Schuler Scott et al. Processing Model for Android Access Control [PDF]

Schuler Scott et al.

Processing Model for Android Access Control Messages

DECISION SCIENCES INSTITUTE A Heuristic-Systematic Processing Model for Android Application Permission Messages (Full Paper Submission) Arianna Schuler Scott Virginia Tech [email protected] Tabitha L. James Virginia Tech [email protected] Linda Wallace Virginia Tech [email protected] Stephane Collignon Virginia Tech [email protected] ABSTRACT It has become second nature to many users to allow third party applications to access personal information on their mobile phones, opening them up to the dissemination of private data without conscious consent. The access and use of personal data by third party entities exposes the user to the risk of experiencing privacy violations. In this research we develop a model to illustrate how individuals evaluate Android permission messages from third party applications. The evaluation of such messages may influence decisions regarding the acceptance and installation of applications on the Android market, which is of interest to application developers.

KEYWORDS:

Android, security, privacy, processing model, survey research

INTRODUCTION Android is an open-source Linux-based operating system (OS) for mobile devices (VaughanNichols, 2014). The development of this full-featured mobile OS originated at a company founded as Android in 2003; however, Google quickly purchased the company in 2005 (Kovach, 2013). By the end of 2013, the Android OS had captured almost 80% of the mobile OS market (Fingus, 2014). The closest competitor is Apple’s iOS, which retains approximately 16% of the market share (Fingus, 2014). According to the Pew Research Center, 58% of American adults report having a smartphone as of January 2014 (Pew Research Center, 2014). Of adult cell phone owners, 63% use their phone for Internet access and 34% report that they go online more often by using their phone rather than another device, such as a laptop or desktop (Pew Research Center, 2014). From a business standpoint, this makes smartphones increasingly important for e-commerce and advertising. As one article from Forbes put it, “there is no other device that is as personal (everybody has their own phone), as pervasive (is with you all of the time), and provides the opportunity for proximity (Whitler, 2013).”

Schuler Scott et al.

Processing Model for Android Access Control Messages

Operating systems that run on traditional form factor computing equipment have to be extensively modified in order to meet the needs of mobile devices. Although Android is based on a Linux kernel, this distinction describes the foundations of the OS rather than the user interface. Linux does not have a large share of the personal computing (PC) market (less than 2%), whereas Microsoft Windows holds the majority of the PC market (approximately 90%) (Anthony, 2014; Nield, 2014). These statistics illustrate that the average user has had to adapt to new platforms as more of their everyday computing has moved onto mobile devices. Applications (or “apps”), which provide the majority of the applied functionality of the phone, are also quite different as far as the user experience is concerned. Furthermore, the applications on mobile devices are typically obtained from a centralized application store or “app store” that provides the user a digital storefront to shop for an application. These app stores provide the shopping experience for the user and serve as a distribution platform for the application providers. The applications can be written and offered for sale by anyone subject to a variety of approval processes. In an app store, the user can search for an application, make his or her selection, and then instantly download the application (either for free or a small fee). To guide the user, the app store typically provides such information as: company information for the application provider, rating information, and comments from other users of the application. On the Android platform, the app store (called Google Play) is much less controlled (the vetting process for the application and the application provider are less strict) than the one provided by Apple (Mitroff, 2012). There are many implications of the characteristics of the mobile computing and application space to an end users’ security and privacy. Although the Figure 1: Android Application Android mobile OS is developed and maintained by Google, Permission Message the applications may be developed by anyone and submitted (Declaration) to Google Play (the app store) for approval. Once approved, that application is available for sale (or for free) to anyone with an Android phone. Because each application requires interaction with the OS, the application will often request access to data on the phone in order to provide the desired functionality. On the Android platform, “each Android application runs in its own space and can’t access data from other applications without explicit user permission (Butler, 2011).” When the user downloads an application, the application makes a declaration for permission to access various services and data from the phone (see Figure 1). For example, to use Gmail as shown in Figure 1, the application is declaring it needs access to the user’s contact information, network information, mail accounts, storage, and system tools. As Butler states, “a legitimate application will use these services only for the intended purpose, but malicious software could use them to communicate personal information to a website (Butler, 2011).” Malicious applications have been a large problem for the Android platform. Reports suggest that the number of malicious applications in Google’s app store has “nearly quadrupled between 2011 and 2013 (Miners, 2013),” stating that more than 42,000 apps contained Source 1: malware (Miners, 2013). The choice of installing an app and http://www.androidcentral.com/and accepting its permission declarations belongs to the user. roid-permissions-privacy-security Thus, it is the user that is ultimately in control of his or her

Schuler Scott et al.

Processing Model for Android Access Control Messages

own security and privacy through the application installation decisions he or she makes (Butler, 2011). As can be seen in Figure 1, the declaration message presented to the user when they install an application requires what could be considered sophisticated evaluation of relevant information. The heuristic-systematic model (HSM) of information processing is a dual-process theory that evolved from the social sciences (Chaiken 1980, 1987). The HSM has been previously used to study the evaluation of messages received from an information system. Specifically, the model suggests that individuals use two information-processing modes when making judgments; systematic or heuristic. Systematic processing uses careful scrutiny and comparison of information to reach a decision, while heuristic processing uses cues to more easily make a judgment (Trumbo 1999). In this study, we develop and propose a heuristic-systematic processing model for Android permission messages. Exploring how permission messages are processed by mobile phone owners will be helpful in determining how to best promote and educate users about mobile platform security and privacy. It will also provide useful information to application developers regarding the consideration of these declarations, which ultimately impact a user’s decision to download and install applications. In the following sections we will present the literature review, the proposed model and hypotheses, and the scale development. This work is a research-in-progress and the first round of data collection is currently under way. LITERATURE REVIEW Heuristic-Systematic Model The heuristic-systematic model (HSM) of information processing was developed by Chaiken (1980, 1987) to examine how people process messages. The major contribution of this theory was the introduction of dual modes of processing information. The heuristic mode of information processing requires minimum cognitive investment and is constrained by the subset of available data from which the individual infers a conclusion (Todorov et al., 2002). In the heuristic mode, the individual bases their judgment largely on previous experience and simple decision rules. Non-verbal cues like an argument’s source are considerably more important than the strength of the argument itself. Alternatively, the rationale for systematic information processing is based on the idea that an individual must be motivated in order to engage in deeper levels of thinking. When lower effort heuristics fail to give enough confidence in a judgment, an individual is likely to close the knowledge gap systematically. In order to process information in a systematic way, an individual would need to apply his or herself in an analytical capacity. This would enable the individual to deliberately consider the available information in order to identify its relevance to his or her ‘task’, or requirement, and build a judgment based on that (Todorov et al., 2002). Non-verbal cues are less important in the systematic mode of processing, as the emphasis is placed more directly on the strength of the argument itself than its source. The modes of processing can co-occur (Chaiken et al., 1989). In other words, when an individual evaluates a message, he or she may apply heuristic processing, systematic processing, or both. The HSM also suggests that information sufficiency can affect the choice of processing mode. Information sufficiency is “the difference between the amount of information an individual thinks he or she needs to make an accurate decision and the amount of information currently held” (Davis and Tuttle, 2013). The theory proposes that an individual’s perception of information sufficiency (the difference between the individual’s desired and actual confidence in the subject) can serve as a trigger for the selection of processing mode (Todorov et al., 2002). This concept

Schuler Scott et al.

Processing Model for Android Access Control Messages

is referred to as “satisficing” as it indicates that the individual does not wish to expend resources to make an optimal decision but rather “searches through the available options just long enough to find one that reaches a preset threshold of acceptability” (Colman, 2009). In cases where an individual believes that he or she is not lacking in information sufficiency (i.e., there is a small difference between his or her desired and actual confidence), he or she is more likely to be satisfied with the results of heuristic processing. However, in cases of a significant gap between the desired and current levels of knowledge, the individual would be more likely to engage in systematic processing. The HSM also suggests that motivational and cognitive resources play a crucial role in information processing. To some extent this relationship can be explained using the “metaphor of the cognitive miser” (Fiske and Taylor, 1991). The metaphor suggests, “people are economyminded, investing cognitive effort in a task only when given sufficient motivation and cognitive resources (Todorov et al., 2002).” Following this logic, the HSM proposes that “people engage in systematic processing of persuasive information only when they are sufficiently motivated (Todorov et al., 2002).” In comparison, if people are not motivated or if they lack adequate cognitive resources they would more likely elicit a heuristic processing approach (Todorov et al., 2002). There are a variety of motivational and cognitive resource variables that have been shown to affect the mode of information processing, including: personal relevance of the persuasion message, the need for cognition, task importance, accountability for one’s attitudes, exposure to unexpected message content, distraction, message repetition, time pressure, communication modality, and knowledge and expertise (Todorov et al., 2002). Motivational and cognitive factors are discussed in more detail in the following section. Motivational and Cognitive Resource Factors Motivational factors in the HSM have been described using three broad categories: accuracy, defensive, and impression. Accuracy motivated people strive to be right or, in other words, they want to “make judgments that square with the relevant objective facts” (Todorov et al., 2002). Defensive motivated individuals hold a particular belief and are motivated to make the situation map to that belief. Todorov et al. (2002) describe this as striving to “defend beliefs and attitudes that are consistent with the person’s vested interest or self-definitional attitudes and beliefs.” Impression motivation “refers to the desire to express socially acceptable attitudes or attitudes and beliefs that satisfy the person’s immediate social goals” (Todorov et al., 2002). At a high level, these are the three general categories of motivational factors that have been suggested to influence information processing. Various researchers have studied specific motivational variables (or constructs) within this framework. Motivational variables are often related to the context or situation being examined (such as the personal relevance of the message or the perceived importance of the task at hand). However, personal values and characteristics, such as an individual’s need for cognition, can also be motivational (Chaiken and Stangor, 1987). For example, in our case, an individual’s disposition towards privacy may be an important influencing factor in determining whether they would be satisfied with heuristic processing or if they would be more motivated to take a systematic approach to processing the permission message they are presented with during download. As previously mentioned, several motivational factors have been proposed in the social science literature along with the original model. Other motivational variables, although typically related to those we will discuss here, have been added in other fields (Chaiken and Stangor, 1987; Davis and Tuttle, 2013; Luo et al., 2013; Trumbo, 1999). The variables presented in the general social science perspective include: personal relevance of the persuasion message, the need for

Schuler Scott et al.

Processing Model for Android Access Control Messages

cognition, task importance, accountability for one’s attitudes, and exposure to unexpected message content. As alluded to earlier, it is important to note that some of these variables are situational (i.e., dependent upon the task or context) and some are individual (i.e., personal characteristics of the individual). For example, need for cognition describes the person’s desire to cognitively engage (or rather, his or her enjoyment in thinking). In contrast, task importance relates to the individual’s view of the importance of a particular situation (i.e., the task being currently considered). Cognitive resource factors are those factors that relate to the ability of an individual to expend cognitive resources on information processing. These factors are fairly self-evident. For example, an individual that feels that they are under time pressure is less likely to process a message in a sophisticated fashion. Other often cited cognitive resources factors that influence processing are distraction, message repetition, communication modality, and knowledge/expertise. Figure 2 shows a typical HSM model, which presents many of the variables described by Todorov et al (2002). The original form of each of these variables is described in Table 1, along with corresponding references. Figure 2: Theoretical Model of Heuristic-Systematic Processing

CONSTRUCT Personal Relevance Task Importance

Exposure to Unexpected Message

Table 1: Proposed Constructs and Definitions DEFINITION REFERENCES the extent to which the message Petty and Cacioppo (1979) under consideration is of personal importance the extent to which an individual Maheswaran & Chaiken (1991) believes that his or her processing task and judgment is important the extent to which information Maheswaran & Chaiken (1991) received is congruent or

Schuler Scott et al.

Content Need for Cognition Attitude Accountability Distraction

Message Repetition

Time Pressure

Communication Modality Knowledge/Expertise

Processing Model for Android Access Control Messages

incongruent with previous information received an individual's tendency to engage in and enjoy effortful cognitive endeavors an individual’s perceived need to justify their views to others the extent to which an individual is distracted by irrelevant tasks while considering the implications of an important message moderate message repetition provides more opportunities for individuals to scrutinize an argument the extent to which the need to quickly reach a decision intensifies the tendency to seek cognitive closure and to refrain from critical probing of a message the extent to which the mode of communication affects an individual’s choice of information processing mode the extent to which an individual already feels they are wellinformed about a particular topic

Cacioppo, Petty and Kao (1984) Tetlock (1983) Festinger and Maccoby (1964)

Cacioppo and Petty (1979); Petty, Wheeler, and Tormala (2003) Ratneshwar and Chaiken (1991); Kruglanski, and Freund(1983)

Pfau et al (2000)

Wood (1982)

MODEL The original theory proposed the major concepts, but there have been many variations and additions to the model since then and the application of the model has varied in different domains. We consulted the information systems (IS) literature for previous operationalized HSMs and located two recent articles (Davis and Tuttle, 2013; Luo et al., 2013). The Davis and Tuttle (2013) study is the closest in context to ours. In their study, information system exceptions (error messages) were examined through the HSM lens. We borrow the general form of our operational model from this study. One major distinction arises in that Davis and Tuttle (2013) examined only systematic processing in their model and we will examine both heuristic and systematic processing. There are also differences in how the information sufficiency concept is operationalized. Luo et al. (2013) suggested that “people can adjust the sufficiency threshold and their decision-making effort based on their perceptions of importance and risks, available time and cognitive resources, social pressures, their own skill levels, and the results of initial heuristic processing” (Luo et al, 2013). Although Luo et al. (2013) discuss the influence of information sufficiency, they do not model it. Davis and Tuttle (2013) do model information sufficiency as a mediating construct that examines the divergence between desired and actual confidence. We adopt the approach suggested in Luo et al. (2013) and modeled in Davis and Tuttle (2013). There were differences in the antecedents and interpretation of the motivational and cognitive resource factors in the two IS studies. Luo et al. (2013) use need for cognition and time

Schuler Scott et al.

Processing Model for Android Access Control Messages

pressure as moderating variables on the relationships between their three independent variables (argument quality, source credibility, and genre conformity) and their dependent variable (victimization occurring from phishing messages). Davis and Tuttle (2013) use perceived severity, message ambiguity, task importance, subjective norm and computer selfefficacy as antecedents to information sufficiency in their study examining IS exceptions. Our model attempts to stay close to what has been proposed in the HSM literature, but we adapt to our IS context by using the Luo et al. (2013) and Davis and Tuttle (2013) studies as guides. The model we propose to examine Android permission messages is shown in Figure 3. In our model, we borrow the situational motivational factors personal relevance and task importance from the HSM literature and adapt them to our context. Task importance was also used in Davis and Tuttle (2013). Furthermore, we examine the individual motivational factor need for cognition, which was developed in the HSM literature and used in Luo et al. (2013). To adapt the model to our specific context, we added two constructs from the information privacy literature. The first, privacy concern, could be considered a situational variable. This variable examines the user’s perception of their concern for his or her privacy in our context. This construct and the associated scale were developed in Xu et al. (2011). Similarly, we adapt the disposition to value privacy construct and scale suggested in Xu et al. (2011) to serve as an individual motivational variable in our model. This construct explores the value the individual places on information privacy. The variable is contextually appropriate and explores an individually held belief or value, but it is not tied to the specific situation (Android access control). Figure 3: Operationalized HSM for Processing Android Access Control Messages

Lastly, within the motivational factors, we turn to subjective norm. Earlier discussions of the HSM suggested that attitude accountability could motivate individuals to put more effort into their information processing (i.e., to use systematic processing rather than heuristic processing), particularly if they needed to justify their views to someone else with attitudes that were different from their own (Todorov, et al 2002,Tetlock 1983). This concept is similar to the construct

Schuler Scott et al.

Processing Model for Android Access Control Messages

“subjective norm”, which comes from the theory of planned behavior. Subjective norm refers to the degree to which an individual believes that people who are important to him/her believes that s/he should perform a particular behavior. David and Tuttle (2013) used subjective norm as a motivating factor in their HSM model, rather than focusing specifically on attitude accountability. The underlying belief, however, is the same: individuals are more likely to use complex processing methods (i.e. systematic processing) when they are considering an action that they believe they may have to justify to others close to them (i.e., when they are considering an action that is not in line with the “norm”).

Within the cognitive resources factors, we adopt time pressure from the HSM literature. Time pressure was also used as a moderator in the Luo et al. (2013) study. Message repetition is very relevant to our context, and thus, was also used as suggested in the HSM theory. Following Davis and Tuttle (2013), self-efficacy was used in place of knowledge and expertise. Self-efficacy is commonly used in the IS literature to obtain the user’s perception of their ability to perform a task. Since measuring a user’s actual knowledge is often difficult to do in behavioral research, self-efficacy it a way to determine the user’s belief in their abilities. Also following Davis and Tuttle, we borrowed their message ambiguity construct to examine the perceived clarity of the message. This is appropriate due to the similarity between our context and the one explored by Davis and Tuttle (2013). The exposure to unexpected message content and communication modality constructs were excluded from our study because the messages in our context are very standardized in format and type so there is no reason to believe that these constructs would vary in any significant way. These two constructs were also not utilized in either of the prior IS studies that we were drawing from to develop our model. We also excluded the distraction construct because distractions would be dependent on the situational environment of the user and could not easily be measured with a survey. To the best of our knowledge, distraction has only been measured in an experimental setting in prior HSM research. METHODS We developed a survey to test the model in Figure 3. We used existing scales or contextual adaptations of existing scales wherever possible. Where existing scales were not available, we developed items. We paneled the survey by asking several content experts to provide their observations on the items. The content experts assessed the instrument for technical detail (to ensure the items corresponded correctly to the Android platform) and for grammar/comprehensibility of the questions. Items were modified based upon the reviews of the panel. Table 2 provides the resulting scales for the first pilot. We are currently in the process of running our first data collection. We expect to make modifications to our scales and possibly to our model as a result of our pilot study. Once we finish the pilot phase and make changes to the scales and/or the model, a full-scale data collection will be conducted and the model will be tested using PLS.

CONSTRUCT Personal Relevance

Table 2: Scale Development ITEMS SCALE ADAPTED FROM: 1. The protection of the information Petty and Cacioppo (1979); Celsi, et contained on my Android phone is al (1992) important to me.

Schuler Scott et al.

Processing Model for Android Access Control Messages

2. I think that making sure that others cannot access the information on my Android phone is important. 3. It is important to me that the information on my Android phone is safe from being accessed by others. 4. It is essential to me that the information on my Android phone remains private. 5. I am the kind of person that values the privacy of the information on my Android phone. Task Importance

1. I think it is important that I am able to restrict access to the information stored on my Android phone. 2. Specifying what information an application is granted access to on my Android phone is an important thing to do. 3. It is crucial that I specify what information an application has access to on my Android phone. 4. It is important that I stipulate what information an application is granted access to on my Android phone.

Davis et al. (2006)

Need for Cognition

1. I only think as hard as I have to. 2. I don’t like to have to do a lot of thinking. 3. I try to avoid situations that require thinking in-depth about something. 4. I prefer to do something that challenges my thinking abilities rather than something that requires little thought. 5. I prefer complex problems to simple problems. 6. Thinking hard and for a long time about something gives me little satisfaction.

Cacioppo, Petty, and Kao (1984) and Tam and Ho (2005)

Subjective Norm (Attitude Accountability)

1. People who are important to me believe that it is critical to protect the information on an Android phone. 2. People who are important to me believe that it is imperative to

Adapted from Davis and Tuttle (2013)

Schuler Scott et al.

Processing Model for Android Access Control Messages

ensure that information on an Android phone is safe. 3. People who are important to me do not care about protecting access to the information on an Android phone. 4. It is typical that the people who are important to me think that protecting the information on an Android phone is essential Message Ambiguity

1. The message I receive on my Android phone when an application I am downloading wants to access my information is unclear. 2. When an application I am downloading on my Android phone asks if it can access my information, the message I receive is confusing. 3. The information in the message I receive when an application I am downloading on my Android phone wishes to access my information could mean different things to different people. 4. I think that the message received when I download an application on my Android phone that wants access to my information could be interpreted in several ways.

Adapted from Davis and Tuttle (2013)

Privacy Concern

1. I am concerned that information accessed by applications on my Android phone could be misused. 2. I am concerned that others could find private information about me if I allow applications to access information on my Android phone. 3. Because of how the information might be used, I am concerned about letting applications access information on my phone. 4. I am concerned about letting applications access information on my phone because it could be used in a way I did not foresee.

Adapted from Xu et al. (2011)

Disposition to

1. Compared to other people, I am

Adapted from Xu et al. (2011)

Schuler Scott et al.

Processing Model for Android Access Control Messages

Value Privacy

more sensitive about the way companies handle my personal information. 2. To me, keeping my information private is the most important thing. 3. Compared to other people, I tend to be more concerned about threats to my information privacy.

Message Repetition

1. I have been presented with access control questions from applications I was downloading on my Android phone many times. 2. I have frequently seen the message saying that an application on my Android phone wishes to access my information. 3. I have downloaded many applications that ask for my permission to access information on my Android phone. 4. I regularly see the message that asks if an application on my Android phone can access my information.

Developed for this study

Time Pressure

1. I usually feel like I have to make a decision right away when an application I am downloading on my Android phone asks if it can access my information. 2. If an application I am downloading on my Android phone asks if it can access my information, I think that I should answer immediately. 3. I think that I should instantly answer when an application I am downloading on my Android phone asks if it can access my information. 4. I feel rushed to answer when an application I am downloading on my Android phone asks if it can access my information.

Developed for this study

Self-Efficacy

I feel confident with: 1. using my Android phone 2. downloading applications on my Android phone 3. understanding the messages that

Adapted from Davis and Tuttle (2013)

Schuler Scott et al.

Processing Model for Android Access Control Messages

I receive from my Android phone 4. using the help on my Android phone 5. installing applications on my Android phone 6. using applications on my Android phone 7. using the security settings on my Android phone 8. using the application store on my Android phone 9. navigating the menus and settings on my Android phone 10. locating information on my Android phone 11. knowing what personal information my applications use on my Android phone 12. understanding the installation process of applications on my Android phone Actual Confidence

1. I am very confident that I know what to do when an application I am downloading on my Android phones asks if it can access my information. 2. I am certain that I make the correct choice when an application I am downloading on my Android phone asks if it can access my information. 3. When I get the screen that asks me if an application can access information on my Android phone, I am confident that I know what to do.

Adapted from Davis and Tuttle (2013)

Desired Confidence

1. I need to be very confident that I know what choice to make when an application I am downloading on my Android phone asks if it can access my information. 2. I would like to be certain that I know what to do when I receive a message on my Android phone that asks if an application I am downloading can access my information. 3. Before I proceed, I need to

Adapted from Davis and Tuttle (2013)

Schuler Scott et al.

Processing Model for Android Access Control Messages

understand what it means when the application I am downloading for my Android phone wants to access my information. Heuristic Processing

When an application I am downloading on my Android phone asks me if it can access information on my phone, I: 1. consult online documentation for information about what the application is trying to access. 2. consult the user manual for my phone about what the application is trying to access. 3. ask someone I consider knowledgeable about Android phones for advice. 4. go through each request in detail to figure out what information the application is asking to access. 5. go to the website of the application to research how the application uses my data. 6. read comments written by other users to research how the application uses its access to my information.

Developed for this study

Systematic Processing

When an application I am downloading on my Android phone asks me if it can access information on my phone, I consider; 1. the rating information for the application. 2. the reputation of the company that is providing the application. 3. what my friends have said about the application. 4. the type of application I am downloading. 5. what I know about the type of information the application is asking to access. 6. what I have heard in the media about letting applications access my information. 7. how much I want the application

Adapted from Davis and Tuttle (2013)

Schuler Scott et al.

Processing Model for Android Access Control Messages

DISCUSSION AND CONCLUSIONS This paper presents the development of an operational model for processing Android application permission messages. We also develop an instrument to test the proposed model. Our data collection for the first pilot is currently underway. While the HSM has recently been used to explore contexts in the IS arena, its use is still relatively novel. However, it is incredibly important, as more of our online activity moves to mobile platforms and different distribution patterns, to explore how messages that impact our privacy are handled. Our research is preliminary but our model has promise in explaining how people process the messages that they quite frequently see regarding their information privacy from applications on their mobile devices. We look forward to going through the iterations of survey development and model testing to obtain a robust model to fully investigate this phenomenon. REFERENCES Anthony, S. (2014). Windows 8’s Market Share Finally Reaches 10%, but is Overshadowed by Linux’s Big Gain and XP’s Decline. Obtained online April 2014 from: http://www.extremetech.com/computing/173804-windows-8s-market-share-finally-reaches-10but-is-overshadowed-by-linuxs-big-gain-and-xps-decline. Butler, M. (2011). Android: Changing the Mobile Landscape. IEEE Pervasive Computing, 10(1): 4-7. Cacioppo, J. T. and Petty, R.E. (1979). Effects of Message Repetition and Position on Cognitive Response, Recall, and Persuasion, Journal of Personality and Social Psychology, 37(1): 97109. Cacioppo, J.T., Petty, R.E. and Kao, C. F. (1984) The Efficient Assessment of Need for Cognition. Journal of Personality Assessment , 48(3): 306-307. Celsi, R., Chow, S., Olson, J., & Walker, B. (1992). The Construct Validity of Intrinsic Sources of Personal Relevance: An Intra-Individual Source of Felt Involvement. Journal of Business Research, 25: 165-185. Chaiken, S. (1980). Heuristic Versus Systematic Information Processing and the Use of Source Versus Message Cues in Persuasion. Journal of Personality and Social Psychology, 39: 752766. Chaiken, S. (1987). The Heuristic Model of Puersuasion. In M.P. Zanna, J.M. Olson, & C.P. Herman (Eds.), Social influence: The Ontario Symposium (Vol. 5, pp. 3-39). Hillsdale, NJ: Lawrence Erlbaum. Chaiken, S., Liberman, A. and Eagly, A. H. (1989). Heuristic and Systematic Information Processing Within and Beyond the Persuasion Context. Unintended thought, 212. Chaiken, S., and Stangor, C. (1987). Attitudes and Attitude Change. Annual Review of Psychology, 38: 575-630.

Schuler Scott et al.

Processing Model for Android Access Control Messages

Davis, F., Bagozzi, R., and Warshaw, P. (2006). Extrinsic and Intrinsic Motivation to Use Computers in the Workspace. Journal of Applied Social Psychology. 22(14): 1111-1132. Davis, J.M. and Tuttle, B.M. (2013). A heuristic–systematic model of end-user information processing when encountering IS exceptions. Information & Management, 50(2): 125-133. Colman, A. (2009). Satisficing. Oxford Reference. Retrieved 30 Apr. 2014, from http://www.oxfordreference.com/view/10.1093/acref/9780199534067.001.0001/acref9780199534067-e-7333. Festinger, L, and Maccoby, N. (1964). On Resistance to Persuasive Communications. Journal of Abnormal and Social Psychology, 68: 359-366. Fingas, J. (2014). Android Climbed to 79 Percent of Smartphone Market Share in 2013, but its Growth has Slowed. Engadget. Obtained online April 2014 from: http://www.engadget.com/2014/01/29/strategy-analytics-2013-smartphone-share/. Fiske, S.T., & Taylor, S.E. (1991). Social Cognition (2nd ed.), New York: McGraw Hill. Kovach, S. (2013). How Android Grew to be More Popular than the iPhone. Business Insider. Obtained online April 2014 from: http://www.businessinsider.com/history-of-android-20138?op=1. Kruglanski, A.W., and Freund, T..(1983) The freezing and unfreezing of lay-inferences: Effects on impressional primacy, ethnic stereotyping, and numerical anchoring. Journal of Experimental Social Psychology, 19(5): 448-468. Luo, X., Zhang. W., Burd, S. and Seazzu (2013). Investigating Phishing Victimization with the Heuristic-Systematic Model: A Theoretical Framework and an Exploration. Computers & Security, 38: 28-38. Maheswaran, D. & Chaiken, S. (1991). Promoting Systematic Processing in a Low-Motivation Setting: Effect of Incongruent Information on Processing and Judgment. Journal of Personality and Social Psychology. 61: 13-25. Miners, Z. (2014). Report: Android Malware and Spyware Apps Spike in the Google Play Store. InfoWorld. Obtained online April 2014 from: http://www.infoworld.com/d/security/report-androidmalware-and-spyware-apps-spike-in-the-google-play-store-236702. Nield, D. (2014). Windows Market Share Dips Below 90 Percent as Mac OS X Climbs. Obtained online April 2014 from: http://www.digitaltrends.com/computing/windows-market-share-dips-90percent-mac-os-x-climbs/#!GfhFb. Petty, R.E., and Cacioppo, J.T. (1979). Issue involvement can increase or decrease persuasion by enhancing message-relevant cognitive responses. Journal of Personality and Social Psychology, 37(10):1915-1926. Petty, R.E., Wells, G.L, and Brock, T.C. (1976). Distraction Can Enhance or Reduce Yielding to Propaganda: Thought Disruption Versus Effort Justification. Journal of Personality and Social Psychology, 34(5):874-884.

Schuler Scott et al.

Processing Model for Android Access Control Messages

Petty, R E., Wheeler. C. and Tormala, Z. L. (2003). Persuasion and attitude change. In Comprehensive Handbook of Psychology (2nd ed.), T. Millon and M.J. Lerner (Eds). New York. John Wiley &Sons. 1-59. Pew Research Center. (2014). Mobile Technology Fact Sheet. Pew Research Internet Project. Obtained online April 2014 from: http://www.pewinternet.org/fact-sheets/mobile-technology-factsheet/. Pfau, M., Holbert, M., Zubric, S, Pasha, N., and Lin, W-K. (2003). Role and Influence of Communication Modality in the Process of Resistance to Persuasion. Mediapsychology, 2: 1-33. Ratneshwar, S, and Chaiken, S. (1991). Comprehension’s Role in Persuasion: The Case of Its Moderating Effect on the Persuasive Impact of Source Cues. Journal of Consumer Research. 18: 52-62. Tam, K. Y., and Ho, S.Y. (2005) Web Personalization as a Persuasion Strategy: An Elaboration Likelihood Model Perspective. Information Systems Research, 16(3): 271-291 Tetlock, P.E. (1983). Accountability and Complexity of Thought. Journal of Personality and Social Psychology, 45(1): 74-83. Todorov, A., Chaiken, S., & Henderson, M. D. (2002). The Heuristic-Systematic Model of Social Information Processing. The Persuasion Handbook: Developments in Theory and Practice, 195211. Trumbo, C. W. (1999). Heuristic-Systematic Information Processing and Risk Judgment. Risk Analysis, 19(3): 391-400. Vaughan-Nichols, S. (2014). Debunking Four Myths About Android, Google, and Open-Source. ZDNet. Obtained online April 2014 from: http://www.zdnet.com/debunking-four-myths-aboutandroid-google-and-open-source-7000026473/. Whitler, K. (2013). Why Should Marketers Care About Mobile Marketing? Forbes. Obtained online April 2014 from: http://www.forbes.com/sites/kimberlywhitler/2013/04/25/why-shouldmarketers-care-about-mobile-marketing/. Wood, W. (1982). Retrieval of Attitude-Relevant Information from Memory: Effects on Susceptibility to Persuasion and on Intrinsic Motivation. Journal of Personality and Social Psychology. 42: 798-810. Xu, H., Dinev, T., Smith, J., and Hart, P. (2011). Information Privacy Concerns: Linking Individual Perceptions with Institutional Privacy Assurances. Journal of the Association for Information Systems, 12(12): 789-824.