September 13, 2024 — Internet password and security update prompts often appear at inopportune times and are thus ignored, leading Hebrew University of Jerusalem and U.C. Berkeley researchers to devise a new, simple, and effective approach that could significantly improve cybersecurity behavior.

According to a new study led by Prof. Eyal Pe’er from the Hebrew University Federmann School of Public Policy and published in ACM Transactions on Computer-Human Interaction, allowing internet users to delay important security tasks, with a promise to complete them later, increases the likelihood that they will actually perform the update.

“Security tasks often interrupt users at inconvenient times, leading to procrastination or outright neglect,” says Prof. Pe’er. “Our research shows that by allowing users to delay these and commit to completing them later, we can significantly increase the rate at which users complete critical security actions. This approach offers a practical behavioral solution to a common problem in online security.”

The series of online experiments focused on understanding how these “nudges” could affect users’ willingness to change a compromised password. The study found that participants who made a promise to change their password later or requested a reminder were much more likely to follow through on their commitment. The effect was further enhanced when participants were reminded of their previous commitment, leading to a net positive impact on cybersecurity behavior.

More than 80% of computer breaches are related to stolen, weak, or reused passwords. In 2022 alone, over 24 billion passwords were exposed by hackers.

The implications of this study are far-reaching, offering an effective strategy to improve cybersecurity compliance among internet users. By incorporating delay options and commitment nudges into security protocols, online platforms and services can better protect their users from potential security threats.

The research paper, titled “‘Protect Me Tomorrow’: Commitment Nudges to Remedy Compromised Passwords,” is now available at ACM Journals.

The study was funded with a grant from the National Science Foundation (NSF) and the US-Israel Binational Science Foundation (BSF).

Researchers:

Eyal Pe’er (1), Alisa Frik (2), Conor Gilsenan (3), Serge Egelman (2, 3)

Institutions:

  1. The Federmann School of Public Policy, Hebrew University of Jerusalem, Jerusalem, Israel
  2. International Computer Science Institute, Berkeley, USA
  3. University of California, Berkeley, USA