Security Awareness News | ThinkCyber

Mastering Timely Interventions and Nudge Theory | ThinkCyber

Written by ThinkCyber | 31-Oct-2024 11:08:42
 
 

Introduction

Timing is key for delivering any kind of security comms messages to your team. In the fast-moving world of cybersecurity, our ability to make quick, instinctual decisions can be both an asset and a vulnerability. The critical moment when a person shifts from autopilot (what psychologist Daniel Kahneman calls "System 1 thinking") to conscious, deliberate decision-making ("System 2 thinking") is essential to security awareness and behaviour.

Equally, well-timed interventions, or "nudges," can harness this transition to make people pause and think, helping them recognise potential security risks. By delivering the right message in the right context, organisations can foster a more mindful approach to security, reducing risky behaviours before they happen.

In our final blog, we’ll explore how nudge theory and consistent, friendly communication can create a proactive security culture that supports individuals and teams in protecting themselves and the organisation.

 

Timing and System 1 and 2 Thinking

When delivered in the moment, a message can be directly contextualised by the user, meaning that they understand that the security message that is being delivered to them relates to the situation they are currently in. This is important when taking into consideration that there are two modes of cognitive processing known as System 1 and System 2 thinking which can have a huge impact on people’s actions and behaviours.

In his book, Thinking Fast and Slow, psychologist and author, Daniel Kahneman, explains how System 1 thinking is when an individual’s brain is on autopilot and is functioning with little to no effort (automatic behaviour), helping them to make quick decisions and judgements based on their own experiences. Whereas, when in System 2 people are more intentional (reflective behaviour) in their actions.

For example:

System 1 thinking: Imagine you're walking into a secure office building where you always use your ID badge to scan in. As you've done this many times, you automatically reach for your badge and scan it without consciously thinking about the process. All around you, people are doing the same. Your brain is in autopilot mode, making quick decisions based on past experience.

System 2 thinking: Now, imagine as you're about to scan your badge, and you see a poster next to the gate displaying a security message reminding you to check for people trying to tailgate in behind you as you scan your badge. This gentle nudge, which has restructured the environment that you usually operate in, interrupts your autopilot mode, prompting you to pause and think more carefully about your situation. Before proceeding, you take a moment to look over your shoulder to check that no one is behind you. Here, your brain has shifted to more deliberate, intentional processing.

Therefore, if a person’s “flow” is gently interrupted with a behavioural prompt just before they are about to act, their brain will likely switch from System 1 thinking to System 2 thinking, where they are more likely to think about their actions. This switch from automatic to reflective thinking can be crucial in a security context, as cyber criminals rely on manipulating that moment where you’re on autopilot to slip past your defences, where they’d otherwise be caught if you were consciously thinking about the risky situation. Moreover, gentle nudges can directly stimulate the creation of habits by steadily providing the required guidance at the right time; thereby embedding and reinforcing good behaviour.

Exploring Nudge Theory

Collectively, the idea of timely interventions aligns with the idea of Nudge Theory. Introduced and developed by economist Richard Thaler in 2008, the theory explores how “nudging” people can help them make decisions and do things that work in their best interest. It suggests that by placing small, practical stimuli or “nudges” can help guide a person towards the decision that benefits them in the long term.

Subtle nudges just the behaviours occur are far more effective than stepping in after a risky event has taken place, particularly in the world of awareness security comms. This proactive approach helps to create a more positive security programme. As in doing so, you can offer support your team members before an incident occurs, rather than punishing them afterwards.

However, it is important for the language and tone of the nudges are friendly to make sure that the message is well received by the user. In-context nudges can also help maintain ongoing security awareness within teams and can help to improve individuals' existing knowledge of security threats. In fact, a recent survey we conducted revealed that 70% of respondents preferred to keep their security knowledge fresh, and “little and often” works for them when asked their preferred method for receiving security awareness training.

 

Time to Try it Yourself!

Take a moment to evaluate your existing security comms strategy. Incorporating nudge theory and the psychology of System 1 and System 2 thinking into your security communications can empower your team to make smarter, safer decisions when it matters most. By delivering timely, friendly nudges, you can guide people from autopilot into a more mindful, proactive approach to security that strengthens overall resilience. This not only reduces risky behaviours but also fosters a positive security culture where team members feel supported and informed, rather than reprimanded. A small, well-placed nudge could make all the difference in protecting your organisation from emerging threats. Now is the time to implement these strategies and see the impact for yourself.

That concludes our Cyber Security Awareness Month blog series, but the learning doesn't have to stop here. Download our free eBook 'Maximizing Impact with Nudge Theory Boosting Engagement and Behaviour Change' for more insights into the wonderful world of behavioural science and cyber security.