Empirical Measurement of Perceived Privacy Risk

Personal data is increasingly collected and used by companies to tailor services to users, and to make financial, employment, and health-related decisions about individuals. When personal data is inappropriately collected or misused, however, individuals may experience violations of their privacy. Historically, government regulators have relied on the concept of risk in energy, aviation and medicine, among other domains, to determine the extent to which products and services may harm the public. To address privacy concerns in government-controlled information technology, government agencies are advocating to adapt similar risk management frameworks to privacy. Despite the recent shift toward a risk-managed approach for privacy, to our knowledge, there are no empirical methods to determine which personal data are most at-risk and which contextual factors increase or decrease that risk. To this end, we introduce an empirical framework in this article that consists of factorial vignette surveys that can be used to measure the effect of different factors and their levels on privacy risk. We report a series of experiments to measure perceived privacy risk using the proposed framework, which are based on expressed preferences, and which we define as an individual's willingness to share their personal data with others given the likelihood of a potential privacy harm. These experiments control for one or more of the six factors affecting an individual's willingness to share their information: data type, computer type, data purpose, privacy harm, harm likelihood, and individual demographic factors, such as age range, gender, education level, ethnicity, and household income. To measure likelihood, we introduce and evaluate a new likelihood scale based on construal level theory in psychology. The scale frames individual attitudes about risk likelihood based on social and physical distance to the privacy harm. The findings include predictions about the extent to which the above factors correspond to risk acceptance, including that perceived risk is lower for induced disclosure harms when compared to surveillance and insecurity harms as defined in Solove's Taxonomy of Privacy. We also found that participants are more willing to share their information when they perceive the benefits of sharing. In addition, we found that likelihood was not a multiplicative factor in computing privacy risk perception, which challenges conventional theories of privacy risk in the privacy and security community.