Nudging Users to Protect Their Computing Systems

We've all seen those little messages pop up on our computer screens: "A software update is available from XYZ. Click 'Update' to install." Probably more often than not, we ignore them just as we ignored mother's good advice to "Be sure to wear a coat to school;'it's cold outside." And, just as we shivered in sub-freezing temperatures wearing a t-shirt and jeans at the bus stop, when we ignore the software update messages, we're likely to experience negative consequences.

We’ve all seen those little messages pop up on our computer screens: “A software update is available from XYZ. Click ‘Update’ to install.”  Probably more often than not, we ignore them just as we ignored mother’s good advice to “Be sure to wear a coat to school; it’s cold outside.” And, just as we shivered in sub-freezing temperatures wearing a t-shirt and jeans at the bus stop, when we ignore the software update messages, we’re likely to experience negative consequences.

Why do we carelessly risk so much, and how can we be motivated to act in our own best interests?

Dr. Mohammad Khan, an assistant professor of Computer Science & Engineering, is eager to learn the answers to those very questions.

Dr. Khan is principal investigator on a two-year, over $214,000 National Science Foundation Early Concept Grant for Exploratory Research (EAGER) award aimed at understanding how software developers can effectively motivate us to press the ‘update’ button that most often introduces security upgrades intended to repel known vulnerabilities and, in turn, protect our computers from security threats.

Collaborating with Dr. Khan on the project is Dr. Ross Buck, a professor of Communication Psychology in the Department of Communications at UConn who is renowned for his studies involving the communication of emotions.

“Skipping repeated requests to update software or ignoring security warnings while visiting unknown websites is very common and also extremely dangerous,” says Dr. Khan.

The researchers believe the root problem lies in the messages’ failure to arouse attention and convey the severity of the risk in a way that resonates with most people.  Failing to evoke an emotional reaction, the messages are often viewed as more of an annoyance than an insurance policy. “Oblique messages don’t make an emotional connection with us,” Dr. Khan explains.

Americans are motivated to go the gym, he says, by savvy media messages communicating the potential impacts of inactivity such as diabetes and heart disease. Add the constant barrage of fit Hollywood bodies on television, in advertisements and the movies, and it’s clear how our emotions are being played upon to evoke a response: “get to the gym!”

But software update messages are a different story. 

To tease out how better to reach computer users, the researchers will execute a number of different activities aligned with the Communications-Human Information Processing or C-HIP framework used to evaluate marketing strategies, according to Dr. Khan.  The messages must grab attention, evoke emotion, make sense, and resonate within the context of the user’s existing belief systems, which are informed by demographics, experiences and other factnudge1ors, he notes.

For one aspect of the study, the researchers will conduct an online survey in which various warning messages and visual cues will be displayed.  Among the messages will be those currently encountered routinely on digital devices.  Their shortcomings will be addressed initially through the pairing with “emotional appeals that command attention and evoke emotions more effectively,” Dr. Khan notes.  Survey participants – a voluntary cohort of UConn students – will rate each combination in terms of its effectiveness to induce action.

Other facets of the study will involve visual judgments of facial responses arising from exposure to different combinations of messages and visual cues.

To enhance compliance, the researchers will also develop emotional education and inoculation strategies that enable users to recognize and avoid the temptation associated with risky online behavior.

Drs. Khan and Buck anticipate that successful completion of the project will provide software vendors a more effective way to communicate the risks of running vulnerable software and to elicit a favorable response to the warning messages, specifically – users will update their software when cued to do so. 

Dr. Khan, who received his PhD from the University of Illinois at Urbana-Champaign and joined UConn in 2011, is involved in wide-ranging research revolving around smart sensor systems and various reliability aspects of large scale systems. Dr. Buck received his Ph.D. from the University of Pittsburgh. His current research involves the design of messages and interventions that educate the emotions to encourage mindful processing in risky decision-making.