Data Guardians’ Behaviors and Challenges While Caring for Others’ Personal Data

  • Conference paper
HCI for Cybersecurity, Privacy and Trust (HCII 2023)

Abstract

Many professional domains require the collection and use of personal data. Protecting systems and data is a major concern in these settings, making it necessary that workers who interact with personal data understand and practice good security and privacy habits. However, to date, there has been little examination of perceptions, behaviors, and challenges among these professionals. To address this gap, we conducted an interview study of 19 individuals working in the education, finance, and health fields. We discovered an overarching theme centered on caring in relation to how these professionals feel responsible for protecting other people’s personal data and take on a “data guardian” role. The identification of the experiences and challenges of data guardians can aid organizations in recognizing and supporting this critical role. Study insights can also help designers of systems that process personal data to better align with the needs and constraints of data guardians.

Notes

  1. The terminology used to describe sensitive, personal data varies within different laws, e.g., personally identifiable information (PII) in the Privacy Act [2], personal health information (PHI) in the Health Insurance Portability and Accountability Act [11], personal data in the General Data Protection Regulation [12], and personal information in the California Consumer Privacy Act [30]. For simplicity, within this document, we standardize on the term personal data.

  2. The term “data guardian” does not describe a formalized cybersecurity or privacy work role (e.g., like those described in the National Initiative for Cybersecurity Education Workforce Framework for Cybersecurity [22]), but rather encompasses a range of professionals using large amounts of personal data as part of their jobs.

References

  1. 106th Congress: S.900 - Gramm-Leach-Bliley Act (1999). https://www.congress.gov/bill/106th-congress/senate-bill/900

  2. 113th Congress: S.607 - Electronic communications privacy act amendments act of 2013 (2013). https://www.congress.gov/bill/113th-congress/senate-bill/607/text

  3. Alotaibi, M., Furnell, S., Clarke, N.: Information security policies: a review of challenges and influencing factors. In: 2016 11th International Conference for Internet Technology and Secured Transactions (ICITST), pp. 352–358 (2016)

  4. Bada, M., Sasse, M.A., Nurse, J.R.: Cyber security awareness campaigns: why do they fail to change behaviour? (2019). https://arxiv.org/ftp/arxiv/papers/1901/1901.02672.pdf

  5. Barbour, R.S.: Checklists for improving rigour in qualitative research: a case of the tail wagging the dog? BMJ 322(7294), 1115–1117 (2001)

  6. Barth, S., de Jong, M.D., Junger, M., Hartel, P.H., Roppelt, J.C.: Putting the privacy paradox to the test: online privacy and security behaviors among users with technical knowledge, privacy awareness, and financial resources. Telematics Inform. 41, 55–69 (2019)

  7. Busse, K., Schäfer, J., Smith, M.: Replication: ‘...no one can hack my mind’ - revisiting a study on expert and non-expert security practices and advice. In: Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019), pp. 117–136 (2019)

  8. Caldwell, T.: Making security awareness training work. Comput. Fraud Secur. 6, 8–14 (2016)

  9. Congressional Research Service: Financial services and cybersecurity: The federal role (2016). https://crsreports.congress.gov/product/pdf/R/R44429

  10. D’Arcy, J., Teh, P.L.: Predicting employee information security policy compliance on a daily basis: the interplay of security-related stress, emotions, and neutralization. Inf. Manag. 56(7), 103151 (2019)

  11. Department of Health and Human Services: The HIPAA privacy rule (2021). https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

  12. European Union: General data protection regulation (2016). https://gdpr.eu/

  13. Gabriel, T., Furnell, S.: Selecting security champions. Comput. Fraud Secur. 8, 8–12 (2011)

  14. Haney, J.M., Lutters, W.G.: “It’s scary...it’s confusing...it’s dull”: how cybersecurity advocates overcome negative perceptions of security. In: Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018), pp. 411–425 (2018)

  15. Herley, C.: So long, and no thanks for the externalities: the rational rejection of security advice by users. In: 2009 Workshop on New Security Paradigms, pp. 133–144 (2009)

  16. Ion, I., Reeder, R., Consolvo, S.: ‘...no one can hack my mind’: comparing expert and non-expert security practices. In: Eleventh Symposium on Usable Privacy and Security (SOUPS 2015), pp. 327–346 (2015)

  17. Kang, R., Dabbish, L., Fruchter, N., Kiesler, S.: “My data just goes everywhere:” user mental models of the internet and implications for privacy and security. In: Eleventh Symposium on Usable Privacy and Security (SOUPS 2015) (2015)

  18. Kirlappos, I., Parkin, S., Sasse, M.A.: “Shadow security” as a tool for the learning organization. Comput. Soc. 45(1), 29–37 (2015)

  19. Lee, C., Lee, C.C., Kim, S.: Understanding information security stress: focusing on the type of information security compliance activity. Comput. Secur. 59, 60–70 (2016)

  20. McDonald, N., Schoenebeck, S., Forte, A.: Reliability and inter-rater reliability in qualitative research: norms and guidelines for CSCW and HCI practice. In: ACM on Human-Computer Interaction, p. 72. ACM (2019)

  21. Merriam, S.B., Tisdell, E.J.: Qualitative Research: A Guide to Design and Implementation, 4th edn. Wiley, San Francisco (2016)

  22. Petersen, R., Santos, D., Smith, M.C., Wetzel, K.A., Witte, G.: NIST Special Publication 800-181 Revision 1: Workforce Framework for Cybersecurity (NICE Framework) (2020). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181r1.pdf

  23. Pfleeger, S.L., Caputo, D.D.: Leveraging behavioral science to mitigate cyber security risk. Comput. Secur. 31(4), 597–611 (2012)

  24. Post, G.V., Kagan, A.: Evaluating information security tradeoffs: restricting access can interfere with user tasks. Comput. Secur. 26(3), 229–237 (2007)

  25. Prettyman, S.S., Furman, S., Theofanos, M., Stanton, B.: Privacy and security in the brave new world: the use of multiple mental models. In: Tryfonas, T., Askoxylakis, I. (eds.) HAS 2015. LNCS, vol. 9190, pp. 260–270. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20376-8_24

  26. Racine, E., Skeba, P., Baumer, E.P., Forte, A.: What are PETs for privacy experts and non-experts. In: Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020) (2020)

  27. Seberger, J.S., Llavore, M., Wyant, N.N., Shklovski, I., Patil, S.: Empowering resignation: there’s an app for that. In: 2021 CHI Conference on Human Factors in Computing Systems, pp. 1–18 (2021)

  28. Smith, S.W., Koppel, R., Blythe, J., Kothari, V.: Mismorphism: a semiotic model of computer security circumvention. In: 2015 Symposium and Bootcamp on the Science of Security, pp. 1–2 (2015)

  29. Stanton, B., Theofanos, M.F., Prettyman, S.S., Furman, S.: Security fatigue. IT Prof. 18(5), 26–32 (2016)

  30. State of California: SB-327 Information privacy: connected devices (2018). https://leginfo.legislature.ca.gov

  31. Stickland, R., Haimson, L.: The state student privacy report card: grading the states on protecting student data privacy. Technical report, Network for Public Education (2019)

  32. Swedberg, R.: Exploratory research. In: Elman, C., Gerring, J., Mahoney, J. (eds.) The Production of Knowledge: Enhancing Progress in Social Science, pp. 17–41. Cambridge University Press (2020)

  33. Tahaei, M., Frik, A., Vaniea, K.: Privacy champions in software teams: understanding their motivations, strategies, and challenges. In: Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems, pp. 1–15 (2021)

  34. Theofanos, M., Stanton, B., Furman, S., Prettyman, S.S., Garfinkel, S.: Be prepared: how US government experts think about cybersecurity. In: Workshop on Usable Security (USEC) (2017)

  35. Verizon: 2021 data breach investigations report (2022). https://www.verizon.com/business/resources/reports/2021-data-breach-investigations-report.pdfx

  36. Wash, R.: Folk models of home computer security. In: Sixth Symposium on Usable Privacy and Security (SOUPS 2010), pp. 11–26 (2010)

  37. West, R., Mayhorn, C., Hardee, J., Mendel, J.: The weakest link: a psychological perspective on why users make poor security decisions. In: Social and Human Elements of Information Security: Emerging Trends and Countermeasures, pp. 43–60 (2009)

Author information

Corresponding author

Correspondence to Julie M. Haney.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Haney, J.M., Spickard Prettyman, S., Theofanos, M.F., Furman, S.M. (2023). Data Guardians’ Behaviors and Challenges While Caring for Others’ Personal Data. In: Moallem, A. (eds) HCI for Cybersecurity, Privacy and Trust. HCII 2023. Lecture Notes in Computer Science, vol 14045. Springer, Cham. https://doi.org/10.1007/978-3-031-35822-7_12

  • DOI: https://doi.org/10.1007/978-3-031-35822-7_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-35821-0

  • Online ISBN: 978-3-031-35822-7

  • eBook Packages: Computer Science (R0)
