How to make sure your behavior nudges aren’t doing more harm than good
A dribble of coffee on your clean shirt. The cable that stops charging your phone the moment you look away. That desk drawer that sticks. Every. Single. Time.
Those are minor irritations most of us are, unfortunately, familiar with. But that’s nothing compared to the incessant ads, notifications, and alerts that have become a part of our daily lives, contributing to stress, fatigue, and burnout.
With all the hype around cybersecurity nudges, or, ‘behavior nudges’—messages, notifications, and prompts designed to influence specific security behaviors—you’d be excused for getting a little carried away once you get started with them.
But, if you’re not careful, behavior nudges—whether they’re encouraging your people to complete their security awareness training, or getting James to think twice about opening a suspicious attachment—can become part of the problem.
And we all know what happens when people get overwhelmed. They tend to ignore stuff. Even the important stuff. Like your behavior nudges. Or just cybersecurity in general.
So, how do you make sure your behavior nudges don’t just become (more) digital noise?
Six ways to avoid pushing people over the edge with your behavior nudges
Just like Superman, the perfect nudge appears at the moment it’s needed most. It summons up our best selves, and lets that version of us make the best security decision.
In other words, nudges are the real deal. But making the most of them doesn’t mean sending them out every hour. Here’s how to use behavior nudges to help people make better security decisions, while staying in their good graces:
1. Keep it concise
It’s the end of the day, and Daniel’s prepping for his last client meeting when he gets a cybersecurity message. He’s proud of his cybersecurity knowledge and likes to act quickly, but the message is so long-winded that he can’t figure out what it’s getting at before his meeting.
Flustered, he makes a mental note to read through the message later. But by the time his meeting is over, he’s forgotten all about it.
Reduce the mental burden on people. Your messages should be short and to the point, so everyone knows exactly what they need to do at a glance.
2. Timing is everything
Month end is a busy time for Finance. So reminding people to do a security awareness refresher test on the 28th will likely go ignored, and could spark feelings of irritation and inadequacy.
And it only gets worse if you’re sending too many behavior nudges. When there’s too much going on, dismissing notifications becomes second nature. Even before they’ve been read.
Map out the peaks and troughs of workload for the different teams in your organization. Then schedule your nudges accordingly.
3. Use positive language
Selma’s a great graphic designer, but she’s still learning the ropes when it comes to cybersecurity. Her three most recent notifications can be summarized as:
- “Don’t do X.”
- “You haven’t completed Z.”
- “Never do this or else [punishment].”
Selma’s starting to feel a little like cybersecurity is a minefield, and she’ll never get to the other side.
Studies show positive language instills a positive mindset and even boosts overall well-being. So, instead of the don’ts and threats, opt for language like:
- “Your next module is ready. Got 10 minutes?”
- “Smash that ‘enable auto-updates’ button like you’re smashing all your targets!”
- “#PIZZAdiamondsCHAMPAGNE! Passwords are soooo 2010s. Swap your password for a passphrase.”
4. Be more supportive
Ali knows he shouldn’t click on suspicious links in emails, but he can’t remember what to look out for—at least not all of it.
Offer additional support and resources. People can’t do something if they don’t know how to do it. Fill in knowledge gaps with on-demand support.
5. Use smart nudges
The past five cybersecurity notifications Steve’s received have all been irrelevant to him. They’re either about the training he’s already completed, or they’re about software he doesn’t have.
By the time a behavior nudge comes in that’s actually relevant to him, Steve will probably be over it.
Not everyone needs every behavior nudge sent to them. Using ‘smart’ nudges to target only the people or user groups that need the nudge makes people more likely to pay attention.
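One way to put the targeting rule above and the scheduling rule from section 2 into practice is a small triage step in front of the nudge sender: drop nudges that are irrelevant to the recipient, hold nudges back during a team’s busy period, and cap how many a person gets per week. This is an added illustration, not the article’s own tooling; the user records, team blackout windows and weekly cap are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample directory: names, teams, completed modules and installed
# software are made up for this example.
USERS = {
    "steve": {"team": "Engineering", "completed": {"phishing-101"}, "software": {"slack", "vscode"}},
    "anna":  {"team": "Finance",     "completed": set(),             "software": {"excel"}},
}

# Assumed busy periods per team as inclusive day-of-month ranges; nudges are held
# back while a team is inside one of its windows (Finance: month end and month start).
BLACKOUTS = {"Finance": [(25, 31), (1, 3)]}

# Assumed cap on nudges a single person receives in any rolling 7-day window.
MAX_PER_WEEK = 2


def is_blackout(team, day):
    """True if `day` falls inside one of the team's busy windows."""
    return any(lo <= day.day <= hi for lo, hi in BLACKOUTS.get(team, []))


def next_window(team, day):
    """First day on or after `day` that is outside the team's busy windows."""
    while is_blackout(team, day):
        day += timedelta(days=1)
    return day


def decide(nudge, user, today, sent_log):
    """Triage one nudge for one user.

    nudge: dict with optional 'module' (training id) or 'software' (product name).
    sent_log: dates on which this user already received a nudge.
    Returns ('drop', reason), ('defer', date) or ('send', date).
    """
    # Section 5: skip nudges that cannot apply to this person.
    if nudge.get("module") in user["completed"]:
        return ("drop", "training already completed")
    if nudge.get("software") and nudge["software"] not in user["software"]:
        return ("drop", "software not installed")
    # Volume cap: too many recent nudges means this one waits a week.
    recent = [d for d in sent_log if today - d < timedelta(days=7)]
    if len(recent) >= MAX_PER_WEEK:
        return ("defer", next_window(user["team"], today + timedelta(days=7)))
    # Section 2: respect the team's busy period.
    if is_blackout(user["team"], today):
        return ("defer", next_window(user["team"], today))
    return ("send", today)
```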
6. Answer the ‘why’
Brenda’s at a conference, putting the finishing touches on her presentation. She gets a reminder to activate her VPN before connecting to the hotel Wi-Fi, and to watch out for shoulder surfing.
She decides not to bother. Her laptop has antivirus, doesn’t it? Besides, it’s a professional event, who would want to hack her here? It’s hardly like being in a random coffee shop.
If Brenda had a better understanding of the personal and organizational risks and consequences of a breach, she would probably take cybersecurity more seriously.
Reinforcing the importance of the security behaviors you’re asking people to do helps them understand the value of their actions.