Towards a Broadening of Privacy Decision-Making Models: The Use of Cognitive Architectures

. Over the last decades, people’s behaviour and attitudes towards privacy have been thoroughly studied by scholars, approaching the issue from different perspectives. To address privacy-related decisions, it is necessary to consider aspects of human cognition, employing, for instance, methods used in Human-Computer Interaction and Information Science research. This paper analyses findings and contributions of existing privacy decision-making research, and suggests filling gaps in current understanding by applying a cognitive architecture framework to model privacy decision-making. This may broaden the range of factors and their relationships that can be integrated into the models of privacy decisions, beyond those in existing decision models.


Introduction
Privacy issues have been a matter of growing importance for individuals, as well as for business entities and regulators.
The key element in privacy-related interactions with technology is the end-user (i.e., data subject), who is entitled to make, supposedly well-informed, choices about how to deal with one's own personal information.For the most part, decisions concerning privacy are decisions of people giving or revoking their consent.These decisions are imposed on the users whenever they desire to interact with an information service, as well as with some more traditional services.
Other, more particular, decisions can result from the users' initiative (e.g., requesting deletion of their personal information, instituting changes in the data they have shared or in the way the system is allowed to process it, requesting a report on their privacy status, etc.).Such decisions are not usually forced upon the users, and they can be made by users without prior notifications and requests from systems or data holders.Therefore, to address these important issues, it is useful to be able to model human behaviour, when it comes to making decisions on privacy-related interactions.
This paper investigates the state-of-the-art in privacy decision-making literature and suggests the use of ACT-R (Active Control of Thought -Rational) modelling framework to bridge the identified gaps and provide for a better understanding of people's information disclosure behaviour.
Section 2 introduces the current stage of research and outlines and compares main approaches in privacy decision-making.Section 3 introduces the field of cognitive architectures, discusses applicability and potential contributions of models constructed with ACT-R framework.Section 4 provides concluding remarks and challenges of proposed modelling paradigm.

2
Research on Privacy-Related Decision-Making Models Section 2.1 provides an outline of the literature selection process.In Section 2.2 I discuss identified approaches and theories, traversing privacy decision-making research.Section 2.3 gives more attention to the literature on the privacy calculus, which prevails in the state-of-the-art literature on privacy decision-making.Section 2.3 contains further comparisons of the state-of-the-art research and discusses opportunities for improvement.

Literature Selection
As the first step, I identify the existing literature on privacy-related decision-making that should form the body of work, through which we parse in this paper (see Table 1).In my approach, I relied on the guidelines by Webster and Watson [58].For the review I used broad multi-disciplinary databases.I included papers that did not draw significant attention from other scholars over the years.It was important for the purposes of this paper to try and highlight all the ideas applied to study privacy decision-making that had been tested so far.

Approaches and Theories in Privacy-Related Decision-Making
Researchers have studied human decision-making from a psychological and economic standpoints, using a variety of models, based on classical economics (i.e., expected value and expected utility theory) and its generalized extensions, as well as behavioural economics (see Fig. 1).
Acquisti, Taylor and Wagman [1] discuss how privacy has been being regarded as an economic good and provide an explanation on how individuals' informed decisions about their privacy are being hindered, because of asymmetry of the information available to people, when they make privacy-related decisions.
Behavioural economics is a permeant theme in the more recent papers (e.g., Adjerid and Peer [2]; Dinev, McConnell, and Smith [10]; Dong, Jin, and Knijnenburg [12]; etc.).Arguably, it may be applicable for modelling human decisions in privacyrelated interactions as an instance of decision-making under risk.Barberis [6] provides multiple examples of how it has been used to model decisions in areas spanning from finance and insurance to understanding betting markets, pricing, consumptionsaving decisions, etc.
Overall, I identified 40 papers on user decisions on online privacy.Nine papers reported surveys, positions, system prototypes, case-studies or user-study experiments and did not deal with model development.They are still included in this paper, representing the current developments in the subject domain.The outline of the families of theories and frameworks used so far is presented in Table 2.  [51] Altman-Westin privacy, privacy concerns and attitudes constructs are the underlying theories in most of the reviewed papers.Since they are not directly related to model development, they are not mentioned in Table 2.

Fig. 1. The relations of approaches to modelling decision-making in Economics
Looking at applied theories and frameworks, we can infer that, in general, research on privacy decision-making can be divided by subject areas into four major methodological groups: (1) most pronounced so far, an information science approach with the privacy calculus and its extensions; (2) a psychological, social and information science approach beyond the privacy calculus; (3) a mathematical-economic approach; and (4) a machine learning approach.
The overwhelming majority of research is based on the privacy calculus and its extensions.Hence, I deem appropriate to "detach" this bulk of research from subjectwise division and discuss this theory in more detail in the following Section 2.3.We return to the grand comparison and analysis of existing approaches in Section 2.4.

Privacy Calculus Modelling Approach
Multiple empirical and methodological studies on privacy decision-making draw from economic constructs such as expected utility theory, employing the privacy calculus (e.g., in Malhotra et al. [37]; Hann et al. [21]; Xu et al. [59]).Their results provide insights for understanding the "privacy paradox" and individuals' attitudes towards privacy-related preferences and decisions, and contribute to the assessment of privacy concerns.Dinev and Hart [9] attempt to measure privacy concerns and estimate dependencies between factors and privacy constructs ("concerns of information finding" and "concerns of information abuse").Later, Dinev and Hart [8] provide more ground for the use of an extended privacy calculus, showing that, at least for the example of ecommerce, Internet trust and personal interest can outweigh privacy concerns constructs.After employing common statistical methods of dimensionality reduction and supervised learning in the first work, structural equation modelling in the second, and joined by other researchers, a bigger collective of authors investigates privacy perceptions and develops a theoretical framework for understanding Internet privacy attitudes (Dinev, Xu, Smith and Hart [11]), with an empirically developed structural model attesting to the validity of proposed constructs.
In a set of studies of privacy-related issues in social networking services, Krasnova et al. [28,29] turn to the privacy calculus and produce structural models to investigate Internet users' privacy concerns and motivations regarding personal information disclosure.The former research develops and justifies categorisation of privacy concerns, and, then, tests it against self-disclosure dimensions to explore inter-relations between defined privacy concerns and postulated self-disclosure strategies.The latter paper commences in an attempt to build a model of self-disclosure in social networking services.Exploratory in nature, this paper identifies factors of self-disclosure, noting, however, that "(…) other factors beyond those investigated in our study can also have an impact on individual self-disclosure" (Krasnova et al. [29], p. 123).
Krasnova et al. [30] account for users' mental patterns and uncover cultural implications of privacy attitudes and behaviour.Here the authors address individualism and avoidance of uncertainty as two (out of commonly adopted five) cultural factors of self-disclosure that seem most relevant in terms of social networking services.The paper, as recognised by the authors, is limited in the scope of possible influencing effects.The model itself abstains from considering spatial and temporal factors, as well as cognitive effects and biases at the point of making a decision.
Keith et al. [24] apply the privacy calculus to show that consumer age is not a significant factor in decisions on online self-disclosure, and the relationship between decisions on personal information disclosure and the intention to disclose such information is weak, while still statistically significant.More practical conclusions reveal that privacy-concerned users do not necessarily properly understand the link between first-and second-order privacy risks of the same nature.Notwithstanding, authors admit that their research "does not account for a consumer's long-term intentions or disclosure behaviour" and "privacy calculus might be better modelled as a sub-theory within a larger framework aiming to elucidate how long term information disclosure relationships form."(Keith et al. [24], p. 1172).Moreover, the researchers name Kahneman and Tversky's Prospect Theory as a better way than the existing rational privacy calculus for accounting for bounded rationality and obtaining an insight on privacy-related decision-making.Lastly, another take-away from the paper is a seemingly valid point favouring exploration of possible non-linearity of relationship between perceived benefits and risks in self-disclosure decisions.
More and more attempts are made to extend the privacy calculus, apart from the aforementioned works (e.g., Y. Li [34]).A paper by Wang et al. [56] is one successful example.The research probes extending the privacy calculus with more psychological factors and adds evidence of the importance of contextual factors in privacy decisionmaking.Relying on a structural model, the authors argue that users value benefits more than risks.The need for cognition effect has been studied, showing a significant relationship with risks and a non-significant relation with benefits.
The vast majority of decision-making models powered by the privacy calculus were built with expected utility or expected value in their core.To scrutinise decisionmaking behind disclosure in exchange for personalisation of services in e-commerce, Zhu et al. [60] introduce a rank-dependent generalised expected utility model.The authors run their mathematical model through a set of simulations for users with different levels of privacy concerns and companies with different reputation.

Comparison and Discussion
The existing theoretical body of research behind privacy decision-making draws from various subject areas.Let us look closer at the approaches scholars used to study privacy decision-making.Overall, achievements and limitations of the existing models, grouped by prevailing approaches, are represented in a comparative Table 3.
Li [34] designs a decision-making matrix, based on an elaborate overview of approaches and theories used in privacy research, and on the derived concept of a "dualcalculus model", which is defined as a combination of privacyand risk-calculi for decision-making in privacy-related issues.Researchers try to probe privacy decision-making beyond privacy calculus as well.In that way, Van Gool et al. [51] base their research of disclosure behaviour in adolescents on a Prototype Willingness Model 1 .The authors study adolescents' relationship disclosure in online social networks, and they manage to show that said selfdisclosure is a product of an analytical reasoned process, which can be more or less influenced by the situational context.Li, Sarathy, and Xu [33] adopt the S-O-R paradigm 2 in their attempt to model privacy-related decision-making.The authors find that decisions regarding personal information disclosure depend on impressions that users internalize during the first interaction with a website that prompts the users for said decisions to be made.
Mahmood and Desmedt [36] carry out an attempt to develop mathematical models of privacy, which results in devising a game theoretical model (stochastic almost combinatorial) and a graph theory model (attack and defence multigraphs with certain 1 Prototype Willingness Model (PWM) is a framework from the family of so called "dualprocessing models".It operates under the assumption that there are two paths of decisionmaking: a reasoned path (rational), and a social reaction path (heuristics-based).PWM was developed by M. Gerrard, F. X. Gibbons and their colleagues.It was aimed to be used for health studies, originating in Gibbons and Gerrard [18]. 2 Stimulus-organism-response (S-O-R) model postulates that environmental factors affect cognitive reactions in organisms, thusly affecting behaviour (Mehrabian and Russell [39]).
simplifications).The researchers argue that users cannot always be careful and thorough, due to bounded rationality and limitations of working memory.Egelman and Peer [13] study privacy decision-making from a psychological standpoint.The authors consider the influence of such factors as personality dimensions on online privacy concerns and self-disclosure behaviour.As a result, they argue that individual differences are better predictors of decisions than the personality traits approach, testing their hypothesis against the Five Factor Model3 .
Koohikamali et al. [27] extend the modelling literature by addressing selfdisclosure with the premises of Rest's ethical decision-making model 4 .In contrast with majority of research concerned with self-disclosure, the authors attempt to model decisions about disclosure of personal information about others.They show that disclosure about others is driven by the attitudes towards social network sites and concerns about others' privacy, and is not influenced by the social norms.
Griffin et al. [20] formulate a mathematical model, acknowledging behavioural economics arguments and presumably able to predict privacy decisions.Through treating user behaviour as an optimization of comfort with sharing and perceived control, the model reconciles maximization of perceived user control and costs associated with providing that control by social networks.Validation and testing is needed to evaluate the quality of the model.
Eling, Krasnova, Widjaja and Buxmann [15] take an inductive approach to build a decision-making model, linking trust in a service provider and intrusiveness of requested information to highlight the decisional calculus proposed in their paper.Although the authors manage to obtain (and corroborate with an experiment) a depiction of the cognitive process underlying the decisions about application acceptance, the paper does not proceed to construct a cognitive model behind situational decisionmaking.Overall, decisional calculus, unveiled in Eling et al. [15], is in line with the privacy calculus.
Ghosh and Singh [17] provide one of the use cases for applying machine learning to build a predictive model of privacy concerns.Feeding phone usage metadata, refined through classification algorithms, they manage to achieve enough accuracy (for their classification design) to predict users' privacy attitude category.
As particularly mentioned, most authors admit the limitations in their sets of influencing factors; unaccounted possible relations between factors, risks and benefits; and unexplored effects of cognition.Such usually unaddressed aspects may include the momentary awareness of privacy issues, the current level of fatigue and (or) mental workload, attention span and sense-making of privacy indications, and other mental effects (e.g., information overload, cognitive laziness, etc.).
Additionally, there is a discussion on the more convenient ways to convey privacyrelated information to the individuals.As suggested by Wang et al. [55] regarding mobile applications, privacy notices requesting self-disclosure from users, inadequately reflect the scope of privacy intrusion or request unreasonable amounts of selfdisclosure.In a survey comparing the effect of fine-grained privacy indications to the effect of coarse-grained ones Eling, Rasthofer, Kolhagen, Bodden and Buxmann [16] hypothesise that more concrete privacy indications may influence users' willingness to disclose information.In a controlled experiment Egelman, Tsai, Cranor and Acquisti [14] demonstrate that the temporal aspect of privacy indications impacts the acceptable amount of costs that users are willing to bear to preserve their privacy.
The issue of defining a better way to communicate privacy-related information to assist users' decision-making is addressed in Bal et al. [4,5].Reflecting upon "privacy consequences" and echoing the problematic nature of "second-order privacy risks" with the aforementioned Keith et al. [24], the researchers argue that communicating privacy outcomes from privacy-related actions to mobile users should facilitate better decisions.

Opportunity for Future Research: Cognitive Architectures
In order to include various effects of internal and external factors influencing decision-making 5 , as well as different interdependencies, we can try a broader model of cognitionone that simulates dynamic cognitive processes as functions in a system, consisting of input and data acquisition, memory, attention, decision-making, and output generation.The modelling of complex cognitive phenomena is widely and rigorously addressed in cognitive architectures.Most notable and well-established examples of cognitive architectures in use include ACT-R, SOAR, LIDA and EPIC. 6OAR and LIDA focus on artificial general intelligence (Samsonovich [46]).SOAR specialises on task execution and problem-solving, providing software agents with spatial reasoning, anticipation and real-time strategy definition.LIDA has been applied to create software agents replacing human operators in certain tasks, but lacking visual and auditory input modalities and being limited in terms of learning capabilities (Ramamurthy et al. [43]).EPIC is poised as a framework for human-system interactions simulation, assisting in the development and validation of systems interfaces.Another example -4CAPShas been used to describe behavioural patterns in neuropsychology related to executive functions of cognitive control (Just et al. [22]).
When it comes to privacy decision-making, the research model should be able to simulate dynamic cognitive processes as functions in complex systems, comprised of elements accounting for input and data acquisition, memory, attention, decisionmaking, and output generation.One of the most well-established cognitive architectures, which offers sufficient flexibility of application, is the ACT-R framework.Section 3.1 introduces ACT-R in the field of human decision-making.Section 3.2 discusses possible contributions of ACT-R to privacy decision-making, and provides a comparison of ACT-R with the modelling approaches discussed in Chapter 2.

3.1
The ACT-R Modelling Framework ACT-R is one of the most detailed frameworks for modelling perception, procedural cognition and decision processes (Anderson et al. [3]).As argued by Gonzalez and Lebiere [19], there are numerous benefits to the modelling of economic decisionmaking by using cognitive architectures, where ACT-R outcompetes its rivals, being in possession of a "more realistic characterization of the flexibility and adaptability of human behavior" (p.26).
Attempts have been made to create a comprehensive integrated theory to approach modelling of the recognition heuristics and judgments (Marewski, Pohl and Vitouch [38]).Here the authors address issues of an "ecological model of decision-making", pointing out how scarce the research is on real-world decisions with utilizing "sense of prior encounter".Thomson, Lebiere, Anderson and Staszewski [50] argue that modelling paradigms (Taatgen, Lebiere and Anderson [48]) enabled in ACT-R, namely instance-based learning, can be applicable to modelling intuitive decision-making.Authors manage to show that by using this cognitive architecture it is possible to implement risk aversion in learned (not forced) strategy choice.Veksler, Gray and Shoelles [52] demonstrate that the ACT-R framework can be used to implement human decision-making arising from "associative learning", not involving an a-priori notion of rewards and punishments.
Overall, the theoretical background and existing body of empirical research indicate that using ACT-R to model human decision-making can attain new value over the so far prevalent approaches.ACT-R is capable of modelling long-term (both declarative and procedural) and working memory functioning, perception and logic processes and, as shown by Peebles and Banks [41], it is suitable for dynamic decision-making, even though with certain limitations.

ACT-R: Applicability and Discussion
Aforementioned features may help to build a model that can accommodate the context, in which the decisions are made, including but not limited to, simulating momentary awareness, as well as the individual's attention and judgment processes, and other cognitive functions. 7Additionally, incorporating the Cumulative Prospect Theory to model deviations from rational micro-economic decision-making with the ACT-R architecture seems as plausible as it may prove fruitful.A summary of modelling opportunities enabled in ACT-R is outlined in Table 4.It should be clearly stated, that, beyond any doubt, I am not denying the existing body of research all its achievements in formulation of the initial understanding of antecedents of privacy decision-making, and the inter-relations of various factors.As we have seen, though, with other approaches, their applicability can be limited by their theoretical background and, oftentimes, by the goal of each particular study.Additionally, each study usually does not allow for broader generalisations orto the other extreme particularisations (true for most of the mathematical economic models).ACT-R may be capable of contributing to the field of human decision-making entailing privacy consequences in several ways.Consider a situation: "A person X with a fatigue F in a situation S with environmental noise E, surrounded by the amount of people N, while exercising an activity A, is asked to disclose information M and receives a warning W with the properties T." What will be the X's response?
The comprehensiveness of the ACT-R modelling framework theoretically allows us to model the entire problem space of this situation.It makes it possible to come up with specific predictions about individual decisions of people, usually described by person-specific sets of features.
The extendibility of the ACT-R framework should help with building models in stages.Starting up with a certain simplistic basis of privacy-concerned decisionmaking, new features can be gradually added to account for additional effects and factors of the situation, extending its complexity.
Scalability of the ACT-R framework may be used to "switch off" chosen features impacting decisions.That can shed light on some emergent effects and interactions between features, which might have been left obscured and unexplored otherwise.
Features like the learning process, larger sets of user characteristics, attention mechanism, fatigue dynamics and cognitive capacity, task-distraction conflict, environmental noise, and others are extremely cumbersome to address with other approaches.These features, including their inter-dependence, can be addressed with ACT-R in a more structured and explicit, less demanding fashion.With ACT-R we may tackle problems like: ─ studying effects of factors in different combinations with each other; ─ modelling non-linear relationships in people's perceptions of costs, benefits and risks of personal information disclosure; ─ studying human privacy decisions in different mental states; ─ modelling decisions made by users with different privacy attitudes according to various attitude taxonomies; ─ accounting for intertemporal nature of privacy-related decisions; ─ incorporating lower-level mental processes into the picture; ─ comparing different models within ACT-R framework against each other.
Overall, at the current stage of developments in the field of privacy-concerned decision-making, we have obtained substantial knowledge about antecedents and factors of users' disclosure behaviour.Thus, based on what we have learnt so far, it be possible, in principle, to build a decision-making model with the ACT-R framework, which should be able to contribute new knowledge and provide better understanding of situational privacy-concerned decision-making under various restrictions.

Conclusion
This paper provides an attempt to identify gaps in the current stage of research exploring users' decision-making with privacy considerations.The state-of-the-art models of decision-making under privacy restrictions show limitations attributed to their levels of flexibility, practical applicability, and comprehensiveness.A possible idea to overcome some limitations of existing models is proposed in the current paper.This idea of using cognitive architectures may also be a solution that can advance our understanding of human decision-making regarding such a "fuzzy" issue as privacy.
However, the mapping of the behavioural economics approach and (or) extended privacy calculus to decision-making onto the ACT-R cognitive architecture creates major challenges.Economic modelling does not provide a generalised method for defining the costs and benefits for every problem.Additional problems that should be resolved in order to apply, for instance, Cumulative Prospect Theory include: determining the reference point, from which gains and losses can be defined; quantifying the benefits and costs of personal information disclosure; and devising justified probability weighting.
Simultaneously, ACT-R modelling can be a challenge in and of itself, as it is developed to be a comprehensive architecture, simulating human cognitive processes at large.To be successful in developing an ACT-R model, one needs to apply domainspecific knowledge to the architecture and conduct a proper scoping of the problem to be resolved.Of course, the biggest challenge "is that it takes a substantial intellectual commitment to learn to understand models of a particular architecture and to learn to construct models" (Taatgen and Anderson [49], p. 699).
Accompanied by empirical validation, the implementation of the ACT-R cognitive architecture in the field of privacy will be a major challenge that can help privacy research, as well as enrich the ACT-R modelling methods.

Table 1 .
The outline of the selection process

Table 2 .
Theories and Frameworks in privacy decision-making literature

Table 3 .
Summary of approaches to studying privacy decision-making

Table 4 .
Comparison of modelling capabilities of the identified approaches and the ACT-R functionalities.8