CybSafe’s CEO and founder Oz Alashe unpacks why your colleagues keep missing the point on behavioral risk – and what to do about it
A dribble of coffee on your clean shirt. The cable that stops charging your phone the moment you look away. That desk drawer that sticks. Every. Single. Time.
Those are minor irritations most of us are, unfortunately, familiar with. But that’s nothing compared to the incessant ads, notifications, and alerts that have become a part of our daily lives, contributing to stress, fatigue, and burnout.
With all the hype around cybersecurity nudges, or, ‘behavior nudges’—messages, notifications, and prompts designed to influence specific security behaviors—you’d be excused for getting a little carried away once you get started with them.
But, if you’re not careful, behavior nudges—whether they’re encouraging your people to complete their security awareness training, or getting James to think twice about opening a suspicious attachment—can become part of the problem.
And we all know what happens when people get overwhelmed. They tend to ignore stuff. Even the important stuff. Like your behavior nudges. Or just cybersecurity in general.
So, how do you make sure your behavior nudges don’t just become (more) digital noise?
Just like Superman, the perfect nudge appears at the moment it’s needed most. It summons up our best selves, and lets that version of us make the best security decision.
In other words, nudges are the real deal. But making the most of them doesn’t mean sending them out every hour. Here’s how to use behavior nudges to help people make better security decisions, while staying in their good graces:
It’s the end of the day, and Daniel’s prepping for his last client meeting when he gets a cybersecurity message. He’s proud of his cybersecurity knowledge and likes to act quickly, but the message is so long-winded that he can’t figure out what it’s getting at before his meeting.
Flustered, he makes a mental note to read through the message later. But by the time his meeting is over, he’s forgotten all about it.
Reduce the mental burden on people. Your messages should be short and to the point, so everyone knows exactly what they need to do at a glance.
The end of the month is a busy time for Finance. So reminding people to do a security awareness refresher test on the 28th will likely go ignored, and could spark feelings of irritation and inadequacy.
And it only gets worse if you’re sending too many behavior nudges. When there’s too much going on, dismissing notifications becomes second nature. Even before they’ve been read.
Map out the peaks and troughs of workload for the different teams in your organization. Then schedule your nudges accordingly.
Selma’s a great graphic designer, but she’s still learning the ropes when it comes to cybersecurity. Her three most recent notifications can be summarized as:
Selma’s starting to feel a little like cybersecurity is a minefield, and she’ll never get to the other side.
Studies show positive language instills a positive mindset and even boosts overall well-being. So, instead of the don’ts and threats, opt for language like:
Ali knows he shouldn’t click on suspicious links in emails, but he can’t remember what to look out for—at least not all of it.
Offer additional support and resources. People can’t do something if they don’t know how to do it. Fill in knowledge gaps with on-demand support.
The past five cybersecurity notifications Steve’s received have all been irrelevant to him. They’re either about the training he’s already completed, or they’re about software he doesn't have.
By the time a behavior nudge comes in that’s actually relevant to him, Steve will probably be over it.
Not everyone needs every behavior nudge sent to them. Using ‘smart’ nudges to target only the people or user groups that need the nudge makes people more likely to pay attention.
Brenda’s at a conference, putting the finishing touches on her presentation. She gets a reminder to activate her VPN before connecting to the hotel Wi-Fi, and to watch out for shoulder surfing.
She decides not to bother. Her laptop has antivirus, doesn’t it? Besides, it’s a professional event; who would want to hack her here? It’s hardly like being in a random coffee shop.
If Brenda had a better understanding of the personal and organizational risks and consequences of a breach, she would probably take cybersecurity more seriously.
Reinforcing the importance of the security behaviors you’re asking people to do makes them understand the value of their actions.