Sonya Mann, @sonyaellenmann
- nudging users toward better security habits, using passwords as example
- Background, Context:
- normal folks ("non-technical people") have bad security habits
- not lazy or stupid, rather different priorities
- no social pressures in private life re: password hygiene
- not on high alert if haven't experienced identity theft, password takeover
- examples of bad password hygiene (larger population and Mark Zuckerberg)
- gonna assume/skip over the technical bits of security which should just be in place: HTTPS everywhere, hash and salt passwords, eliminate XSS opportunities, multiple account management, etc.
- behavior design: guiding users toward desired (more secure) actions
- combo of limiting options, incentivizing desired behaviors
- irritating the user until they do what you want
- ~ manipulation, persuasion
- examples (not necessarily security, just of behavior design more generally) with cognitive dissonance:
- http://confirmshaming.tumblr.com/ (e.g. choice between desired yes-type response and "No, I like to make bad choices")
- Amazon making you claim you're not you in order to sign out
- Security-Focused Behavior Design:
- good copywriting
- talk about benefits, rather than features
- instead of the mechanism, talk about how it'll improve the user's life
- appeal to unsatisfied needs
- good security habits work by creating friction
- so yes, that friction can also be friction for the user to sign up/convert
- A/B test!
- consider the tradeoffs and evaluate your priorities