Nudge science: The behavioral research behind cybersecurity nudges
Fact: The human brain is optimized for efficiency. We make unconscious decisions based on instinct and intuition to get sh*t done.
But that leaves a lot of room for error and bias. Two things that can open people and organizations up to cyberattacks.
It’s fascinating. And terrifying. But a powerful intervention has emerged: Behavior nudges. If you’re a security awareness and culture professional, you NEED to get onboard with nudges. They’re a great tool for anyone creating a company culture for security transformation.
So, what exactly is a nudge, where did the concept come from, and what’s the behavioral science behind it? Fear not; we’ll get you up to speed. But if you’re interested in a deep-dive, then our free nudges webinar is where it’s at.
What is a cybersecurity nudge?
Nudges are security notifications, messages, and prompts designed to influence specific security behaviors. They steer people toward the right security decision—when it matters most.
A nudge could be a prompt at the end of the working day to install a software update. Or it could be a reminder to complete the latest security awareness training module. It’s personalized. It’s relevant. It gets people to do the right thing, at the right time.
Emails vs nudges
“And why can’t I just do the same thing, but with email?” You ask.
Well, that’s a great question. Here’s the answer: Email isn’t the most effective way to communicate with your people.
With newsletters, special offers, and dozens of unread messages all competing for your people’s attention, cyber notifications are at risk of falling through the cracks.
Besides, sending people security information via email is like showing people the map months before a trip, and expecting them to remember all the directions while they’re driving. People will probably have an idea of where they’re supposed to go, but they probably won’t remember the details.
A security nudge is like sat nav. It tells people when to turn—when to take action—when it matters most. And the best part? People are already pretty receptive to nudges, so adopting them in your organization wouldn’t be a leap.
How nudging works: The science of it all
What’s behind human decision-making?
Our brains have two gears. And yes, that does make it sound like human behavior is simpler than it is.
They’re (very creatively) named System 1 and System 2. They are pivotal to nudge theory, so here’s what you need to know:
System 1 (Han Solo)
People rely on intuition and instinct to make quick, unconscious decisions. It allows us to juggle our day-to-day tasks. And—like we mentioned earlier—get sh*t done.
But using System 1 means we take some mental shortcuts. We make less rational decisions. And more mistakes.
System 2 (Yoda)
We tend to reserve this for complex decisions. We stop and carefully process information, and make more rational decisions.
Unfortunately, we only spend about 5% of our time in rational mode. Yikes!
What do System 1 and System 2 thinking have to do with cybersecurity?
The busier people are, the more likely they are to stick to System 1. We want them to make more secure, rational decisions—like checking an email for signs of phishing before hitting “reply”, or acting on their security notification emails.
In other words, we want people to do more System 2 thinking.
How do we do that?
Two behavioral scientists, Cass Sunstein and Richard Thaler, popularized nudge theory in the olden days (okay, it was 2008), coining the term “nudge”. They believed that by understanding the complexities of human decision-making, it was possible to guide, or “nudge”, a person toward a better decision, i.e. behavior change.
If our brain is a moving vehicle, then nudges are speed bumps. Effective nudging makes people slow down and navigate the road ahead a little more carefully.
Why people need security nudges
Every day, people face more complicated security decisions. And more limited mental resources. Which tends to translate to cybersecurity fatigue.
And boy, do criminals know how to take advantage of that.
This is something Sunstein and Thaler were all too aware of. Retaining and recalling the finer points isn’t people’s strong suit. It’s not laziness or unwillingness. It’s just how we’re wired.
Enter nudge theory.
A nudge security system makes it safer to be, well, human. It takes some of the mental load off, and makes people give things a second thought.
Examples of nudging in the workplace
So, what are some examples of security nudges, then? We’ve split these behavioral interventions into four categories, and they all help effect change and help people make the better choice.
1. Comparison
These nudges encourage people to take an action that’s in their best interests and aligns with their goals. They draw attention to an option that might not be front of mind. They make the choice feel easier and more natural.
Example: “It takes longer to make a cup of coffee than it does to complete a CybSafe module.”
2. Emotion
We’re emotional creatures, and feelings have a strong effect on our choices. Cybersecurity notifications that elicit emotions, like compassion or excitement, will have more of an impact and make the message more memorable. Making people more likely to act on the suggestion.
Example: “CybSafe modules aren’t all about work, they’re tips for home and protecting your family too.”
3. Social
Like it or not, we’re social beings and pay attention to what others are doing. Because back in the day that could mean the difference between survival and [slitting throat gesture]. It’s the same reason we’re drawn to conforming to norms, public policy, and what’s expected of us. Nudges can harness social comparisons to encourage people to comply.
Example: “Your team members increased their online resilience score by completing their CybSafe goals. Have you?”
4. Risk
If we’re reminded of a risk, we’re more likely to act to avoid it. Reminding people of the consequences encourages them to choose carefully.
Example: “You know how to report a crime, but what about a suspicious email?”
Your next steps
You can’t be everywhere at once, sitting on someone’s shoulder like a little security angel, telling them what to do every time they move their mouse.
But now you have some insights into how valuable a strong nudge culture can be for cybersecurity. And that’s a great start.
To take things further and influence people to do what you need them to do, CybSafe’s Security Nudge Taxonomy is where it’s at.
It’s a groundbreaking new database that uses behavioral science-based mechanisms to cut through cognitive biases and barriers to security behaviors. So you can influence people to do what you need them to do.
To learn more about effective nudging, nudge science, and how to use the Security Nudge Taxonomy