The advent of the Internet has led to vastly increased levels of data accessibility to both users and would-be attackers. The privacy paradox is an established phenomenon wherein users express concern about resultant security and privacy threats to their data, but nevertheless fail to enact the host of protective measures that have steadily become available. The precise nature of this phenomenon, however, is not a settled matter. Fortunately, risk communication theory, a discipline devoted to understanding the factors involved in risk-oriented decision-making and founded in years of empirical research in public health and disaster awareness domains, presents an opportunity to seek greater insight into this problem. In this dissertation, we explore the application of principles and techniques from risk communication theory to the question of factors in the grassroots adoption of secure communication technologies. First, we apply a fundamental first-step technique in risk communication—mental modeling—toward understanding users' perceptions of the structure, function, and utility of encryption in day-to-day life. Second, we apply principles of risk communication to system design by redesigning the authentication ceremony and its associated messaging in the Signal secure messaging application. Third, we evaluate the applicability of a core decision-making theory—protection motivation theory—toward the problem of secure email adoption, and then use this framework to describe the relative impact of various factors on secure email adoption. Finally, we evaluate perceptions of risk and response with respect to the adoption of secure email features in email scenarios of varying sensitivity levels. Our work identifies positive outcomes with respect to the impact that risk messaging has on feature adoption, and mixed results with respect to comprehension. We highlight obstacles to users' mental interactions with encryption, but offer recommendations for progress in the adoption of encryption. We further demonstrate that protection motivation theory, a core behavioral theory underlying many risk communication approaches, has the ability to explain the factors involved in users' decisions to adopt or not adopt in a way that can at least partially explain the privacy paradox phenomenon. In general, we find that the application of even basic principles and techniques from risk communication theory do indeed produce favorable research outcomes when applied to this domain.



College and Department

Physical and Mathematical Sciences; Computer Science



Date Submitted


Document Type





privacy paradox, risk communication, online privacy, usable security