Background: Nudging has become a prominent approach for influencing secure digital behavior, yet its theoretical coherence and long-term effectiveness remain unclear. Objectives: This systematic review examines how the “nudging paradigm” is interpreted and operationalized in cybersecurity research and evaluates the short-term effectiveness and durability of nudging interventions on user behavior. Methods: Following PRISMA 2020 guidelines, we searched Scopus, APA PsycInfo, IEEE Xplore, and the ACM Digital Library using the query “(cybersecurity OR security) AND nudg*”. We included peer-reviewed empirical studies that explicitly self-identified their intervention as a “nudge” within a digital security context. Two reviewers independently screened records and extracted data. Studies were classified by cybersecurity domain, nudge type, and functional mechanism. Risk of bias was assessed descriptively using a behavior-analytic quality lens focusing on ecological validity, outcome type, and temporal scope. Results were synthesized narratively and descriptively at the study level. Results: Sixty-five studies (2012–December 2025) met inclusion criteria. Most focused on password security and privacy/data security. Informational/feedback nudges predominated, followed by default/design, framing, and social nudges. Many studies reported significant short-term behavioral effects, particularly when interventions embedded response-contingent feedback or altered response effort via protective defaults. Effects were most consistent for direct behavioral outcomes (e.g., password strength, clicks, configuration choices). Only one study met the criterion of post-withdrawal follow-up (≥2 weeks), and it did not demonstrate sustained maintenance of secure behavior once prompts and interface support were fully removed.
Limitations: Evidence is constrained by heterogeneous designs, frequent reliance on short online experiments, limited ecological validity, and the near absence of post-withdrawal follow-ups. Interpretation: Nudging in cybersecurity reliably produces short-term improvements when interventions modify immediate contingencies of action. However, the literature does not currently provide empirical tests of durable behavior change under full withdrawal conditions. Future research should integrate consequence-based design, assess maintenance after withdrawal, and test generalization across contexts.
The Nudging Paradigm in Cybersecurity Research: A PRISMA-Based Systematic Review / Arciulo, Lorenzo; Di Nocera, Francesco. - In: INFORMATION. - ISSN 2078-2489. - 17:(2026), pp. 1-35.
The Nudging Paradigm in Cybersecurity Research: A PRISMA-Based Systematic Review
Lorenzo Arciulo; Francesco Di Nocera
2026
| File | Type | License | Size | Format |
|---|---|---|---|---|
| Arciulo_The-Nudging-Paradigm_2026.pdf (open access) | Publisher's version (published version with the publisher's layout) | All rights reserved | 650.15 kB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.