Reducing risk to security and privacy in the selection of trigger-action rules: implicit vs. explicit priming for domestic smart devices

Smart home device usage is increasing, as is the diversity of users and range of devices. Additionally, it is becoming increasingly common to interconnect devices (e.g., via trigger-action rules) which, while bringing benefits, can bring unforeseen security and privacy risks. Developing strategies to protect users as well as understanding what biographical or attitudinal characteristics contribute to these risks is a critical step for ensuring empowered, but safe, interconnected smart device usage. Using narrative descriptions of domestic smart devices, two experiments explored how the prevailing security/privacy contexts—priming conditions—in which 20 trigger-action rules (developed via a Delphi Study) were presented influenced the adoption of rules favoring either security or privacy. Both experiments contrasted three priming conditions: no prime, security prime, privacy prime. Experiment 1 (n = 254) used explicit priming, giving direct instruction to maximize a security or privacy outcome while Experiment 2 (n = 325) used implicit priming, with an apparently unrelated security or privacy problem-solving puzzle. Across both experiments, priming promoted safer rule adoption, markedly so when explicit. Explicit priming produced an asymmetry however: privacy priming improved privacy scores with security scores unchanged and security primes improved security scores while worsening privacy scores. Across experiments, two dimensions of user attitudes shaped riskier rule choice: perceived benefits of technology and pre-existing trusting beliefs in online companies. Our novel findings reveal that implicit and explicit priming shape safe use of trigger-action rules in domestic settings and that age, perceived trust and perceived benefits should be considered when designing safety messaging.