Examining the Adoption and Abandonment of Security, Privacy, and Identity Theft Protection Practices

Users struggle to adhere to expert-recommended security and privacy practices. While prior work has studied initial adoption of such practices, little is known about the subsequent implementation and abandonment. We conducted an online survey (n=902) examining the adoption and abandonment of 30 commonly recommended practices. Security practices were more widely adopted than privacy and identity theft protection practices. Manual and fully automatic practices were more widely adopted than practices requiring recurring user interaction. Participants' gender, education, technical background, and prior negative experience are correlated with their levels of adoption. Furthermore, practices were abandoned when they were perceived as low-value, inconvenient, or when users overrode them with subjective judgment. We discuss how security, privacy, and identity theft protection recommendations and tools can be better aligned with user needs.