Publications

As a part of its Better Regulation agenda, the European Commission increasingly stresses the link between different types of regulatory evaluations. Predictions made by Impact Assessments (IAs) could be verified during ex–post legislative evaluations, while ex–post evaluations in turn could recommend amendments to be studied in future IAs. This article combines a dataset of 309 ex–post legislative evaluations (2000-2014) and a dataset of 225 IAs of legislative updates (2003-2014) to show how many ex–post evaluations of the Commission use IAs and vice versa. This way, it explores if the Commission's rhetoric of a ‘regulatory cycle’ holds up in practice. Building on the literature of evaluation use, we formulate the hypotheses that the timeliness, quality and focus of the IAs and evaluations are key explanations for use. Our results show that so far only ten ex–post evaluations have used IAs of EU legislation, while thirty three IAs have used ex–post legislative evaluations. Using Fuzzy set Qualitative Comparative Analysis, we find that timeliness is a necessary condition of the use of ex–post evaluations by IAs, suggesting that for the regulatory cycle to function properly, it is crucial to complete an ex–post evaluation before an IA is launched. Future research could repeat our analysis for evaluations of non–regulatory activities or study the causal mechanisms behind our findings.

Background Increasing safety and security online can help boost the opportunities for people and businesses to trade, innovate and interact in digital markets. The level of online security is affected by technical factors, natural events and human behaviour. This study contributes to policy initiatives aimed at getting consumers to increase their online security. It tests several warning messages, based on behavioural insights, which could persuade consumers to behave more securely while online, thus diminishing their chances of suffering a cyber-attack. Methods A lab experiment was conducted in Spain (n=600). Participants had to make some online shopping decisions, and were assigned a quantity of money. An additional variable incentive depended on how secure their behaviour was during the purchasing process. Five security behaviours were observed: choosing a safe connection, providing less information during the sign-up process, choosing a strong password, choosing a trusted vendor, and logging-out. Each decision could increase their chances of suffering a cyber-attack at the end of the experiment and losing part of their variable incentive. Other factors that could affect secure behaviour were measured through a pre-purchase and a post-purchase questionnaire. Findings Results show that long security messages and messages accompanied by a male anthropomorphic character led consumers to disclose less personal information when signing up to an e-commerce website. A loss-framed message made subjects more likely to choose a trusted vendor and to log out of a website after completing a purchase. It also made them behave more securely when security behaviour is treated as a composite indicator built on three behavioural measures (using trusted vendors, using secure passwords and logging out). None of the treatments was effective in making subjects choose a safe connection, or a stronger password. Conclusions The design of security messages has an effect on security behaviour. The policy implications are that security awareness messages should be designed based on behavioural insights and be piloted before implementation. The lack of effect of the security messages on choosing a stronger password should be further examined. This result may be related to consumers lacking information on what a strong password is, or lacking knowledge that could help them to relate stronger passwords with more secure behaviour online.