🤖 AI Summary
This study addresses the gap between security best practices, such as creating strong passwords, and users' understanding of the rules behind them. The authors introduce "pedagogical friction": brief, just-in-time instructional interactions embedded in the security-critical action itself. In a randomized repeated-measures experiment with 128 participants, they compare four interface conditions that vary the depth and interactivity of the guidance. Across all guided conditions, participants corrected most password-policy violations in a later task performed without guidance, reached moderate accuracy on survey questions matched to the rules they had seen, and showed high behavior-knowledge alignment (a rule a participant followed was usually also one they recognized). The authors conclude that pedagogical friction produces immediate learning that carries over to the subsequent unguided task and propose it as a lightweight, generalizable intervention for security and privacy interfaces.
📝 Abstract
Users often make security- and privacy-relevant decisions without a clear understanding of the rules that govern safe behavior. We introduce pedagogical friction, a design approach that introduces brief, instructional interactions at the moment of action. We evaluate this approach in the context of password creation, a task with clear, objective quality criteria and broad familiarity. We conducted a randomized repeated-measures study with 128 participants across four interface conditions that varied the depth and interactivity of guidance. We assessed three outcomes: (1) rule compliance in a subsequent password task without guidance, (2) accuracy on survey questions matched to the rules shown earlier, and (3) behavior-knowledge alignment, which captures whether participants who correctly followed a rule also recognized it on the survey. Across all guided conditions, participants corrected most rule violations in the follow-up task, achieved moderate accuracy on matched rule questions, and showed high behavior-knowledge alignment. These results support pedagogical friction as a lightweight and generalizable intervention for security- and privacy-critical interfaces.
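The three outcomes above are easier to reason about with a concrete rule set. The following is an added example, not code from the paper: it models a password policy as named rules, each carrying the short instructional text a pedagogical-friction interface would show at the moment of action, and computes per-rule compliance and behavior-knowledge alignment for one participant. The rule set, thresholds, and the small common-password list are constructed assumptions; the paper's actual policy is not given on this page.

```python
"""Per-rule password guidance and outcome metrics (added example, not the paper's code).

The rules below are an illustrative policy chosen for this example; the study's
real rule set is not on this page. The functions mirror the abstract's outcomes:
guidance() is the just-in-time friction text, compliance() is outcome (1), and
behavior_knowledge_alignment() is outcome (3).
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample of common passwords; a real deployment would use a large deny list.
COMMON = {"password", "123456", "qwerty", "letmein"}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    explanation: str              # instructional text shown when the rule is violated
    check: Callable[[str], bool]  # True when the password satisfies the rule


# Assumed policy for illustration only.
RULES = (
    Rule("min_length", "Use at least 12 characters; length matters most.",
         lambda p: len(p) >= 12),
    Rule("mixed_case", "Mix upper-case and lower-case letters.",
         lambda p: p != p.lower() and p != p.upper()),
    Rule("digit", "Include at least one digit.",
         lambda p: any(c.isdigit() for c in p)),
    Rule("no_repeat", "Avoid three or more identical characters in a row.",
         lambda p: re.search(r"(.)\1\1", p) is None),
    Rule("no_common", "Do not reuse a common password.",
         lambda p: p.lower() not in COMMON),
)


def compliance(password: str) -> Dict[str, bool]:
    """Outcome (1): which rules the password satisfies, keyed by rule id."""
    return {r.rule_id: r.check(password) for r in RULES}


def violations(password: str) -> List[str]:
    """Ids of the rules the password breaks, in policy order."""
    return [rid for rid, ok in compliance(password).items() if not ok]


def guidance(password: str) -> List[str]:
    """The friction: one short explanation per violated rule, shown at submit time."""
    broken = set(violations(password))
    return [r.explanation for r in RULES if r.rule_id in broken]


def behavior_knowledge_alignment(password: str,
                                 survey: Dict[str, bool]) -> Optional[float]:
    """Outcome (3): of the rules the participant followed, the fraction they also
    recognized on the matched survey (survey maps rule id -> answered correctly).
    Returns None when no rule was followed, so the ratio is undefined rather than 0."""
    followed = [rid for rid, ok in compliance(password).items() if ok]
    if not followed:
        return None
    recognized = sum(1 for rid in followed if survey.get(rid, False))
    return recognized / len(followed)


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("Tr0ub4dor&3", "correct horse battery staple", "password111"):
        print(pw, "->", violations(pw))
        for line in guidance(pw):
            print("   ", line)
```

Running the block prints, for each constructed password, the violated rule ids followed by the instructional text that a pedagogical-friction interface would display; the same `compliance()` output, collected from the later unguided task, is what the study's rule-compliance measure counts.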