DOI: 10.1145/3290605.3300834
research-article
Open Access

A Promise Is A Promise: The Effect of Commitment Devices on Computer Security Intentions

Published: 02 May 2019

ABSTRACT

Commitment devices are a technique from behavioral economics that has been shown to mitigate the effects of present bias, the tendency to discount future risks and gains in favor of immediate gratifications. In this paper, we explore the feasibility of using commitment devices to nudge users towards complying with varying online security mitigations. Using two online experiments, with over 1,000 participants total, we offered participants the option to be reminded or to schedule security tasks in the future. We find that both reminders and commitment nudges can increase users' intentions to install security updates and enable two-factor authentication, but not to configure automatic backups. Using qualitative data, we gain insights into the reasons for postponement and how to improve future nudges. We posit that current nudges may not live up to their full potential, as the timing options offered to users may be too rigid.


Published in

CHI '19: Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems
May 2019
9077 pages
ISBN: 9781450359702
DOI: 10.1145/3290605

Copyright © 2019 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 2 May 2019


Acceptance Rates

CHI '19 Paper Acceptance Rate: 703 of 2,958 submissions, 24%
Overall Acceptance Rate: 6,199 of 26,314 submissions, 24%
