Die University of Waterloo stellte in ihrem Beitrag Anwendergruppen bzw. Personas für Datenschutz-Anforderungen auf Basis von Nutzerverhalten vor. Die Daten für das Clustering der Personas basieren auf einer Interview-Studie, einer Online-Befragung und einer Design-Studie. Die Autoren weisen darauf hin, dass das Studien-Setup Einfluss auf die gefundenen Personas hatte. Beispielsweise werden sich Menschen mit Datenschutz-Bedenken anders an Online-Befragungen beteiligen, als Menschen ohne Datenschutzbedenken. Bei der Verwendung der gefundenen Personas sollte dies berücksichtigt werden. Sie fanden folgende Personas:
Lazy Experts (High Knowledge, Low Motivation)
Lazy Experts are knowledgeable. They are often helpers because they have a positive view of others’ efforts (rather than, as Fundamentalists, viewing others as uneducated). They choose convenience over security, being social over privacy. They rationalize inaction through a belief that they are not a target. They do, however, take certain actions to protect themselves: Their password schemes are strong; they write down passwords securely or not at all; they only share passwords with those they trust; and they treat all information they put online as public domain. While they have advanced software manipulation skills, they use this ability to limit their need to interact with security.
Fundamentalists (High Knowledge, High Motivation)
Fundamentalists are reluctant helpers. They view others as uneducated and unsecure. These participants have little or no trust of security technology and watch carefully for security indicators on websites they visit. Fundamentalists have multi-layer password schemes, and important passwords are unique. They may also extend protection beyond the computer, for example by encrypting external storage devices. They are highly concerned about privacy: They may refuse to sign up for accounts and do not like corporate monitoring. Finally, they have wide ranging security concerns. Fundamentalists have advanced security knowledge and advanced software manipulation skills. They need fine-grained access to security settings.
Technicians (Medium Knowledge, High Motivation)
Technicians are highly motivated but have less knowledge than Lazy Experts and Fundamentalists. They read online news and blogs to inform themselves about security, and they try to understand information before they act on it. They have limited trust of privacy settings on sites like Facebook, are passive users of social networking, and choose privacy over being social online. Passwords are weaker than Lazy Experts or Fundamentalists: participants in this group commonly had just low and high security passwords, and, though unique and personal, passwords were based off of one thing. While technicians have physical security concerns (e.g. intrusion, viruses), they may also put things off or forget about them, despite being concerned. They tend to trust their impressions, stating they will “know that stuff when I see it.” If given enough information, they are willing to change their behaviors.
Amateurs (Medium Knowledge, Medium Motivation)
Amateurs have begun learning about security concepts. The challenge is that these participants are not sufficiently motivated and/or knowledgeable to distinguish good advice from bad, and so still make changes to their practices based
on weak or inaccurate advice. Although they have limited motivation, they use some software tools to protect their security, usually an anti-virus and something else—e.g. a built-in firewall or an ad blocker. They trust but often do not maintain wireless networks they use. They place some limits on the information they give out. They view others (somewhat inaccurately) as uneducated and unsecure compared to them. They typically have one stronger or some mid-level set of layered passwords. Finally, again despite limited motivation, given enough information, they will act to protect themselves.
The Marginally Concerned (Low Knowledge, Motivation)
Marginally concerned participants have limited knowledge of security concepts and what they do know they learned from word of mouth or some other informal source. They trust wireless networks and websites that claim to be secure. These participants like Fallback Authentication. Their only identified software protection is anti-virus. They make changes based on triggers: A common example was switching their password because of a password policy. They have a small set of passwords, with one heavily favoured. These participants know threats exist, but don’t worry about them; they feel it is unlikely something will happen to them, and so are not motivated to do or learn more about security.