When the biggest threat is you: privacy risks of uninformed users
October 28, 2019
That people find it hard to make choices in their own self interest, to protect their online privacy and security, troubles Idris Adjerid, an associate professor of business information technology whose research focus is on the intersection of behavioral economics and privacy decision making.
“It’s particularly shocking,” Adjerid says, “given the extent to which users of technology platforms in this country are asked to manage their own privacy risks.”
And there’s more bad news: “People often and consistently underestimate the extent to which their personal information is being collected and used, and the importance of the implications.”
The human struggle to manage personal privacy and security risk has a lot to do with knowledge and time constraints. “I think a big part is that most of us don’t really know how to make these choices and are uncertain about our preferences,” Adjerid says.
“For example, how much is our data worth? How bad are the potential downsides? Will they impact us or someone else? All of this uncertainty results in us having to use heuristics to simplify the choices.”
Such mental strategies or processes — trial and error, intuition, or guessing — can lead to flawed decision making, he says. “In addition, it is taxing, time-wise and cognitively, to make all these choices for the many different services that use our data.”
Privacy and security aside, Adjerid’s research interests are in the realm of health care: information technology, analytics, information exchanges, and how it all affects patient outcomes and health care costs.
He received the Young Researcher Award at the 2017 Conference on Health IT and Analytics for his work on health care economics, including a co-authored study, when he was on the faculty at the University of Notre Dame, that found that a health information exchange could potentially save billions of tax dollars if implemented nationally.
“The potential cost savings and quality improvements from technology are astounding,” Adjerid says. “Because the health care system is so large, even a few percentage point changes can mean dramatic improvements for society.”
Adjerid, who received his doctorate in information systems and management from Carnegie Mellon University, was recruited to Virginia Tech in 2018 as part of an effort to strengthen faculty expertise in integrated security, a focus area for the university.
His hire was actually a homecoming for Adjerid, who moved to Blacksburg as a high school student after his father joined the math faculty at Virginia Tech. “Growing up in this area, I loved Virginia Tech and the environment of scholarship and community.”
As a Pamplin undergraduate, he majored in business information technology after deciding that it balanced his interest in technology with his desire to understand how it can affect the world around him.
He completed an MBA on a part-time basis at the university’s Northern Virginia Center while working at his first job as a technology analyst at the Government Accountability Office (GAO). “It was really important to me to continue developing and learning after I started working,” Adjerid says, adding that Virginia Tech’s MBA program helped him acquire the additional skills he sought.
At the GAO, Adjerid became interested in privacy and security issues. But he was inspired to pursue a Ph.D., he says, by his academician father. “He instilled in me a desire to learn and excel from an early age. I also observed how passionate he was about his students learning and conducting exciting original research.”
Adjerid gets to motivate his own students now at Virginia Tech. He is teaching two courses that he developed in a brand-new academic option in cybersecurity management and analytics that his department began offering this semester: cybersecurity analytics in business; and data governance, privacy, and ethics.
As a researcher, Adjerid has a new privacy and security project under way that holds promise for greater social good; he and his research team are evaluating the potential of machine learning for addressing security vulnerabilities more efficiently.
They will be making their practical approaches publicly available for use by organizations seeking new ways to manage security risk.