Research Project · Published · ASSETS 2026
"I'm trying not to get hacked:" How Adults with IDD Navigate Security and Privacy Notifications
Abstract
Security and privacy notifications—such as login alerts, spam e-mail warnings, and cookie consent requests—play a critical role in shaping how users respond to digital risks. Yet most notifications overlook cognitive accessibility, limiting their effectiveness for people with intellectual and developmental disabilities (IDD). In this work, we investigate how adults with IDD perceive and respond to common security and privacy notifications across mobile and web applications. Through a user study involving six adults with IDD, we identified key factors that influenced their understanding and decision-making, including reliance on visual or symbolic cues, simplification of complex terms, interdependence with support persons, and familiarity with everyday functions. We further highlight interaction challenges, including misunderstandings of notification purpose and flow, misinterpretations of language and terminology, and misalignments of action-outcome expectations. Our results contribute design recommendations to advance usable privacy and security, supporting safer and more autonomous digital engagement for users with IDD.Security and privacy warnings, like login alerts, spam email notices, and cookie pop-ups, are meant to help people stay safe online. But most are not designed with accessibility in mind, which can make them hard to understand for some people with intellectual and developmental disabilities (IDD). We studied how six adults with IDD responded to these kinds of warnings on phones and websites. We found they relied on visual cues, got help from trusted people, and used their familiarity with everyday apps. We also found that some warnings were hard to understand: it was not always clear what the warning was for, what the words meant, or what would happen when pressing a button. Our findings offer design ideas to make these warnings clearer and safer for everyone.