CMU-ISR-21-107
Institute for Software Research
School of Computer Science, Carnegie Mellon University




Design and Evaluation of Security and Privacy Nudges:
From Protection Motivation Theory to Implementation Intentions

Peter Story

August 2021

Ph.D. Thesis
Societal Computing

CMU-ISR-21-107.pdf


Keywords: Nudges, privacy, security, technology adoption, protection motivation theory, implementation intentions, action plans, coping plans

Americans often express concern about their digital security and privacy, yet adoption of security and privacy tools and best practices remains inconsistent. The fields of psychology and behavioral economics offer explanations for this apparent discrepancy, and suggest nudging interventions as a potential solution. Nudges can take many forms, but what nudges have in common is that they should help people make decisions that align with their stated preferences.

My research centers on designing nudges to encourage the adoption of security and privacy tools. My major contribution is the introduction of implementation intention nudges to the field of computer security and privacy. Implementation intentions are plans which help people initiate behaviors (action plans) and overcome obstacles (coping plans). The effectiveness of implementation intentions has been demonstrated in many other contexts, but my work is the first to test them in the context of computer security and privacy. By studying implementation intentions in this context, I offer security and privacy advocates a greater understanding of how this type of nudge can help the public protect themselves from digital threats.

In my first chapter of completed work, I describe my study of nudges designed to encourage adoption of secure mobile payment systems. I tested nudges based on both action planning implementation intentions and protection motivation theory (PMT). I found that participants in both my treatment conditions used Apple Pay more than those in my control condition. Encouraged by these findings, I sought to identify other technologies which might benefit from similar nudging interventions. Thus, I conducted a survey of people's use of and beliefs about web browsing-related privacy tools, which I describe in my next chapter. I found that the most commonly adopted tools did little to address participants' greatest privacy concerns. Based on these findings, I conducted a study of implementation intention nudges designed to help people adopt Tor Browser, which is the subject of my final chapter of completed work. In this study, I tested nudges based on PMT, action planning implementation intentions, and coping planning implementation intentions. These nudges incorporated the recommendations from my second chapter study. I found that my coping planning nudge increased use of Tor Browser in the short term, while my PMT-based nudge increased use of Tor Browser in both the short and long term. In my final chapter, I summarize my research, describe ethical considerations when deploying nudges, and enumerate open research questions relevant to large-scale deployment of nudges.

196 pages

Thesis Committee:
Norman Sadeh (Chair)
Lorrie Faith Cranor
Alessandro Acquisti
Florian Schaub (University of Michigan)
Yaxing Yao (University of Maryland, Baltimore County)
James D. Herbsleb, Director, Institute for Software Research
Martial Hebert, Dean, School of Computer Science

