by ThinkCyber | Reading time: 7 minutes
What would it be like to be ‘there’, right when you were needed, to offer a tap on the shoulder and steer your colleagues in the right direction when they were about to do something risky? Click a link, plug in a USB, upload a file, or give away their credentials?
This takes nudge theory to its logical conclusion – timely, in the moment, and even measurable.
But before we get to that, let’s start at the beginning and answer questions like:
Nudge theory came to prominence with the publication of “Nudge” by Richard H. Thaler and Cass R. Sunstein, with a focus on behavioural economics. They focused on the idea of “soft, paternalistic nudges”, essentially helping people make decisions that are in their best interests and without limiting their choices.
Traditional approaches to changing behaviour have tended to focus on ‘forcing people’. This can be quite direct and might require a determined effort on the part of the target to change their actions. We see this a lot in the world of cyber security, often using fear as a motivating factor. Done badly it can result in resistance or people simply giving up.
The alternative tactic using nudges takes a gentler approach, wherein individuals more naturally go with the flow and make “the right” decisions on their own.
Some examples of this could be:
The context in which choices are made greatly influences decisions. Choice Architecture is the idea of configuring that context, “architecting it” such that it influences choices in the right way. It’s important to remember that this architecture exists and will influence decisions whether it is “architected” or not!
Furthermore, the cognitive biases, shortcuts, and heuristics our brains use will influence those decisions. Understanding how the environment interacts with those biases will help us understand how to steer people to make the best choices. Let’s think about some examples of choice architecture in real life.
There’s always going to be a shelf next to the till and there’s always going to be something on that shelf. The channel is already there but we can choose what goes on top of it to “architect” the choice.
If supermarkets put confectionery by the till, then they will steer people towards unhealthy choices. If they put water, vegetables, and fruit, then they will steer towards a healthier choice.
Good nudges draw on an understanding of cognitive biases and behavioural science to “tune” messages to offer the most impact on behaviour. This can be about wording but also context and timeliness.
Several models exist that can offer a good starting point for thinking about how to apply nudges. The MINDSPACE acronym was an initial model created by the UK government’s Nudge Unit or Behavioural Insights Team (originally part of the Cabinet Office). For example, thinking about M for Messenger, we are heavily influenced by who communicates information, or P for Priming, our acts are often influenced by subconscious cues.
This same team simplified things in their EAST model, suggesting that a good nudge would be towards a behaviour that was easy to do; was attractive – people wanted to do it; was social – other people were doing it; and the nudge itself was timely and relevant.
Here we can see that in designing nudges we can go beyond simply tuning the message and also think about how we tune the environment so that the required behaviour is easy and the message is delivered in a timely manner.
Whilst it is true to say we can apply nudge theory to tune the wording of any communications, the above models start to highlight the fundamental importance of timeliness and relevance. So, a message in Slack or Teams or email is fine – if it is relevant to a risk or behaviour in that tool. If it isn’t, then it might fail the timely and relevant test and simply be a new way to nag staff!
As an industry, we've been trying to solve the problem of insecure behaviours without considering how people really learn and behave. For example, e-learning / PowerPoint presentations delivered to our staff once a year are simply not timely, ignore context and rarely make things easy! Newer tools like Phishing Simulations or those looking at behaviours in the SIEM are also untimely in that they come too late, risking being seen to punish people after the fact with training.
What would the sweet spot be? Well, it’s in context: timely, in the moment the behaviour is happening. Something we’ve explored more in a recent blog.
But this is where nudge-based approaches have the potential to be really impactful, going beyond simple use of language by drawing on context and timeliness to embed behaviours.
So what does it look like to apply all of this to security awareness? Going deeper into examples of good nudges, the MINDSPACE model, other Behavioural Models and In-the-moment nudges? How might you run a campaign to steer behaviours? What would a nudge look like? How would you deliver it? What would the potential impact of a nudge approach be?