Abstract
The field of behavioural cybersecurity, with a focus on the behaviour of end-users when working to improve the overall cybersecurity of a system or organisation, is gaining ground. As the field is still relatively small, most of the focus lies on awareness campaigns, or the occasional behavioural change intervention. Another way of looking at improving cybersecurity behaviour is by taking a closer look at the way systems present options and choices to end-users. The selection, design, and presentation of these options can strongly influence end-users’ behaviour, thereby hindering or supporting the security of systems. These options can be categorised under two approaches: nudging and techno-regulation. The former aims to gently push end-users towards a preferred (safer) course of action, while the latter forcefully removes any unwanted (riskier) options, thereby improving cybersecurity at the cost of freedom of choice. The current paper outlines and compares these two approaches in terms of mechanisms, effectiveness, and potential unwanted side effects. Furthermore, the applicability of these methods to improve cybersecurity behaviour and the ethical dilemmas associated with applying these methods are discussed.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
van Steen, T. (2022). When Choice is (not) an Option: Nudging and Techno-Regulation Approaches to Behavioural Cybersecurity. In: Schmorrow, D.D., Fidopiastis, C.M. (eds) Augmented Cognition. HCII 2022. Lecture Notes in Computer Science, vol 13310. Springer, Cham. https://doi.org/10.1007/978-3-031-05457-0_10
DOI: https://doi.org/10.1007/978-3-031-05457-0_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-05456-3
Online ISBN: 978-3-031-05457-0
eBook Packages: Computer Science, Computer Science (R0)