Process model to explain the non-secure cookie behaviour problem

The problem in a nutshell

While browser cookies make our internet experience more fluid and help webpages to be more functional, they are still a generally poorly understood concept amongst the general public. Therefore, the problem is not the cookies in themselves, but rather the lack of awareness surrounding personal data. Multiple past researches have shown that internet users have on average a very poor grasp of what browser cookies are (Ha et al. 2006; Hoofnagle, 2005). Even amongst the people that claim to have knowledge on the subject, only about 15% could demonstrate evidence of even a rudimentary understanding of internet cookie functionality (Jensen, Potts & Jensen, 2005). Miyazaki (2008) also shows in his research, that the vast majority of people do not possess the technical knowledge to remove already installed cookies appropriately or install software that would prevent unwanted cookies being installed on their computers. 

In addition to lack of consumer knowledge, there is also a disparity between the cookie usage reported by websites and their actual use. Cookies can be often labeled as having an expiration date, though there often is no actual guarantee of the user’s browser executing this command in an appropriate manner and time. Furthermore, third-party cookie usage is often labeled unclearly, or might be missing altogether (Miyazaki, 2008). For a non-tech savvy person it is naturally easiest to press the option in the cookie selection bar, that allows them to move on and use the website for their intended purpose, without giving it a second thought. This introduces a very worrying problem regarding giving informed consent for the possibly very personal data stored by browser cookies.

Theoretical framework

The next process model aims at explaining the non-secure cookie behaviour problem based on existing literature and social psychological frameworks geared to behaviour change. 

When a user accepts all third-party cookies on websites that they visit then they are behaving in a manner which indicates that they have not given much thought to their personal data awareness online. This certain behaviour is rooted in the person’s intention to use the internet efficiently, further displaying the apparent disregard to their data being used by third-party companies on the internet. The theoretical framework behind human psychology is usually complex, and therefore difficult to fully display (Ajzen 1991, 179).  

The Theory of Planned Behaviour is a psychological model which allows for deeper academic insight into the structure of certain human behaviours. It is a model used to understand the intentions behind people’s actions, and to predict specific behaviours given certain situations (Ajzen 1991, 181). Once successfully identified, these intentions can be altered by affecting three variables. These variables are the attitude of the individual, subjective norms that may have an impact on the individuals decision making process, and the behavioural control that the individual perceives themselves to have over their actions (Ajzen 1991, 182). The Theory of Planned Behaviour revolves heavily around the perceived control an individual has over their behaviour, rather than their actual control. The resources and opportunities available to someone will have an effect on their decision making, subconsciously and otherwise (Ajzen 1991, 183). Therefore, if someone’s perception can be modified then their intentions can be altered, which ultimately impacts their behaviour. The Theory of Planned Behaviour process model provides an ideal canvas to understand the psychological process behind people’s actions with cookie acceptance on the internet. However, the Theory of Planned Behaviour model is best applied in this research in conjunction with the Technology Acceptance Model. 

The Technology Acceptance Model is a psychological process model designed to predict individual adoption of information technology systems, and suggests that someone’s behavioural intention to use such an IT system is determined through two factors (Venkatesh & Bala 2008, 275). These two factors are the perceived usefulness of the IT system, and the perceived ease of use. Namely, the perceived usefulness refers to someone’s belief that an IT system will enhance their professional and/or private life, while the perceived ease of use refers to the degree to which someone believes that an IT system will be free of effort to use. 

Technology Acceptance Model (Venkatesh & Bala 2008, p. 275)

Furthermore, the model recognises external variables that need to be taken into consideration in determining the perceived ease of use and usefulness of an IT system. These variables include the actual user-interface of the IT system, the individual differences amongst users, the social mechanisms which guide individuals to have certain preconditioned perceptions, and conditions which facilitate the use of the new IT system such as organisational support (Venkatesh & Bala 2008, 276). However, the model theories that the effect of external variables on behavioural intention will be mediated by the two factors of perceived ease of use and perceived usefulness (Venkatesh & Bala 2008, 275). The mediation of these external factors is why the process model suggests that the two factors of ease of use and usefulness play a major role in someone’s behavioural intention to adopt a new IT system. The Technology Acceptance Model was originally designed to explain employee’s adoption of new IT systems in large companies, but has shown to be applicable in the general psychological process of using any contemporary information technology system (Riek et al 2016, 262).

A combination of the Theory of Planned Behaviour process model and the Technology Acceptance model allows us to formulate the psychological process behind the decision of individuals to accept third-party cookies on the internet without giving much thought to their actions. Shown below is the adapted process model, which depicts this behaviour by combining factors and external variables from both academic process models.

This model allows to not only predict such behaviour in the future, but also helps to understand which factors can lead to a potential change in such behaviour, thus increasing the cybersecurity awareness of internet users.

Adapted Process Model for Cookie Behaviour from the Theory of Planned Behaviour (Ajzen 1991, p. 182) and the Technology Acceptance Model (Venkatesh & Bala 2008, 275)

References:

Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179–211. https://doi.org/10.1016/0749-5978(91)90020-T

Miyazaki, A. D. (2008). Online Privacy and the Disclosure of Cookie Use: Effects on Consumer Trust and Anticipated Patronage. Journal of Public Policy & Marketing, 27(1), 19–33. https://doi.org/10.1509/jppm.27.1.19

Ha, V., Al Shaar, F., Inkpen, K.,  & Hdeib, L. (2006). “An Examination of User Perception and Misconception of Internet Cookies,” in CHI 2006 Extended Abstracts on Human Factors in Computing Systems. Montréal: Association for Computer Machinery, 833–38

Jensen, C., Potts, C., & Jensen, C. (2005). Privacy practices of Internet users: Self-reports versus observed behavior. International Journal of Human-Computer Studies, 63(1–2), 203–227. https://doi.org/10.1016/j.ijhcs.2005.04.019

Riek, M., Bohme, R., & Moore, T. (2016). Measuring the Influence of Perceived Cybercrime Risk on Online Service Avoidance. IEEE Transactions on Dependable and Secure Computing, 13(2), 261–273. https://doi.org/10.1109/TDSC.2015.2410795

Venkatesh, V., & Bala, H. (2008). Technology Acceptance Model 3 and a Research Agenda on Interventions. Decision Sciences, 39(2), 273–315. https://doi.org/10.1111/j.1540-5915.2008.00192.x