2,879 research outputs found

    Ethical guidelines for nudging in information security & privacy

    There has recently been an upsurge of interest in the deployment of behavioural economics techniques in the information security and privacy domain. In this paper, we consider first the nature of one particular intervention, the nudge, and the way it exercises its influence. We contemplate the ethical ramifications of nudging, in its broadest sense, deriving general principles for ethical nudging from the literature. We extrapolate these principles to the deployment of nudging in information security and privacy. We explain how researchers can use these guidelines to ensure that they satisfy the ethical requirements during nudge trials in information security and privacy. Our guidelines also provide guidance to ethics review boards that are required to evaluate nudge-related research

    Guidelines for ethical nudging in password authentication

    Nudging has been adopted by many disciplines in the last decade in order to achieve behavioural change. Information security is no exception. A number of attempts have been made to nudge end-users towards stronger passwords. Here we report on our deployment of an enriched nudge displayed to participants on the system enrolment page, when a password has to be chosen. The enriched nudge was successful in that participants chose significantly longer and stronger passwords. One thing that struck us as we designed and tested this nudge was that we were unable to find any nudge-specific ethical guidelines to inform our experimentation in this context. This led us to reflect on the ethical implications of nudge testing, specifically in the password authentication context. We mined the nudge literature and derived a number of core principles of ethical nudging. We tailored these to the password authentication context, and then show how they can be applied by assessing the ethics of our own nudge. We conclude with a set of preliminary guidelines derived from our study to inform other researchers planning to deploy nudge-related techniques in this context

    Designing the Health-related Internet of Things: Ethical Principles and Guidelines

    The conjunction of wireless computing, ubiquitous Internet access, and the miniaturisation of sensors have opened the door for technological applications that can monitor health and well-being outside of formal healthcare systems. The health-related Internet of Things (H-IoT) increasingly plays a key role in health management by providing real-time tele-monitoring of patients, testing of treatments, actuation of medical devices, and fitness and well-being monitoring. Given its numerous applications and proposed benefits, adoption by medical and social care institutions and consumers may be rapid. However, a host of ethical concerns are also raised that must be addressed. The inherent sensitivity of health-related data being generated and latent risks of Internet-enabled devices pose serious challenges. Users, already in a vulnerable position as patients, face a seemingly impossible task to retain control over their data due to the scale, scope and complexity of systems that create, aggregate, and analyse personal health data. In response, the H-IoT must be designed to be technologically robust and scientifically reliable, while also remaining ethically responsible, trustworthy, and respectful of user rights and interests. To assist developers of the H-IoT, this paper describes nine principles and nine guidelines for ethical design of H-IoT devices and data protocols

    Ethical Guidelines for the Construction of Digital Nudges

    Under certain circumstances, humans tend to behave in irrational ways, leading to situations in which they make undesirable choices. The concept of digital nudging addresses these limitations of bounded rationality by establishing a libertarian paternalist alternative to nudge users in virtual environments towards their own preferential choices. Thereby, choice architectures are designed to address biases and heuristics involved in cognitive thinking. As research on digital nudging has become increasingly popular in the Information Systems community, an increasing necessity for ethical guidelines has emerged around this concept to safeguard its legitimization in distinction to e.g. persuasion or manipulation. However, reflecting on ethical debates regarding digital nudging in academia, we find that current conceptualizations are scarce. This is where, on the basis of existing literature, we provide a conceptualization of ethical guidelines for the design of digital nudges, and thereby aim to ensure the applicability of nudging mechanisms in virtual environments

    POINTER: a GDPR-compliant framework for human pentesting (for SMEs)

    Penetration tests have become a valuable tool in any organisation’s arsenal, in terms of detecting vulnerabilities in their technical defences. Many organisations now also “penetration test” their employees, assessing their resilience and ability to repel human-targeted attacks. There are two problems with current frameworks: (1) few of these have been developed with SMEs in mind, and (2) many deploy spear phishing, thereby invading employee privacy, which could be illegal under the new European General Data Protection Regulation (GDPR) legislation. We therefore propose the PoinTER (Prepare TEst Remediate) Human Pentesting Framework. We subjected this framework to expert review and present it to open a discourse on the issue of formulating a GDPR-compliant Privacy-Respecting Employee Pentest for SMEs

    Status Quo, Critical Reflection, and the Road Ahead of Digital Nudging in Information Systems Research: A Discussion with Markus Weinmann and Alexey Voinov

    Research on digital nudging has become increasingly popular in the information systems (IS) community. In this paper, we overview the current progress of, critically reflect on, and discuss further research on digital nudging in IS. To do so, we reviewed the literature and interviewed Markus Weinmann from Rotterdam School of Management at Erasmus University, one of the first scholars who introduced digital nudging to the IS community, and Alexey Voinov, Director of the Centre on Persuasive Systems for Wise Adaptive Living at University of Technology Sydney. We uncovered a gap between what we know about what constitutes digital nudging and how we can actually put consequent requirements into practice. In this context, the original nudging concept bears inherent challenges about, for example, the focus on individuals’ welfare, which, thus, also apply to digital nudging. Moreover, we need to better understand how nudging in digital choice environments differs from that in the offline world. To further distinguish itself from other fields that already tested various nudges in many different domains, digital nudging research in IS may benefit from a design science perspective in order to go beyond testing effectiveness and provide specific design principles for the different types of digital nudges

    How to Achieve Ethical Persuasive Design: A Review and Theoretical Propositions for Information Systems

    Persuasive system design (PSD) is an umbrella term for designs in information systems (IS) that can influence people’s attitude, behavior, or decision making for better or for worse. On the one hand, PSD can improve users’ engagement and motivation to change their attitude, behavior, or decision making in a favorable way, which can help them achieve a desired outcome and, thus, improve their wellbeing. On the other hand, PSD misuse can lead to unethical and undesirable outcomes, such as disclosing unnecessary information or agreeing to terms that do not favor users, which, in turn, can negatively impact their wellbeing. These powerful persuasive designs can involve concepts such as gamification, gamblification, and digital nudging, which all have become prominent in recent years and have been implemented successfully across different sectors, such as education, e-health, e-governance, e-finance, and digital privacy contexts. However, such persuasive influence on individuals raises ethical questions as PSD can impair users’ autonomy or persuade them towards a third party’s goals and, hence, lead to unethical decision-making processes and outcomes. In human-computer interaction, recent advances in artificial intelligence have made this topic particularly significant. These novel technologies allow one to influence the decisions that users make, to gather data, and to profile and persuade users into unethical outcomes. These unethical outcomes can lead to psychological and emotional damage to users. To understand the role that ethics play in persuasive system design, we conducted an exhaustive systematic literature analysis and 20 interviews to overview ethical considerations for persuasive system design. Furthermore, we derive potential propositions for more ethical PSD and shed light on potential research gaps

    Dark Patterns


    Autonomy in the AAL: between law and ethics

    The growth of Silver Economy calls for a paradigm shift in senior care, where active and healthy ageing is a primary goal. It also coincides with the rapid development of new technologies – AAL being one of them. The AAL combines the advances in the emerging technologies with the need to promote healthy and active ageing experience. This master thesis focuses on the value of individual autonomy and its importance in the context of senior care. The main argument of this research is that individual autonomy is a crucial element in attaining the goal of active and healthy ageing. However, the impact of AAL technology on individual autonomy is uncertain. On one side, AAL's main goal is to enable independent and autonomous living for as long as possible, while on the other side, the AAL by its very design limits individual autonomy. Individual autonomy in the AAL is enabled through legal and ethical norms. The nature of the AAL technology and the contexts and norms under which it operates are dynamic and constantly changing. Therefore, legal regulation needs to be augmented by ethical norms that are fit to meet the ever-changing character of this emerging technology. In particular, ethical technology design principles have a great potential to address the novelty of the AAL and the challenges that European data protection legislation is failing to tackle