Background. Persuasive techniques and persuasive technologies have been suggested as a means to improve user cybersecurity behaviour, but there have been few quantitative studies in this area. Aim. To gather empirical evidence of the actual effectiveness, in the wild, of Cialdini's persuasive principles in motivating users to take security action, using the case of encouraging an organisation's users to engage with security training. Methods. We conducted a large-scale evaluation of persuasive messages designed to encourage University staff to complete security training. Persuasive messages were based on Cialdini's principles of persuasion and transmitted by email. The training was real, and the messages sent constituted the real campaign to motivate users during the study period. Results. We observed statistically significant variations, but with mild effect sizes, in participant responses to the persuasive messages. 'Unity' persuasive messages that had increased emphasis on the collaborative role of individual users as part of an organisation-wide team effort towards cybersecurity were more effective compared to 'Authority' messages that had increased emphasis on a mandatory obligation of users imposed by a hierarchical authority. Participant and organisational factors also appear to impact upon participant responses.
Conclusion. The study suggests that the use of messages emphasising different principles of persuasion may have different levels of effectiveness in encouraging users to take particular security actions. In particular, it suggests that the use of social capital, in the form of increased emphasis of 'unity', may be more effective than increased emphasis of 'authority'. These findings motivate further studies of how the use of social capital may be beneficial for encouraging individuals to adopt similar positive security behaviours.