Nudge security doesn’t work … when you miss these 3 things
Somewhere in downtown New York in the United States, young window-cleaning recruits are going through safety training.
“Wear a safety harness at all times,” their supervisor tells them, as she demonstrates how to put it on before slipping into a rather lengthy monologue about the importance of, you know, not falling to their deaths.
So, the recruits know the theory, they’ve put it into practice, and they understand the risks. In other words, they know what to do, how to do it, and why they should do it.
But the supervisor knows people make mistakes. She’s seen it before. And she doesn’t want to see it again. Which is why she makes every recruit go through a ‘harness checkpoint’ right before they step onto the scaffolding.
It’s nothing special. Just a red stop sign and the words “We don’t have a safety net” in large bold letters. It’s a minor intervention, but in her experience, that security control is enough to get her employees to pause, think twice, and give their harness another tug.
Pretty straightforward, right?
Generally, human behavior is quite open to nudges, and there are plenty of everyday examples of nudge theory in action to prove it. So it’s about time the industry embraced nudge security.
But nudges aren’t a magic wand. If you want nudges to pull their weight as part of your cybersecurity strategy, people need to know what to do, how to do it, and understand the value of their actions.
If the window-cleaners don’t know how to conduct the proper safety checks, then there’s going to be some friction whenever a window-cleaner encounters the sign. At best, they look for help, and, at worst, they shrug it off, ignore the threat and step on the scaffolding anyway.
The same goes for nudge security.
The ‘what’, ‘how’, and ‘why’ of effective nudge security
The fewer speed bumps there are along the road toward performing positive behaviors, the quicker your people can adopt the long-term security behaviors they need to make your organization—and themselves—safer.
- You can’t nudge someone to do something if they don’t know what to do.
- You can’t nudge someone to do something if they don’t know how to do it.
- You can’t nudge someone to do something if they don’t understand why they need to do it.
Well, okay, those three statements aren’t entirely true. You can always nudge people to do things. Seriously, with a good nudge security provider, you can schedule or send out your nudges with a few clicks. You’re just going to get better results if you also address the ‘what’, the ‘how’, and the ‘why’.
Alright, so, the secret to an effective nudge security strategy? Removing obstacles. That means closing knowledge and skills gaps with behavioral security awareness training, providing your employees with support when they need it, and taking steps towards a more people-centric security culture.
When the ‘what’, ‘how’, and ‘why’ are clear, it becomes easier—and more likely—for people to follow through with the right behavior when they get a nudge.
Of course, in a perfect world, modern organizations wouldn’t need nudge security at all. But people have their faults, and so does traditional security awareness training.
So, nudge security is here to compensate. And to help cybersecurity teams finally address the ‘human’ in ‘human security’—you know, the forgetfulness, the procrastination, and so on. A nudge could be:
- An app notification encouraging employees working remotely to stay secure by activating a VPN before connecting to a public network.
- A prompt to set up two-factor authentication (2FA) before logging on to the system to prevent data breaches.
- A pop-up at the end of the work day to get people to install the latest software update.
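The three nudges above share one shape: a trigger (the moment), a condition (the gap in the user’s posture), a message (the ‘what’), and a pointer to help (the ‘how’). The small rule engine below is an added illustration, not code from the article or from any nudge security vendor; it evaluates a constructed user posture against those three rules, attaches a placeholder help link to each nudge so people who don’t know how to act have somewhere to go, and applies a per-user cooldown so the same nudge isn’t repeated into fatigue. The `Posture` fields, the `RULES` table and the `intranet.example` URLs are assumptions made for this example.

```python
"""Rule-based nudge engine: added example, not the article's or a vendor's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Posture:
    """Constructed snapshot of one user's security state at a moment in time (assumed fields)."""
    user: str
    on_untrusted_network: bool = False
    vpn_active: bool = False
    two_factor_enabled: bool = False
    update_pending: bool = False
    at_login: bool = False
    end_of_day: bool = False


@dataclass
class Nudge:
    key: str        # stable rule id, used for cooldown bookkeeping
    message: str    # the 'what'
    help_url: str   # the 'how': placeholder link to a how-to page


# (rule id, trigger+condition, message, help link). URLs are placeholders for this example.
RULES = [
    ("vpn",
     lambda p: p.on_untrusted_network and not p.vpn_active,
     "You're on a public network. Turn on your VPN before you continue.",
     "https://intranet.example/how-to/vpn"),
    ("2fa",
     lambda p: p.at_login and not p.two_factor_enabled,
     "Set up two-factor authentication before you sign in.",
     "https://intranet.example/how-to/2fa"),
    ("update",
     lambda p: p.end_of_day and p.update_pending,
     "Install the pending software update before you log off.",
     "https://intranet.example/how-to/updates"),
]


class NudgeEngine:
    """Evaluates RULES against a posture and rate-limits repeats per (user, rule)."""

    def __init__(self, cooldown: timedelta = timedelta(hours=24)):
        self.cooldown = cooldown
        self._last_sent: dict[tuple[str, str], datetime] = {}

    def evaluate(self, posture: Posture, now: datetime) -> list[Nudge]:
        """Return the nudges due right now; a nudge already sent within the cooldown is skipped."""
        due: list[Nudge] = []
        for key, condition, message, help_url in RULES:
            if not condition(posture):
                continue  # no gap to nudge about: a compliant user is left alone
            last = self._last_sent.get((posture.user, key))
            if last is not None and now - last < self.cooldown:
                continue  # already nudged recently: avoid nudge fatigue
            self._last_sent[(posture.user, key)] = now
            due.append(Nudge(key, message, help_url))
        return due


if __name__ == "__main__":
    engine = NudgeEngine()
    alice = Posture("alice", on_untrusted_network=True, at_login=True)  # constructed
    for nudge in engine.evaluate(alice, datetime(2024, 1, 1, 9, 0)):
        print(f"[{nudge.key}] {nudge.message} (help: {nudge.help_url})")
```

Two design choices matter more than the rules themselves: the condition checks the actual gap (VPN off, 2FA not enabled, update pending) rather than just the moment, so people who already do the right thing are not interrupted, and the cooldown is keyed per user and per rule, so a reminder about updates does not suppress a later, unrelated reminder about the VPN.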
So, the takeaway is this: When people are confident in their modern cybersecurity knowledge, have the skills they need to put it into practice, and recognize the value of good security behaviors, then nudge security can help you steer behavior change and complement your human risk reduction efforts.