Experimental Evidence for Using a TTM Stages of Change Model in Boosting Progress Toward 2FA Adoption

TL;DR

This study applies a health psychology model to cybersecurity, demonstrating that targeted informational interventions can effectively promote 2FA adoption among users.

Contribution

It adapts and validates the Transtheoretical Model of Change for predicting and influencing 2FA adoption behavior in a cybersecurity context.

Findings

Interventions increased progress toward 2FA adoption.

Highlighting the process of enabling 2FA was particularly effective.

Participants exposed to process-focused content showed significant improvement.

Abstract

Behavior change ideas from health psychology can also help boost end user compliance with security recommendations, such as adopting two-factor authentication (2FA). Our research adapts the Transtheoretical Model Stages of Change from health and wellness research to a cybersecurity context. We first create and validate an assessment to identify workers on Amazon Mechanical Turk who have not enabled 2FA for their accounts as being in Stage 1 (no intention to adopt 2FA) or Stages 2-3 (some intention to adopt 2FA). We randomly assigned participants to receive an informational intervention with varied content (highlighting process, norms, or both) or not. After three days, we again surveyed workers for Stage of Amazon 2FA adoption. We found that those in the intervention group showed more progress toward action/maintenance (Stages 4-5) than those in the control group, and those who received content highlighting the process of enabling 2FA were significantly more likely to progress toward 2FA adoption. Our work contributes support for applying a Stages of Change Model in usable security.