Re-designing Permission Requirements to Encourage BYOD Policy Adherence

  • Lotus LeeEmail author
  • Jeremiah D. StillEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9190)


Many corporations and organizations support a Bring Your Own Device (BYOD) policy, which allows employees to use their personal smartphones for work-related purposes. Access to proprietary company data and information from an employee’s smartphone raises serious privacy and security concerns. Companies are vulnerable to data breaches if employees are unable to discern which applications are safe to install. Situating privacy requirements ought to encourage safer application install decisions and decrease risker ones. This study examines the use of context-relevant warning messages, which alert employees to be cautious when the company’s BYOD policy may be violated. We also explore the impact of presenting permission requirements before and after making the install decision. We provide evidence that the presence of warnings, despite the timing of when they were presented, facilitated a lower number of risky installations. In situations when it was safe to install an application, warning messages presented before the install decision drastically encouraged installations compared to when there were no warnings. Interestingly, the opposite pattern was found when warning messages were presented after the decision. Overall, better privacy and security decisions will be made if permission requirements are displayed with relevant warning messages. In addition, safe installations will be encouraged through the placement of these meaningful warnings on the description page of a mobile application before a user has decided to install it.


Decision-making Interface design Mobile security Privacy Trust User experience 



This research was supported by the Psychology of Design laboratory. We thank Auriana Shokrpour, Dorian Berthoud, Felicia Santiago, Jarad Bell, Michelle Gomez, and Peter McEvoy for their assistance collecting data.


  1. Akhawe, D., Felt, A.P.: Alice in Warningland: a large-scale field study of browser security warning effectiveness. In: Usenix Security, pp. 257–272 (2013)Google Scholar
  2. Balebako, R., Marsh, A., Lin, J., Hong, J., Cranor, L.F.: The privacy and security behaviors of smartphone app developers. In: Workshop 2014 Usable Security Experiments (USEC) (2014)Google Scholar
  3. Barrera, D., Kayacik, H.G., van Oorschot, P.C., Somayaji, A.: A methodology for empirical analysis of permission-based security models and its application to android. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 73–84 (2010)Google Scholar
  4. Bohme, R., Kopsell, S.: Trained to accept? a field experiment on consent dialogs. In: Proceedings of the 28th International Conference on Human Factors in Computing Systems, pp. 2403–2406 (2010)Google Scholar
  5. Chia, P.H., Yamamoto, Y., Asokan, N.: Is this app safe? a large scale study on application permissions and risk signals. In: Proceedings of the 21st International Conference on World Wide Web, pp. 311–320 (2012)Google Scholar
  6. Choe, E.K., Jung, J., Lee, B., Fisher, K.: Nudging people away from privacy-invasive mobile apps through visual framing. In: Kotzé, P., Marsden, G., Lindgaard, G., Wesson, J., Winckler, M. (eds.) INTERACT 2013, Part III. LNCS, vol. 8119, pp. 74–91. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  7. Cialdini, R.B., Cacioppo, J.T., Bassett, R., Miller, J.A.: Low-ball procedure for producing compliance: commitment then cost. J. Pers. Soc. Psychol. 36, 463–476 (1978)CrossRefGoogle Scholar
  8. Egelman, S., Tsai, J., Cranor, L.F., Acquisti, A.: Timing is everything?: the effects of timing and placement of online privacy indicators. In: Proceedings of the Conference on Human Factors in Computing Systems, pp. 319–328 (2009)Google Scholar
  9. Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th on Computers and Communications Security, pp. 627–638 (2011)Google Scholar
  10. Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: Symposium on Usable Privacy and Security, pp. 1–14 (2012)Google Scholar
  11. Jian, J.-Y., Bisantz, A.M., Drury, C.G.: Foundations for an empirically determined scale of trust in automated systems. Int. J. Cogn. Ergon. 4(1), 53–71 (2000)CrossRefGoogle Scholar
  12. Jou, J., Shanteau, J., Harris, R.J.: An information processing view of framing effects: the role of causal schemas in decision making. Mem. Cogn. 24, 1–15 (1996)CrossRefGoogle Scholar
  13. Kelley, P.G., Consolvo, S., Cranor, L.F., Jung, J., Sadeh, N., Wetherall, D.: A conundrum of permissions: installing application on an android smartphone. In: Conference of Financial Cyptography and Data Security, Workshop on Usable Security, pp. 1–12 (2012)Google Scholar
  14. Kelley, P.G., Cranor, L.F., Sadeh, N.: Privacy as part of the app decision-making process. In: Proceedings of the 2013 ACM Annual Conference on Human Factors in Computing Systems, pp. 3393–3402 (2013)Google Scholar
  15. Mylonas, A., Kastania, A., Gritzalis, D.: Delegate the smartphone user? security awareness in smartphone platforms. J. Comput. Secur. 34, 47–66 (2013)CrossRefGoogle Scholar
  16. Mylonas, A., Theoharidou, M., Gritzalis, D.: Assessing privacy risks in Android: a user-centric approach. In: Proceedings of the 1st International Workshop on Risk Assessment and Risk-Driven Testing, pp. 21–37 (2014)Google Scholar
  17. Pfleeger, S.L., Caputo, D.D.: Leveraging behavioral science to mitigate cyber security risk. Comput. Secur. 31(4), 597–611 (2012)CrossRefGoogle Scholar
  18. Solove, D.J.: Privacy self-management and the consent dilemma. Harv. Law Rev. 126, 1880–1903 (2013)Google Scholar
  19. Yee, K.P.: Guidelines and strategies for secure interaction design. In: Russell, D. (ed.) Security and Usability: Designing Secure Systems that People can Use, pp. 247–273. O’Reilly Media Inc., Sebastopol (2005)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.San José State UniversitySan JoseUSA

Personalised recommendations