Media Effects Research Lab - Research Archive

The nudge made me do it: Exploring nudge effectiveness in password management behavior

Student Researcher(s)

Carlina DiRusso (Ph.D. Candidate); Shipi Kankane (Ph.D. Candidate); Christen Buckley (Ph.D. Candidate)

Faculty Supervisor

Dr. S. Shyam Sundar

This paper was based on a project as part of the “COMM 506” course.


INTRODUCTION
Nudging theory has been found to significantly influence decision-making and behavior in offline contexts, and more recently in online contexts, including cybersecurity. Although it is common knowledge that creating new and complex passwords is a proactive cybersecurity behavior, most password-protected account holders manage their passwords poorly, reusing the same passwords that often contain personal information (Gaw & Felten, 2006). This study examines nudging theory in the context of password management practices by comparing the effects of five nudges (incentive, norms, default, salience, and ego) on password management attitudes and behavior. These nudges were based on previously defined nudge parameters (Blumenthal-Barby & Burroughs, 2012).


RESEARCH QUESTION / HYPOTHESES
H1: There will be differences between the types of nudges and comfort level with keeping an auto-generated password.
H2: There will be differences between the types of nudges and behavior of changing password.

METHOD
A between-subjects experiment was conducted in Qualtrics with five nudge conditions (incentives, norms, defaults, salience, and ego) plus one control condition. The experiment’s cover story required participants to undergo a mock online registration process for a new retail website. Participants provided a username for the site and received an auto-generated password for their site account. Then, they were randomly assigned to one of five nudge conditions that encouraged them to create their own password. Participants indicated a) their comfort level with keeping the auto-generated password, and b) whether they wanted to create their own password now, later, or not at all. Participants then completed a questionnaire measuring the following individual-level covariates: password changing habits, number of password-protected accounts, number of compromised accounts, and Internet trust.

RESULTS

To test H1, a one-way ANOVA and a one-way ANCOVA were conducted to examine the effects of different types of nudges on participants’ comfort levels with the auto-generated password. Results show that the salience nudge significantly decreases the comfort level with keeping the auto-generated password, thus supporting H1. An ANCOVA revealed that even after controlling for covariates, the salience nudge still significantly reduces comfort level with keeping the auto-generated password. To test H2, a Chi-square test of independence was conducted between types of nudges and the behavior of changing passwords. This test did not reveal significant differences.
Additional analyses show that the number of accounts compromised is positively related to password changing habits and negatively correlated with Internet trust. The lower the level of Internet trust, the more often participants change passwords for their online accounts. Further, younger individuals were more comfortable with keeping the auto-generated password. Age and Internet trust were moderately positively related, indicating older participants had higher levels of Internet trust.


CONCLUSIONS/DISCUSSION

This study sought to examine the relationship between different types of nudges and cybersecurity behavior, operationalized as password management attitudes (i.e., comfort level with keeping an auto-generated password) and behavior (i.e., creating a new password). The salience nudge was the only nudge that significantly influenced comfort level with keeping an auto-generated password, and no nudges significantly affected creating a new password. According to nudging theory, a single nudge could induce multiple psychological effects that influence decision-making (Thaler & Sunstein, 2009). The implications of this finding build upon the current understanding of the psychological effects of nudging, specifically affect and salience nudges, and support the progress towards a better-defined typology of nudges. This finding helps to contextualize nudging effectiveness in cybersecurity behavior and also has implications for practical nudge implementation, like privacy cues on social media.

For more details regarding the study contact

Dr. S. Shyam Sundar by e-mail at sss12@psu.edu or by telephone at (814) 865-2173
