Nudging users to better security

I’ve recently started reading Nudge by Richard H. Thaler & Cass R. Sunstein. The basic idea of the book is that governments, businesses, and others that present choices to individuals can—and in some cases should—arrange the choices in a way that encourage the individuals to make choices that are in their own best interests.

Here’s the definition of nudge in the authors’ own words:

A nudge, as we will use the term, is any aspect of the choice architecture that alters people’s behavior in a predictable way without forbidding any options or significantly changing their economic incentives.

They go on to talk about defaults as a powerful form of nudge. A classic example is enrolling new employees at a company into the 401(k) retirement plan by default, which encourages employees to save for retirement. (Typically, the default is for employees to not be enrolled unless they opt in.)

There are clear applications of this concept in the security world. A paper last year showed that users are more likely to have the latest version of a web browser installed if they’re using a browser like Firefox or Chrome that updates automatically by default, than if they use a browser that requires additional steps to update. Similarly, Adobe recently switched new installations of Reader from defaulting to only checking for updates to actually installing updates by default.

There is more work that can be done here. Plenty of apps still fail to even check for updates by default, even though known security issues in outdated apps are one of the leading avenues for malware infection. More browsers could default to protecting against cross-site scripting vulnerabilities. More wireless routers could default to a secure configuration. And so on.

Of course, remember that a nudge is supposed to be designed to support the individual’s self-interest. This implies that defaults have to be what most people would rationally choose if they had all the relevant information. We’ve seen cases of badware that default to bundling some irrelevant (or, worse, privacy-invading) additional piece of software without clear notice. Even legit software like Chrome may push things a little far with its completely silent, no-clear-disclosure updates that not only patch security vulnerabilities, but also change the browser’s functionality. Is this actually what users would want if they had all the information?

Every product manager at a hardware or software company should read Nudge, if only to help them think through how to configure defaults to maximize security and other benefits for their products’ users.