Equitable Security: Optimizing Distribution of Nudges and Resources

Security behaviors can help users avoid incidents, but can also increase costs, both to users -- in time and mental effort -- and to platforms -- in user engagement and engineering resources. As such, we should consider when it is most efficient and effective to encourage security behaviors. Recent work has shown that users attempt to make security decisions based on cost-benefit tradeoffs (boundedly rationally). Yet, sometimes security nudges (e.g., create unique passwords for every website) encourage users toward irrational behavior: creating strong, unique passwords even for those sites that contain no personal data. In this work-in-progress, we present a mechanism design (a framework) that can be used to optimize the distribution of security nudges and requirements among users with different levels of risk or different levels of investment in a given system. Further, we introduce a new paradigm: the distribution of resources (e.g., YubiKeys) that can lower the cost of security behaviors to those users with the most need (the highest time cost from 2FA or lowest Internet skill). Future work will involve simulations showing the value of optimizing distribution of nudges and resources using this framework, and evaluating such an approach in a live test.
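To make the cost-benefit view concrete, the following toy model is an added example written for this page; it is not the paper's framework and does not claim to reproduce it. It assumes a per-user estimate of breach probability, account value, annualized 2FA friction cost and Internet skill (all constructed sample values), treats a nudge as rational only when the expected loss averted exceeds the user's cost, and hands out a limited number of hardware keys to the users whose net benefit rises most once a key lowers their friction. The 2FA effectiveness figure and the key's cost-reduction formula are assumptions chosen for illustration.

```python
"""Toy allocation of security nudges and hardware keys by cost-benefit.

Illustrative model added for this page, not the paper's framework.
All user records and parameters below are constructed for the example.
"""
from dataclasses import dataclass

TWOFA_EFFECTIVENESS = 0.9  # assumed fraction of compromises that 2FA prevents


@dataclass(frozen=True)
class User:
    uid: str
    breach_prob: float      # estimated annual probability of compromise without 2FA
    account_value: float    # harm if compromised, in the same units as costs (e.g. dollars)
    twofa_time_cost: float  # annualized friction cost of app/SMS 2FA for this user
    skill: float            # Internet skill in [0, 1]; lower skill makes 2FA costlier


def loss_averted(u: User) -> float:
    """Expected annual loss that requiring 2FA would prevent for this user."""
    return u.breach_prob * u.account_value * TWOFA_EFFECTIVENESS


def net_benefit(u: User, twofa_cost: float) -> float:
    """A nudge is rational only when averted loss exceeds the user's cost.

    Clamped at zero: if the nudge is not worth it, the platform should not
    issue it, so the realised net benefit is zero rather than negative.
    """
    return max(0.0, loss_averted(u) - twofa_cost)


def cost_with_key(u: User) -> float:
    """Friction cost once the user holds a hardware key (assumed model).

    A key removes typing codes and phone round-trips; we assume it cuts the
    user's 2FA cost by 50%, plus up to 30% more for low-skill users, who
    the page identifies as those with the most to gain.
    """
    reduction = 0.5 + 0.3 * (1.0 - u.skill)
    return u.twofa_time_cost * (1.0 - reduction)


def recommend_nudges(users: list[User]) -> list[str]:
    """Users for whom a 2FA nudge is rational without any extra resources."""
    return [u.uid for u in users if net_benefit(u, u.twofa_time_cost) > 0]


def key_gain(u: User) -> float:
    """Increase in net benefit if this user is given a hardware key."""
    return net_benefit(u, cost_with_key(u)) - net_benefit(u, u.twofa_time_cost)


def allocate_keys(users: list[User], n_keys: int) -> list[str]:
    """Give a fixed budget of keys to the users with the largest gain.

    Each user gets at most one key and gains are independent, so taking the
    top-n by gain is optimal for this toy objective. Users whose gain is
    zero (2FA still not worth it even with a key) receive nothing.
    """
    ranked = sorted(users, key=key_gain, reverse=True)
    return [u.uid for u in ranked[:n_keys] if key_gain(u) > 0]


# Constructed sample population. bob's account holds little of value, so a
# unique-password/2FA nudge would be the kind of irrational push the page warns
# about; carol and dave carry high cost or low skill and benefit most from a key.
USERS = [
    User("alice", breach_prob=0.05, account_value=2000.0, twofa_time_cost=40.0, skill=0.9),
    User("bob",   breach_prob=0.02, account_value=500.0,  twofa_time_cost=60.0, skill=0.3),
    User("carol", breach_prob=0.10, account_value=3000.0, twofa_time_cost=80.0, skill=0.2),
    User("dave",  breach_prob=0.03, account_value=4000.0, twofa_time_cost=100.0, skill=0.5),
]

if __name__ == "__main__":
    print("nudge 2FA to:", recommend_nudges(USERS))
    for u in USERS:
        print(f"{u.uid:6s} averted={loss_averted(u):7.1f} gain_from_key={key_gain(u):6.1f}")
    print("2 keys go to:", allocate_keys(USERS, 2))
```

With this population the model nudges alice, carol and dave but not bob, whose low-value account makes the friction cost exceed the expected loss averted, and the two available keys go to dave and carol, the users with the highest friction cost and the lowest skill respectively. Swapping in real telemetry for the constructed estimates is where a live evaluation of this kind of framework would start.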