2,432 research outputs found

    Nudging folks towards stronger password choices: providing certainty is the key

    Persuading people to choose strong passwords is challenging. One way to influence password strength, as and when people are making the choice, is to tweak the choice architecture to encourage stronger choice. A variety of choice architecture manipulations, i.e. “nudges”, have been trialled by researchers with a view to strengthening the overall password profile. None has made much of a difference so far. Here we report on our design of an influential behavioural intervention tailored to the password choice context: a hybrid nudge that significantly prompted stronger passwords. We carried out three longitudinal studies to analyse the efficacy of a range of “nudges” by manipulating the password choice architecture of an actual university web application. The first and second studies tested the efficacy of several simple visual framing “nudges”. Password strength did not budge. The third study tested expiration dates directly linked to password strength. This manipulation delivered a positive result: significantly longer and stronger passwords. Our main conclusion was that the final successful nudge provided participants with absolute certainty as to the benefit of a stronger password, and that it was this certainty that made the difference

    The Dark Side of Privacy Nudging – An Experimental Study in the Context of a Digital Work Environment

    In digital environments, individuals tend to share disproportionally more information than in face-to-face communication. Critically, disclosing personal information can yield risks such as unwanted monitoring or discrimination. Privacy nudging is a promising approach to get users to disclose less personal information. In this work, we tested two nudges corresponding to the issue of personal privacy. A framing nudge conveys an intensive message and a social nudge provides social cues. To empirically test these nudges, we evaluated an experiment with 223 participants. The results indicate that privacy nudges negatively influence information disclosure behavior. The social nudge was perceived as a threat. The framing nudge directly affected negative emotions and the social nudge indirectly. Perceived threat and negative emotions have a significant negative effect on information disclosure intention. With this research, we contribute to the discussion of what drives privacy nudge effectiveness and influences information disclosure behavior in digital work environments

    Nudging Online Security Behaviour with Warning Messages: Results from an online experiment

    This study is part of a larger effort to better understand online behaviour. We tested the effect on people’s security behaviour of different ways of warning them about cybersecurity threats with an online experiment (n=5,065) in Germany, Sweden, Poland, the UK and Spain. Participants had to make a purchase in a mock online store, and their behaviour was observed through four behavioural measures. Results show that making users aware of the steps they can take to minimise their exposure to risk is effective in generating more secure behaviour, as suggested by protection motivation theory. Gain and loss-framed messages, and a message with a male anthropomorphic character, also had some effect on behaviour compared to the control group. The study also included a questionnaire. Results showed that more risk-averse participants exhibited more cautious behaviour. Finally, although they influenced behaviour itself, warning messages based on behavioural insights did not affect participants' self-reported knowledge of how to prevent cyberattacks. JRC.B.4-Human Capital and Employmen

    Enhancing cybersecurity awareness through educational games: design of an adaptive visual novel game

    In a world that continues to be increasingly digitalized, the dependency on technological tools has become unavoidable. The COVID-19 pandemic has further accelerated the trend towards remote work and education, leading to an increase in online activity and data exchange. However, despite this surge in online activity, the level of cybersecurity awareness among a significant number of users remains inadequate. Many users lack proper education on cybersecurity and online privacy and demonstrate a lack of understanding of the sensitivity of their data. A survey we conducted on more than 300 users confirmed that the need for more quality content was blatant. Educational games have demonstrated their effectiveness as teaching and learning tools, particularly in vulgarizing topics generally requiring in-depth knowledge to master. However, challenges are associated with the quality and assessment of serious games, as multiple aspects of game enjoyment are subjective and intangible. Motivated by the need for improved “high quality” educational games, this thesis builds a scale to refine the criteria mentioned by Caserman’s assessment of serious games and applies that to 45 cybersecurity games. The assessment indicated a deficiency in the enjoyment criteria, specifically the lack of dynamic adaptation. As a result, this study proposes the EVNAG (Educational Visual Novel Adaptive Game) cybersecurity game framework, which centers on Dynamic Difficulty Adaptation as a solution to this issue. Inspired by this architecture, the cybersecurity visual novel “Grown-Up Blues” was implemented. 
The thesis contributes to the growing body of research on educational games in cybersecurity and provides insights for designing effective educational games that enhance cybersecurity education

    Self-endorsed Cybersecurity Capability Improvement for SMEs

    Low cybersecurity awareness and the lack of good practices have led to a growing number of cyber-attacks and incidents in small and medium-sized enterprises (SMEs). This study introduces CYSEC, a new lightweight Do-It-Yourself (DIY) approach to communicate cybersecurity awareness training to a large number of SMEs and encourage them to improve their capability continuously. CYSEC is a method and tool that implements the Self-Determination Theory (SDT) to motivate SME end-users to sustainable self-endorsed forms of security behavior and guide them to carry out the security improvement on their own. The paper describes the theoretical framework for modeling self-determination and explains how the adoption of cybersecurity recommendations can be internalized step-by-step by an SME by following an iterative process in CYSEC. Finally, significant lessons learned about the use of CYSEC and its intervention in pursuit of cybersecurity adoption in the pilot SMEs are presented

    Usable privacy and security in smart homes

    Ubiquitous computing devices increasingly dominate our everyday lives, including our most private places: our homes. Homes that are equipped with interconnected, context-aware computing devices, are considered “smart” homes. To provide their functionality and features, these devices are typically equipped with sensors and, thus, are capable of collecting, storing, and processing sensitive user data, such as presence in the home. At the same time, these devices are prone to novel threats, making our homes vulnerable by opening them for attackers from outside, but also from within the home. For instance, remote attackers who digitally gain access to presence data can plan for physical burglary. Attackers who are physically present with access to devices could access associated (sensitive) user data and exploit it for further cyberattacks. As such, users’ privacy and security are at risk in their homes. Even worse, many users are unaware of this and/or have limited means to take action. This raises the need to think about usable mechanisms that can support users in protecting their smart home setups. The design of such mechanisms, however, is challenging due to the variety and heterogeneity of devices available on the consumer market and the complex interplay of user roles within this context. This thesis contributes to usable privacy and security research in the context of smart homes by a) understanding users’ privacy perceptions and requirements for usable mechanisms and b) investigating concepts and prototypes for privacy and security mechanisms. Hereby, the focus is on two specific target groups, that are inhabitants and guests of smart homes. In particular, this thesis targets their awareness of potential privacy and security risks, enables them to take control over their personal privacy and security, and illustrates considerations for usable authentication mechanisms. 
This thesis provides valuable insights to help researchers and practitioners in designing and evaluating privacy and security mechanisms for future smart devices and homes, particularly targeting awareness, control, and authentication, as well as various roles.
Computers and other “smart”, connected devices are ubiquitous and do not stop short of our most private refuge: our home. A “smart home” promises many advantages and useful functions. To deliver these, the devices are equipped with various sensors, so they can collect, store and process sensitive data in our homes (e.g. presence). At the same time, the devices are susceptible to (novel) cyberattacks, thereby endangering our homes and opening them to potential attackers, both internal and external. For example, attackers who digitally gain access to sensitive data such as presence could plan a physical break-in while the residents are away. Attackers who gain physical access to a device could access associated data and accounts and exploit them for further cyberattacks. This puts users’ privacy and security at risk in their own homes. To make matters worse, many users are unaware of this and/or have only limited means of taking effective countermeasures. This makes it essential to think about usable mechanisms that support users in protecting their smart homes. Implementing such mechanisms, however, is a major challenge. Among other things, this is due to the wide variety of available devices from many different manufacturers, which makes it harder to find a uniform solution. In addition, several users in different roles (e.g. residents and guests) usually interact in the home context, which further complicates the design of mechanisms. 
This doctoral thesis contributes to developing usable privacy and security mechanisms in the context of the “smart home”. In particular, it a) investigates the perception of privacy and the requirements for potential mechanisms, and b) presents concepts and prototypes for privacy and security mechanisms. The focus is on two target groups: the residents and the guests of a smart home. In particular, this work addresses their awareness of potential privacy and security risks, gives them control over their personal privacy and security, and shows options for usable authentication mechanisms for both target groups. The results of this doctoral thesis lay the foundation for the future development and evaluation of usable privacy and security mechanisms in the smart home

    Publish, Share, Re-Tweet, and Repeat

    New technologies allow users to communicate ideas to a broad audience easily and quickly, affecting the way ideas are interpreted and their credibility. Each and every social network user can simply click “share” or “retweet” and automatically republish an existing post and expose a new message to a wide audience. The dissemination of ideas can raise public awareness about important issues and bring about social, political, and economic change. Yet, digital sharing also provides vast opportunities to spread false rumors, defamation, and Fake News stories at the thoughtless click of a button. The spreading of falsehoods can severely harm the reputation of victims, erode democracy, and infringe on the public interest. Holding the original publisher accountable and collecting damages from him offers very limited redress since the harmful expression can continue to spread. How should the law respond to this phenomenon and who should be held accountable? Drawing on multidisciplinary social science scholarship from network theory and cognitive psychology, this Article describes how falsehoods spread on social networks, the different motivations to disseminate them, the gravity of the harm they can inflict, and the likelihood of correcting false information once it has been distributed in this setting. This Article will also describe the top-down influence of social media platform intermediaries, and how it enhances dissemination by exploiting users’ cognitive biases and creating social cues that encourage users to share information. Understanding how falsehoods spread is a first step towards providing a framework for meeting this challenge. The Article argues that it is high time to rethink intermediary duties and obligations regarding the dissemination of falsehoods. It examines a new perspective for mitigating the harm caused by the dissemination of falsehood. 
The Article advocates harnessing social network intermediaries to meet the challenge of dissemination from the stage of platform design. It proposes innovative solutions for mitigating careless, irresponsible sharing of false rumors. The first solution focuses on a platform’s accountability for influencing user decision-making processes. “Nudges” can discourage users from thoughtless sharing of falsehoods and promote accountability ex ante. The second solution focuses on allowing effective ex post facto removal of falsehoods, defamation, and fake news stories from all profiles and locations where they have spread. Shaping user choices and designing platforms is value laden, reflecting the platform’s particular set of preferences, and should not be taken for granted. Therefore, this Article proposes ways to incentivize intermediaries to adopt these solutions and mitigate the harm generated by the spreading of falsehoods. Finally, the Article addresses the limitations of the proposed solutions yet still concludes that they are more effective than current legal practices

    Simple Nudges for Better Password Creation

    Recent security breaches have highlighted the consequences of reusing passwords across online accounts. Recent guidance on password policies by the UK government recommends an emphasis on password length over an extended character set for generating secure but memorable passwords without cognitive overload. This paper explores the role of three nudges in creating website-specific passwords: financial incentive (present vs absent), length instruction (long password vs no instruction) and stimulus (picture present vs not present). Mechanical Turk workers were asked to create a password in one of these conditions and the resulting passwords were evaluated based on character length, resistance to automated guessing attacks, and time taken to create the password. We found that users created longer passwords when asked to do so or when given a financial incentive and these longer passwords were harder to guess than passwords created with no instruction. Using a picture nudge to support password creation did not lead to passwords that were either longer or more resistant to attacks but did lead to account-specific passwords