Cyber-Nudging: Incentive Systems and Choice Architectures for Organizational Security
Human errors and malpractices, such as downloading malware, falling for phishing attacks, and choosing weak passwords, are at the root of many cybersecurity failures. These failures are incredibly harmful, not just to the person who fell for the attack, but to all the organization’s information systems and networks. Recent approaches have shown the potential of incentivizing and nudging users in cyber security. Unlike hard enforcement, softer forms of persuasion can be more effective in environments in which users need to be both productive and safe, allowing the user to optimize a specific decision according to the particular circumstances. However, finding the best way to incentivize users is challenging, due to the rarity of cyber-attacks for a single person. Furthermore, organizations have intricate work, legal, and social relations, making the most widespread types of nudging hard to implement.
In this project, we aim to investigate in nudging mechanisms, that aim to gently push users to safer and more responsible cyber behavior. We plan to design, develop, and evaluate non-monetary incentive systems and nudging mechanisms that have the potential to work in real-world organizations. We will test our designs in experimental conditions, evaluating whether they positively affect the safety behavior of the users while not harming their productivity. We will develop and test a new kind of incentive mechanism, which we call interaction incentives. This type of incentives relies on our ability to make computing experiences more or less usable, based on the behavior of the user. We will combine these incentives with different types of explanations and gamified environments to find out how can we point to safer behavior, without limiting users.