Persuasion Meets AI: Ethical Considerations for the Design of SocialEngineering Countermeasures

Nicolas E. Dıaz Ferreyra1 a, Esma Aımeur2,Hicham Hage3, Maritta Heisel1 and Catherine Garcıa van Hoogstraten4

1University of Duisburg-Essen, Department of Computer Science and Applied Cognitive Science, Germany2University of Montreal, Department of Computer Science and Operations Research (DIRO), Canada

3Notre Dame University - Louaize, Computer Science Department, Lebanon4Booking.com, the Netherlands

nicolas.diaz-ferreyra@uni-due.de, aimeur@iro.umontreal.ca, hhage@ndu.edu.lb, maritta.heisel@uni-due.de,catherine.garcia@booking.com

Keywords: social engineering, digital nudging, privacy awareness, risk management, self-disclosure, AI, ethics

Abstract: Privacy in Social Network Sites (SNSs) like Facebook or Instagram is closely related to people’s self-disclosure decisions and their ability to foresee the consequences of sharing personal information with largeand diverse audiences. Nonetheless, online privacy decisions are often based on spurious risk judgements thatmake people liable to reveal sensitive data to untrusted recipients and become victims of social engineeringattacks. Artificial Intelligence (AI) in combination with persuasive mechanisms like nudging is a promisingapproach for promoting preventative privacy behaviour among the users of SNSs. Nevertheless, combiningbehavioural interventions with high levels of personalization can be a potential threat to people’s agency andautonomy even when applied to the design of social engineering countermeasures. This paper elaborates on theethical challenges that nudging mechanisms can introduce to the development of AI-based countermeasures,particularly to those addressing unsafe self-disclosure practices in SNSs. Overall, it endorses the elaborationof personalized risk awareness solutions as i) an ethical approach to counteract social engineering, and ii) asan effective means for promoting reflective privacy decisions.

1 Introduction

Social Network Sites (SNSs) like Instagram andTwitter have changed radically the way people cre-ate and maintain interpersonal relationships (Penni,2017). One of the major attractiveness of such plat-forms is their broadcasting affordances which allowusers to connect seamlessly with large and diverse au-diences within a few seconds. However, while theseplatforms effectively contribute to maximizing peo-ple’s social capital, they also introduce major chal-lenges to their privacy. Particularly, users of SNSsare highly exposed to social engineering attacks sincethey often share personal information with peopleregardless of their doubtful trustworthiness (Wanget al., 2011; boyd, 2010).

Online deception is an attack vector that is fre-quently used by social engineers to approach and ma-nipulate users of SNSs (Tsikerdekis and Zeadally,

a https://orcid.org/0000-0001-6304-771X

2014). For instance, deceivers often impersonatetrustworthy entities using fake profiles to gain theirvictims’ trust, and persuade them to reveal sensi-tive information (e.g. their log-in credentials) orperform hazardous actions that would compromisetheir security (e.g. installing Malware) (Hage et al.,2020). Hence, counteracting social engineering at-tacks relies (to a large extent) on the users’ capacityof foreseeing the potential negative consequences oftheir actions and modify their behaviour, accordingly(Aımeur et al., 2019). However, this is difficult foraverage users who lack the knowledge and skills nec-essary to ensure the protection of their privacy (Ma-sur, 2019). Moreover, people -in general- regret hav-ing shared their personal information only after beingvictims of a social engineering attack (Wang et al.,2011).

Privacy scholars have proposed a wide range ofArtificial-Intelligence-Based (AI-based) approachesthat aim at generating awareness among people (De

and Le Metayer, 2018; Petkos et al., 2015; Dıaz Fer-reyra et al., 2020; Briscoe et al., 2014). Particularly,AI in combination with persuasive mechanisms hasgained popularity due to their capacity for nudgingusers’ behaviour towards safer privacy practices (Ac-quisti et al., 2017). However, these technologies areoften looked askance since there is a fine line betweenpersuasion, coercion, and manipulation (Renaud andZimmermann, 2018). For instance, users might beencouraged to enable their phone’s location serviceswith the excuse of increasing their safety when, infact, the main objective is monitoring their move-ments. Hence, ethical principles must be well definedand followed for safeguarding people’s agency, auton-omy, and welfare.

This work elaborates on the ethical challenges as-sociated with the use of persuasion in the design ofAI-based countermeasures (i.e. technical solutionsfor preventing unsafe self-disclosure practices). Par-ticularly, it analyses the different factors that influ-ence online privacy decisions and the importance ofbehavioural interventions for promoting preventativeprivacy practices in SNSs. Furthermore, it elabo-rates on the ethical issues that the use of persuasivemeans may introduce when used in combination withAI technologies. Based on our findings, we endorsethe elaboration of personalized risk awareness mech-anisms as an ethical approach to social engineeringcountermeasures. In line with this, challenges for reg-ulating the development and impact of such counter-measures are evaluated and summarized.

The rest of this paper is organized as follows. Sec-tion 2 discusses the particular challenges that SNSsintroduce in terms of privacy decision-making. Sec-tion 3 elaborates on the use of privacy nudges in com-bination with AI for designing effective social en-gineering countermeasures. Moreover, ethical chal-lenges related to the use of persuasion in cybersecu-rity are presented and illustrated in this section. Next,Section 4 analyses the role of risk cues in users’ pri-vacy decisions and their importance for the design ofpreventative technologies. Finally, the conclusions ofthis work are presented in Section 5.

2 Online Deception in Social Media

Nowadays, SNSs offer a wide range of affor-dances (e.g. instant messaging, posts, or stories)which allow people to create and exchange mediacontent with large and diverse audiences. In sucha context, privacy as a human practice (i.e. as adecision-making process) acquires high importancesince individuals are prone to disclose large amounts

of private information inside these platforms (boyd,2010). Consequently, preserving users’ contextual in-tegrity depends to a wide extent on their individualbehaviour, and not so much on the security mecha-nisms of the platform (e.g. firewalls or communica-tion protocols) (Albladi and Weir, 2016). In general,disclosing personal information to others is key forthe development and strengthening of social relation-ships, as it directly contributes to building trust andcredibility among individuals. However, unlike in thereal world, people in SNSs tend to reveal their per-sonal data prematurely without reflecting much on thepotential negative effects (Aımeur et al., 2018). Onone hand, such spurious behaviour can be groundedon users’ ignorance and overconfidence (Howah andChugh, 2019). Nevertheless, people often rely onlax privacy settings and assume their online peers astrusted, which increases significantly the chances ofbeing victims of a malicious user. Therefore, individ-uals are prone to experience unwanted incidents likecyber-bullying, reputation damage, or identity theftafter sharing their personal information in online plat-forms (Wang et al., 2013).

Overall, SNSs have become a gateway for access-ing large amounts of personal information and, con-sequently, a target for social engineering attacks. Onone hand, this is because people are more liable to re-veal personal information online than in a traditionaloffline context. However, there is also a growingtrend in cyber-attacks to focus more on human vul-nerabilities instead on flaws in software or hardware(Krombholz et al., 2015). Moreover, it is estimatedthat around 3% of Malware attacks exploit technicallapses while the remaining 97% target the users usingsocial engineering1. Basically, social engineers em-ploy online deception as a strategy to gain trust andmanipulate their victims. Particularly, “deceivers hidetheir harmful intentions and mislead other users to re-veal their credentials (i.e. accounts and passwords)or perform hazardous actions (e.g. install Malware)”(Aımeur et al., 2019). For instance, they often ap-proach users through fake SNSs accounts and insti-gate them to install malicious software on their com-puters. For this, deceivers exploit users’ motivationsand cognitive biases such as altruism or moral gainin combination with incentive strategies to misleadthem, accordingly (Bullee et al., 2018). Particularly,the use of fake links to cash prizes or fake surveys onbehalf of trustworthy entities can serve as incentivesand, thereby, as deceptive means.

1“Estimates of the number of social engineering basedcyber-attacks into private or government organization,”DOGANA H2020 Project. Accessed July 24, 2020.https://bit.ly/2k5VKmP

3 AI-Based Countermeasures

In general, people struggle to regulate the amountof information they share as they seek the right bal-ance between self-disclosure gratifications and pri-vacy risks. Moreover, an objective evaluation ofsuch risks demands a high cognitive effort which isoften affected by personal characteristics, emotions,or missing knowledge (Kramer and Schawel, 2020).Hence, there is a call for technological countermea-sures that support users in conducting a more accu-rate privacy calculus and incentivize the adoption ofpreventative behaviour. In this section, we discuss therole of AI in the design of such countermeasures es-pecially in combination with persuasive technologieslike digital nudges. Furthermore, ethical guidelinesfor the application of these technologies are presentedand analysed.

3.1 Privacy nudges

The use of persuasion in social computing applica-tions like blogs, wiki, and recently SNSs has caughtthe interest of researchers across a wide range ofdisciplines including computer science and cognitivepsychology (Vassileva, 2012). Additionally, the fieldof behavioural economics has contributed largely tothis topic and nourished several principles of user en-gagement such as gamification or incentive mecha-nisms for promoting behavioural change (Hamari andKoivisto, 2013). Most recently, the nudge theoryand its application for privacy and security purposeshave been closely explored and documented withinthe literature (Acquisti et al., 2017). Originally, theterm nudge was coined by the Nobel prize winnersRichard Thaler and Cass Sunstein and refers to theintroduction of small changes in a choice architecture(i.e. the context within which decisions are made)with the purpose of encouraging a certain user be-haviour (Weinmann et al., 2016), Among its manyapplications, the nudge concept has been applied inthe design of preventative technologies with the aimof guiding users towards safer privacy decisions. Forexample, (Wang et al., 2013) designed three nudgesfor Facebook users consisting of (i) introducing a 30seconds delay before a message is posted, (ii) display-ing visual cues related to the post’s audience, and (iii)showing information about the sentiment of the post.These nudges come into play when users are aboutto post a message on Facebook allowing them to re-consider their disclosures and reflect on the potentialprivacy consequences. Moreover, nudges have alsobeen designed, developed, and applied for securitypurposes. This is the case of password meters used

to promote stronger passwords (Egelman et al., 2013)or the incorporation of visual cues inside Wi-Fi scan-ners to encourage the use of secure networks (Turlandet al., 2015).

3.2 The role of AI

In general, the instances of privacy nudges describedin the current literature rely on a “one-size-fits-all”persuasive design. That is, the same behavioural in-tervention is applied to diverse individuals withoutacknowledging the personal characteristics or differ-ences among them (Warberg et al., 2019). However,there is an increasing demand for personalized nudgesthat address nuances in users’ privacy goals and regu-late their interventions, accordingly (Peer et al., 2020;Barev and Janson, 2019).

Figure 1: The user modelling-adaptation loop (De Bra,2017)

In essence, the idea of personalized nudges inher-ently encloses the application of AI techniques andmethods for understanding and anticipating the pri-vacy needs of each particular user. For this, it is nec-essary to define what is commonly known as the “usermodel” of the system. That is, a set of adaptation vari-ables that will guide the personalization process of be-havioural interventions (De Bra, 2017). For instance,people’s privacy attitude has been often proposed asan adaptation means in the design of privacy wizards.Under this approach, users are classified into fun-damentalists, pragmatists, or unconcerned, and theirprivacy policies adjusted to each of these categories(Knijnenburg, 2014; Alekh, 2018). As result, funda-mentalists receive strong privacy policies, moderatesettings are assigned to pragmatists, and weak onesto unconcerned users. In this case, the user modelis said to be explicit since it is generated out infor-mation that the users provide before starting to usethe system (e.g. in an attitude questionnaire). How-ever, the need for explicit user input can be dimin-ished when implicit models are automatically gen-

erated from large data sets (De Bra, 2017). Underthis approach, the model is automatically obtained outof information that emerges from the interaction be-tween the user and the system. Particularly, informa-tion such as likes, clicks, and comments is aggregatedinto an implicit model that guides the adaptation ofthe system’s interventions (Figure 1).

In general, the application of AI to nudging so-lutions offers the potential of boosting the effective-ness of behavioural interventions. However, such ef-fectiveness comes with a list of drawbacks inheritedfrom the underlying principles of AI technologies.Indeed, as personalization in nudges increases, con-cerns related to automated decision making and pro-filing quickly arise along with issues of transparency,fairness, and explainability (Susser, 2019; Brundageet al., 2018). Consequently, the user model and adap-tation mechanism underlying these nudges should bescrutable in order to prevent inaccurate, unfair, biased,or discriminatory interventions. This would not onlyimprove the system’s accountability but would alsogive insights to the users on how their personal datais being used to promote changes in their behaviour.Over the last years, explainable AI (XAI) has shedlight on many of these points and introduced methodsfor achieving transparent and accountable solutions.One example is the introduction of self-awarenessmechanisms that endow deep learning systems withthe capability to automatically evaluate their own be-liefs and detect potential biases (Garigliano and Mich,2019). However, the combination of AI with persua-sion introduces additional challenges related to theimpact that these technologies may have on the re-sulting behaviour of individuals and society in general(Muller, 2020; Susser, 2019). Hence, the definition ofethical guidelines, codes of conduct, and legal provi-sions are critical for guiding the development processof personalized nudges and for preventing a negativeeffect on people’s well-being.

3.3 Ethical Guidelines

Although many have shown excitement about nudgesand their applications, others consider this type of per-suasive technologies as a potential threat to the users’agency, and autonomy (Renaud and Zimmermann,2018; Susser, 2019). Particularly, some argue thatnudges do not necessarily contribute to users’ welfareand could even be used for questionable and unethi-cal purposes. For instance, a mobile application cannudge users to enable their phone’s location serviceswith the excuse of improving the experience withinthe app when, in fact, the main purpose is monitoringtheir movements. One case alike took place recently

in China during the outbreak of the Coronavirus: theChinese government implemented a system to mon-itor the virus’s expansion and notify citizens in casethey need to self-quarantine2. Such a system gener-ates a personal QR code which is scanned by the po-lice and other authorities to determine whether some-one is allowed into subways, malls, and other pub-lic spaces. However, although the system encouragespeople to provide personal information such as loca-tion and body temperature on behalf of public safety,experts suggest that this is another attempt by the Chi-nese government to increase mass surveillance.

Figure 2: Nudge for monitoring the Corovavirus spread

One distinctive aspect of nudges is that they areapplied in a decision-making context. That is, theyare used to encourage the selection of one alternativeover others with the aim of maximizing people’s wel-fare (Weinmann et al., 2016). In the case of the QRsystem introduced in China, its adoption was mademandatory by the government. Hence, it does notqualify as a nudge solution since this would normallyinvolve the manipulation of the environment in whicha decision is made while preserving users’ autonomy

2Paul Mozur, Raymond Zhong and Aaron Krolik “InCoronavirus Fight, China Gives Citizens a Color Code,With Red Flags” New York Times, March 1, 2020. Ac-cessed July 24, 2020.

and freedom of choice. However, one could imag-ine a nudge variant of such a system: the QR-codecould be included as an optional feature inside a mo-bile application (e.g. public transport), and its use in-centivized through a reward mechanism (e.g. a dis-count in the next trip) as illustrated in Figure 2. Thisand other instances of choice architectures give riseto ethical questions like “who should benefit fromnudges?”, “should users be informed of the presenceof a nudge?” and “how nudges should (not) influ-ence the users?”. In line with this, (Renaud and Zim-mermann, 2018) elaborated on a set of principles thatprivacy and security nudges should incorporate intotheir design to address these and other ethical con-cerns. Particularly, they introduced check-lists thatdesigners can use to verify if their nudging solutionscomply with principles such as justice, beneficence,and respect. For instance, to preserve users’ auton-omy, designers should ensure that all the original op-tions are made available. This means that, if a nudgeattempts to discourage people from installing privacy-invasive apps on their phones, then users should stillhave the option to install these apps if they wish to.Moreover, users should always be nudged towards be-haviours that maximize their welfare rather than theinterests of others. That is, choices that enclose a ben-efit for the designer (if any) should not be prioritizedover those who do benefit the user.

4 Risk-based approaches

As discussed, nudges can raise ethical concernseven if they are conceived for seemingly noble pur-poses like privacy and security. Furthermore, al-though personalization increases their effectiveness,it can also compromise users’ privacy and autonomy.In this section, risk awareness is discussed and pre-sented as a suitable means for developing appropri-ate nudging solutions. Particularly, it elaborates onhow risk cues influence peoples’ privacy decisionsand how choice architectures may incorporate suchcues into their design. Moreover, it discusses state-of-the-art solutions in which risk perception has beenintroduced as an adaptation variable for personalizingbehavioural interventions.

4.1 The role of risk cues

Risks are part of our daily life since there is alwayssome uncertainty associated with the decisions wemake. Moreover, it is our perception of risk whichoften helps us to estimate the impact of our actionsand influences our behaviour (Williams and Noyes,

2007). However, evaluating a large number of riskfactors is often difficult due to the limited cognitivecapacity of humans in general. Consequently, peopleoften misjudge the consequences of their actions, be-have unseemlily, and suffer unwanted incidents (Fis-cher, 2017). To avoid this, it is of utmost impor-tance to increase individuals’ sense of awareness andso their access to explicit and adequate risk informa-tion (Kim, 2017). This premise not only applies todecisions that are made in the real world but also inonline contexts such as the disclosure of personal in-formation. Particularly, self-disclosure is a practicewhich is usually performed under uncertainty condi-tions related to its potential benefits and privacy costs(Acquisti et al., 2015). However, average SNSs usersfind it difficult to perform proper estimations of therisks and benefits of their disclosures and, in turn, re-place rational estimations with cognitive heuristics.For example, they often ground their privacy deci-sions on cues related to the platform’s reputation (e.g.it’s size) or recognition (e.g. it’s market presence),among others (Marmion et al., 2017). All in all, theapplication of heuristics tends to simplify complexself-disclosure decisions. However, these heuristicscan also undermine people’s privacy-preserving be-haviour since SNSs portray many trust-related cues,yet scarce risk information (Marmion et al., 2017).Furthermore, privacy policies are also devoid of riskcues which, in turn, hinder users’ decisions related toconsent on data processing activities (De and Imine,2019). Consequently, even users with high privacyconcerns may lack adequate means for conducting arigorous uncertainty calculus.

4.2 Risk, persuasion and AI

In general, risk awareness has a strong influence onpeople’s behaviour and plays a key role in their pri-vacy decisions. Therefore, the presence of risk cues isessential for supporting users in their self-disclosurepractices. Under this premise, privacy scholars haveintroduced nudging solutions that aim to promotechanges in people’s privacy behaviour using risk in-formation as a persuasive means. For example, (Deand Le Metayer, 2018) introduced an approach basedon attack-trees and empirical evidence to inform usersof SNSs about the privacy risks of using lax pri-vacy settings (e.g. the risks of having a public pro-file). Similarly, (Sanchez and Viejo, 2015) developeda method for automatically assessing the sensitivitydegree of textual publications in SNSs (e.g. tweets orposts). Such a method takes into consideration the de-gree of trust a user has in the targeted audience of amessage (e.g. family, close friends, acquaintances)

when determining its sensitiveness level. Further-more, this approach is embedded in a system whichnotifies the users when privacy-critical content is be-ing disclosed and suggests them to either restrict thepublication’s audience or remove/replace the sensitiveterms with less detailed information. Nevertheless,the system ignores nuances in people’s privacy goalsand does not provide a mechanism for personalizingthe interventions.

In order to guide the development of preventativenudges, (Dıaz Ferreyra et al., 2018) introduced threedesign principles. The first one, adaptivity, refers tothe importance of personalized interventions in creat-ing engagement between the nudge and its users. Par-ticularly, personalization is considered key for engag-ing individuals in a sustained learning process aboutgood privacy practices. The second one, visceral-ity, highlights the importance of creating a strong andappreciable connection between users and their per-sonal data. This principle is grounded on empiricalevidence showing that, in general, users take con-science about the value of their data only after theysuffer an unwanted incident (e.g. phishing or finan-cial fraud). Finally, the principle of sportiveness, sug-gests that nudging solutions to cybersecurity shouldrecommend countermeasures or coping strategies thatusers can put into practice to safeguard their privacy.When it comes to sportiveness, the authors suggestthat many of the current privacy-enhancing technolo-gies such as access-control lists and two-step veri-fication would qualify as countermeasures and thatthe role of nudges is to motivate their adoption. Onthe other hand, they also suggest that adaptation andviscerality can be achieved by defining a user modelwhich reflects individuals’ risk perception (Dıaz Fer-reyra et al., 2020). Particularly, they introduced a usermodel consisting of a risk threshold which is updatedas behavioural interventions are accepted or ignoredby the end-user. By doing so, the nudge adapts to theindividual privacy goals of the users and increases theeffectiveness of its interventions. That approach wasput into practice in the design of preventative tech-

Figure 3: Personalized interventions for online-self disclo-sure (Dıaz Ferreyra et al., 2020).

nologies for SNSs as depicted in Figure 3. Partic-ularly, this approach uses empirical evidence on re-grettable self-disclosure experiences to elaborate riskpatterns and shape behavioural interventions. Suchrisk-based interventions aim to encourage the use offriend lists for controlling the audience of textual pub-lications.

5 Discussion and Conclusion

Overall, social interaction across SNSs demandsmaking privacy decisions on a frequent basis. How-ever, online self-disclosure, as well as the evolvingand ongoing nature of privacy choices, seem to beout of the scope of privacy regulations. Instead, dataprotection frameworks tend to focus more on issuesrelated to consent and overlook (sometimes delib-erately) the importance of providing the necessarymeans for performing an adequate privacy calculus.Consequently, service providers limit themselves tothe definition of instruments for obtaining consent(e.g. privacy policies) leaving the rational estima-tions of privacy risks to the individual discretion ofthe users. However, as discussed throughout this pa-per, such estimations are often impaired by cognitiveand motivational biases which tend to outweigh antic-ipated benefits over potential risks. Hence, users areprone to experience regret after disclosing personalinformation in SNSs due to false estimations and op-timistic biases. Furthermore, because of such spu-rious estimations, people might end up sharing theirprivate information with untrusted audiences and in-crease their chances of suffering social engineeringattacks. Thus, the incorporation of awareness mech-anisms is of utmost importance for supporting users’self-disclosure decisions and mitigating the likelihoodof unwanted incidents.

At their core, social engineering countermeasuresrequire promoting behavioural changes among theusers of SNSs. Hence, nudging techniques are ofgreat value for the design of technical solutions thatcould guide individuals towards safer privacy deci-sions. Furthermore, AI-based approaches can im-prove the effectiveness of such solutions by endow-ing them with adaptation and personalization featuresthat address the individual goals and concerns of theusers. However, despite its promising effects, thecombination of AI together with persuasive meanscan result in unethical technological designs. In prin-ciple, this is because nudges can mislead people to-wards a behaviour which is not necessarily beneficialfor them. In this case, ethical guidelines are quiteclear since they stress the importance of designing

choice architectures that are transparent and tend tomaximize people’s welfare. However, the questionthat still remains unclear is whether platforms shouldkeep self-regulating the design of these technologies,or if public actors should harness the application ofethical standards in order to safeguard individuals’agency and autonomy. Either way, conducting an ade-quate social welfare impact assessment of persuasiveAI technologies is crucial to determine their effects(positive or negative) on human behaviour at large.

Another controversial point is that users are notalways aware of the presence of a nudge since per-suasive means target primarily people’s automatic andsubconscious processing system. However, ethicalapproaches should allow people to explicitly recog-nize the presence of the nudge and the influence itis aiming to excerpt. Hence, choice architecturesshould, when possible, introduce mechanisms thattarget individuals’ reflective reasoning in order toavoid potential manipulation effects. As discussedin Section 4.1, social engineering countermeasurescan achieve this by incorporating risk information andcues in their design. However, even risk-related infor-mation can be subject to manipulation if not framedaccordingly. That is, when high-risk events are por-trayed as low-risk situations and vice-versa. Further-more, biases can also be introduced if the likelihoodand consequence levels of unwanted incidents are notproperly estimated and quantified. Hence, guidelinesfor the correct estimation of risks together with ethicalapproaches for their communication should be furtherinvestigated, introduced, and guaranteed.

ACKNOWLEDGEMENTS

This work was partially supported the H2020European Project No. 787034 “PDP4E: Privacyand Data Protection Methods for Engineering” andCanada’s Natural Sciences and Engineering ResearchCouncil (NSERC).

REFERENCES

Acquisti, A., Adjerid, I., Balebako, R., Brandimarte, L.,Cranor, L. F., Komanduri, S., Leon, P. G., Sadeh,N., Schaub, F., Sleeper, M., Wang, Y., and Wilson,S. (2017). Nudges for Privacy and Security: Under-standing and Assisting Users’ Choices Online. ACMComputing Surveys (CSUR), 50(3):44.

Acquisti, A., Brandimarte, L., and Loewenstein, G. (2015).Privacy and human behavior in the age of information.Science, 347(6221):509–514.

Aımeur, E., Diaz Ferreyra, N. E., and Hage, H. (2019). Ma-nipulation and Malicious Personalization: Exploringthe Self-Disclosure Biases Exploited by Deceptive At-tackers on Social Media. Frontiers in Artificial Intel-ligence, 2:26.

Aımeur, E., Hage, H., and Amri, S. (2018). The Scourgeof Online Deception in Social Networks. In Arab-nia, H. R., Deligiannidis, L., Tinetti, F. G., andTran, Q.-N., editors, Proceedings of the 2018 AnnualConference on Computational Science and Compu-tational Intelligence (CSCI’ 18), pages 1266–1271.IEEE Computer Society.

Albladi, S. and Weir, G. R. S. (2016). Vulnerability toSocial Engineering in Social Networks: A ProposedUser-Centric Framework. In 2016 IEEE InternationalConference on Cybercrime and Computer Forensic(ICCCF), pages 1–6. IEEE.

Alekh, S. (2018). Human Aspects and Perception of Pri-vacy in Relation to Personalization. arXiv preprintarXiv:1805.08280.

Barev, T. J. and Janson, A. (2019). Towards an IntegrativeUnderstanding of Privacy Nudging - Systematic Re-view and Research Agenda. In 18th Annual Pre-ICISWorkshop on HCI Research in MIS (ICIS).

boyd, d. (2010). Social Network Sites as NetworkedPublics: Affordances, Dynamics, and Implications,pages 47–66. Routledge.

Briscoe, E. J., Appling, D. S., and Hayes, H. (2014). Cuesto Deception in Social Media Communications. In47th Annual Hawaii International Conference on Sys-tem Sciences (HICSS), pages 1435–1443. IEEE.

Brundage, M., Avin, S., Clark, J., Toner, H., Eckersley, P.,Garfinkel, B., Dafoe, A., Scharre, P., Zeitzoff, T., Fi-lar, B., et al. (2018). The Malicious Use of ArtificialIntelligence: Forecasting, Prevention, and Mitigation.arXiv preprint arXiv:1802.07228.

Bullee, J.-W. H., Montoya, L., Pieters, W., Junger, M., andHartel, P. (2018). On the anatomy of social engineer-ing attacks - A literature-based dissection of success-ful attacks. Journal of Investigative Psychology andOffender Profiling, 15(1):20–45.

De, S. J. and Imine, A. (2019). On Consent in Online So-cial Networks: Privacy Impacts and Research Direc-tions (Short Paper). In Zemmari, A., Mosbah, M.,Cuppens-Boulahia, N., and Cuppens, F., editors, Risksand Security of Internet and Systems, pages 128–135.Springer International Publishing.

De, S. J. and Le Metayer, D. (2018). Privacy Risk Analysisto Enable Informed Privacy Settings. In 2018 IEEEEuropean Symposium on Security and Privacy Work-shops (EuroS&PW), pages 95–102. IEEE.

De Bra, P. (2017). Challenges in User Modeling and Per-sonalization. IEEE Intelligent Systems, 32(5):76–80.

Dıaz Ferreyra, N., Meis, R., and Heisel, M. (2018). AtYour Own Risk: Shaping Privacy Heuristics for On-line Self-disclosure. In 2018 16th Annual Conferenceon Privacy, Security and Trust (PST), pages 1–10.

Dıaz Ferreyra, N. E., Kroll, T., Aımeur, E., Stieglitz, S., andHeisel, M. (2020). Preventative Nudges: Introducing

Risk Cues for Supporting Online Self-Disclosure De-cisions. Information, 11(8):399.

Egelman, S., Sotirakopoulos, A., Muslukhov, I., Beznosov,K., and Herley, C. (2013). Does my password go upto eleven? The impact of password meters on pass-word selection. In Proceedings of the SIGCHI Confer-ence on Human Factors in Computing Systems, pages2379–2388.

Fischer, A. R. H. (2017). Perception of Product Risks.In Emilien, G., Weitkunat, R., and Ludicke, F., edi-tors, Consumer Perception of Product Risks and Ben-efits, pages 175–190. Springer International Publish-ing, Cham.

Garigliano, R. and Mich, L. (2019). Looking Inside theBlack Box: Core Semantics Towards Accountabilityof Artificial Intelligence. In From Software Engineer-ing to Formal Methods and Tools, and Back, pages250–266. Springer.

Hage, H., Aımeur, E., and Guedidi, A. (2020). Understand-ing the landscape of online deception. In NavigatingFake News, Alternative Facts, and Misinformation ina Post-Truth World, pages 290–317. IGI Global.

Hamari, J. and Koivisto, J. (2013). Social Motivations ToUse Gamification: An Empirical Study Of GamifyingExercise. In Proceedings of the 21st European Con-ference on Information Systems (ECIS).

Howah, K. and Chugh, R. (2019). Do We Trust the Inter-net?: Ignorance and Overconfidence in Downloadingand Installing Potentially Spyware-Infected Software.Journal of Global Information Management (JGIM),27(3):87–100.

Kim, H. K. (2017). Risk Communication. In Emilien,G., Weitkunat, R., and Ludicke, F., editors, ConsumerPerception of Product Risks and Benefits, pages 125–149. Springer International Publishing, Cham.

Knijnenburg, B. P. (2014). Information Disclosure Profilesfor Segmentation and Recommendation. In Sympo-sium on Usable Privacy and Security (SOUPS).

Kramer, N. C. and Schawel, J. (2020). Mastering the chal-lenge of balancing self-disclosure and privacy in so-cial media. Current Opinion in Psychology, 31.

Krombholz, K., Hobel, H., Huber, M., and Weippl, E.(2015). Advanced social engineering attacks. Jour-nal of Information Security and applications, 22:113–122.

Marmion, V., Bishop, F., Millard, D. E., and Stevenage,S. V. (2017). The Cognitive Heuristics Behind Disclo-sure Decisions. In International Conference on SocialInformatics, pages 591–607. Springer.

Masur, P. K. (2019). Privacy and self-disclosure in theage of information. In Situational Privacy and Self-Disclosure, pages 105–129. Springer.

Muller, V. C. (2020). Ethics of Artificial Intelligence andRobotics. In Zalta, E. N., editor, The Stanford En-cyclopedia of Philosophy. Metaphysics Research Lab,Stanford University, fall 2020 edition.

Peer, E., Egelman, S., Harbach, M., Malkin, N., Mathur, A.,and Frik, A. (2020). Nudge Me Right: PersonalizingOnline Nudges to People’s Decision-Making Styles.Computers in Human Behavior, 109:106347.

Penni, J. (2017). The Future of Online Social Networks(OSN): A Measurement Analysis Using Social MediaTools and Application. Telematics and Informatics,34(5):498–517.

Petkos, G., Papadopoulos, S., and Kompatsiaris, Y. (2015).PScore: A Framework for Enhancing Privacy Aware-ness in Online Social Networks. In 2015 10th Interna-tional Conference on Availability, Reliability and Se-curity, pages 592–600. IEEE.

Renaud, K. and Zimmermann, V. (2018). Ethical guide-lines for nudging in information security & privacy.International Journal of Human-Computer Studies,120:22–35.

Sanchez, D. and Viejo, A. (2015). Privacy Risk Assessmentof Textual Publications in Social Networks. In Pro-ceedings of the International Conference on Agentsand Artificial Intelligence - Volume 1, ICAART 2015,pages 236–241, Setubal, PRT. SCITEPRESS - Sci-ence and Technology Publications, Lda.

Susser, D. (2019). Invisible Influence: Artificial Intelli-gence and the Ethics of Adaptive Choice Architec-tures. In Proceedings of the 2019 AAAI/ACM Con-ference on AI, Ethics, and Society, pages 403–408.

Tsikerdekis, M. and Zeadally, S. (2014). Online Decep-tion in Social Media. Communications of the ACM,57(9):72.

Turland, J., Coventry, L., Jeske, D., Briggs, P., and vanMoorsel, A. (2015). Nudging towards Security: De-veloping an Application for Wireless Network Selec-tion for Android Phones. In Proceedings of the 2015British HCI Conference, British HCI ’15, pages 193–201, New York, NY, USA. Association for ComputingMachinery.

Vassileva, J. (2012). Motivating participation in socialcomputing applications: a user modeling perspective.User Modeling and User-Adapted Interaction, 22(1-2):177–201.

Wang, Y., Leon, P. G., Scott, K., Chen, X., Acquisti, A., andCranor, L. F. (2013). Privacy Nudges for Social Me-dia: An Exploratory Facebook Study. In Proceedingsof the 22nd International Conference on World WideWeb, pages 763–770.

Wang, Y., Norcie, G., Komanduri, S., Acquisti, A., Leon,P. G., and Cranor, L. F. (2011). “I regretted the minuteI pressed share”: A Qualitative Study of Regrets onFacebook. In Proceedings of the 7th Symposium onUsable Privacy and Security, SOUPS 2011, pages 1–16. ACM.

Warberg, L., Acquisti, A., and Sicker, D. (2019). CanPrivacy Nudges be Tailored to Individuals’ DecisionMaking and Personality Traits? In Proceedings of the18th ACM Workshop on Privacy in the Electronic So-ciety, WPES’19, pages 175–197. ACM.

Weinmann, M., Schneider, C., and vom Brocke, J. (2016).Digital Nudging. Business & Information Systems En-gineering, 58(6):433–436.

Williams, D. J. and Noyes, J. M. (2007). How does ourperception of risk influence decision-making? Impli-cations for the design of risk information. TheoreticalIssues in Ergonomics Science, 8(1):1–35.