The Nudge Puzzle: Matching Nudge Interventions to Cybersecurity Decisions
VERENA ZIMMERMANN, Technische Universität Darmstadt, Germany
KAREN RENAUD, University of Strathclyde, Scotland, Rhodes University, South Africa
Nudging is a promising approach, in terms of influencing people to make advisable choices in a range of domains, including cybersecurity. However, the processes underlying the concept, the nudge’s effectiveness in different contexts, and in the long term, are still poorly understood. Our research thus first reviewed the nudge concept and differentiated it from other interventions before applying it to the cybersecurity area. We then carried out an empirical study to assess the effectiveness of three different nudge-related interventions on four types of cybersecurity-specific decisions. Our study demonstrated that the combination of a simple nudge and information provision, termed a “hybrid nudge”, was at least as, and in some decision contexts even more effective in encouraging secure choices as the simple nudge on its own. This indicates that the inclusion of information when deploying a nudge, thereby increasing the intervention’s transparency, does not necessarily diminish its effectiveness.
A follow-up study explored the educational and long-term impact of our tested nudge interventions to encourage secure choices. The results indicate that the impact of the initial nudges, of all kinds, did not endure. We conclude by discussing our findings and their implications for research and practice.
CCS Concepts: • Human-centered computing → Empirical studies in HCI; HCI theory, concepts and models; • Security and privacy → Social aspects of security and privacy;
Additional Key Words and Phrases: Nudging; Security; Privacy; Decision Making; Feedback; Information
ACM Reference Format:
Verena Zimmermann and Karen Renaud. 2020. The Nudge Puzzle: Matching Nudge Interventions to Cybersecurity Decisions.
ACM Trans. Comput.-Hum. Interact. 1, 1, Article 1 (January 2020), 43 pages. https://doi.org/10.1145/nnnnnnn.nnnnnnn
1 INTRODUCTION
We are confronted, daily, with the need to make a plethora of decisions, each of which is influenced both by the dimensions of the decision itself and by the context of the decision, i.e. the choice architecture. The Nobel prize winner, Richard Thaler, together with Cass Sunstein, introduced the world to nudges in 2008 [83]. Nudges are effectively ways of tweaking the choice architecture to influence people’s choices. Some countries’ governments, including the USA, the UK and Australia [16, 29, 56, 82], have established units to study and deploy nudge-related interventions to improve the welfare of their citizens.
The nudge concept originated from the field of behavioral economics and has been applied in a variety of contexts. It has gained prominence in contexts such as health [45], energy consumption [5, 69] and road safety [83]. Nudges have also been deployed in the digital world, referred to as “digital nudging” [93]. This has become increasingly important as the boundaries between the digital and physical worlds blur due to the widespread diffusion of smart technologies.
Authors’ addresses: Verena Zimmermann, zimmermann@psychologie.tu-darmstadt.de, Technische Universität Darmstadt, Darmstadt, Germany; Karen Renaud, University of Strathclyde, Glasgow, Scotland, Rhodes University, Grahamstown, South Africa, karen.renaud@strath.ac.uk.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
© 2020 Copyright held by the owner/author(s). Publication rights licensed to ACM.
1073-0516/2020/1-ART1 $15.00
https://doi.org/10.1145/nnnnnnn.nnnnnnn
An important application area of digital nudging is the domain of human-centred cybersecurity. In some ways, cybersecurity decisions are very similar to other kinds of decisions. The information people have, and the biases they are subject to, influence all their decisions. On the other hand, cybersecurity decisions have some distinguishing features. Security is a relatively intangible concept and often invisible to users in the digital world. For example, the appearance of a website does not necessarily align with its security and privacy features. Even a security breach might not be immediately visible or experiential. For example, the link between the unauthorized sharing of one’s email address by one service provider and the later receipt of spam mails might never be revealed. Furthermore, security is often not the user’s primary aim. People usually engage in a security ceremony because they are required to do so, not because it is their primary goal. For example, someone wants to connect to a WiFi to check their email while shopping (their primary aim). To do this, they have to choose a WiFi to connect to, and security might not be uppermost in their mind. Nudging can make the security and privacy dimensions of the decision more salient.
The eld of human-centred cybersecurity aims to support people in behaving more securely [
30
,
73
,
87
], or
in adopting measures to preserve their privacy while online [
24
]. For example, one cybersecurity-related study
trialled a number of nudges to identify the one that would encourage stronger passwords [
73
]. A privacy-related
nudge attempted to persuade people to choose the most secure WiFi to connect to [85].
To qualify as a nudge, an intervention should not forbid or significantly alter the economic incentives of the pre-nudge options [83]. Yet the original definition was perhaps not precise enough to delineate exactly what counts as a nudge [37, 75]. For example, if a web page displays password strength requirements, does that count as a nudge? What about nagging people into installing software updates? This kind of ambiguity prompted researchers to develop alternative and more precise definitions [21, 38, 49, 55, 72, 75], in an attempt to bring more clarity to the domain, but their definitions also differ from each other.
The experimental results across the digital nudge domain have been somewhat mixed. While some interventions led to positive behavioral change, others did not. A review of nudging in HCI, for example, found that about a third of the studied nudges did not lead to a significant effect. Moreover, the authors did not uncover an obvious relationship between the applied nudge mechanism and its effectiveness [22]. Even more puzzling is the fact that particular nudges work well in one context but do not exert influence in others. An example is that of visual password strength prompts that worked in some contexts [87] but did not prompt the choice of stronger passwords in others [71, 89].
These examples do not prove that nudges in general, and cybersecurity nudges in particular, are ineffective or unreliable. What they do is highlight the strong influence exerted by the decision context, the nudge design, and their interaction. The potential interactions between the nudge and the choice architecture are not yet well enough understood and require more evidence from empirical research [22, 28]. Understanding what counts as a nudge and how nudges exert their influence is important, in terms of informing deployment decisions, and also to facilitate discussions about their ethical implications. The latter includes aspects such as their transparency, long-term and/or side effects (see [38] and [72] for ethical nudge considerations). Moreover, understanding the mechanisms behind nudges might save nudge designers from engaging in unsuccessful and expensive trials before identifying an effective nudge. Guidance to inform effective and responsibly designed nudges would be helpful.
Related work, to date, identifies at least four research areas requiring further investigation to bring us closer to understanding the nudge concept and to inform effective cybersecurity-related nudge design (Figure 1):
1. What counts as a nudge?
2. How do nudges exert their influence?
3. Which nudges should be deployed in different contexts? Context is a complex and multidimensional concept. Here, we focus on the nature of the cybersecurity-related decision as the contextual factor of interest.
4. Does the nudge influence subsequent decisions in the same general choice architecture, taking place in the absence of the nudge?
Fig. 1. The dimensions studied: the Choice Architecture with (1) the Nudge Interventions, (2) the Targeted Information Processes, (3) the Context within the Decision Types, and (4) the Varying Decisions
To support cybersecurity researchers and nudge designers, this research targets these questions by analyzing the mechanisms behind different types of cybersecurity-related nudge interventions and their impacts on various kinds of security-related decisions.
In an extensive two-part study, four different security decisions representing various types of decisions were studied as one contextual factor. These included password creation, choice of a public WiFi, smartphone encryption, and choice of a cloud service provider. In the main study, the effects of three kinds of nudge interventions were analysed in terms of their impact on the four decision types. We differentiated between simple nudges, information provision, and a combination of the two labelled a ‘hybrid nudge’. In a follow-up study about two weeks later, in which the intervention was absent, the durability of the previous nudge interventions’ influence was tested.
We found that the combination of a nudge and educational information provision, the ‘hybrid nudge’, was at least as, or even more effective in encouraging secure user choices than a simple nudge or information provision on its own. This was true across all analysed decision contexts. Our findings indicate that enhancing nudge transparency, by providing explanatory information, does not diminish the power of the nudge and is also ethically more palatable. However, the follow-up study revealed limited durability of all the tested nudge interventions’ impact, in terms of their influence on subsequent security-related decisions in the absence of the intervention.
Contributions: First, we clarify the nudge concept to arrive at a shared understanding to help us to distinguish different types of interventions from each other based on the human information processes they target.
Second, we analyze the impact of different cybersecurity-related interventions that are designed based on the differentiation resulting from the first contribution on different kinds of representative decisions to measure their individual and combined impact on security-related decisions.
Third, we distinguish different dimensions of security decisions (frequency and complexity) to explore the interplay between the nudge intervention and the type of the decision, as one contextual factor.
Fourth, we explore the durability of the impact of different nudge types by conducting a follow-up study requiring people to make the same decisions in a nudge-free choice architecture.
Structure: We commence with a related work section in Section 2 to address the four questions in more detail, before explaining how this research addresses each of these to derive a more holistic overview of the ‘nudge’ in the cybersecurity domain. We then proceed, in Section 3, to clarify the nudge-related interventions as applied in this study, and outline the decision dimensions that were used to represent different choice architectures. The empirical study design is detailed next (Section 4), followed by the results (Section 5) and discussion in Section 6, which includes some guidelines to guide cybersecurity researchers in deploying nudges. We consider the ethical aspects of our nudges in Section 7 and the limitations of this study in Section 8. Section 9 discusses and reflects on our findings and their implications for research and practice in nudge-related research and deployment.
2 RELATED RESEARCH: NUDGING
This section explores the questions outlined in the introduction by summarizing the related work and providing relevant background information. Each subsection ends with a statement on how this research addresses each question. The final subsection considers related research into the use of nudges in cybersecurity and privacy.
2.1 Addressing the Four Questions
1. What counts as a nudge?
Thaler and Sunstein defined a nudge as “any aspect of the choice architecture that alters people’s behavior in a predictable way without forbidding any options or significantly changing their economic incentives. To count as a mere nudge, the intervention must be cheap and easy to avoid” [83, p.6]. Later definitions and extensions by nudge researchers highlight the fact that option-specific economic incentives should be avoided, and also that all options should be equal in terms of cost (e.g., time, effort, or social sanction) [40]. Another core element is the role of automatic cognitive processes in human decision-making and consideration of how nudges exploit these predictably to influence behaviors [21, 37, 40]. Automatic cognitive processes can be described as intuitive, effortless, fast, and unconscious [38, 61]. Examples include cognitive biases such as the hindsight bias (tendency to believe to have known outcomes beforehand), heuristics such as the availability heuristic (tendency to overestimate the likelihood of events easily available in the memory), or other learned processes such as routines.
In general, the term ‘nudging’ has been applied to a wide variety of interventions, and a number of subsequently formulated definitions and classifications extend the original one proposed by Thaler and Sunstein. Additional, related concepts such as ‘sludge’ or ‘code’ [21] have also been introduced. Some researchers suggest that the definition of a nudge might not be sharp enough to separate nudges from related interventions such as incentives or feedback mechanisms [37, 75]. Furthermore, Marchiori et al., referring to decades of psychological research, conclude that nudging is not a “new” research field but a clever application of knowledge on behavior change and decision-making, that is now finding its way into policy-making and consumer welfare [49, p.3] and argue that many interventions in psychological studies could retrospectively be labelled as ‘nudges’. This kind of ambiguity is likely to contribute to the existing confusion about whether or not a tested intervention actually counts as a nudge.
For example, consider the blacklisting of weak passwords, which could be considered to nudge people towards stronger passwords. This, however, does not satisfy Thaler and Sunstein’s definition, which does not allow the removal of any pre-nudge option. What about making people pay more for software that gives them control over software updates [9]? This scheme makes automatically-updating software the cheaper option. This, too, is not a nudge because nudges ought not to introduce economic differences between pre-nudge options.
To clarify the meaning of the nudge term, we first consolidate the different definitions of nudges touched upon above, and then distinguish those from related intervention types.
In summary, the following criteria apply to an intervention that can be termed a ‘nudge’:
Predictability: Nudges should influence nudgees in a predictable way and towards a predicted outcome.
Automatic cognitive processes: Nudges exploit automatic cognitive processes such as well known biases and heuristics.
Equality of costs: No choice should be more costly financially or economically, or in terms of time, effort, or social sanction.
Preservation of choices: The nudge should not remove or ban any pre-nudge choice.
The concept of nudges, as envisioned by Thaler and Sunstein, is intended to be used “for good”, that is, to facilitate “better” decision making and behaviors. Examples are choices leading to better health, wiser financial decisions, or more secure behaviors. They emphasize this by signing copies of their book with the words: “nudge for good” (as reported by Hansen and Jespersen [38]). Even though the nudge designer might be well intended, it might sometimes be difficult to discern whether an intervention is beneficial for all nudgees with idiosyncratic goals and needs, or for decisions where there is no unanimity about what the best choice actually is.
Even so, there are clear cases where the nudge designer might deploy nudges to benefit him or herself or their employer. An example would be an organization deploying nudges to prompt nudgees to buy the most expensive enterprise-level antivirus software merely to increase their profit margins when a home version is all the individual needs. This kind of influence would be termed ‘sludge’ [41].
Calo [21] differentiates three different kinds of interventions, one of which is the nudge. The next is a ‘code’, which manipulates the environment to make the undesirable behavior more difficult. Consider, for example, speed bumps that require drivers to slow down if they do not want to damage their cars. The difference from the nudge concept is that a code is not as “cheap and easy to avoid” as a nudge. An oft-cited example of a nudge used to target the same behavior is a traffic sign displaying a sad face if the driver exceeds the speed limit and a happy face if the driver slows down. These could easily be ignored by the driver without undue penalty. Another difference might be the focus of the intervention. While codes aim to decrease an undesired behavior, nudges often aim to increase the incidence of the desired behavior (though exceptions are possible, see, for example, the differentiation of nudges encouraging or discouraging behavior as proposed by [42]).
The third intervention type proposed by Calo [21] is a ‘notice’, i.e. the provision of information that can take the form of information texts or reminders. Mere information provision is also distinguished from the concept of nudging by other researchers [12, 62]. According to Osman [62], this differentiation is important, because otherwise nearly every intervention could be considered a nudge and the nudge agenda would thus be rendered unfalsifiable. Previous studies suggest that mere information provision does not reliably change behaviors [60], perhaps because it does not benefit from the power nudges have by targeting cognitive bias, as suggested by Renaud and Zimmermann [72], or perhaps because of the effort associated with processing the provided information.
Contribution: Before analysing the effects of nudging, this research first establishes a definition of the nudge concept to separate it from related concepts. Building on that definition, this research contributes by examining the effectiveness of different nudges and nudge-related interventions individually and in combination. In doing so, the research targets unresolved questions related to the impact of different interventions aimed at a combination of cognitive processes [28].
2. How do nudges exert their influence?
Nudges activate automatic cognitive processes, such as biases and heuristics, to encourage people to decide in a particular way. Particularly in the area of politics and public policy, this includes guidance provided by the authorities, while preserving the user’s freedom of choice, and has often been linked to the term ‘libertarian paternalism’ [12, 37, 83]. However, this kind of intervention has not been unanimously welcomed and has triggered a discussion around the ethics of nudging and the argument that libertarian paternalism is essentially a contradiction in terms.
One criticism concerns the acknowledgement that nudges essentially manipulate choice by activating automatic cognitive processes and nudgees might well be unaware of their influence [65, 95]. In essence, the nudgee might
An example of a hybrid cybersecurity nudge is Renaud and Zimmermann’s [73] combination of a simple nudge and information provision to persuade people to choose stronger passwords.