UNO and Michigan State Researchers Find Cybersecurity Carries a Convenience Tax, Until Your Data Is Actually at Stake

OMAHA, Neb. — New research from the University of Nebraska at Omaha (UNO) reveals a critical gap in how people approach online safety: most users fail to recognize visual warning signs of risky websites and are more motivated by convenience than cybersecurity—at least until their personal information is actually at risk of being stolen.

The study, led by UNO criminologist Travis Carter, Ph.D., in collaboration with Michigan State University researcher Rachel McNealey, Ph.D., was recently published in the Journal of Experimental Criminology. The findings offer new insight into why individuals remain one of the most vulnerable points in cybersecurity systems.

The Big Picture

Despite ongoing education and awareness efforts, users are not reliably identifying online threats—and often opt for ease of use over taking protective actions.

Inside the Research

The team conducted a conjoint survey experiment with a nationally representative sample of 1,006 U.S. adults. Participants were shown simulated utility websites with varying manipulated features such as shortened URLs, advertisements, font styles, privacy notices, and security indicators.

They were then asked to evaluate risk and decide whether or not to follow cybersecurity recommendations, such as enabling two-factor authentication.

Key Findings

• Visual cues fall short: Common website elements like ads, font styles, privacy notices, and security icons had little effect on users’ perception of risk.
• Convenience is king: The perceived time and effort required to follow a security recommendation had a greater impact on decision-making than the severity of the potential threat.
• Context matters: When it is the individual’s personal information is at risk, they are more likely to choose security measures they believe are effective—even if they are less convenient—suggesting the usual “convenience trade-off” largely disappears in cybersecurity compliance.

Why it Matters

The study highlights a “convenience tax” in cybersecurity—when protective measures feel burdensome, users are less likely to adopt them. This behavioral pattern helps explain why, despite advances in technology and training, individuals continue to be a primary vulnerability in digital security systems.

“Our findings suggest that people are not always aware of what puts them at risk online,” Carter said. “If security measures are perceived as inconvenient, users may avoid them—even when the stakes are high.”

What’s Next

The research has practical implications for organizations, policymakers, and cybersecurity professionals. Designing systems that minimize user effort—and clearly communicate the effectiveness of security measures—may improve adoption and reduce risk.

Read the Study

The full, open-access article is available via DOI: https://doi.org/10.1007/s11292-025-09717-1