Impact of digital nudging on information security behavior: an experimental study on framing and priming in cybersecurity

Abstract: PurposePhishing attacks are the most common cyber threats targeted at users. Digital nudging in the form of framing and priming may reduce user susceptibility to phishing. This research focuses on two types of digital nudging, framing and priming, and examines the impact of framing and priming on users' behavior (i.e. action) in a cybersecurity setting. It draws on prospect theory, instance-based learning theory and dual-process theory to generate the research hypotheses.Design/methodology/approachA 3 × 2 expe… Show more

“…Dual-process theory suggests that individuals process information and form judgements, including moral judgements (Kvaran et al, 2013), through both an unconscious and automatic pathway often based on emotion and intuition (system 1) and a slower, more conscious, deliberate and considered pathway (system 2) (Sharma et al, 2021). Although system 1 thinking may be appropriate for routine information system uses, such as email checking, it is likely to be inadequate for dealing with the more complex issues associated with cybersecurity threats (Sharma et al (2021). Priming can be used to disrupt system 1 thinking and prompt individuals to activate system 2 thinking, thus heightening the likelihood that they will respond appropriately to, for example, cybersecurity risks they might be facing (Sharma et al, 2021).…”

“…Although system 1 thinking may be appropriate for routine information system uses, such as email checking, it is likely to be inadequate for dealing with the more complex issues associated with cybersecurity threats (Sharma et al (2021). Priming can be used to disrupt system 1 thinking and prompt individuals to activate system 2 thinking, thus heightening the likelihood that they will respond appropriately to, for example, cybersecurity risks they might be facing (Sharma et al, 2021). Empirical work is emerging to support this logic, with evidence that priming interventions can reduce risky behaviour related to information security (Sharma et al, 2021), that priming individuals with the negative outcomes of risky behaviours can prompt safer cybersecurity choices (Rosoff et al, 2013), and that "risk priming" can momentarily affect users' security update decisions (Shieh and Rajivan, 2021).…”

“…Priming can be used to disrupt system 1 thinking and prompt individuals to activate system 2 thinking, thus heightening the likelihood that they will respond appropriately to, for example, cybersecurity risks they might be facing (Sharma et al, 2021). Empirical work is emerging to support this logic, with evidence that priming interventions can reduce risky behaviour related to information security (Sharma et al, 2021), that priming individuals with the negative outcomes of risky behaviours can prompt safer cybersecurity choices (Rosoff et al, 2013), and that "risk priming" can momentarily affect users' security update decisions (Shieh and Rajivan, 2021). However, there is also evidence that priming may be ineffective against more sophisticated forms of cyberattacks (Junger et al, 2017).…”

“…This involves a "prime", or some type of stimulus that impacts knowledge activation, and a "target", or something that the prime is directed toward influencing (Minton et al, 2017, p. 310). Dual-process theory suggests that individuals process information and form judgements, including moral judgements (Kvaran et al, 2013), through both an unconscious and automatic pathway often based on emotion and intuition (system 1) and a slower, more conscious, deliberate and considered pathway (system 2) (Sharma et al, 2021). Although system 1 thinking may be appropriate for routine information system uses, such as email checking, it is likely to be inadequate for dealing with the more complex issues associated with cybersecurity threats (Sharma et al (2021).…”

“…To identify a potential viable means to raise awareness of cybersecurity risks, we draw inspiration from the literature showing that priming, in which an individual is reminded of a moral code, changes how people think about their own behaviour (Ariely, 2012), and this change can encourage/discourage honest/dishonest behaviour (Mazar et al (2008), including in an information security context (Sharma et al, 2021). We build on this work to examine whether priming individuals toward heightened awareness of either (1) relevant ICT policies or (2) the ethical principles underlying those polices improves their ability to identify cybersecurity breaches, when compared to receiving no priming.…”

The influence of ethical principles and policy awareness priming on university students’ judgements about ICT code of conduct compliance

“…Dual-process theory suggests that individuals process information and form judgements, including moral judgements (Kvaran et al, 2013), through both an unconscious and automatic pathway often based on emotion and intuition (system 1) and a slower, more conscious, deliberate and considered pathway (system 2) (Sharma et al, 2021). Although system 1 thinking may be appropriate for routine information system uses, such as email checking, it is likely to be inadequate for dealing with the more complex issues associated with cybersecurity threats (Sharma et al (2021). Priming can be used to disrupt system 1 thinking and prompt individuals to activate system 2 thinking, thus heightening the likelihood that they will respond appropriately to, for example, cybersecurity risks they might be facing (Sharma et al, 2021).…”

“…Although system 1 thinking may be appropriate for routine information system uses, such as email checking, it is likely to be inadequate for dealing with the more complex issues associated with cybersecurity threats (Sharma et al (2021). Priming can be used to disrupt system 1 thinking and prompt individuals to activate system 2 thinking, thus heightening the likelihood that they will respond appropriately to, for example, cybersecurity risks they might be facing (Sharma et al, 2021). Empirical work is emerging to support this logic, with evidence that priming interventions can reduce risky behaviour related to information security (Sharma et al, 2021), that priming individuals with the negative outcomes of risky behaviours can prompt safer cybersecurity choices (Rosoff et al, 2013), and that "risk priming" can momentarily affect users' security update decisions (Shieh and Rajivan, 2021).…”

“…Priming can be used to disrupt system 1 thinking and prompt individuals to activate system 2 thinking, thus heightening the likelihood that they will respond appropriately to, for example, cybersecurity risks they might be facing (Sharma et al, 2021). Empirical work is emerging to support this logic, with evidence that priming interventions can reduce risky behaviour related to information security (Sharma et al, 2021), that priming individuals with the negative outcomes of risky behaviours can prompt safer cybersecurity choices (Rosoff et al, 2013), and that "risk priming" can momentarily affect users' security update decisions (Shieh and Rajivan, 2021). However, there is also evidence that priming may be ineffective against more sophisticated forms of cyberattacks (Junger et al, 2017).…”

“…This involves a "prime", or some type of stimulus that impacts knowledge activation, and a "target", or something that the prime is directed toward influencing (Minton et al, 2017, p. 310). Dual-process theory suggests that individuals process information and form judgements, including moral judgements (Kvaran et al, 2013), through both an unconscious and automatic pathway often based on emotion and intuition (system 1) and a slower, more conscious, deliberate and considered pathway (system 2) (Sharma et al, 2021). Although system 1 thinking may be appropriate for routine information system uses, such as email checking, it is likely to be inadequate for dealing with the more complex issues associated with cybersecurity threats (Sharma et al (2021).…”

“…To identify a potential viable means to raise awareness of cybersecurity risks, we draw inspiration from the literature showing that priming, in which an individual is reminded of a moral code, changes how people think about their own behaviour (Ariely, 2012), and this change can encourage/discourage honest/dishonest behaviour (Mazar et al (2008), including in an information security context (Sharma et al, 2021). We build on this work to examine whether priming individuals toward heightened awareness of either (1) relevant ICT policies or (2) the ethical principles underlying those polices improves their ability to identify cybersecurity breaches, when compared to receiving no priming.…”

The influence of ethical principles and policy awareness priming on university students’ judgements about ICT code of conduct compliance

Security Mental Models and Personal Security Practices of Internet Users in Africa

Combating Digital Exclusion with Cybersecurity Training – An Interview Study with Swedish Seniors