Alexandra Xinran Li (Carnegie Mellon University), Tian Wang (University of Illinois Urbana-Champaign), Yu-Ju Yang (University of Illinois Urbana-Champaign), Miguel Rivera-Lanas (Carnegie Mellon University), Debeshi Ghosh (Carnegie Mellon University), Hana Habib (Carnegie Mellon University), Lorrie Cranor (Carnegie Mellon University), Norman Sadeh (Carnegie Mellon University)

Privacy regulations impose requirements on data collection and use, including obligations to disclose practices and provide choices free of deceptive patterns, emphasizing user-centric notice and choice delivery. The UsersFirst framework introduces a threat taxonomy to guide organizations in identifying where notices and choices fail to adequately support users. This paper presents an experiment evaluating its effectiveness. Twenty-six participants with privacy expertise analyzed user-centric threats in one of two scenarios, either with or without the taxonomy. Our results show that participants using the taxonomy identified significantly more relevant threats: over twice as many in one scenario and 50% more in the other. While the UsersFirst threat taxonomy helped privacy analysts more effectively identify areas where privacy notices and choice mechanisms fall short, we also identified areas for possible improvements to the taxonomy. Finally, we demonstrate an approach to assessing privacy threat analysis tools that may be useful to other researchers.
