Abstract
Nudging is a promising approach for influencing people to make advisable choices in a range of domains, including cybersecurity. However, the processes underlying the concept, and the nudge’s effectiveness in different contexts and in the long term, are still poorly understood. Our research thus first reviewed the nudge concept and differentiated it from other interventions before applying it to the cybersecurity area. We then carried out an empirical study to assess the effectiveness of three different nudge-related interventions on four types of cybersecurity-specific decisions. Our study demonstrated that the combination of a simple nudge and information provision, termed a “hybrid nudge,” was at least as effective in encouraging secure choices as the simple nudge on its own, and in some decision contexts even more effective. This indicates that the inclusion of information when deploying a nudge, thereby increasing the intervention’s transparency, does not necessarily diminish its effectiveness.
A follow-up study explored the educational and long-term impact of our tested nudge interventions to encourage secure choices. The results indicate that the impact of the initial nudges, of all kinds, did not endure. We conclude by discussing our findings and their implications for research and practice.
Supplemental Material
Supplemental movie, appendix, image and software files for The Nudge Puzzle: Matching Nudge Interventions to Cybersecurity Decisions