ABSTRACT
Commitment devices are a technique from behavioral economics that has been shown to mitigate the effects of present bias, the tendency to discount future risks and gains in favor of immediate gratification. In this paper, we explore the feasibility of using commitment devices to nudge users towards complying with varying online security mitigations. Using two online experiments, with over 1,000 participants total, we offered participants the option to be reminded or to schedule security tasks in the future. We find that both reminders and commitment nudges can increase users' intentions to install security updates and enable two-factor authentication, but not to configure automatic backups. Using qualitative data, we gain insights into the reasons for postponement and how to improve future nudges. We posit that current nudges may not live up to their full potential, as the timing options offered to users may be too rigid.
Index Terms
- A Promise Is A Promise: The Effect of Commitment Devices on Computer Security Intentions