eine Auswirkung auf Ihre zukünftigeSmartphone Wahl-Entscheidung? Falls ja, inwiefern? 26. Falls schon mal App-Wahl getroffen und ungestütztPrivacy und Security nicht genannt: Wir sprachen vorhin auch darüber, wie Sie Apps auswählen. Beeinflussen dabei auch Aspekte der Datensicherheit bzw. des Datenschutzes ihre Entscheidung? Falls ja, inwiefern? 27. Die meisten Apps benötigensogenannte “Permissions” bzw. “Berechtigungen”. WürdenSie mir bitte erklärenwas sich dahinter verbirgt, bzw. worum es dabei geht. 28. Falls Wissen über Permissions vorhanden: Wissen Sie, auf welche Daten Apps Zugriff verlangen können?

134 10 Appendices

29. Achten Sie bei beim Download oder der Installation einer App darauf, auf welche Informationen die App zugreifen kann? Welche Daten sind dabei fürSie besonders sensibel? 30. Haben Sie sich jemals gegen die Benutzung einer App entschieden, weil diese Zugriff auf bestimmte Informationen verlangt? Um welche Daten handelte es sich dabei? Wie sind Sie dann vorgegangen? Gab es Alternativen zu dieser App? 31. KönnenSie mir die Sicherheitseinstellungen auf ihrem Smartphone zeigen? Zur Dokumentation wärees sehr hilfreich, wenn Sie Ihr Vorgehen hierbei bitte erläutern könnten. 32. Haben Sie schon mal Anderungen¨ in Ihren Sicherheitseinstellungen vorgenommen? Falls direkt von 3.6 kommend - zurückzu Frage 4.1; Weitere Fragen: 4.2, ggf. 4.6 und 4.7 Nun noch einige abschließende Fragen zum Schluss: 33. Schützen Sie sich im Allgemeinen vor fremdem Zugriff auf Ihrem Smartphone? Wenn ja, wie? 34. Haben Sie konkret einen Virenscanner oder sonstige Sicherheitssoftware auf Ihrem Smartphone installiert?

a) Nein, warum nicht? b) Ja, warum und welche Software? K¨onnenSie sie mir vielleicht direkt auf Ihrem Smartphone zeigen? Was genau macht die Software? War die Software schon vorinstalliert oder haben Sie sie runtergeladen? 35. Haben Sie konkret eine Tastensperre oder sonstige Zugriﬀsbarrieren auf Ihrem Smart- phone eingerichtet?

a) Nein, warum nicht? b) Ja, warum und welche Art von Barriere? K¨onnenSie sie mir vielleicht direkt auf Ihrem Smartphone zeigen? Was genau macht die Barriere? 36. Haben Sie Ihre Daten im Smartphone gegen Datenverlust gesch¨utzt?

a) Nein, warum nicht? Welche Auswirkungen hätteein Verlust Ihrer Smartphone- Daten fürSie? b) Ja, warum? Wie? 37. Haben Sie Ihr Smartphone gegen Verlust geschützt?

a) Nein, warum nicht? Welche Auswirkungen h¨atteein Verlust Ihres Smartphones f¨urSie? b) Ja, warum? Wie?

135 10 Appendices

38. Wissen Sie was rooten/jailbreaken bedeutet? Falls ja, k¨onnenSie es mir bitte erkl¨aren?

a) Haben Sie das schon gemacht? Ja, warum? Nein, warum nicht? b) WürdenSie es wieder tun? Ja, warum? Nein, warum nicht? c) Hatten Sie Bedenken dabei? Ja, weil? Nein, weil? 39. Welches Betriebssystem haben Sie auf Ihrem Computer installiert? 40. Haben Sie auf Ihrem Computer einen Virenscanner installiert? 41. War die Software schon vorinstalliert oder haben Sie sie sich runtergeladen bzw. gekauft? 42. Welche grundsätzliche Einstellung haben Sie gegenüber dem Thema Datensicherheit und Datenschutz, unabhängigvon Ihrem Smartphone? 43. Gibt es zum Thema Datensicherheit und Datenschutz bei der Smartphone-Nutzung“ ” noch wichtige Aspekte, die wir bisher noch nicht angesprochen haben, die aber aus Ihrer Sicht entscheidend sind?

Wir bedanken uns nochmals herzlich f¨urIhre Unterst¨utzungund Teilnahme an diesem Interview!

10.3 Online Questionnaire of Chapter4

In the following, we provide the online questionnaire (in German) as used within the Chapter4 of this thesis. Answer options with a circle indicate that the participant has to provide exactly one answer, while a box indicates that several answers can be chosen.

10.3.1 Umfrage zur Smartphone-Nutzung 1. Haben Sie ein Smartphone? (Hinweis: Smartphones sind mobile Telefone mit gr¨oßerem Display, die eine Symbiose aus Handy, Media-Player, MP3- Player, Personal Information Manager (PIM), Digitalkamera, Smartphone-Browser, E-Mail-System, GPS-System und anderen Funktionseinheiten bilden.)

◦ Ja ◦ Nein ◦ Weiß ich nicht 2. Bitte w¨ahlen Sie den Hersteller (z.B. Apple, Samsung, Nokia, etc.) ihres Smartphones aus.

◦ Apple

136 10 Appendices

◦ Samsung ◦ Nokia ◦ Sony Ericsson ◦ HTC ◦ BlackBerry ◦ Motorola ◦ Anderer Hersteller ◦ Weiß ich nicht 3. Welches dieser Icons (Symbole) ist auf ihrem Smartphone vorhanden?

◦ Apple App Store Icon ◦ Google Play Store Icon ◦ Google Marketplace Icon ◦ Windows Phone Marketplace Icon ◦ Nokia Store Icon 4. Welches Betriebssystem (z.B. wie Microsoft Windows, MacOS oder Linux) l¨auft derzeit auf Ihrem Smartphone?

◦ Android ◦ iOS ◦ Windows ◦ Symbian ◦ BlackBerry OS ◦ Weiß ich nicht ◦ Anderes: 5. Das Unternehmen, welches das Betriebssystem meines Smartphones entwickelt und verwaltet, ist mir bekannt.

◦ Ja ◦ Nein ◦ Weiß ich nicht 6. Das Unternehmen, welches das Betriebssystem meines Smartphones entwickelt und verwaltet, lautet: 7. Bitte geben Sie im Folgenden an, wie sehr die Aussagen auf Sie zutreffen (Trifft völlig zu; Trifft ziemlich zu; Weder noch; Trifft nicht zu; Trifft gar nicht zu).

◦ Technische Geräteinteressieren mich ◦ In Bezug auf Technik bin ich anderen Menschen oft einen Schritt voraus ◦ Es fälltmir schwer, die Bedienung eines elektrischen Gerätes zu erlernen ◦ Andere Leute fragen mich bei technischen Angelegenheiten um meine Meinung oder bitten mich um Hilfe ◦ Ich lege Wert darauf, dass die Ausstattung meiner elektronischen Geräteauf dem neuesten Stand der Technik ist

137 10 Appendices

8. Bitte geben Sie im Folgenden an, wie sehr die Aussagen auf Sie zutreffen. (Trifft völligzu; Trifft ziemlich zu; Weder noch; Trifft nicht zu; Trifft gar nicht zu).

◦ Bei der Auswahl meines Smartphones hat mich die Herstellermarke (z.B. Apple, Samsung, Nokia, etc.) beeinflusst ◦ Bei der Auswahl meines Smartphones haben mich technische Leistungsmerkmale beeinflusst ◦ Bei der Auswahl meines Smartphones haben mich die Meinungen von Freunden/- Familie /Kollegen beeinflusst 9. Was ist Ihnen bei der Auswahl einer neuen App wichtig? Hinweis: App (Kurzform für Application) bezeichnet Anwendungsprogramme, die über einen Onlineshop erhältlich sind und spezielle Funktionen beinhalten, z.B. Wettervorhersage, Nachrichten, Spiele, etc. 10. Haben Sie einen Virenscanner oder sonstige Sicherheitssoftware auf ihrem Smartphone installiert?

◦ Ja ◦ Nein ◦ Weiß ich nicht 11. Haben Sie sich jemals gegen die Benutzung einer App entschieden, weil diese Zugriﬀ auf ihre pers¨onlichen Informationen verlangt?

◦ Ja ◦ Nein ◦ Weiß ich nicht 12. Wenn eine App eine oder mehrere der folgenden Informationen abrufen m¨ochte, benutze ich die App nicht: 13. Ich bin

◦ Weiblich ◦ M¨annlich ◦ Keine Angabe 14. Ich bin

◦ Unter 14 Jahren ◦ Zwischen 14-17 Jahren ◦ Zwischen 18-21 Jahren ◦ Zwischen 22-25 Jahren ◦ Zwischen 26-30 Jahren ◦ Zwischen 31-40 Jahren ◦ 41 Jahre und ¨alter ◦ Keine Angabe

138 10 Appendices

15. In welchem Bereich sind oder waren Sie beruﬂich t¨atig?

◦ Betriebswirtschaft, Volkswirtschaft ◦ Bauwesen, Bauwirtschaft ◦ Erziehung, Pädagogik ◦ Medizin ◦ Informationstechnologie ◦ Management, Personalführung ◦ Landwirtschaft, Gartenbau ◦ Werbung, Marketing ◦ Rechtswissenschaft ◦ Ingenieurwissenschaft ◦ Mode, Design ◦ Kulturwesen ◦ Journalismus, Publizistik, Verlagswesen ◦ Naturwissenschaften ◦ Politik ◦ Sportwissenschaft ◦ Keine Angabe 16. Welche Studienrichtung lässtsich Ihr Studiengang, in dem Sie zurzeit eingeschrieben sind, zuordnen?

2 Agrar- und Forstwirtschaften 2 Geisteswissenschaften 2 Gesellschafts- und Sozialwissenschaften 2 Kunst, Gestaltung und Musik 2 Lehramt und Erziehungswissenschaften 2 Medien- und Kommunikationswissenschaften 2 Medizin und Gesundheitswesen 2 Naturwissenschaften und Mathematik 2 Rechtswissenschaft 2 Sprach- und Kulturwissenschaften 2 Technik-, Ingenieurwissenschaften und Informatik 2 Wirtschaftswissenschaften 2 Sonstiges 2 Keine Angabe 17. Wie hoch ist Ihr eigenes monatliches Nettoeinkommen? (Es ist hier der Betrag nach Abzug von Steuern und Sozialbeitr¨agegemeint)

◦ Unter 500 Euro ◦ Zwischen 500 bis unter 1000 Euro ◦ Zwischen 1000 bis unter 2000 Euro ◦ Zwischen 2000 bis unter 3000 Euro

139 10 Appendices

◦ Zwischen 3000 bis unter 4000 Euro ◦ 4000 Euro und mehr ◦ Keine Angabe 18. Was sind Ihre Lieblingsschulf¨acher?

10.4 Online Questionnaire of Chapter5

In the following, we provide the online questionnaire as used within the Chapter5 of this thesis.

10.4.1 Umfrage zur Benutzbarkeit von Smartphones 1. Welches Smartphone nutzen Sie?

◦ Android-Smartphone ◦ iPhone ◦ Ich besitze kein Smartphone ◦ Weiß nicht ◦ Sonstiges 2. Wie lange nutzen Sie bereits Ihr aktuelles Smartphone?

◦ Seit 2007 ◦ Seit 2008 ◦ Seit 2009 ◦ Seit 2010 ◦ Seit 2011 ◦ Seit 2012 ◦ Seit 2013 ◦ Seit 2014 ◦ Seit 2015 ◦ Seit 2016 ◦ Weiß nicht 3. Welche Android-Version läuftzur Zeit auf Ihrem Smartphone? (Falls Sie Ihre genaue Android Version nicht wissen, könnenSie diese anhand folgender Schritte herausfinden: 1. Offnen¨ Sie zunächstdie Einstellungen Ihres Android-Geräts. 2. In der Regel finden Sie ganz unten den Punkt mit ähnlichemNamen wie Uber¨ das Telefon oder Telefoninfo. 3. Bei HTC - Gerätenbefindet sich der Einstellungspunkt im Unterpunkt Software-Informationen. 4. Bei Samsung - Gerätenbefindet sich der Punkt Android-Version unter dem Reiter Optionen im Unterpunkt Geräteinformatio- nen. 5. Dort finden Sie die Android-Version des Geräts.)

140 10 Appendices

◦ 1.5 ◦ 1.6 ◦ 2.0/ 2.0.1 ◦ 2.1 ◦ 2.2/ 2.2.1/ 2.2.2 ◦ 2.3/ 2.3.1/ 2.3.2/ 2.3.3/ 2.3.4/ 2.3.5/ 2.3.6/ 2.3.7 ◦ 3.0 ◦ 3.1 ◦ 3.2/ 3.2.1 ◦ 4.0/ 4.0.1/ 4.0.2/ 4.0.3/ 4.0.4 ◦ 4.1/ 4.1.1/ 4.1.2 ◦ 4.2/ 4.2.1/ 4.2.2 ◦ 4.3/ 4.3.1 ◦ 4.4/ 4.4.1/ 4.4.2/ 4.4.3/ 4.4.4 ◦ 5.0/ 5.0.1/ 5.0.2/ 5.1/ 5.1.1 ◦ 6.0/ 6.0.1 ◦ Keine der aufgelisteten Versionen 5. Welche iOS-Version läuftzur Zeit auf Ihrem iPhone? (Hinweis: Falls Sie Ihre iOS Version nicht wissen, könnenSie diese anhand folgender Schritte herausfinden: 1. Tippen Sie im Home-Bildschirm auf Einstellungen -Allgemein - Info. 2. Daraufhin sollte die iOS-Version Ihres Gerätsunter dem Punkt Version angezeigt werden.)

141 10 Appendices

◦ iOS 1 ◦ iOS 2 ◦ iOS 3 ◦ iOS 4 ◦ iOS 5 ◦ iOS 6 ◦ iOS 7 ◦ iOS 8 ◦ iOS 9 ◦ iOS 10 ◦ Weiß nicht 6. Verwendeten Sie vor Ihrem aktuellen Smartphone ein anderes Smartphone?

◦ Ja, ein iPhone ◦ Nein, ein Android-Smartphone ◦ Dies ist mein erstes Smartphone ◦ Sonstiges 7. Verwendeten Sie vor Ihrem aktuellen Smartphone ein anderes Smartphone?

◦ Ja, ein Android-Smartphone ◦ Nein, ein iPhone ◦ Dies ist mein erstes Smartphone ◦ Sonstiges 8. Warum haben Sie auf Android gewechselt? 9. Warum haben Sie auf iOS gewechselt? 10. Verwendeten Sie vor Version 6.0 bzw. 6.0.1 eine ¨altereAndroid-Version?

◦ Ja ◦ Nein ◦ Weiß nicht 11. Wie viele Apps haben Sie auf Ihrem Smartphone selbst installiert?

◦ Noch nie eine App selbst installiert ◦ 1 bis 5 Apps ◦ 6 bis 10 Apps ◦ 11 bis 20 Apps ◦ 21 bis 30 Apps ◦ 31 bis 40 Apps ◦ 41 bis 50 Apps ◦ Mehr als 50 ◦ Weiß nicht

142 10 Appendices

12. Wie h¨auﬁginstallieren Sie Apps auf Ihrem Smartphone?

◦ Jeden Tag ◦ Mehrmals pro Woche ◦ Mehrmals im Monat ◦ Mehrmals im Jahr ◦ Seltener ◦ Niemals ◦ Keine Angabe 13. Auf was achten Sie im Google Play Store, wenn Sie eine App herunterladen und installieren wollen? Bitte ordnen Sie die unten genannten Elemente nach Wichtigkeit. (Mit Berechtigungen sind hier Daten oder Funktionen gemeint, auf die eine App Zugriﬀ erhalten will.)

◦ Beschreibung ◦ Symbol der App ◦ Entwickler ◦ Angefragte Berechtigungen ◦ Name der App ◦ Preis ◦ Gr¨oßeder App ◦ Bewertungen 14. Gibt es f¨urSie noch weitere Faktoren, auf die Sie im Google Play Store bei App- Installationen achten?

143 10 Appendices

15. Auf was achten Sie im App Store, wenn Sie eine App herunterladen und installieren wollen? Bitte ordnen Sie die unten genannten Elemente nach Wichtigkeit.

◦ Beschreibung ◦ Symbol der App ◦ Entwickler ◦ Name der App ◦ Preis ◦ Gr¨oßeder App ◦ Bewertungen 16. Gibt es f¨ur Sie noch weitere Faktoren, auf die Sie im App Store bei App- Installationen achten? 17. Kommt es vor, dass Sie App-Installationen bewusst abbrechen?

◦ Ja ◦ Nein 18. Aus welchen Gr¨undenhaben Sie App-Installationen bewusst abgebrochen? 19. Haben Sie schon mal eine App-Installation aufgrund der geforderten Berechtigungen abgebrochen?

◦ Ja ◦ Nein 20. Warum haben Sie App-Installationen aufgrund der geforderten Berechtigungen bewusst abgebrochen? 21. Bitte geben Sie in Prozent an, wie viele der App-Installationen Sie bereits aufgrund der angeforderten Berechtigungen abgebrochen haben.

144 10 Appendices

22. Kommen Ihnen diese Situationen bekannt vor?

◦ Ja ◦ Nein 23. Wie verhalten Sie sich normalerweise in ¨ahnlichen Situationen und aus welchen Gr¨unden? 24. Kommen Ihnen diese Situationen bekannt vor?

◦ Ja ◦ Nein 25. Wie verhalten Sie sich normalerweise in ähnlichen Situationen und aus welchen Gründen? 26. Haben Sie schon mal die Möglichkeit genutzt, Ihre Entscheidungen bezüglich der Berechtigungenin den Einstellungen nachträglich zu ändern?

◦ Ja ◦ Nein

145 10 Appendices

27. Haben Sie schon mal die Möglichkeit genutzt, Ihre Entscheidungen bezüglich der Berechtigungen in den Einstellungen nachträglich zu ändern?

◦ Ja ◦ Nein 28. Haben Sie schon mal die Möglichkeit genutzt, Ihre Entscheidungen bezüglich der Berechtigungen in den Einstellungen nachträglich zu ändern?

◦ Ja ◦ Nein 29. Bitte bewerten Sie folgende Aussagen (Stimme nciht zu; Stimme eher nicht zu; Teils - teils, Stimme eher zu; Stimme zu)

◦ Ich bin mit der allgemeinen Benutzbarkeit meines Smartphones zufrieden. ◦ Berechtigungen lese ich aufmerksam durch. ◦ Berechtigungen beachte ich. ◦ Berechtigungen finde ich nützlich. 30. Was verstehen Sie unter Android Berechtigungen? 31. Mit welchem der folgenden Begriffe würdenSie Android Berechtigungen am ehesten assoziieren?

◦ Informationen ◦ Warnungen ◦ AGB’s (Allgemeine Geschäftsbedingungen) ◦ Genehmigungen ◦ Nutzungsbedingungen ◦ Kleingedrucktes ◦ Sonstiges 32. Was verstehen Sie unter Berechtigungen? 33. Mit welchem der folgenden Begriffe würdenSie Berechtigungen am ehesten assoziieren?

◦ Informationen ◦ Warnungen ◦ AGB’s (Allgemeine Gesch¨aftsbedingungen) ◦ Genehmigungen ◦ Nutzungsbedingungen ◦ Kleingedrucktes ◦ Sonstiges 34. Bitte bewerten Sie folgende Aussagen (Negativ, Eher negativ, Neutral, Eher positiv, Positiv).

146 10 Appendices

◦ Meine Einstellung zu Berechtigungen ist grunds¨atzlich... ◦ Meine Erfahrungen, die ich mit der Vergabe von Berechtigungen gemacht habe, sind insgesamt... 35. Wie stark stimmen Sie folgenden Aussagen zu? (Stimme nicht zu; Stimme eher zu; Teils - teils; Stimme eher zu; Stimme zu)

◦ Ich rede oft mit Freunden oder mit meiner Familie über technische Produkte, die mich interessieren. ◦ Mit neuen Technologien Schritt zu halten, ist anstrengend. ◦ Ich suche regelmäßignach neuer Software und neuen Apps. ◦ Ich lese gerne über neue elektronische Geräteund digitale Medien. ◦ Technik ist fürmich frustrierend. ◦ Das Internet begeistert mich. ◦ Ich begeistere mich fürelektronische Geräteund digitale Medien. ◦ Meine Freunde würdenmich als “Techy” beschreiben 36. Bitte geben Sie Ihr Geschlecht an.

◦ Weiblich ◦ M¨annlich 37. Bitte geben Sie Ihr Alter in Jahren an. 38. Was ist der h¨ochste Bildungsabschluss, den Sie bisher erlangt haben?

◦ Kein allgemeiner Schulabschluss ◦ Noch in schulischer Ausbildung ◦ Hauptschulabschluss ◦ Mittlere Reife ◦ Abitur, Fachabitur, Fach-/ Hochschulreife ◦ Bachelor ◦ Master, Diplom, Staatsexamen, Magister ◦ Promotion ◦ Sonstiges 39. Was ist Ihre aktuelle T¨atigkeit?

◦ Schüler/in ◦ Student/in ◦ Angestellte/r, Arbeiter/in, Beamtin/Beamter ◦ Selbstständige/r ◦ Arbeitslos ◦ Hausfrau, Hausmann, oder in Elternzeit ◦ Renter/in, Pensionär/in ◦ Sonstiges

147 10 Appendices

40. Welche Fachrichtung studieren bzw. studierten Sie? 41. Sollten Sie noch weitere Anmerkungen zu dieser Umfrage haben, k¨onnenSie diese sehr gerne nachfolgend hinterlassen.

10.5 Literature Review Protocol

The underlying literature review protocol of Chapter6 is presented in the following.

10.5.1 Introduction

We present a review protocol in order to deﬁne our approach to conduct a systematic literature review [141]. According to Kitchenham and Brereton [106], a systematic review protocol is “[a] plan that describes the conduct of a proposed systematic literature review” ([106], p. vi) in order to “reduce the possibility of researcher bias” ([106], p. 12). The objective of this research is to identify literature which contributes to security in companies regarding smartphone usage and its consequences for employees as well as for the company according to the presented Dynamic Security Success Model.

10.5.2 Background

Webster and Watson [209] warn researchers about the risk of conducting a literature review and resulting with a listing of literature. The authors therefore recommend structuring the literature search by using a model for example. Our model, as presented in Figure 6.3, is a combination of the Information Systems Success Model by DeLone and McLean [54], and the Organizational Learning Theory of Argyris [12]. It is adapted to fit the purpose of smartphone usage in companies. The governing variable of our model can be described as security objectives of organizations. The words “company” and “organization” are interchangeable. The action strategies in our model context refer to all kinds of security measures which are applied or applicable by the companies to protect and fulfill their security objectives. Consequences are separated into use, user satisfaction, individual impact and organizational impact. Use refers to all possible use cases for smartphones in organizations. User satisfaction describes employees’ satisfaction with smartphone usage in their company including positive as well as negative effects. Individual impact summarizes the consequences of smartphone usage for employees in a business context. Organizational impact reflects the implications of smartphone usage on the company which can be also positive and negative.

10.5.3 Research Questions

Based on our model we deﬁne the following research questions which we try to answer with our literature review:

148 10 Appendices

RQ1: What are the security objectives of companies using smartphones for business? RQ2: Which security measures are used by companies to protect their security objectives? RQ3: What is the intended purpose of smartphone usage in companies (use cases)? RQ4: Which effects do smartphones have on employees’ satisfaction? RQ5: Which effects have smartphones on employees and on the company? RQ6: Which effects have security measures on employees and on the company?

10.5.4 Search Strategy

The structured search for relevant literature is divided into a primary search and a secondary search. The goal of the search is to cover all relevant literature and to identify research gaps for future research.

Primary Search We selected appropriate electronic data bases including peer-reviewed leading journals and conference proceedings, because these sources include the major contributions [209]. We refined the selection by analyzing the editorial statements. Databases which were included are: ACM Digital Library, IEEE Xplore Digital Library, Ebsco Host Business Source Complete, Ebsco Host Business Source Premier and AIS Electronic Library. We further searched within Science Direct und Google Scholar to complete the search. We did not limit the time covered for our search. We used a keyword search on the titles and the abstracts by developing a Boolean search string: (enterprise OR firm OR company OR organization OR employee) AND (smartphone OR “smart phone” OR “smart phones” OR “mobile device” OR “mobile devices” OR “mobile phone” OR “mobile phones”) AND (security OR secure OR attack OR risk OR breach OR protect OR misuse), which results from our DSSM. The search string differs for the databases due to different search guidelines. However, we did use the same keywords and searched within title and abstract only. If articles were found repeatedly, only the first search hit was considered. We identified 517 articles to be relevant based on the keywords search on titles and abstracts of the papers.

Secondary Search Levy and Ellis [115] propose a forward and backward search due to “the diversification and multidisciplinary nature of IS literature” ([115], p. 189) in order to extend the search. Therefore, we checked the references of the identified articles and used Google Scholar to find relevant articles citing our identified papers (backward and forward search according to Webster and Watson [209]). The backward search revealed 37 additional results and the forward search revealed 15 additional results. Our literature search revealed 569 papers in total.

149 10 Appendices

10.5.5 Selection Criteria

In order to determine which of the 569 articles found are relevant for the literature review, inclusion and exclusion criteria were developed (so called practical screen) and are described in the following subsection. These criteria were applied to the titles and to the abstracts. Papers which did not fulfill the inclusion criteria (and/or met the exclusion criteria) were not considered for further analysis. One reviewer read all abstracts, while a second reviewer analyzed a subset of the findings. Mistiaen et al. [134] suggest a subset of 10% for the second reviewer, which correspond 57 abstracts. These are randomly chosen among all papers and all databases. If the agreement upon inclusion and exclusion of papers is lower than 95%, the second reviewer needs to review all of the papers. Inter-rater reliability is measured using the Kappa statistics. The value of Kappa should be between 0.6 and 1.0 ([69], p. 174). In order to increase reliability, Fink [69] proposes a pilot test of the practical screen in advance of the literature review. We therefore randomly selected 6 articles and categorized them according to the literature protocol independently. We compared the resulting list of identified paper. We further discussed disagreements and considered changes to the protocol. After the identification phase, both reviewers read all selected papers (95 papers) in order to verify the inclusion in the literature review.

Inclusion Criteria Articles will be included when they are related to the following topics (we only consider papers in English):

• Security objectives and requirements of companies • Security measures recommended, analyzed or used for smartphones in companies • User scenarios and actual usage of smartphones for business purposes • Satisfaction with smartphones and smartphone usage in business context • Satisfaction with security measures of smartphones in business context • Effects of smartphones in companies on employees • Effects of smartphone usage in business context for the companies • Benefits of employees’ smartphone usage for companies • Security risks of employees’ smartphone usage for companies

Exclusion Criteria Articles will be excluded if they cover topics such as:

• Risk assessment of smartphones in companies • Articles not subject to the topic

150 10 Appendices

• Security frameworks for smartphones • Smartphone security • Smartphone security and privacy aspects for private usage • Articles not subject to smartphones usage in companies

10.5.6 Quality Assessment

The resulting ﬁndings are assessed for their quality. We, therefore, also used inclusion and exclusion criteria (I: Inclusion, E: Exclusion):

• Are the security measures solely based on expert opinion? Yes (E), No (I) • Is the literature peer-reviewed? Yes (I), No (E)

The two reviewers assess the quality of the identiﬁed paper according to the inclusion and exclusion criteria. Articles which do not meet the quality standard are excluded from further analysis. Any disagreement will be resolved by discussion. For the quality assessment the full paper text is used. The inclusion and exclusion criteria are also pilot tested in order to resolve inaccuracies and lack of understanding.

10.5.7 Data Extraction Strategy

The review will be conducted by two independent researchers. Disagreement will be solved by discussion, if necessary a third researcher will be included. A coding sheet will be used in order to achieve comparability and completeness. This coding sheet is subdivided into the constructs of the Smartphone Security Success Model. Relevant articles and text passages are assigned to the corresponding model constructs. Inter-rater reliability will be measured using the Kappa statistics.

10.5.8 Data Synthesis

The data from the coding sheets of the two reviewers will be summarized into one data sheet, which is again divided into the diﬀerent model components. The corresponding references will be listed as well. Disagreement will be resolved by discussion. This synthesis is supposed to serve as the foundation for the literature review and to identify research gaps for future work.

10.6 Interview Guide of Chapter7

In the following, we provide the interview guide as used within the Chapter7 of this thesis.

151 10 Appendices

10.6.1 Einleitung

Vielen Dank, dass Sie sich die Zeit nehmen, mit mir über Smartphones in ihrem Un- ternehmen zu sprechen. In diesem Interview, möchte ich herausfinden, wie Smartphones in Unternehmen gehandhabt werden. Dabei ist es mir wichtig Meinungen und Erfahrungen von Mitarbeitern zu sammeln. Hierbei gibt es keine richtigen oder falschen Antworten. Die Daten werden anonymisiert, sodass keine Rückschlüsse auf Ihre Person und Ihr Unternehmen möglich sind. Es werden lediglich die Antworten verwendet, die fürdie Auswertung meiner Forschungsfrage relevant sind. Bevor wir anfangen, möchte ich Sie fragen, ob ich dieses Gespräch aufzeichnen darf (nur Audio). Dies dient lediglich dazu, die Auswertung der Daten nachvollziehbar und leichter zu machen. Sind Sie damit einverstanden? Gibt es noch Fragen bevor ich starte?

10.6.2 Fragen 1. Beschreiben Sie bitte Ihre Aufgaben in Ihrem Unternehmen. 2. Erz¨ahlenSie bitte, welche Rolle das Smartphone bei der Erledigung ihrer allt¨aglichen Aufgaben spielt.

Hinweise fürInterviewer: Alternativfragen • ErzählenSie bitte welche Funktion Ihr Smartphone bei der Erledigung ihrer alltäglichenAufgaben einnimmt. • Erzählen Sie bitte, wie Sie ihr Smartphone bei der Erledigung ihrer alltäglichen Aufgaben benutzen. 3. Gibt es Aufgaben, fürdie das Smartphone besonders wichtig ist? KönnenSie bitte Schritt fürSchritt beschreiben wie Sie eine dieser Aufgaben erledigen (Beispiele erklären lassen; wichtigste Aufgabe erklären lassen)

a) Inwiefern spielen hier Sicherheitsmaßnahmen eine Rolle? 4. Welche Vorgaben gibt es f¨urden Umgang mit Smartphones in Ihrem Unternehmen?

a) K¨onnenSie bitte anhand eines Beispiels erkl¨aren,in welchen Bereichen der Arbeit diese Vorgabe relevant ist? (Falls allgemein beantwortet wird, konkret nachfragen) b) Wie wirkt sich diese Vorgabe auf Ihre Arbeit/Erledigung der Arbeit aus? 5. Welche (sonstigen) Smartphone-Sicherheitsmaßnahmen gibt es in Ihrem Unternehmen?

a) Gibt es Aufgaben, bei deren Erledigung Sie Ihr Smartphone als st¨orend/hinderlich empﬁnden? b) Gab es in letzter Zeit Anderungen¨ der Sicherheitsmaßnahmen? Wie haben Sie diese erlebt?

152 10 Appendices

6. Was w¨urdenSie ver¨andern,um die “Nutzung” des Smartphones zu verbessern?

a) Beschreibung der Fragen: Können Sie eine Anderung¨ beschreiben, die Ihren Arbeitsalltag erleichtern würde? b) Alternativfrage: Was würdenSie verändern,um Ihren Arbeitsalltag zu erleichtern? (Was und warum verändernin Bezug auf Einschränkungen) c) Alternativfrage: Wie würdenSie die Sicherheitsmaßnahmen verändern,um die Benutzbarkeit des Smartphones zu verbessern? d) Warum würdenSie das verändern? 7. Inwiefern haben Sie die Möglichkeit Sicherheitsmaßnahmen mitzugestalten?

a) Wenn neue Sicherheitsmaßnahmen eingeführtwerden, werden Sie bei der Gestal- tung berücksichtigt? b) Gibt es eine Evaluation von Sicherheitsmaßnahmen? Inwiefern wird ihr Feedback bei der Evaluation von Sicherheitsmaßnahmen berücksichtigt? c) Wie sieht die Mitbestimmung genau aus? 8. Demographische Daten

• Alter • Geschlecht • Position im Unternehmen • Branche des Unternehmens • Im Unternehmen t¨atigseit

10.7 Interview Guide of Chapter8

In the following, we provide the interview guide as used within the Chapter8 of this thesis.

10.7.1 Einleitung

Vielen Dank fürdie Bereitschaft mit mir über Smartphone-Sicherheit in Ihrem Un- ternehmen zu sprechen. Es geht hierbei um Ihre Erfahrung und Meinung, dabei gibt es keine richtigen oder falschen Antworten. Gibt es noch Fragen bevor ich starte? Ich würdedann jetzt die Aufnahme starten.

153 10 Appendices

10.7.2 Fragen 1. Erz¨ahlenSie bitte von Smartphone-Sicherheit in Ihrem Unternehmen

a) ErzählenSie bitte, wie Smartphone-Sicherheit in Ihrem Unternehmen aussieht. b) Welche Rolle spielt Smartphone-Sicherheit in Ihrem Unternehmen. c) Welche Funktionen nimmt Smartphone-Sicherheit in Ihrem Unternehmen ein. Hinweise fürInterviewer: Hier keine strukturellen Eingriffe. Falls Frage nicht ver- standen wird, die Unterfragen zu Hilfe nehmen. Befragter soll hier selbst strukturieren. 2. KönnenSie mir bitte anhand eines Beispiels erzählen,wie eine Smartphone-Sicherheitsmaßnahme entwickelt und umgesetzt wurde. 3. Wie werden Smartphone-Sicherheitsmaßnahmen im Allgemeinen in Ihrem Unternehmen entwickelt und umgesetzt?

a) Wie ist das Vorgehen? b) Beschreiben Sie bitte den Prozess. 4. Welche Rolle spielt der Anwender in der Entwicklung von Sicherheitsmaßnahmen? 5. Welche Faktoren spielen dabei eine Rolle? Wie wichtig sind diese Faktoren?

a) Gibt es eine Beeinflussung durch den Nutzer? b) Werden Smartphone-Sicherheitsmaßnahmen aufgrund von Nutzerreaktionen verändert? c) Wird Nutzerfeedback erhoben? d) Wird Nutzerfeedback bei der Entwicklung berücksichtigt? Hinweise fürInterviewer: Hier strukturierend leiten: • Sicherheitsziele: Woher kommen die Sicherheitsziele? • Dimensionen des Modells • Sicherheitsziele (ISO-Normen) • Sicherheitsmaßnahmen (organisatorische und technische) • Nutzerzufriedenheit • Angreifermodell/Angriffe • Feedback • Technologieveränderung • Smartphone Use Cases 6. Gibt es eine Evaluation der Sicherheitsmaßnahmen? (Was passiert danach? Was macht ihr dann?)

154 10 Appendices

a) Werden die Sicherheitsmaßnahmen getestet?

i. Werden die Auswirkungen der Sicherheitsmaßnahmen erfasst? ii. Werden die Auswirkungen der Sicherheitsmaßnahmen analysiert? iii. Werden die Auswirkungen der Sicherheitsmaßnahmen bewertet? b) Werden die Maßnahmen ¨uberarbeitet? 7. Demographische Daten

• Unternehmensbranche • Unternehmensgr¨oße • Position im Unternehmen • In Position t¨atigseit

155 Bibliography

[1] Anne Adams and Martina Angela Sasse. Users are not the enemy. Communications of the ACM, 42(12):40–46, 1999. [2] Eirik Albrechtsen. A qualitative study of users’ view on information security. Computers & security, 26(4):276–289, 2007. URL: http://www.sciencedirect. com/science/article/pii/S0167404806002033. [3] Eirik Albrechtsen and Jan Hovden. The information security digital divide between information security managers and users. Computers & Security, 28(6):476–490, 2009. [4] Sean Allam, Stephen V. Flowerday, and Ethan Flowerday. Smartphone information security awareness: A victim of operational pressures. Computers & Security, 42:56–65, 2014. [5] Hazim Almuhimedi, Florian Schaub, Norman Sadeh, Idris Adjerid, Alessandro Acquisti, Joshua Gluck, Lorrie Faith Cranor, and Yuvraj Agarwal. Your location has been shared 5,398 times!: A ﬁeld study on mobile app privacy nudging. In Proceedings of the 33rd annual ACM conference on human factors in computing systems, pages 787–796. ACM, 2015. [6] Steven Alter. Theory of Workarounds. CAIS, 34:55, 2014. URL: http://aisel. aisnet.org/cais/vol34/iss1/55. [7] Panagiotis Andriotis, Martina Angela Sasse, and Gianluca Stringhini. Permissions Snapshots: Assessing Users’ Adaptation to the Android Runtime Permission Model. In IEEE International Workshop on Information Forensics and Security (WIFS), 2016. [8] Android. Encryption, 2018. Accessed: 29.11.2018. URL: https://source.android. com/security/encryption. [9] Android. File-based encryption, 2018. Accessed: 29.11.2018. URL: https:// source.android.com/security/encryption/file-based. [10] Android. Full-disk encryption, 2018. Accessed: 29.11.2018. URL: https://source. android.com/security/encryption/full-disk. [11] Ivan Arce. The weakest link revisited [information security]. IEEE Security & Privacy, 99(2):72–76, 2003. [12] Chris Argyris. Single-loop and double-loop models in research on decision making. Administrative science quarterly, pages 363–375, 1976. [13] Chris Argyris. Double loop learning in organizations. Harvard business review, 55(5):115–125, 1977.

156 Bibliography

[14] Chris Argyris. Action science and organizational learning. Journal of managerial psychology, 10(6):20–26, 1995. [15] Chris Argyris, Robert Putnam, and Diana McLain Smith. Action science, volume 13. Jossey-Bass Inc Pub, 1985. [16] Charles Arthur and Stuart Dredge. iOS v Android: why Schmidt was wrong and developers still start on Apple, 2012. Accessed: 17.02.2013. URL: www.guardian. co.uk. [17] Debi Ashenden and Darren Lawrence. Security dialogues: Building better relationships between security and business. IEEE Security & Privacy, (3):82–87, 2016. [18] Debi Ashenden and Angela Sasse. CISOs and organisational culture: Their own worst enemy? Computers & Security, 39:396–405, 2013. [19] Ken Barr, Prashanth Bungale, Stephen Deasy, Viktor Gyuris, Perry Hung, Craig Newell, Harvey Tuch, and Bruno Zoppis. The VMware mobile virtualization platform: is that a hypervisor in your pocket? ACM SIGOPS Operating Systems Review, 44(4):124–135, 2010. [20] Adam Beautement, Ingolf Becker, Simon Parkin, Kat Krol, and M. Angela Sasse. Productive security: A scalable methodology for analysing employee security behaviours. In 12th Symposium on Usable Privacy and Security (SOUPS), pages 253–270, 2016. [21] Adam Beautement, M. Angela Sasse, and Mike Wonham. The compliance budget: managing security behaviour in organisations. In Proceedings of the 2008 workshop on New security paradigms, pages 47–58. ACM, 2009. [22] Ingolf Becker, Simon Parkin, and M. Angela Sasse. Finding security champions in blends of organisational culture. Proc. USEC, 11, 2017. [23] Sandy Behrens. Shadow systems: the good, the bad and the ugly. Commun. ACM, 52(2):124–129, 2009. URL: https://doi.org/10.1145/1461928.1461960, doi:10.1145/1461928.1461960. [24] Sandy Behrens and Wasana Sedera. Why Do Shadow Systems Exist after an ERP Implementation? Lessons from a Case Study. In Pacific Asia Conference on Information Systems, PACIS 2004, Shanghai, China, July 8-11, 2004, page 136. AISeL, 2004. URL: http://aisel.aisnet.org/pacis2004/136. [25] Noam Ben-Asher, Niklas Kirschnick, Hanul Sieger, Joachim Meyer, Asaf Ben- Oved, and Sebastian Möller.On the need for different security methods on mobile phones. In Proceedings of the 13th International Conference on Human Computer Interaction with Mobile Devices and Services, pages 465–473. ACM, 2011.

157 Bibliography

[26] Kevin Benton, L. Jean Camp, and Vaibhav Garg. Studying the effectiveness of android application permissions requests. In 2013 IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops), pages 291–296, March 2013. [27] Igor Bernik and BlaˇzMarkelj. Blended threats to mobile devices on the rise. In Information Society (i-Society), 2012 International Conference on, pages 59–64. IEEE, 2012. [28] Rasekhar Bhagavatula, Blase Ur, Kevin Iacovino, Su Mon Kywe, Lorrie Faith Cranor, and Marios Savvides. Biometric authentication on iphone and android: Usability, perceptions, and influences on adoption. 2015. [29] Andrea Bianchi, Ian Oakley, Vassilis Kostakos, and Dong Soo Kwon. The phone lock: audio and haptic shoulder-surfing resistant PIN entry methods for mobile devices. In Proceedings of the fifth international conference on Tangible, embedded, and embodied interaction, pages 197–200. ACM, 2011. [30] Robert Biddle, Sonia Chiasson, and Paul C Van Oorschot. Graphical passwords: Learning from the first twelve years. ACM Computing Surveys (CSUR), 44(4):19, 2012. [31] John M. Blythe, Lynne M. Coventry, and Linda Little. Unpacking Security Policy Compliance: The Motivators and Barriers of Employees’ Security Behaviors. In SOUPS, pages 103–122, 2015. [32] Rainer Böhmeand Thomas Nowey. Economic security metrics. In Dependability metrics, pages 176–187. Springer, 2008. [33] Bram Bonné,Sai Teja Peddinti, Igor Bilogrevic, and Nina Taft. Exploring decision making with Android’s runtime permission dialogs using in-context surveys. USENIX Association, 2017. [34] David Botta, Rodrigo Werlinger, AndréGagné,Konstantin Beznosov, Lee Iverson, Sidney Fels, and Brian Fisher. Towards understanding IT security professionals and their tools. In Proceedings of the 3rd symposium on Usable privacy and security, pages 100–111. ACM, 2007. [35] Martin Brodin, Jeremy Rose, and Rose-Mharie Ahlfeldt.˚ Management issues for bring your own device. In European, Mediterranean & Middle Eastern Conference on Information Systems 2015 (EMCIS2015), 1-2 June, Athens, Greece. European, Mediterranean & Middle Eastern Conference on Information Systems (EMCIS), 2015.

158 Bibliography

[36] Dirk Van Bruggen, Shu Liu, Mitch Kajzer, Aaron Striegel, Charles R. Crowell, and John D’Arcy. Modifying smartphone user locking behavior. In Lujo Bauer, Kon- stantin Beznosov, and Lorrie Faith Cranor, editors, Symposium On Usable Privacy and Security, SOUPS ’13, Newcastle, United Kingdom, July 24-26, 2013, pages 10:1–10:14. ACM, 2013. URL: https://doi.org/10.1145/2501604.2501614, doi:10.1145/2501604.2501614. [37] Burcu Bulgurcu, Hasan Cavusoglu, and Izak Benbasat. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS quarterly, 34(3):523–548, 2010. [38] Deanna D. Caputo, Shari Lawrence Pfleeger, M. Angela Sasse, Paul Ammann, Jeff Offutt, and Lin Deng. Barriers to usable security? three organizational case studies. IEEE Security & Privacy, 14(5):22–32, 2016. [39] Puneesh Chaudhry. Needed: A corporate mobile device policy. Financial Executive, 28(5):69–71, 2012. [40] Pern Hui Chia, Yusuke Yamamoto, and N. Asokan. Is this app safe?: A large scale study on application permissions and risk signals. In Proceedings of the 21st international conference on World Wide Web, WWW ’12, 2012. [41] Wallace Chigona, B. Robertson, and L. Mimbi. Synchronised smart phones: The collision of personal privacy and organisational data security. South African Journal of Business Management, 43(2):31–40, 2012. [42] Erika Chin, Adrienne Porter Felt, Vyas Sekar, and David Wagner. Measuring user confidence in smartphone security and privacy. In SOUPS, 2012. [43] Jacob Cohen. Statistical power analysis for the behavioral sciences. Lawrence Earlbaum Asssociate, 2:20–26, 1988. [44] Lizzie Coles-Kemp. Practising creative securities, 2018. URL: https://bookleteer. com/collection.html?id=28. [45] Lizzie Coles-Kemp, Debi Ashenden, Kieron O’Hara, et al. Why should i? cybersecurity, the security of the state and the insecurity of the citizen. Politics and Governance, 6(2):41–48, 2018. [46] Wes Copeland and Chia-Chu Chiang. Securing enterprise mobile information. In Computer, Consumer and Control (IS3C), 2012 International Symposium on, pages 80–83. IEEE, 2012. [47] Juliet Corbin and Anselm Strauss. Basics of qualitative research. Sage, 2014. [48] Lorrie Faith Cranor and Norbou Buchler. Better together: Usability and security go hand in hand. IEEE Security & Privacy, 12(6):89–93, 2014. [49] John D’Arcy, Tejaswini Herath, and Mindy K. Shoss. Understanding employee responses to stressful information security requirements: A coping perspective. Journal of Management Information Systems, 31(2):285–318, 2014.

159 Bibliography

[50] Alexander De Luca, Alina Hang, Frederik Brudy, Christian Lindner, and Heinrich Hussmann. Touch me once and i know it’s you!: implicit authentication based on touch screen patterns. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 987–996. ACM, 2012. [51] Alexander De Luca, Marian Harbach, Emanuel von Zezschwitz, Max-Emanuel Maurer, Bernhard Ewald Slawik, Heinrich Hussmann, and Matthew Smith. Now you see me, now you don’t: protecting smartphone authentication from shoulder surfers. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 2937–2946. ACM, 2014. [52] Alexander De Luca, Emanuel Von Zezschwitz, Ngo Dieu Huong Nguyen, Max- Emanuel Maurer, Elisa Rubegni, Marcello Paolo Scipioni, and Marc Langheinrich. Back-of-device authentication on smartphones. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 2389–2398. ACM, 2013. [53] Horace Dediu. Android economics: An introduction, 2012. Accessed: 17.02.2013. URL: www.asymco.com. [54] William H. DeLone and Ephraim R. McLean. Information systems success: The quest for the dependent variable. Information systems research, 3(1):60–95, 1992. [55] William H. DeLone and Ephraim R. McLean. Information systems success revisited. In System Sciences, 2002. HICSS. Proceedings of the 35th Annual Hawaii International Conference on, pages 2966–2976. IEEE, 2002. [56] William H. Delone and Ephraim R. McLean. The DeLone and McLean model of information systems success: a ten-year update. Journal of management information systems, 19(4):9–30, 2003. [57] Statistisches Bundesamt Destatis. Nutzung von Informations- und Kommunika- tionstechnologien in Unternehmen, 2017. Accessed: 07.11.2018. URL: https:// www.destatis.de/DE/Publikationen/Thematisch/UnternehmenHandwerk/ Unternehmen/InformationstechnologieUnternehmen.html. [58] Statistisches Bundesamt Destatis. 90% der Bev¨olkerung in Deutschland sind online, 2018. Accessed: 07.11.2018. URL: https://www.destatis.de/DE/ PresseService/Presse/Pressemitteilungen/2018/09/PD18_330_634.html. [59] Gurpreet Dhillon and Gholamreza Torkzadeh. Value-focused assessment of information system security in organizations. Information Systems Journal, 16(3):293–314, 2006. [60] Georg Disterer and Carsten Kleiner. BYOD - Bring Your Own Device. HMD - Praxis Wirtschaftsinform., 290, 2013. URL: http://www.dpunkt.de/hmdissues/ 290/10.php. [61] Georg Disterer and Carsten Kleiner. BYOD bring your own device. Procedia Technology, 9:43–53, 2013.

160 Bibliography

[62] Paul Dourish, E. Grinter, Jessica Delgado De La Flor, and Melissa Joseph. Security in the wild: user strategies for managing security as an everyday, practical problem. Personal and Ubiquitous Computing, 8(6):391–401, 2004. [63] Manuel Egele, Christopher Kruegel, Engin Kirda, and Giovanni Vigna. PiOS: Detecting Privacy Leaks in iOS Apllications. In NDSS, 2011. [64] Philip Elmer-DeWitt. 6 ways iPhone and Android users differ, 2010. Accessed: 08.01.2013. URL: tech.fortune.cnn.com. [65] Satu Elo and Helvi Kyngäs.The qualitative content analysis process. Journal of advanced nursing, 62(1):107–115, 2008. [66] Meisam Eslahi, Maryam Var Naseri, H. Hashim, NM. Tahir, and Ezril Hisham Mat Saad. BYOD: Current state and security challenges. In Computer Applications and Industrial Electronics (ISCAIE), 2014 IEEE Symposium on, pages 189–192. IEEE, 2014. [67] Adrienne Porter Felt, Matthew Finifter, Erika Chin, Steven Hanna, and David Wagner. A Survey of Mobile Malware in the Wild. In SPSM, 2011. [68] Adrienne Porter Felt, Elizabeth Ha, Serge Egelman, Ariel Haney, Erika Chin, and David Wagner. Android Permissions: User Attention, Comprehension, and Behavior. In Proceedings of the Eighth Symposium on Usable Privacy and Security, SOUPS ’12, pages 3:1–3:14, New York, NY, USA, 2012. ACM. [69] Arlene Fink. Conducting research literature reviews: From the Internet to paper. Sage Publications, 2013. [70] Daniel Fürstenauand Hannes Rothe. Shadow IT Systems: Discerning the Good and the evil. In Michel Avital, Jan Marco Leimeister, and Ulrike Schultze, editors, 22st European Conference on Information Systems, ECIS 2014, Tel Aviv, Israel, June 9-11, 2014, 2014. URL: http://aisel.aisnet.org/ecis2014/proceedings/ track15/9. [71] Howard Gardner and Katie Davis. The App Generation: How Today’s Youth Navigate Identity, Intimacy, and Imagination in a Digital World. Yale University Press, 2013. [72] Gabriela Gheorghe and Stephan Neuhaus. Poster: Preserving privacy and account- ability for personal devices. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pages 1359–1362. ACM, 2013. [73] Jose J. Gonzalez and Agata Sawicka. A framework for human factors in information security. In Wseas international conference on information security, Rio de Janeiro, pages 448–187, 2002. [74] Google. Protect against harmful apps, 2014. Accessed: 17.03.2014. URL: https:// support.google.com/accounts/answer/2812853?hl=en.

161 Bibliography

[75] Google. Google Account Help, 2018. Accessed: 05.12.2018. URL: https:// support.google.com/accounts/answer/6160491?hl=en. [76] Google. Google Play Protect, 2018. Accessed: 30.11.2018. URL: https://www. android.com/intl/en_us/play-protect/. [77] Ulla HällgrenGraneheim and Berit Lundman. Qualitative content analysis in nursing research: concepts, procedures and measures to achieve trustworthiness. Nurse education today, 24(2):105–112, 2004. [78] Andy Green. Management of security policies for mobile devices. In Proceedings of the 4th annual conference on information security curriculum development, page 22. ACM, 2007. [79] Greg Guest, Arwen Bunce, and Laura Johnson. How many interviews are enough? An experiment with data saturation and variability. Field methods, 18(1):59–82, 2006. [80] Andreas Györy, Anne Cleven, Falk Uebernickel, and Walter Brenner. Exploring the Shadows: IT Governance Approaches to User-Driven Innovation. In 20th European Conference on Information Systems, ECIS 2012, Barcelona, Spain, June 10-13, 2012, page 222, 2012. URL: http://aisel.aisnet.org/ecis2012/222. [81] Jin Han, Su Mon Kywe, Qiang Yan, Feng Bao, Robert Deng, Debin Gao, Yingjiu Li, and Jianying Zhou. Launching generic attacks on iOS with approved third- party applications. In Applied Cryptography and Network Security, pages 272–289. Springer, 2013. [82] Jin Han, Qiang Yan, Debin Gao, Jianying Zhou, and Robert H. Deng. Comparing Mobile Privacy Protection through Cross-Platform Applications. In Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2013. [83] Julie M. Haney and Wayne G. Lutters. Skills and Characteristics of Success- ful Cybersecurity Advocates. In Thirteenth Symposium on Usable Privacy and Security, SOUPS 2017, Santa Clara, CA, USA, July 12-14, 2017. USENIX Associ- ation, 2017. URL: https://www.usenix.org/conference/soups2017/workshop- program/wsiw2017/haney. [84] Marian Harbach, Markus Hettig, Susanne Weber, and Matthew Smith. Using personal examples to improve risk communication for security & privacy decisions. In Proceedings of the 32nd annual ACM conference on Human factors in computing systems, pages 2647–2656. ACM, 2014. [85] Marian Harbach, Emanuel Von Zezschwitz, Andreas Fichtner, Alexander De Luca, and Matthew Smith. It’s a hard lock life: A field study of smartphone (un) locking behavior and risk perception. In Symposium on usable privacy and security (SOUPS), pages 213–230, 2014.

162 Bibliography

[86] Jeanne Harris, Blake Ives, and Iris Junglas. IT consumerization: When gadgets turn into enterprise IT tools. MIS Quarterly Executive, 11(3), 2012. [87] Claude PR Heath, Peter A. Hall, and Lizzie Coles-Kemp. Holding on to dissensus: Participatory interactions in security design. Strategic Design Research Journal, 11(2):65–78, 2018. [88] Karin Hedström,Ella Kolkowska, Fredrik Karlsson, and Jonathan P. Allen. Value conflicts for information security management. The Journal of Strategic Information Systems, 20(4):373–384, 2011. [89] Tejaswini Herath and H. Raghav Rao. Protection motivation and deterrence: a framework for security policy compliance in organisations. European Journal of Information Systems, 18(2):106–125, 2009. [90] Alan R. Hevner, Salvatore T. March, Jinsoo Park, and Sudha Ram. Design Science in Information Systems Research. MIS Quarterly, 28(1):75–105, 2004. URL: http://misq.org/design-science-in-information-systems-research. html. [91] Jerry Hildenbrand. How to enable encryption in android, 2016. Accessed: 29.11.2018. URL: https://www.androidcentral.com/how-enable-encryption-android. [92] Andrew Hoog and Katie Strzempka. iPhone and iOS forensics: Investigation, analysis and mobile security for Apple iPhone, iPad and iOS devices. Elsevier, 2011. [93] Hsiu-Fang Hsieh and Sarah E. Shannon. Three approaches to qualitative content analysis. Qualitative health research, 15(9):1277–1288, 2005. [94] Efosa C. Idemudia, Mahesh S. Raisinghani, and Alice Batch. Empirical investigation of the cognitive factors that influence the continued use of smartphones by college students who are using smartphones to participate in the future global distributed teams. In System Sciences (HICSS), 2014 47th Hawaii International Conference on, pages 289–299. IEEE, 2014. [95] Apple Inc. ios security ios 12.1, 2018. Accessed: 30.11.2018. URL: https://www. apple.com/business/site/docs/iOS_Security_Guide.pdf. [96] Philip G. Inglesant and M. Angela Sasse. The true cost of unusable password policies: password use in the wild. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 383–392. ACM, 2010. [97] Grant A. Jacoby, J. Scot Ransbottom, Thadeus Hickman, and Maxwell Potasznik. Screening Mobile Devices to Examine Network Health. In 40th Hawaii Interna- tional International Conference on Systems Science (HICSS-40 2007), CD-ROM / Abstracts Proceedings, 3-6 January 2007, Waikoloa, Big Island, HI, USA, page 164. IEEE Computer Society, 2007. URL: https://doi.org/10.1109/HICSS.2007. 474, doi:10.1109/HICSS.2007.474.

163 Bibliography

[98] Jaeyeon Jung, Seungyeop Han, and David Wetherall. Short paper: enhancing mobile application permissions with runtime feedback and constraints. In Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices, pages 45–50. ACM, 2012. [99] Patrick Gage Kelley, Sunny Consolvo, Lorrie Faith Cranor, Jaeyeon Jung, Norman Sadeh, and David Wetherall. A Conundrum of Permissions: Installing Applications on an Android Smartphone, pages 68–79. Springer Berlin Heidelberg, Berlin, Heidelberg, 2012. [100] Patrick Gage Kelley, Lorrie Faith Cranor, and Norman Sadeh. Privacy As Part of the App Decision-making Process. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI ’13, pages 3393–3402, New York, NY, USA, 2013. ACM. [101] Orin S. Kerr and Bruce Schneier. Encryption workarounds. Geo. LJ, 106:989, 2017. [102] Rohit Ashok Khot, Ponnurangam Kumaraguru, and Kannan Srinathan. Wyswye: shoulder surfing defense for recognition based graphical passwords. In Proceedings of the 24th Australian Computer-Human Interaction Conference, pages 285–294. ACM, 2012. [103] Jennifer King. How Come I’m Allowing Strangers to Go Through My Phone? Smartphones and Privacy Expectations. 2012. [104] Iacovos Kirlappos, Simon Parkin, and M. Angela Sasse. Shadow security as a tool for the learning organization. ACM SIGCAS Computers and Society, 45(1):29–37, 2015. [105] Iacovos Kirlappos and M. Angela Sasse. What usable security really means: Trusting and engaging users. In International Conference on Human Aspects of Information Security, Privacy, and Trust, pages 69–78. Springer, 2014. [106] Barbara Kitchenham and Pearl Brereton. A systematic review of systematic review process research in software engineering. Information and software technology, 55(12):2049–2075, 2013. [107] Hope Koch and Patrick Curry. IT Consumerization’s Impact on Enterprise IT. 2014. [108] Palanivel Kodeswaran, Vikrant Nandakumar, Shalini Kapoor, Pavan Kamaraju, Anupam Joshi, and Sougata Mukherjea. Securing enterprise data on smartphones using run time information flow control. In Mobile Data Management (MDM), 2012 IEEE 13th International Conference on, pages 300–305. IEEE, 2012. [109] Lydia Kraus, Ina Wechsung, and Sebastian Möller.Using statistical information to communicate android permission risks to users. In Socio-Technical Aspects in Security and Trust (STAST), 2014 Workshop on, pages 48–55. IEEE, 2014.

164 Bibliography

[110] Udo Kuckartz. Qualitative Text Analysis: A Guide to Methods, Practice and Using Software. Publications Ltd, Los Angeles, 2014. [111] Stefanie Külz. Smartphone-Sicherheitsmaßnahmen und deren Auswirkungen auf das Verhalten von Nutzern im Unternehmen. Master’s thesis, Friedrich-Alexander- UniversitätErlangen-Nürnberg, Germany, 2016. [112] Ponnurangam Kumaraguru and Lorrie Faith Cranor. Privacy indexes: a survey of Westin’s studies. Technical Report Paper 856, Carnegie Mellon University, Institute for Software Research, January 2005. [113] Andreas Kurtz. Malicious iOS Apps, 2014. Accessed: 16.12.2014. URL: http:// www.andreas-kurtz.de/2014/09/malicious-apps-ios8.html. [114] Max Landman. Managing smart phone security risks. In 2010 Information Security Curriculum Development Conference, pages 145–155. ACM, 2010. [115] Yair Levy and Timothy J. Ellis. A systems approach to conduct an effective literature review in support of information systems research. Informing Science: International Journal of an Emerging Transdiscipline, 9(1):181–212, 2006. [116] Qing Li and Greg Clark. Mobile security: a look ahead. IEEE Security & Privacy, 11(1):78–81, 2013. [117] Jialiu Lin, Norman Sadeh, Shahriyar Amini, Janne Lindqvist, Jason I. Hong, and Joy Zhang. Expectation and purpose: Understanding users’ mental models of mobile app privacy through crowdsourcing. In ACM UbiComp, 2012. URL: http://doi.acm.org/10.1145/2370216.2370290. [118] Andrew Lipsman and Carmela Aquino. 2013 Mobile Future in Focus. Accessed: 15.07.2013. URL: www.comscore.com. [119] Johnny Li-Chang Lo, Judith Bishop, and Jan HP. Eloff. SMSSec: an end-to-end protocol for secure SMS. Computers & Security, 27(5-6):154–167, 2008. [120] Hiroshi Lockheimer. Android and security, 2012. Accessed: 10.12.2018. URL: http://googlemobile.blogspot.com/2012/02/android-and-security.html. [121] COMMERCIAL LOGICAL. Information technology–Security techniques– Information security management systems–Requirements. 2005. [122] Michaela Luecke and Judith Simon. A Self-Regulatory Approach to Behavioral Compliance with IS Security Policies–“Come on, Baby, do the Locomotion”. In Twentieth Americas Conference on Information Systems, 2014. [123] Joseph Maguire and Karen Renaud. You only live twice or the years we wasted caring about shoulder-surfing. In Proceedings of the 26th Annual BCS Interaction Specialist Group Conference on People and Computers, pages 404–409. British Computer Society, 2012.

165 Bibliography

[124] Naresh K. Malhotra, Sung S. Kim, and James Agarwal. Internet Users’ Informa- tion Privacy Concerns (IUIPC): The Construct, the Scale, and a Causal Model. Information Systems Research, 15(4):336–355, 2004. [125] Angela Mattia and Gurpreet Dhillon. Applying double loop learning to interpret implications for information systems security design. In Systems, Man and Cyber- netics, 2003. IEEE International Conference on, volume 3, pages 2521–2526. IEEE, 2003. [126] Philipp Mayring. Qualitative Inhaltsanalyse. In Handbuch qualitative Forschung in der Psychologie, pages 601–613. Springer, 2010. [127] Oleksiy Mazhelis and Seppo Puuronen. A framework for behavior-based detection of user substitution in a mobile context. computers & security, 26(2):154–176, 2007. [128] Annegret Mehlfeld. Play Protect: Google startet schutz fürAndroid-Smartphones, 2017. Accessed: 30.11.2018. URL: https://www.connect.de/news/google-play- protect-android-smartphones-sicherheit-apps-3197492.html. [129] Maryam Mehrnezhad, Ehsan Toreini, Siamak F. Shahandashti, and Feng Hao. Stealing PINs via mobile sensors: actual risk versus user perception. International Journal of Information Security, 17(3):291–313, 2018. [130] Nicholas Micallef, Mike Just, Lynne Baillie, Martin Halvey, and Hilmi Güne¸sKay- acik. Why aren’t users using protection? investigating the usability of smartphone locking. In Proceedings of the 17th International Conference on Human-Computer Interaction with Mobile Devices and Services, pages 284–294. ACM, 2015. [131] Kristopher Micinski, Daniel Votipka, Rock Stevens, Nikolaos Kofinas, Michelle L Mazurek, and Jeffrey S Foster. User interactions and permission use on android. In Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, pages 362–373. ACM, 2017. [132] Patricia Mayer Milligan and Donna Hutcheson. Business risks and security assessment for mobile devices. In Proceedings of the 8th Conference on 8th WSEAS Int. Conference on Mathematics and Computers in Business and Economics-Volume 8, pages 189–193. World Scientific and Engineering Academy and Society (WSEAS), 2007. [133] L. Mimbi, W. Chigona, and B. Robertson. Synchronised smart phones: The collision of personal privacy and organisational data security. South African Journal of Business Management, 43(2):31–40, 2012. [134] Patriek Mistiaen, Anneke L. Francke, and Else Poot. Interventions aimed at reducing problems in adult patients discharged from hospital to home: a systematic meta-review. BMC health services research, 7(1):47, 2007. [135] Kevin D. Mitnick and William L. Simon. The art of deception: Controlling the human element of security, 2002.

166 Bibliography

[136] David L. Morgan. Qualitative content analysis: A guide to paths not taken. Qualitative health research, 3(1):112–121, 1993. [137] Ildar Muslukhov, Yazan Boshmaf, Cynthia Kuo, Jonathan Lester, and Konstantin Beznosov. Understanding users’ requirements for data protection in smartphones. In Data Engineering Workshops (ICDEW), 2012 IEEE 28th International Conference on, pages 228–235. IEEE, 2012. [138] Alexios Mylonas, Stelios Dritsas, Bill Tsoumas, and Dimitris Gritzalis. Smartphone Security Evaluation-The Malware Attack Case. SECRYPT, 11:25–36, 2011. [139] Alexios Mylonas, Dimitris Gritzalis, Bill Tsoumas, and Theodore Apostolopoulos. A qualitative metrics vector for the awareness of smartphone security users. In Trust, Privacy, and Security in Digital Business, pages 173–184. Springer Berlin Heidelberg, 2013. [140] Alexios Mylonas, Anastasia Kastania, and Dimitris Gritzalis. Delegate the smartphone user? Security awareness in smartphone platforms. Computers & Security, 34:47–66, 2013. [141] Chitu Okoli and Kira Schabram. A guide to conducting a systematic literature review of information systems research. 2010. [142] Morufu Olalere, Mohd Taufik Abdullah, Ramlan Mahmod, and Azizol Ab- dullah. A review of bring your own device on security issues. Sage Open, 5(2):2158244015580372, 2015. [143] Kevin Ortbach, Sebastian Köffer,Carl Philipp Friedrich Müller,and BjörnNiehaves. How IT Consumerization Affects the Stress Level at Work: A Public Sector Case Study. In PACIS, page 231, 2013. [144] Seppo Pahnila, Mikko Siponen, and Adam Mahmood. Employees’ behavior towards IS security policy compliance. In System sciences, 2007. HICSS 2007. 40Th annual hawaii international conference on, pages 156b–156b. IEEE, 2007. [145] Jonathan Pan and Chun Che Fung. An offensive containment strategy based on Malware’s attack patterns. In International Conference on Machine Learn- ing and Cybernetics, ICMLC 2013, Tianjin, China, July 14-17, 2013, pages 1631–1636. IEEE, 2013. URL: https://doi.org/10.1109/ICMLC.2013.6890860, doi:10.1109/ICMLC.2013.6890860. [146] Raymond R. Panko. Spreadsheets and Sarbanes-Oxley: Regulations, Risks, and Control Frameworks. CAIS, 17:29, 2006. URL: http://aisel.aisnet.org/cais/ vol17/iss1/29. [147] Raymond R. Panko and Daniel N. Port. End user computing: The dark matter (and dark energy) of corporate IT. pages 4603–4612, 2012. [148] Abbie Gail Parham, J. Lowell Mooney, and Timothy D. Cairney. When BYOD Meets Big Data. Journal of Corporate Accounting & Finance, 26(5):21–27, 2015.

167 Bibliography

[149] Simon Parkin, Aad Van Moorsel, Philip Inglesant, and M. Angela Sasse. A stealth approach to usable security: helping IT security managers to identify workable security solutions. In Proceedings of the 2010 New Security Paradigms Workshop, pages 33–50. ACM, 2010. [150] Karen P. Patten and Mark A. Harris. The need to address mobile device security in the higher education IT curriculum. Journal of Information Systems Education, 24(1):41, 2013. [151] Wei Peng, Feng Li, Keesook J. Han, Xukai Zou, and Jie Wu. T-dominance: Prioritized defense deployment for BYOD security. In Communications and Network Security (CNS), 2013 IEEE Conference on, pages 37–45. IEEE, 2013. [152] Nicholas J. Percoco and Sean Schulte. Adventures in BouncerLand. In Black Hat USA, 2012. [153] Shari Lawrence Pfleeger, M. Angela Sasse, and Adrian Furnham. From weakest link to security hero: Transforming staff security behavior. Journal of Homeland Security and Emergency Management, 11(4):489–510, 2014. [154] Clay Posey, Tom L. Roberts, Paul Benjamin Lowry, and Ross T. Hightower. Bridging the divide: A qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders. Information & management, 51(5):551–567, 2014. [155] Stefanie Pötzsch. Privacy awareness: A means to solve the Privacy Paradox? In FIDIS, volume 298 of IFIP Advances in Information and Communication Technology, pages 226–236. Springer, 2008. [156] Petri Puhakainen and Mikko Siponen. Improving employees’ compliance through information systems security training: an action research study. Mis Quarterly, pages 757–778, 2010. [157] PwC. 2015 Information Security Breaches Survey, 2015. Accessed: 17.11.2017. URL: http://www.pwc.co.uk/services/audit-assurance/insights/2015- information-security-breaches-survey.html. [158] Neil Raden. Shedding light on shadow IT: Is Excel running your business. DSSRe- sources. com, 26, 2005. [159] JR Raphael. How Google’s Android security is about to get even smarter, 2014. Accessed: 17.03.2014. URL: http://blogs.computerworld.com/android/23590/ google-android-security. [160] Lena Reinfelder and Zinaida Benenson. Exploring Security Processes in Orga- nizations: the Case of Smartphones. In Manuel Burghardt, Raphael Wimmer, Christian Wolff, and Christa Womser-Hacker, editors, Mensch und Computer 2017 - Workshopband, Regensburg, Germany, September 10-13, 2017. Gesellschaft für Informatik e.V., 2017. URL: https://doi.org/10.18420/muc2017-ws05-0403, doi:10.18420/muc2017-ws05-0403.

168 Bibliography

[161] Lena Reinfelder, Zinaida Benenson, and Freya Gassmann. Differences between Android and iPhone Users in Their Security and Privacy Awareness. In Trust, Privacy, and Security in Digital Business - 11th International Con- ference, TrustBus 2014, Munich, Germany, September 2-3, 2014. Proceedings, pages 156–167, 2014. URL: https://doi.org/10.1007/978-3-319-09770-1_14, doi:10.1007/978-3-319-09770-1\_14. [162] Lena Reinfelder, Robert Landwirth, and Zinaida Benenson. Security Managers Are Not the Enemy Either. In Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, pages 1–7. ACM, 2019. URL: https://doi.org/ 10.1145/3290605.3300663. [163] Lena Reinfelder, Andrea Schankin, Sophie Russ, and Zinaida Benenson. An Inquiry into Perception and Usage of Smartphone Permission Models. In Trust, Privacy and Security in Digital Business - 15th International Conference, TrustBus 2018, Regensburg, Germany, September 5-6, 2018, Proceedings, pages 9–22, 2018. URL: https://doi.org/10.1007/978-3-319-98385-1_2, doi:10.1007/978-3- 319-98385-1\_2. [164] Lena Reinfelder and Eva Weishäupl.A Literature Review on Smartphone Security in Organizations using a New Theoretical Model - the Dynamic Security Success Model. In 20th Pacific Asia Conference on Information Systems, PACIS 2016, Chiayi, Taiwan, June 27 - July 1, 2016, pages 59–76, 2016. URL: http://aisel. aisnet.org/pacis2016/59. [165] Karen Renaud. Blaming noncompliance is too convenient: What really causes information breaches? IEEE Security & Privacy, 10(3):57–63, 2012. [166] Christopher Rentrop and Stephan Zimmermann. Shadow IT. Management and Control of Unofficial IT. ICDS, pages 98–102, 2012. [167] Yoav Rubin, Nili Guy, Gal Shachor, Samuel Kallner, and Idan Ben-Harrush. Puremeap–a mobile enterprise application platform: a bird’s-eye view of the software architecture. In Proceedings of the 2013 ACM workshop on Mobile development lifecycle, pages 17–18. ACM, 2013. [168] Sophie Russ. Analyse der Nutzerwahrnehmungen von Permissions vor und nach Android Marshmallow sowie von iOS basierten Smartphones. Bachelor’s thesis, Friedrich-Alexander-UniversitätErlangen-Nürnberg, Germany, 2017. [169] Giovanni Russello, Mauro Conti, Bruno Crispo, and Earlence Fernandes. MOSES: supporting operation modes on smartphones. In Proceedings of the 17th ACM symposium on Access Control Models and Technologies, pages 3–12. ACM, 2012. [170] Vasileios Samaras, Semir Daskapan, Rizwan Ahmad, and Sayan Kumar Ray. An enterprise security architecture for accessing SaaS cloud services with BYOD. In Telecommunication Networks and Applications Conference (ATNAC), 2014 Australasian, pages 129–134. IEEE, 2014.

169 Bibliography

[171] Puspita Kencana Sari, Nurvita Trianasari, et al. Information security awareness measurement with confirmatory factor analysis. In Technology Management and Emerging Technologies (ISTMET), 2014 International Symposium on, pages 218– 223. IEEE, 2014. [172] M. Angela Sasse, Matthew Smith, Cormac Herley, Heather Lipford, and Kami Vaniea. Debunking security-usability tradeoff myths. IEEE Security & Privacy, 14(5):33–39, 2016. [173] Martina Angela Sasse, Sacha Brostoff, and Dirk Weirich. Transforming the ‘weakest link’—a human/computer interaction approach to usable and effective security. BT technology journal, 19(3):122–131, 2001. [174] Antonio Scarfo. New security perspectives around BYOD. In Broadband, Wireless Computing, Communication and Applications (BWCCA), 2012 Seventh Interna- tional Conference on, pages 446–451. IEEE, 2012. [175] Florian Schaub, Ruben Deyhle, and Michael Weber. Password entry usability and shoulder surfing susceptibility on different smartphone platforms. In Proceedings of the 11th international conference on mobile and ubiquitous multimedia, page 13. ACM, 2012. [176] Bruce Schneier. Beyond fear - thinking sensibly about security in an uncertain world. Springer, 2006. URL: https://doi.org/10.1007/b97547, doi:10.1007/b97547. [177] Bruce Schneier. The psychology of security. In Progress in Cryptology– AFRICACRYPT 2008, pages 50–79. Springer, 2008. [178] Bruce Schneier. Stop Trying to Fix the User. IEEE Security & Privacy, 14(5):96–96, 2016. [179] Nicolas Seriot. iPhone Privacy. In Black Hat USA, 2010. [180] Muhammad Shahzad, Alex X Liu, and Arjmand Samuel. Secure unlocking of mobile touch screen devices by simple gestures: you can see it but you can not do it. In Proceedings of the 19th annual international conference on Mobile computing & networking, pages 39–50. ACM, 2013. [181] Irina Shklovski, Scott D Mainwaring, Halla Hrund Skúladóttir,and Höskuldur Borgthorsson. Leakiness and creepiness in app space: perceptions of privacy and mobile app use. In Proceedings of the 32nd annual ACM conference on Human factors in computing systems, pages 2347–2356. ACM, 2014. [182] Mark S. Silver, M. Lynne Markus, and Cynthia Mathis Beath. The Information Tech- nology Interaction Model: A Foundation for the MBA Core Course. MIS Quarterly, 19(3):361–390, 1995. URL: http://misq.org/the-information-technology- interaction-model-a-foundation-for-the-mba-core-course.html. [183] Mikko Siponen. Six design theories for IS security policies and guidelines. Journal of the Association for Information systems, 7(1):19, 2006.

170 Bibliography

[184] Mikko Siponen, Seppo Pahnila, and Adam Mahmood. Factors influencing protection motivation and IS security policy compliance. In Innovations in Information Technology, 2006, pages 1–5. IEEE, 2006. [185] Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode. Working set-based access control for network file systems. In Proceedings of the 14th ACM symposium on Access control models and technologies, pages 207–216. ACM, 2009. [186] Sofos. Security Threat Report 2013. Accessed: 06.01.2013. URL: http://www.sophos.com/en-us/security-news-trends/reports/security- threat-report. [187] Sofos. Mobile Security Threat Report 2014, 2014. Accessed: 06.01.2014. URL: http://www.sophos.com/en-us/threat-center/mobile-security-threat- report.aspx. [188] Michael Spreitzenbarth and Felix Freiling. Android Malware on the Rise. Technical Report CS-2012-04, University of Erlangen, April 2012. [189] statista. Absatz von Smartphones weltweit in den Jahren 2009 bis 2018 (in Millionen Stück), 2018. Accessed: 05.03.2019. URL: https://de.statista. com/statistik/daten/studie/173049/umfrage/weltweiter-absatz-von- smartphones-seit-2009/. [190] statista. Marktanteile der führendenmobilen Betriebssysteme an der Internet- nutzung mit Mobiltelefonen weltweit von September 2009 bis September 2018, 2018. Accessed: 28.11.2018. URL: https://de.statista.com/statistik/ daten/studie/184335/umfrage/marktanteil-der-mobilen-betriebssysteme- weltweit-seit-2009/. [191] statista. Marktanteile der mobilen Betriebssysteme am Absatz von Smart- phones in Deutschland im 3. Quartal der Jahre 2017 und 2018, 2018. Ac- cessed: 28.11.2018. URL: https://de.statista.com/statistik/daten/ studie/198435/umfrage/marktanteile-der-smartphone-betriebssysteme- am-absatz-in-deutschland/. [192] Qingqing Sun, Tao Qi, Tan Yang, and Yidong Cui. An android dynamic data protection model based on light virtualization. In Communication Technology (ICCT), 2013 15th IEEE International Conference on, pages 65–69. IEEE, 2013. [193] John Tagg. The learning-paradigm campus: From single-to double-loop learning. New Directions for Teaching and Learning, 2010(123):51–61, 2010. [194] Joshua Tan, Khanh Nguyen, Michael Theodorides, Heidi Negrón-Arroyo, Christo- pher Thompson, Serge Egelman, and David Wagner. The effect of developer- specified explanations for permission requests on smartphone user behavior. In Proceedings of the 32nd annual ACM conference on Human factors in computing systems, pages 91–100. ACM, 2014.

171 Bibliography

[195] Christopher Thompson, Maritza Johnson, Serge Egelman, David Wagner, and Jennifer King. When it’s better to ask forgiveness than get permission: attribution mechanisms for smartphone resources. In Proceedings of the Ninth Symposium on Usable Privacy and Security, page 1. ACM, 2013. [196] Julie A. Totten and Melissa C. Hammock. Personal electronic devices in the workplace: Balancing interests in a BYOD world. ABA Journal of Labor & Employment Law, pages 27–45, 2014. [197] Darcy Travlos. Five Reasons Why Google Android versus Apple iOS Market Share Numbers Don’t Matter, 2012. Accessed: 08.01.2013. URL: www.forbes.com. [198] Lynn Tsai, Primal Wijesekera, Joel Reardon, Irwin Reyes, Serge Egelman, David Wagner, Nathan Good, and Jung-Wei Chen. Turtle Guard: Helping Android Users Apply Contextual Privacy Preferences. In Symposium on Usable Privacy and Security (SOUPS), 2017. [199] Dirk Van Bruggen, Shu Liu, Mitch Kajzer, Aaron Striegel, Charles R Crowell, and John D’Arcy. Modifying smartphone user locking behavior. In Proceedings of the Ninth Symposium on Usable Privacy and Security, page 10. ACM, 2013. [200] Rob Van der Meulen and Janessa Rivera. Gartner predicts by 2017, half of employers will require employees to supply their own device for work purposes. Gartner. com, 1, 2013. [201] Johan Van Niekerk and Rossouw von Solms. Organisational learning models for information security. In The ISSA 2004 Enabling Tomorrow Conference, volume 30, 2004. [202] Anthony Vance, Mikko Siponen, and Seppo Pahnila. Motivating IS security compliance: insights from habit and protection motivation theory. Information & Management, 49(3-4):190–198, 2012. [203] Rakesh Kumar Verma, Deepak Singh Tomar, and Shashi Kant Rathore. Extraction and veriﬁcation of mobile message integrity. In Communication Systems and Network Technologies (CSNT), 2011 International Conference on, pages 49–53. IEEE, 2011. [204] Basie Von Solms. Information Security governance: COBIT or ISO 17799 or both? Computers & Security, 24(2):99–104, 2005. [205] Rossouw Von Solms. Information security management (3): the code of practice for information security management (BS 7799). Information Management & Computer Security, 6(5):224–225, 1998. [206] Catherine L. Wang and Pervaiz K. Ahmed. Organisational learning: a critical review. The learning organization, 10(1):8–17, 2003.

172 Bibliography

[207] Tielei Wang, Kangjie Lu, Long Lu, Simon P Chung, and Wenke Lee. Jekyll on iOS: When Benign Apps Become Evil. In USENIX Security Symposium, volume 78, 2013. [208] Mark R. Waterfill. BYOD: Where the Employee & the Enterprise Intersect. Res Gestae, 59:24, 2015. [209] Jane Webster and Richard T. Watson. Analyzing the past to prepare for the future: Writing a literature review. MIS quarterly, pages xiii–xxiii, 2002. [210] Eva Weishäupl,Emrah Yasasin, and Guido Schryen. A multi-theoretical literature review on information security investments using the resource-based view and the organizational learning theory. In ICIS. Association for Information Systems, 2015. [211] Rodrigo Werlinger, Kirstie Hawkey, David Botta, and Konstantin Beznosov. Security practitioners in context: Their activities and interactions with other stakeholders within organizations. International Journal of Human-Computer Studies, 67(7):584– 606, 2009. [212] Primal Wijesekera, Arjun Baokar, Ashkan Hosseini, Serge Egelman, David Wagner, and Konstantin Beznosov. Android Permissions Remystified: A Field Study on Contextual Integrity. In Proceedings of the 24th USENIX Conference on Security Symposium, SEC’15, pages 499–514, Berkeley, CA, USA, 2015. USENIX Association. [213] Harry R. Wright Jr, J. Lowell Mooney, and Abbie Gail Parham. Your firm’s mobile devices: How secure are they? Journal of Corporate Accounting & Finance, 22(5):13–21, 2011. [214] S. A. I. Yazid, M. A. Faizal, A. Rabiah, S. Shahrin, and S. Solahuddin. Enhancement of Asset value classification for Mobile devices. In Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), 2012 International Conference on, pages 106–110. IEEE, 2012. [215] Ka-Ping Yee. Aligning security and usability. IEEE Security & Privacy, 2(5):48–55, 2004. [216] Wei Yu, Zhijiang Chen, Guobin Xu, Sixiao Wei, and Nnanna Ekedebe. A threat monitoring system for smart mobiles in enterprise networks. In Proceedings of the 2013 Research in Adaptive and Convergent Systems, pages 300–305. ACM, 2013. [217] Nur Haryani Zakaria, David Griffiths, Sacha Brostoff, and Jeff Yan. Shoulder surfing defence for recall-based graphical passwords. In Proceedings of the Seventh Symposium on Usable Privacy and Security, page 6. ACM, 2011. [218] Olaf Zawacki-Richter, Günter Hohlfeld, and Wolfgang Müskens. Mediennutzung im Studium. Schriftenreihe zum Bildungs-und Wissenschaftsmanagement, 1(1), 2014.

173 Bibliography

[219] Yury Zhauniarovich, Giovanni Russello, Mauro Conti, Bruno Crispo, and Earlence Fernandes. Moses: supporting and enforcing security proﬁles on smartphones. IEEE Transactions on Dependable and Secure Computing, 11(3):211–223, 2014. [220] Stephan Zimmermann and Christopher Rentrop. On the Emergence of Shadow IT - a Transaction Cost-Based Approach. In Michel Avital, Jan Marco Leimeister, and Ulrike Schultze, editors, 22st European Conference on Information Systems, ECIS 2014, Tel Aviv, Israel, June 9-11, 2014, 2014. URL: http://aisel.aisnet.org/ ecis2014/proceedings/track15/11. [221] Stephan Zimmermann, Christopher Rentrop, and Carsten Felden. A multiple case study on the nature and management of shadow information technology. Journal of Information Systems, 31(1):79–101, 2016. [222] Lena Reinfelder Zinaida Benenson and Freya Gassmann. Exploring interaction between smartphone choice and human aspects of security and privacy. In Pro- ceedings of the 2nd Workshop on Usable Privacy and Security for Mobile Devices (U-PriSM 2), Munich, Germany, August 27, 2013, 2013. [223] Mary Ellen Zurko and Richard T. Simon. User-centered security. In Proceedings of the 1996 workshop on New security paradigms, pages 27–33. ACM, 1996.

174