To find out why people adopt and then sometimes abandon online safety measures, researchers from the University of Michigan School of Information and NortonLifeLock’s Research Group surveyed more than 900 people about their use of 30 commonly recommended practices to guard against security, privacy and identity theft risks.

The study will appear April 26, 2020 in the Proceedings of the 2020 ACM CHI Conference on Human Factors in Computing Systems, which has been canceled due to COVID-19 but will publish conference research. The U-M paper has been recognized with an Honorable Mention Award.

The team found that security practices like avoiding clicking on unknown links or emails were much more adopted than privacy or ID theft practices (such as using ad blocker or placing a credit freeze on one’s credit reports, respectively). The potential reason behind this might be that the damage from security risks is much more tangible, the researchers said. When it comes to privacy and the information companies collect about people, the harms are more difficult to visualize, they said.

What the researchers found:

  • Of 10 practices with the highest adoption rates, seven were security related.
  • Practices with high partial adoption rates were evenly split between security and privacy.
  • Top privacy risk management practices included cleaning cookies, going incognito on the web and avoiding websites that asked for real names.
  • More than 50 percent of respondents did not follow recommendations for unique or strong passwords.
  • Abandonment was less common than full or partial adoption, with a rate below 20 percent for all surveyed practices.
  • The most abandoned practices included using anonymity systems such as virtual private networks (VPNs), using automated updates for software and using antivirus software.
  • Most participants had not adopted and were not much interested in using an identity monitoring service and placing a fraud alert on credit reports.
  • Top reasons for partial adoption: the practice was inconvenient or unusable (10 percent); users relied on their own judgment, e.g., “I know better than to open a suspicious email” (9 percent); and users only adopted when something bad happened, like a fraudulent charge on an account (8 percent).
  • Reasons for abandonment: the practice was not needed anymore (20 percent); the risk no longer existed (14 percent); the practice interfered with usability (12 percent); trust in own judgment (6 percent); users adopted another service that served a similar purpose, e.g., a tool that clears third-party cookies so the user does not have to do it manually (6 percent).
  • Although 67 percent of respondents reported being a victim of a previous data breach, the respondents overall rarely adopted identity theft protection practices, such as credit freezes and fraud alerts. Even so, those who were victims adopted more protection practices overall.

About the respondents:

  • Men had higher adoption rates than women.
  • Middle-aged respondents adopted more security measures than younger people, but the opposite trend was found for privacy measures.
  • Lower-income participants had higher levels of practice adoption overall.
  • More education led to higher adoption.

For the full study, visit