Search for: All records

Internet users often neglect important security actions (e.g., installing security updates or changing passwords) because they interrupt users’ main task at inopportune times. Commitment devices, such as reminders and promises, have been found to be effective at reducing procrastination in other domains. In a series of online experiments (\(n{\gt}3{,}000\)), we explored the effects of reminders and promises on users’ willingness to change a compromised password. We find that adding an option to delay the task increases the share of people willing to eventually change their password considerably. Critically, the option to delay yields this overall increase without reducing the share of people choosing to change their password immediately. Additionally, most participants who promised to change their password later, or asked to be reminded to do so, indeed followed through on their commitment, leading to a net positive effect. Reminding participants of their previous commitment further increased this effect. 

Commitment devices are a technique from behavioral economics that have been shown to mitigate the effects of present bias—the tendency to discount future risks and gains in favor of immediate gratifications. In this paper, we explore the feasibility of using commitment devices to nudge users towards complying with varying online security mitigations. Using two online experiments, with over 1,000 participants total, we offered participants the option to be reminded or to schedule security tasks in the future. We find that both reminders and commitment nudges can increase users’ intentions to install security updates and enable two-factor authentication, but not to configure automatic backups. Using qualitative data, we gain insights into the reasons for postponement and how to improve future nudges. We posit that current nudges may not live up to their full potential, as the timing options offered to users may be too rigid.