arxiv: 2601.06650 · v2 · submitted 2026-01-10 · 💻 cs.HC

Learning Password Best Practices Through In-Task Instruction

Pith reviewed 2026-05-16 14:50 UTC · model grok-4.3

classification 💻 cs.HC
keywords password security · pedagogical friction · in-task instruction · user behavior · rule compliance · security interfaces · behavior-knowledge alignment

The pith

Brief instructional prompts inserted during password creation teach users rules they apply correctly in later tasks without guidance.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper evaluates pedagogical friction, a method of adding short instructional steps right when users create passwords, to build lasting understanding of security rules. In a randomized study of 128 participants split across four interface versions with varying guidance depth, those who received prompts corrected most violations when later asked to make a new password on their own and aligned their actions closely with what they knew on a follow-up quiz. Survey answers showed clearer gains for some rule types, such as those involving symbols. The work frames this as a lightweight way to improve security choices in everyday interfaces without needing constant oversight.

Core claim

Pedagogical friction inserts brief instructional interactions at the moment of password entry. Across guided conditions, participants corrected most rule violations in a subsequent task without guidance and showed high alignment between their password behavior and their accuracy on survey questions about the same rules.

What carries the argument

Pedagogical friction: brief instructional interactions inserted directly into the password-creation interface at the point of decision.

If this is right

  • Users apply password rules correctly without ongoing interface support.
  • Behavior-knowledge alignment rises for multiple rule types, especially symbols.
  • The approach works across different depths of guidance in the initial task.
  • It offers a design pattern for embedding learning into security-critical actions.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Similar in-task prompts could support other repeated privacy decisions such as permission grants or data-sharing choices.
  • Testing retention over days or weeks would reveal whether the learned rules persist beyond the immediate study session.
  • Designers of authentication flows could reduce long-term reliance on external tools by building rule understanding directly into the interface.

Load-bearing premise

That gains in the follow-up password task come from the inserted instructions rather than from participants sensing the study's goals or simply repeating a familiar task.

What would settle it

A control condition with no instructional prompts that produces similar rates of rule correction and knowledge alignment in the follow-up task would show the effect does not depend on the intervention.

Figures

Figures reproduced from arXiv: 2601.06650 by Aamod Joshi, Aditya Majumdar, Brett Frischmann, Noah Apthorpe, Qian Ma, Sarah Rajtmajer, Shubhang Kaushik, Yan Shvartzshnaider, Yingfan Zhou.

Figure 1: Study procedure: participants first completed a Test Phase with their assigned guided interface and main survey, then a Post-testing Phase with a
Figure 2: Four password creation interfaces varying in instructional guidance: (T0) meter-only control; (T1) brief tips; (T2) detailed tips; and (T3) interactive
Figure 3: (A) Group-level tip compliance. (B) User-level tip compliance (all rules resolved).
Figure 6: Group-level tip compliance in post-testing Phase, survey compliance,
Figure 7: Rule-level tip compliance, survey compliance, and their alignment across each group.

Original abstract

Users often make security- and privacy-relevant decisions without a clear understanding of the rules that govern safe behavior. We introduce pedagogical friction, a design approach that inserts brief, instructional interactions at the moment of action. We evaluate this approach in the context of password creation, a familiar task with clear quality criteria. We conducted a randomized study with 128 participants across four interface conditions that varied the depth and interactivity of guidance. We assessed three outcomes: (1) rule compliance in a subsequent password task without guidance, (2) accuracy on survey questions tied to password rules, and (3) behavior-knowledge alignment, which captures whether participants who correctly followed a rule also recognized it on the survey. Across the guided conditions, participants corrected most rule violations in the follow-up task and showed high behavior-knowledge alignment. Survey results suggested clearer advantages for some rule types, especially symbol related questions. These results position pedagogical friction as a lightweight intervention for security- and privacy-critical interfaces.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper introduces 'pedagogical friction' as a design intervention that inserts brief, in-task instructional interactions during password creation to teach security rules. It reports a randomized between-subjects study with 128 participants assigned to four interface conditions that vary the depth and interactivity of guidance. The central claims are that participants in the guided conditions corrected most rule violations when creating a second password without guidance, exhibited high alignment between their behavior and survey-reported knowledge of the rules, and showed clearer benefits for certain rule types (e.g., symbol requirements) on knowledge measures.

Significance. If the results hold after addressing design gaps, the work provides a practical, low-overhead method for embedding security education directly into critical user actions. This could inform interface design in authentication, privacy settings, and other domains where users make repeated decisions without explicit training, offering an alternative to separate tutorials or post-hoc feedback.

major comments (2)
  1. [Methods / Experimental Design] The experimental design compares only among guided conditions and lacks an explicit no-guidance control arm in which participants complete two sequential password-creation tasks. Without this baseline, it is impossible to separate the effects of pedagogical friction from practice effects, interface familiarity, or demand characteristics when observing corrections in the follow-up task. This directly undermines the attribution of improved compliance to the intervention (see abstract and the description of the four conditions).
  2. [Abstract and Results] The abstract states that participants 'corrected most rule violations' and showed 'high behavior-knowledge alignment' across guided conditions, but provides no numerical values, statistical tests, effect sizes, or confidence intervals. The results section must report these details (including per-rule breakdowns and any pre-registered analysis plan) for the claims to be verifiable.
minor comments (2)
  1. [Methods] The four interface conditions are described at a high level; a table or figure explicitly mapping each condition to its guidance elements (e.g., static text vs. interactive prompts) would improve replicability.
  2. [Procedure] Clarify whether the follow-up task used the same password rules and interface as the first task, and whether any carry-over instructions were present.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for their constructive feedback, which highlights important aspects of experimental design and reporting clarity. We address each major comment below and indicate the revisions planned for the manuscript.

Point-by-point responses
  1. Referee: [Methods / Experimental Design] The experimental design compares only among guided conditions and lacks an explicit no-guidance control arm in which participants complete two sequential password-creation tasks. Without this baseline, it is impossible to separate the effects of pedagogical friction from practice effects, interface familiarity, or demand characteristics when observing corrections in the follow-up task. This directly undermines the attribution of improved compliance to the intervention (see abstract and the description of the four conditions).

    Authors: We acknowledge the validity of this concern. Our study design intentionally varied the depth and interactivity of guidance across four conditions to examine how different levels of in-task instruction affect outcomes, allowing us to observe gradients in compliance and knowledge alignment. However, without a pure no-guidance baseline, we cannot fully rule out practice effects. We will revise the manuscript to include a more explicit discussion of this limitation in a dedicated Limitations section and clarify that the observed improvements are relative to less guided conditions. We will also suggest that future studies include a no-guidance arm. Since the experiment has been conducted, we cannot add new data, but we can strengthen the interpretation of existing comparisons. revision: partial

  2. Referee: [Abstract and Results] The abstract states that participants 'corrected most rule violations' and showed 'high behavior-knowledge alignment' across guided conditions, but provides no numerical values, statistical tests, effect sizes, or confidence intervals. The results section must report these details (including per-rule breakdowns and any pre-registered analysis plan) for the claims to be verifiable.

    Authors: We agree that the abstract should provide more specific quantitative information to support the claims. We will update the abstract to include key statistics, such as the proportion of rule violations corrected (with exact percentages), relevant p-values or statistical tests, and effect sizes. The full results section already includes per-rule breakdowns, behavior-knowledge alignment metrics, and references to the analysis approach; we will ensure the pre-registered analysis plan is clearly stated if not already. These changes will make the claims verifiable directly from the abstract. revision: yes

standing simulated objections not resolved
  • The absence of a no-guidance control condition, which cannot be addressed without conducting additional experiments.

Circularity Check

0 steps flagged

Empirical HCI study with direct behavioral measurement; no derivations or self-referential logic

full rationale

This paper reports a randomized controlled study with 128 participants comparing interface conditions for password creation guidance. All outcomes—rule compliance in a no-guidance follow-up task, survey accuracy on password rules, and behavior-knowledge alignment—are measured directly from participant actions and responses. The manuscript contains no equations, fitted parameters, predictive models, or derivation chains. No self-citations are invoked to justify uniqueness or to reduce claims to prior author work. The design compares guided conditions to each other and reports observed corrections; while external validity concerns (e.g., demand characteristics) exist, they do not constitute circularity in the derivation sense. The result is self-contained empirical evidence rather than a logical reduction to its own inputs.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the domain assumption that brief in-task instruction can produce measurable learning transfer without long-term follow-up data.

axioms (1)
  • domain assumption: Brief instructional interactions at the moment of action produce lasting rule compliance and knowledge alignment.
    Invoked to interpret the follow-up task results as evidence of learning from the intervention.


Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Demonstrably Informed Consent in Privacy Policy Flows: Evidence from a Randomized Experiment

    cs.HC 2026-04 unverdicted novelty 4.0

    Slide-based and paced privacy policy formats raised the share of parents passing a comprehension quiz to 41.7% and 30.6% on first attempt, with retakes improving scores for 64.9%, yet 97.3% of those below threshold st...

Appendix

This appendix reports detailed numerical values for the compliance and alignment analyses summarized in § IV. Table V expands the group-level tip complianc...

TABLE V: GROUP-LEVEL TIP COMPLIANCE (CLUSTER-ROBUST 95% CI). Columns: Group, Tips n, Resolved n, Resolved %, 95% CI. T1: 62, 57, 91.9...