Guidelines for ethical nudging in password authentication

Karen Renaud, Verena Zimmerman

Research output: Contribution to journal (Article)

Abstract

Nudging has been adopted by many disciplines in the last decade in order to achieve behavioural change. Information security is no exception. A number of attempts have been made to nudge end-users towards stronger passwords. Here we report on our deployment of an enriched nudge displayed to participants on the system enrolment page, when a password has to be chosen. The enriched nudge was successful in that participants chose significantly longer and stronger passwords. One thing that struck us as we designed and tested this nudge was that we were unable to find any nudge-specific ethical guidelines to inform our experimentation in this context. This led us to reflect on the ethical implications of nudge testing, specifically in the password authentication context. We mined the nudge literature and derived a number of core principles of ethical nudging. We tailored these to the password authentication context, and then show how they can be applied by assessing the ethics of our own nudge. We conclude with a set of preliminary guidelines derived from our study to inform other researchers planning to deploy nudge-related techniques in this context.
Original language: English
Pages (from-to): 102-118
Number of pages: 17
Journal: SAIEE African Research Journal
Volume: 109
Issue number: 2
Early online date: 21 Feb 2018
DOI: 10.23919/SAIEE.2018.8531951
Publication status: Published - Jun 2018

Cite this

Renaud, Karen ; Zimmerman, Verena. / Guidelines for ethical nudging in password authentication. In: SAIEE African Research Journal. 2018 ; Vol. 109, No. 2. pp. 102-118.
@article{32c49fcc3f0a47778d8df76f6a80cd6e,
title = "Guidelines for ethical nudging in password authentication",
author = "Karen Renaud and Verena Zimmerman",
year = "2018",
month = "6",
doi = "10.23919/SAIEE.2018.8531951",
language = "English",
volume = "109",
pages = "102--118",
journal = "SAIEE African Research Journal",
issn = "1991-1696",
publisher = "South African Institute of Electrical Engineers",
number = "2",
}

Guidelines for ethical nudging in password authentication. / Renaud, Karen; Zimmerman, Verena.

In: SAIEE African Research Journal, Vol. 109, No. 2, 06.2018, p. 102-118.

TY - JOUR

T1 - Guidelines for ethical nudging in password authentication

AU - Renaud, Karen

AU - Zimmerman, Verena

PY - 2018/6

Y1 - 2018/6

U2 - 10.23919/SAIEE.2018.8531951

DO - 10.23919/SAIEE.2018.8531951

M3 - Article

VL - 109

SP - 102

EP - 118

JO - SAIEE African Research Journal

JF - SAIEE African Research Journal

SN - 1991-1696

IS - 2

ER -