Choice Architecture for Information Security

Dates: February 2013 – December 2016

Lead researchers: Professor Aad Van Moorsel, Newcastle University

Overview 

This project sought to understand how people make decisions regarding their security and privacy, by examining the psychological factors involved in decision-making. The work identified nudging techniques that influence human behaviours. This finding can be useful in information security, as it will aim to modifying or changing individuals’ behaviours that compromise their company’s privacy and cyber security, instead of forcing more and more rigid security policies on employees.

The research team published an approach for practitioners to discuss and introduce nudges in design of privacy and security tools, based on the MINDSPACE framework of influences on behaviour change (such as the messenger and incentives). The approach, SCENE, is a co-creation based on five stages involving stakeholders: (i) Scenario elicitation; (ii) Co- creating nudges; (iii) Election of nudge(s) for further development; (iv) Nudge prototyping and (v) Evaluation of prototype(s). During these five stages, a nudge intervention is developed and evaluated. The framework acknowledges the role that users increasingly play in the security decision making process.

Policy implications

The proposed tool could help practitioners and academics to develop a strong evidence base for different interventions while being practical for organisations. It may be useful for policymakers looking at trade-offs between organisational security and practicality. The findings link to the DCMS area of research interest to: “evaluate what drives organisations’ cyber security practices. This includes how to influence organisations to take action to protect themselves, identifying which actors to drive behaviour change, how decisions are made, and what information organisations would find useful in assessing risks and taking investment decisions.”

Methods

Development of choice architecture, stealth tools and prototypes for the nudge intervention, evaluation.

Funders: EPSRC

External collaborators: Metropolitan Police

Follow on work: EPSRC Funded project (EP/R033595/1) FinTrust: Trust Engineering for the Financial Industry, which runs until July 2021.

Skills

Posted on

December 9, 2021