Picture this: your colleague’s about to click a link that you know is dodgy. You see it happening from the corner of your eye and intervene just before it’s too late, ready to offer a timely tap on the shoulder and guide them away from the risky action. Now imagine this happening every time they go to plug in a questionable USB stick, upload a sensitive file, or inadvertently reveal their credentials. Whilst it’s almost impossible for humans to catch these risky behaviors in the act every time, this scenario takes nudge theory to its ultimate application—immediate, in-the-moment guidance that is even measurable.
But before diving into these real-time interventions, let’s start at the beginning by addressing some fundamental questions:
- What is nudge theory?
- What is choice architecture?
- What constitutes a nudge and what does not?
- How to begin using nudges?
- What are the targets for implementing nudges?
Nudge Theory and Choice Architecture
Nudge theory gained widespread recognition with the release of “Nudge” by Richard H. Thaler and Cass R. Sunstein, focusing on behavioral economics. They introduced the concept of “soft, paternalistic nudges,” which aim to help people make beneficial decisions without restricting their choices.
Traditional methods of influencing behavior often involve ‘forcing people,’ which can be direct and require significant effort from individuals to change their actions. This approach is common in cybersecurity, where fear is often used as a motivator. However, poorly executed attempts can lead to resistance or disengagement.
In contrast, nudging employs a gentler strategy, allowing individuals to naturally make the right choices. Consider these examples:
When asking children to tidy their room, a directive approach would be instructing them, whereas a nudge might involve turning it into a game.
Signs that say “no littering” take a forceful approach, but simply providing and highlighting bins is a more nudge-based strategy.
In the context of healthy eating, counting calories and deliberately reducing portions can be a forcing approach that demands considerable effort, while using smaller plates serves as a nudge to encourage the behavior.
The Role of Choice Architecture
In a later edition of “Nudge,” Thaler and Sunstein emphasized the concept of Choice Architecture. They explained that all choices occur within a context, and that context greatly influences the decisions made. Choice Architecture involves designing this context in a way that steers choices in the desired direction. The authors point out that such an architecture always exists and will influence decisions, whether it is intentionally designed or not.
Moreover, our cognitive biases, shortcuts, and heuristics shape our decisions. By understanding the interaction between the environment and these biases, we can better guide people toward optimal choices.
Decision-making and Cognitive Biases
To grasp this concept, we need to consider how we make decisions. While we like to believe that our decisions are deliberate and well-considered, only about 5% of them actually are. Around 95% of our daily decisions are made more automatically. In these instances, the brain manages information overload by relying on shortcuts. Here are some real-life examples of choice architecture:
At a supermarket checkout, there will always be a shelf. The choice of what to place on it is an example of “architecting” the choice. Placing confectionery at the checkout promotes unhealthy choices, while placing water, vegetables, and fruit promotes healthier decisions.
Numerous studies on nudging have been conducted in school cafeterias, focusing on guiding children towards healthier choices. Researchers discovered that simple strategies, such as making fruits and vegetables more appealing with creative names or placing them at eye level for convenience, positively influenced children’s choices. Additionally, normalizing the choice by having servers ask, “Would you like to try this?” also proved effective.
Effective Nudges and Behavioral Models
Effective nudges leverage an understanding of cognitive biases and behavioral science to craft messages with maximum impact. This involves not just wording but also context and timing. Several models can help conceptualize how to apply nudges. The MINDSPACE acronym, developed by the UK government’s Nudge Unit or Behavioral Insights Team, offers a framework. For the most straightforward applications of nudging, we focus on tweaking and refining messages we already send. If we’re already communicating with our organization about security awareness, we should consider how to make those messages as effective as possible. Each letter in MINDSPACE represents a key element to consider for enhancing the impact of a nudge. For instance, M for Messenger emphasizes the influence of the information source, and P for Priming highlights the impact of subconscious cues.
A simpler alternative to MINDSPACE, developed by the Behavioural Insights Team, is the EAST model. This model highlights the key characteristics of an effective nudge by suggesting that effective nudges target behaviors that are easy to perform, attractive, social, and timely.
Designing nudges goes beyond merely fine-tuning messages; it involves creating environments where desired behaviors are effortless, and messages are delivered at the right time. While nudge theory can refine communication wording, models like MINDSPACE and EAST underscore the critical role of timeliness and relevance. Messages in Slack, Teams, or emails are effective only if they address relevant risks or behaviors in those platforms. If not, they fail the timeliness and relevance test and may just come across as nagging.
Challenges with Traditional Approaches to Cybersecurity Training
In the cybersecurity field, traditional methods often overlook how people learn and behave. Annual e-learning or PowerPoint presentations are untimely, lack context, and rarely facilitate ease of understanding. In fact, recent research revealed that 60% of cybersecurity professionals only receive training once a year (or even less frequently!) Given that cyber threats are constantly evolving, this sort of “snapshot” training doesn’t go far enough to help keep your people up to date on the latest cybersecurity threats. Tools like phishing simulations or SIEM-based behavioral analyses that follow up with training also fall short as they often come too late and may be perceived as punitive.
Use Nudge Theory for More Effective Training
The ideal solution lies in timely, context-aware interventions, delivered at the moment the behavior occurs. Nudge-based approaches hold significant potential for enhancing security awareness by leveraging context and timeliness to embed desired behaviors. What does applying this to security awareness training look like?
- Make it Timely – Annual or even quarterly awareness efforts are insufficiently timely. Instead, we should consider drip-feeding content more frequently throughout the year, ensuring it is an ongoing effort. Additionally, making the content topical can leverage the availability heuristic; linking it to current news or making it personal by referring to individuals’ personal lives and security can make it more impactful.
- Make it contextual – Providing nudges with pragmatic advice, at the moment of greatest risk, really helps people understand the impact their actions may have and make the safer choice.
- Make your awareness easily accessible and user-friendly – Keep it quick and simple to understand, offering advice that is easy to follow and actionable.
- Motivate People – Assist people with threat assessment by setting it in a personal context, which we found to be highly effective. Since we care deeply about protecting ourselves and our families, we are more likely to pay attention. Incorporating real examples, stories, and curiosity can significantly enhance the saliency and relevance.
People don’t always make rational decisions! Nudge theory explains that our brains often take shortcuts, influenced by cognitive biases and context. Our goal is to leverage this tendency to guide people towards actions that are in their best interest. Nudging involves designing the choice environment, recognizing that there will always be a choice architecture. Therefore, we should “architect it” to achieve the most positive outcomes.
By examining examples of effective nudges, the MINDSPACE model, other behavioral frameworks, and in-the-moment nudges, we can explore how to run campaigns to steer behaviors, what effective nudges look like, how to deliver them, and their potential impact.
About the Author
Tim Ward is CEO and Co-Founder of Think Cyber Security Ltd. Tim has worked in IT for over 25 years with organisations including Logica, PA Consulting, Sepura and was previously Global Head of IT for the cyber division of BAE Systems (Detica).
Tim can be reached online at https://www.linkedin.com/in/tim-ward-cyber/ and at our company website https://thinkcyber.co.uk/