{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T02:36:01Z","timestamp":1760150161434,"version":"build-2065373602"},"reference-count":46,"publisher":"MDPI AG","issue":"11","license":[{"start":{"date-parts":[[2023,10,28]],"date-time":"2023-10-28T00:00:00Z","timestamp":1698451200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Illinois State University"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>User adoption and usage of end-to-end encryption tools is an ongoing research topic. A subset of such tools allows users to encrypt confidential emails, as well as manage their access control using features such as the expiration time, disabling forwarding, persistent protection, and watermarking. Previous studies have suggested that protective attitudes and behaviors could improve the adoption of new security technologies. Therefore, we conducted a user study on 19 participants to understand their perceptions of an email security tool and how they use it to manage access control to confidential information such as medical, tax, and employee information if sent via email. Our results showed that the participants\u2019 first impression upon receiving an end-to-end encrypted email was that it looked suspicious, especially when received from an unknown person. After the participants were informed about the importance of the investigated tool, they were comfortable sharing medical, tax, and employee information via this tool. Regarding access control management of the three types of confidential information, the expiration time and disabling forwarding were most useful for the participants in preventing unauthorized and continued access. While the participants did not understand how the persistent protection feature worked, many still chose to use it, assuming it provided some extra layer of protection to confidential information and prevented unauthorized access. Watermarking was the least useful feature for the participants, as many were unsure of its usage. Our participants were concerned about data leaks from recipients\u2019 devices if they set a longer expiration date, such as a year. We provide the practical implications of our findings.<\/jats:p>","DOI":"10.3390\/fi15110356","type":"journal-article","created":{"date-parts":[[2023,10,30]],"date-time":"2023-10-30T09:27:28Z","timestamp":1698658048000},"page":"356","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Managing Access to Confidential Documents: A Case Study of an Email Security Tool"],"prefix":"10.3390","volume":"15","author":[{"given":"Elham","family":"Al Qahtani","sequence":"first","affiliation":[{"name":"Department of Software Engineering, University of Jeddah, Makkah 23445, Saudi Arabia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0293-9551","authenticated-orcid":false,"given":"Yousra","family":"Javed","sequence":"additional","affiliation":[{"name":"School of Information Technology, Illinois State University, Normal, IL 61761, USA"}]},{"given":"Sarah","family":"Tabassum","sequence":"additional","affiliation":[{"name":"Department of Software Information Systems, University of North Carolina, Charlotte, NC 28223, USA"}]},{"given":"Lipsarani","family":"Sahoo","sequence":"additional","affiliation":[{"name":"Department of Software Information Systems, University of North Carolina, Charlotte, NC 28223, USA"}]},{"given":"Mohamed","family":"Shehab","sequence":"additional","affiliation":[{"name":"Department of Software Information Systems, University of North Carolina, Charlotte, NC 28223, USA"}]}],"member":"1968","published-online":{"date-parts":[[2023,10,28]]},"reference":[{"key":"ref_1","unstructured":"(2023, February 06). How Much Sensitive Data Is Your Organization Sharing?\u2014Virtru\u2014virtru.com. Available online: https:\/\/www.virtru.com\/blog\/data-sharing-risk-calculator."},{"key":"ref_2","unstructured":"Stokel-Walker, C. (2023, February 06). Almost No One Encrypts Their Emails Because It Is Too Much of a Hassle. Available online: https:\/\/www.newscientist.com\/article\/2289747-almost-no-one-encrypts-their-emails-because-it-is-too-much-of-a-hassle\/."},{"key":"ref_3","unstructured":"Warford, N., Munyendo, C.W., Mediratta, A., Aviv, A.J., and Mazurek, M.L. (2021, January 11\u201313). Strategies and perceived risks of sending sensitive documents. Proceedings of the 30th USENIX Security Symposium (USENIX Security 21), Virtual."},{"key":"ref_4","unstructured":"Sjouwerman, S. (2023, February 06). 91 blog.knowbe4.com. Available online: https:\/\/blog.knowbe4.com\/bid\/252429\/91-of-cyberattacks-begin-with-spear-phishing-email."},{"key":"ref_5","first-page":"745","article-title":"I\u2019ve got nothing to hide and other misunderstandings of privacy","volume":"44","author":"Solove","year":"2007","journal-title":"San Diego L. Rev."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Gaw, S., Felten, E.W., and Fernandez-Kelly, P. (2006, January 22\u201327). Secrecy, flagging, and paranoia: Adoption criteria in encrypted email. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, Montreal, QC, Canada.","DOI":"10.1145\/1124772.1124862"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Abu-Salma, R., Sasse, M.A., Bonneau, J., Danilova, A., Naiakshina, A., and Smith, M. (2017, January 22\u201324). Obstacles to the adoption of secure communication tools. Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA.","DOI":"10.1109\/SP.2017.65"},{"key":"ref_8","unstructured":"Ruoti, S., Andersen, J., Zappala, D., and Seamons, K. (2015). Why Johnny still, still can\u2019t encrypt: Evaluating the usability of a modern PGP client. arXiv."},{"key":"ref_9","unstructured":"Sheng, S., Broderick, L., Koranda, C.A., and Hyland, J.J. (2006, January 12\u201314). Why johnny still can\u2019t encrypt: Evaluating the usability of email encryption software. Proceedings of the Symposium On Usable Privacy and Security, Pittsburgh, PA, USA."},{"key":"ref_10","first-page":"187","article-title":"User Perceptions of Gmail\u2019s Confidential Mode","volume":"2022","author":"Javed","year":"2022","journal-title":"Proc. Priv. Enhanc. Technol."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Clark, J., van Oorschot, P.C., Ruoti, S., Seamons, K., and Zappala, D. (2021, January 1\u20135). SoK: Securing email\u2014A stakeholder-based analysis. Proceedings of the Financial Cryptography and Data Security: 25th International Conference, FC 2021, Virtual Event. Revised Selected Papers, Part I 25.","DOI":"10.1007\/978-3-662-64322-8_18"},{"key":"ref_12","unstructured":"(2023, January 27). Virtru. Available online: https:\/\/www.virtru.com\/data-protection-platform\/email-encryption\/gmail#:~:text=End%2Dto%2DEnd%20Encryption%2C%20Simplified&text=Virtru%20equips%20you%20to%20secure,Set%20expiration%20dates."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3313761","article-title":"A usability study of four secure email tools using paired participants","volume":"22","author":"Ruoti","year":"2019","journal-title":"ACM Trans. Priv. Secur. (TOPS)"},{"key":"ref_14","unstructured":"UM, T.S. (2023, September 29). Virtru: Added Security for Your U-M GMail. Available online: https:\/\/safecomputing.umich.edu\/protect-the-u\/safely-use-sensitive-data\/virtru."},{"key":"ref_15","unstructured":"CRUZ, U.S. (2023, September 29). Virtru for Sharing Sensitive Data on and off Campus. Available online: https:\/\/its.ucsc.edu\/virtru\/."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"He, W., Akhawe, D., Jain, S., Shi, E., and Song, D. (2014, January 3\u20137). Shadowcrypt: Encrypted web applications for everyone. Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA.","DOI":"10.1145\/2660267.2660326"},{"key":"ref_17","unstructured":"Vaziripour, E., O\u2019Neill, M., Wu, J., Heidbrink, S., Seamons, K., and Zappala, D. (2016, January 22\u201324). Social Authentication for {End-to-End} Encryption. Proceedings of the Twelfth Symposium on Usable Privacy and Security (SOUPS 2016), Denver, CO, USA."},{"key":"ref_18","unstructured":"(2023, January 27). Virtru Encryption Key Management. Available online: https:\/\/www.virtru.com\/encryption-key-management\/?utm_campaign=2022_US_DataBreach_General&gclid=Cj0KCQiAw8OeBhCeARIsAGxWtUyk2j-CDf10x84XKRWd4XkaGCthgOfzZlVKe6CZiUgQzhgbOex9m7YaAiSiEALw_wcB."},{"key":"ref_19","unstructured":"Ferreira, L., and Anacleto, J. (2017, January 9\u201314). Usability in Solutions of Secure Email\u2014A Tools Review. Proceedings of the Human Aspects of Information Security, Privacy and Trust: 5th International Conference, HAS 2017, Held as Part of HCI International 2017, Vancouver, BC, Canada. Proceedings 5."},{"key":"ref_20","unstructured":"Hogan, B. (2023, September 29). Virtru Review: Easily Protect Data Wherever It\u2019s Created or Shared. Available online: https:\/\/www.softwarepundit.com\/virtru-review."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Ruoti, S., Andersen, J., Hendershot, T., Zappala, D., and Seamons, K. (2016, January 16\u201319). Private webmail 2.0: Simple and easy-to-use secure email. Proceedings of the 29th Annual Symposium on User Interface Software and Technology, Tokyo, Japan.","DOI":"10.1145\/2984511.2984580"},{"key":"ref_22","unstructured":"(2023, September 29). Tutanota. Available online: https:\/\/tutanota.com."},{"key":"ref_23","unstructured":"(2023, September 29). PGP (Mailvelope). Available online: https:\/\/mailvelope.com\/en."},{"key":"ref_24","unstructured":"(2023, September 29). Proton Mail. Available online: https:\/\/proton.me\/mail."},{"key":"ref_25","unstructured":"(2023, September 29). Gmail Confidential Mode. Available online: https:\/\/support.google.com\/mail\/answer\/7674059?sjid=16859918329907772900-NA."},{"key":"ref_26","unstructured":"De Luca, A., Das, S., Ortlieb, M., Ion, I., and Laurie, B. (2016, January 22\u201324). Expert and Non-Expert Attitudes towards (Secure) Instant Messaging. Proceedings of the Twelfth Symposium on Usable Privacy and Security (SOUPS 2016), Denver, CO, USA."},{"key":"ref_27","unstructured":"Brady, S. (2023, September 29). Survey Shows Sharing Confidential Data in the Workplace is Common. Available online: https:\/\/totalsecurityadvisor.blr.com\/cybersecurity\/survey-shows-sharing-confidential-data-workplace-common\/."},{"key":"ref_28","first-page":"68","article-title":"Sharing sensitive health information through social media in the Arab world","volume":"29","author":"Asiri","year":"2017","journal-title":"Int. J. Qual. Health Care"},{"key":"ref_29","unstructured":"Househ, M. (2011). User Centred Networked Health Care, IOS Press."},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Dechand, S., Naiakshina, A., Danilova, A., and Smith, M. (2019, January 17\u201319). In encryption we don\u2019t trust: The effect of end-to-end encryption to the masses on user perception. Proceedings of the 2019 IEEE European Symposium on Security and Privacy (EuroS&P), Stockholm, Sweden.","DOI":"10.1109\/EuroSP.2019.00037"},{"key":"ref_31","unstructured":"Das, S., Kim, T.H.J., Dabbish, L.A., and Hong, J.I. (2014, January 9\u201311). The effect of social influence on security sensitivity. Proceedings of the 10th Symposium On Usable Privacy and Security (SOUPS 2014), Menlo Park, CA, USA."},{"key":"ref_32","unstructured":"Fagan, M., and Khan, M.M.H. (2016, January 22\u201324). Why do they do what they do?: A study of what motivates users to (not) follow computer security advice. Proceedings of the Twelfth symposium on usable privacy and security (SOUPS 2016), Denver, CO, USA."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Al Qahtani, E., Javed, Y., Lipford, H., and Shehab, M. (2020, January 7\u201311). Do women in conservative societies (not) follow smartphone security advice? a case study of saudi arabia and pakistan. Proceedings of the 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Genova, Italy.","DOI":"10.1109\/EuroSPW51379.2020.00028"},{"key":"ref_34","unstructured":"Renaud, K., Volkamer, M., and Renkema-Padmos, A. (2014). International Symposium on Privacy Enhancing Technologies Symposium, Springer."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Ruoti, S., Andersen, J., Heidbrink, S., O\u2019Neill, M., Vaziripour, E., Wu, J., Zappala, D., and Seamons, K. (2016, January 7\u201312). \u201cWe\u2019re on the Same Page\u201d A Usability Study of Secure Email Using Pairs of Novice Users. Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems, San Jose, CA, USA.","DOI":"10.1145\/2858036.2858400"},{"key":"ref_36","unstructured":"Wu, J., and Zappala, D. (2018, January 12\u201314). When is a tree really a truck? exploring mental models of encryption. Proceedings of the Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018), Baltimore, MD, USA."},{"key":"ref_37","first-page":"169","article-title":"Why Johnny Can\u2019t Encrypt: A Usability Evaluation of PGP 5.0","volume":"348","author":"Whitten","year":"1999","journal-title":"USENIX Secur. Symp."},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Krombholz, K., Busse, K., Pfeffer, K., Smith, M., and Von Zezschwitz, E. (2019, January 19\u201323). \u201cIf HTTPS Were Secure, I Wouldn\u2019t Need 2FA\u201d\u2014End User and Administrator Mental Models of HTTPS. Proceedings of the 2019 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA.","DOI":"10.1109\/SP.2019.00060"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"MacFarland, T.W., Yates, J.M., MacFarland, T.W., and Yates, J.M. (2016). Introduction to Nonparametric Statistics for the Biological Sciences Using R, Springer.","DOI":"10.1007\/978-3-319-30634-6"},{"key":"ref_40","first-page":"1","article-title":"Reliability and inter-rater reliability in qualitative research: Norms and guidelines for CSCW and HCI practice","volume":"3","author":"McDonald","year":"2019","journal-title":"Proc. ACM Hum.-Comput. Interact."},{"key":"ref_41","unstructured":"McGregor, S.E., Charters, P., Holliday, T., and Roesner, F. (2015, January 12\u201314). Investigating the computer security practices and needs of journalists. Proceedings of the 24th USENIX Security Symposium (USENIX Security 15), Washington, DC, USA."},{"key":"ref_42","doi-asserted-by":"crossref","unstructured":"Gerber, N., Zimmermann, V., Henhapl, B., Emer\u00f6z, S., and Volkamer, M. (2018, January 27\u201330). Finally johnny can encrypt: But does this make him feel more secure?. Proceedings of the 13th International Conference on Availability, Reliability and Security, Hamburg, Germany.","DOI":"10.1145\/3230833.3230859"},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Albayram, Y., Liu, J., and Cangonj, S. (2021, January 11\u201312). Comparing the Effectiveness of Text-based and Video-based Delivery in Motivating Users to Adopt a Password Manager. Proceedings of the European Symposium on Usable Security 2021, Karlsruhe, Germany.","DOI":"10.1145\/3481357.3481519"},{"key":"ref_44","unstructured":"Albayram, Y., Khan, M.M.H., Jensen, T., and Nguyen, N. (2017, January 12\u201314). \u201c\u2026 better to use a lock screen than to worry about saving a few seconds of time\u201d: Effect of Fear Appeal in the Context of Smartphone Locking Behavior. Proceedings of the Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017), Santa Clara, CA, USA."},{"key":"ref_45","unstructured":"Al Qahtani, E., Sahoo, L., and Shehab, M. (2021). International Conference on Human-Computer Interaction, Springer."},{"key":"ref_46","unstructured":"Ruoti, S., Monson, T., Wu, J., Zappala, D., and Seamons, K. (2017, January 12\u201314). Weighing context and trade-offs: How suburban adults selected their online security posture. Proceedings of the Symposium on Usable Privacy and Security (SOUPS), Santa Clara, CA, USA."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/15\/11\/356\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T21:13:20Z","timestamp":1760130800000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/15\/11\/356"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,10,28]]},"references-count":46,"journal-issue":{"issue":"11","published-online":{"date-parts":[[2023,11]]}},"alternative-id":["fi15110356"],"URL":"https:\/\/doi.org\/10.3390\/fi15110356","relation":{},"ISSN":["1999-5903"],"issn-type":[{"type":"electronic","value":"1999-5903"}],"subject":[],"published":{"date-parts":[[2023,10,28]]}}}