Abstract
Persuasive techniques and persuasive technologies have been suggested as a means to improve user cybersecurity behaviour, but there have
been few quantitative studies in this area. In this paper, we present a large-scale
evaluation of persuasive messages designed to encourage University staff
to complete security training. Persuasive messages were based on Cialdini’s
principles of persuasion, randomly assigned, and transmitted by email. The
training was real, and the messages sent constituted the real campaign to
motivate users during the study period. We observed statistically significant
variations, but with mild effect sizes, in participant responses to the persuasive
messages. ‘Unity’ persuasive messages that had increased emphasis on the collaborative role of individual users as part of an organisation-wide team effort
towards cybersecurity were more effective compared to ‘Authority’ messages
that had increased emphasis on a mandatory obligation of users imposed by a
hierarchical authority. Participant and organisational factors also appear to impact upon participant responses. The study suggests that the use of messages
emphasising different principles of persuasion may have different levels of effectiveness in encouraging users to take particular security actions. In particular, it suggests that the use of social capital, in the form of increased emphasis of ‘unity’, may be more effective than increased emphasis of ‘authority’. These findings motivate further studies of how the use of social capital may be beneficial for encouraging individuals to adopt similar positive security behaviours.
Original language | English |
---|---|
Publication status | Published - 22 Aug 2022 |
Event | Social Informatics 2022: The 13th International Conference on Social Informatics, Glasgow, United Kingdom. Duration: 19 Oct 2022 → 21 Oct 2022. http://www.dcs.gla.ac.uk/socinfo2022/index.html |
Conference
Conference | Social Informatics 2022 |
---|---|
Country/Territory | United Kingdom |
Period | 19/10/22 → 21/10/22 |
Bibliographical note
This research was supported by the UKRI EPSRC award: EP/P011829/1.
Keywords
- Cybersecurity
- Behaviour change
- Persuasive technology
- Actual effectiveness
- Quantitative field study