For more than a decade, the nudge has been the dominant idea in applied behavioural science. Change the way a choice is presented, without removing options or paying anyone, and people make better decisions. Governments built units around it. Companies redesigned forms, defaults and prompts around it. Security awareness teams reached for it too, with nudges to report phishing attempts, choose stronger passwords, and pause before clicking.

Then the evidence caught up, and the picture got complicated. A run of recent analysis has asked an uncomfortable question. When you account properly for the way research gets published, is there much of a nudge effect left at all?

It is worth understanding what that research actually says, because the honest answer is more useful than either the obituary or the defence.

How we got here

The modern argument begins with a large 2022 meta-analysis by Mertens and colleagues. They pooled hundreds of nudge experiments and reached a confident headline: that choice architecture is an effective and broadly applicable way to change behaviour. For a field that had been accused of running on a thin evidence base, it looked like vindication.

The problem sat in the data underneath. Studies that find a positive result are more likely to get published than studies that find nothing. Run enough experiments and the published ones become a skewed sample, with the successes visible and the null results sitting in a drawer somewhere. The technical name is publication bias, and the Mertens analysis showed signs of it.

The authors corrected for what they judged to be a moderate bias, which reduced the average effect to about a third of a standard deviation. Still a real effect, in their reading. But a separate team led by Maier reanalysed the same data and reached a far sharper conclusion. They argued the bias was severe, not moderate, and that once you correct for it properly, no evidence for the effectiveness of nudges remains. Their sensitivity analysis suggested the true effect could be as low as a rounding error.

That is a striking thing to say about the most influential idea in the field. It set off an exchange that has run ever since.

Where the evidence sits now

The most recent attempt to settle this came at the end of 2025, in a second-order meta-analysis by Hu and colleagues. Rather than pool individual experiments again, they pooled the meta-analyses themselves, trying to synthesise a fractured literature. Their conclusion is the most honest summary available, and it pleases nobody completely.

Reanalyses of the classic findings, they note, repeatedly show severe publication bias, and once that is adjusted for the effects are much weaker than the early enthusiasm suggested. The default effect, long held up as the strongest nudge of all, looks considerably smaller under scrutiny. The authors stop short of declaring nudging dead. Instead, they point to the quality of the evidence itself, calling for higher-quality, preregistered work to establish the true impact.

So the state of play is not that nudges do nothing. It is that we do not yet have clean enough evidence to say with confidence how much they do, and the honest estimate is smaller and more variable than a decade of headlines implied.

There is a counterweight worth holding alongside this. When applied teams have looked at their own field trials, with access to both unpublished and published results, they have found real effects. One large analysis of government interventions across many policy areas, reaching millions of people, reported an average improvement of around 8 per cent in the outcomes that mattered, including both published and unpublished trials. That is not nothing. It is the difference between a tool that is oversold and a tool that is worthless, and those are very different verdicts.

So, is it the end?

No. But it is the end of something.

It is the end of the nudge as a magic wand. The idea that a clever tweak to a form or a prompt will reliably shift behaviour, cheaply and everywhere, does not survive contact with the corrected evidence. The effects are smaller than promised, they vary enormously by context, and a good share of the spectacular early findings were inflated by the studies that failed quietly, never reaching print.

What it is not is the end of the underlying truth. People are influenced by how choices are framed. Defaults matter. Friction matters. Social comparison matters. None of that has been disproven. What has been challenged is the confidence that any single technique will work, at a predictable size, wherever you point it.

The mature version of the idea is less exciting and far more useful. Some nudges work, in some contexts, for some behaviours, at sizes you have to measure rather than assume. The job is no longer to deploy nudges and trust the literature. It is to test whether a given intervention works in your setting, and to keep measuring whether the effect holds.

What this means for security behaviour

If you run a security awareness or behaviour change programme, this debate lands very close to home, because the field imported the nudge wholesale and rarely questioned it.

The first lesson is humility about borrowed interventions. A nudge that worked in a published pension study, or a health trial, may do little in your organisation under your conditions. Context decides. The instinct to copy a technique because it has a famous result behind it is exactly the instinct the corrected evidence warns against.

The second lesson is about your own evidence base. Security programmes suffer from the same publication bias in miniature. The interventions that seemed to work are discussed at conferences and documented in case studies. The ones that did nothing quietly disappear. If you only remember your successes, you will overestimate how well your own nudges work, precisely as the wider field did.
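The selection effect in that paragraph can be computed exactly. The following is an added example, not part of the original article: it assumes hypothetical pilots of 200 users per arm, a 10 per cent click rate in both arms (so the nudge truly does nothing), and a programme that only remembers pilots where the nudged arm clicked significantly less.

```python
from math import comb, sqrt

def binom_pmf(n, p):
    """Probability of each possible click count 0..n among n users."""
    return [comb(n, k) * p**k * (1 - p)**(n - k) for k in range(n + 1)]

def file_drawer(n=200, click_rate=0.10, z_crit=1.96):
    """Exact expectation over every outcome of a pilot whose nudge does nothing.

    Assumed setup (constructed, not from the article): control and nudged
    arms each have n users and the same true click rate, so the true
    reduction is zero. A pilot is 'remembered' only when a two-proportion
    z-test says the nudged arm clicked significantly less.
    Returns (mean reduction over all pilots, share of pilots remembered,
             mean reduction among remembered pilots).
    """
    pmf = binom_pmf(n, click_rate)
    all_mean = kept_prob = kept_sum = 0.0
    for c, pc in enumerate(pmf):        # clicks in the control arm
        for t, pt in enumerate(pmf):    # clicks in the nudged arm
            weight = pc * pt            # probability of this exact outcome
            diff = (c - t) / n          # observed reduction in click rate
            all_mean += weight * diff
            pooled = (c + t) / (2 * n)
            se = sqrt(2 * pooled * (1 - pooled) / n)
            if se > 0 and diff / se > z_crit:
                kept_prob += weight
                kept_sum += weight * diff
    return all_mean, kept_prob, kept_sum / kept_prob

if __name__ == "__main__":
    overall, share, remembered = file_drawer()
    print(f"mean reduction, all pilots:        {overall:+.4f}")
    print(f"share of pilots remembered:        {share:.3f}")
    print(f"mean reduction, remembered pilots: {remembered:+.4f}")
```

Across all pilots the average reduction is zero, yet the few that pass the filter show a reduction of several percentage points, which is the figure that would end up in the case study.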

The third lesson is the one that matters most, and it is not really about nudging at all. The reason the field ended up here is that it counted outputs and trusted the literature instead of measuring outcomes in context. The correction was forced by people who took measurement seriously, who asked what the effect really was once you accounted for everything you could not immediately see.

That is the same correction security behaviour needs. Stop assuming an intervention worked because it was delivered. Stop trusting that a technique transfers because it has a citation. Measure the behaviour itself, in your environment, over time, and let the measurement tell you what is real. A nudge that genuinely reduces risky clicks in your organisation is worth keeping. A nudge that you assume is working because the literature said so, but never measured locally, is a liability dressed as good practice.
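One way to measure a nudge locally and keep checking that it holds, as an added example that is not part of the original article: it assumes users were randomly assigned to a nudged group or a holdout control, and the monthly phishing-simulation counts are constructed sample data.

```python
from math import sqrt

def click_reduction(control_clicks, control_n, nudged_clicks, nudged_n, z=1.96):
    """Reduction in click rate (control minus nudged) with a 95% Wald interval."""
    pc = control_clicks / control_n
    pn = nudged_clicks / nudged_n
    se = sqrt(pc * (1 - pc) / control_n + pn * (1 - pn) / nudged_n)
    diff = pc - pn
    return diff, diff - z * se, diff + z * se

def verdict(low, high):
    """Only claim an effect when the whole interval sits on one side of zero."""
    if low > 0:
        return "reduction"
    if high < 0:
        return "increase"
    return "no detectable effect"

# Constructed sample data, assuming random assignment to the two groups:
# (month after rollout, control clicks, control users, nudged clicks, nudged users)
SIMULATIONS = [
    (1, 120, 1000, 80, 1000),
    (3, 118, 1000, 100, 1000),
    (6, 121, 1000, 119, 1000),
]

def track(rows):
    """Re-measure at every checkpoint instead of trusting the first result."""
    report = []
    for month, cc, cn, nc, nn in rows:
        diff, low, high = click_reduction(cc, cn, nc, nn)
        report.append((month, round(diff, 3), verdict(low, high)))
    return report

if __name__ == "__main__":
    for month, diff, label in track(SIMULATIONS):
        print(f"month {month}: reduction {diff:+.3f} -> {label}")
```

In this constructed series the nudge shows a measurable reduction in month 1 and nothing distinguishable from zero by months 3 and 6, which a single post-launch measurement would never reveal.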

The honest conclusion

The nudge is not dead. The overclaim is. What survives is a more careful idea, that behaviour can be shaped, that the effects are real but modest and conditional, and that the only way to know whether yours is working is to measure it properly rather than borrow someone else's confidence.

For security, where the behaviours you care about have to hold up under real pressure long after a campaign ends, that is not a loss. It is the discipline the field needed all along.


Hu, B., Xia, Z., Guo, Q., Lu, C., Constantino, S. M., & Ju, X. (2025). Assessing nudge impact: A comprehensive second-order meta-analysis. Journal of Behavioral Decision Making, 38(5), Article e70053. https://doi.org/10.1002/bdm.70053

Maier, M., Bartoš, F., Stanley, T. D., Shanks, D. R., Harris, A. J. L., & Wagenmakers, E.-J. (2022). No evidence for nudging after adjusting for publication bias. Proceedings of the National Academy of Sciences, 119(31), Article e2200300119. https://doi.org/10.1073/pnas.2200300119

Mertens, S., Herberz, M., Hahnel, U. J. J., & Brosch, T. (2022). The effectiveness of nudging: A meta-analysis of choice architecture interventions across behavioral domains. Proceedings of the National Academy of Sciences, 119(1), Article e2107346118. https://doi.org/10.1073/pnas.2107346118