Nudging Users to Change Breached Passwords Using the Protection Motivation Theory
Yixin Zou, Khue Le, Peter Mayer, Alessandro Acquisti, Adam J. Aviv, Florian Schaub

TL;DR
This study applies the Protection Motivation Theory to design nudges that encourage users to change breached passwords, demonstrating that threat and coping appeals can influence password change intentions and behaviors.
Contribution
It introduces a PMT-based framework for security nudges and evaluates their effectiveness in motivating password changes through an online experiment.
Findings
Threat appeals increase password change intentions.
Combined threat and coping appeals lead to higher actual password changes.
Password change behavior correlates with security attitudes and time since breach.
Abstract
We draw on the Protection Motivation Theory (PMT) to design nudges that encourage users to change breached passwords. Our online experiment (=) compared the effectiveness of a threat appeal (highlighting negative consequences of breached passwords) and a coping appeal (providing instructions on how to change the breached password) in a 2x2 factorial design. Compared to the control condition, participants receiving the threat appeal were more likely to intend to change their passwords, and participants receiving both appeals were more likely to end up changing their passwords; both comparisons have a small effect size. Participants' password change behaviors are further associated with other factors such as their security attitudes (SA-6) and time passed since the breach, suggesting that PMT-based nudges are useful but insufficient to fully motivate users to change their…
Taxonomy
Topics: User Authentication and Security Systems · Privacy, Security, and Data Protection · Information and Cyber Security
