Design and Evaluation of Security and Privacy Nudges: From Protection Motivation Theory to Implementation Intentions

Americans often express concern about their digital security and privacy, yet adoption of security and privacy tools and best practices remains inconsistent. The fields of psychology and behavioral economics offer explanations for this apparent discrepancy, and suggest nudging interventions as a potential solution. Nudges can take many forms, but what nudges have in common is that they should help people

make decisions that align with their stated preferences.

My research centers on designing nudges to encourage the adoption of security and privacy tools. My major contribution is the introduction of implementation intention nudges to the field of computer security and privacy. Implementation intentions are plans which help people initiate behaviors (action plans) and overcome obstacles (coping plans). The effectiveness of implementation intentions has been

demonstrated in many other contexts, but my work is the first to test them in the context of computer security and privacy. By studying implementation intentions in this context, I offer security and privacy advocates a greater understanding of how this type of nudge can help the public protect themselves from digital threats. In my first chapter of completed work, I describe my study of nudges designed

to encourage adoption of secure mobile payment systems. I tested nudges based on both action planning implementation intentions and protection motivation theory

(PMT). I found that participants in both my treatment conditions used Apple Pay more than those in my control condition. Encouraged by these findings, I sought to

identify other technologies which might benefit from similar nudging interventions. Thus, I conducted a survey of people’s use of and beliefs about web browsing-related

privacy tools, which I describe in my next chapter. I found that the most commonly adopted tools did little to address participants’ greatest privacy concerns. Based on

these findings, I conducted a study of implementation intention nudges designed to help people adopt Tor Browser, which is the subject of my final chapter of completed

work. In this study, I tested nudges based on PMT, action planning implementation intentions, and coping planning implementation intentions. These nudges incorporated

the recommendations from my second chapter study. I found that my coping planning nudge increased use of Tor Browser in the short-term, while my PMT-based nudge increased use of Tor Browser in both the short- and long-term. In my final

chapter, I summarize my research, describe ethical considerations when deploying nudges, and enumerate open research questions relevant to large-scale deployment

of nudges.