By Laura Bishop, Director of Human Risk Science at OutThink
Just as cybercriminals manipulate people into risky behaviours, the same human decision-making heuristics can be used to protect staff. Effective methods exist to nudge people towards behaviours that will maintain individual and company security in the face of cybercriminal manipulation.
When you read the word ‘nudging’ you may find your mind jumps to technical pop-up messages on your computer or mobile phone that remind you to either take or not take a certain action. There are however many ways in which employees can be nudged towards secure behaviour, some of which can be implemented within your organisation at little cost.
How does nudging work?
Nudging assists smarter decision-making without limiting choice. Behaviour is influenced indirectly, without the need for commands or prohibitions. People may be unaware of the subtle messaging involved, but without it their lack of experience could result in harmful decisions.
The quick, intuitive thought systems of humans allow us to operate more efficiently and be less bogged down by choice. Nudges could include providing new technology with default options that offer a high level of security.
Behavioural psychologists suggest that a behaviour occurs when people are motivated, able, and triggered into action. Simply triggering people to consider safer cybersecurity behaviours has a significant positive effect, and even more so if the nudge also informs employees of the true risk and what they need to do to reduce it.
How can your employees be nudged towards secure behaviour?
- Provide a default option. Auto-suggest strong but memorable passwords for company systems to avoid the creation of more obvious ones.
- Simplify the action. Include an embedded phishing reporting button to reduce the effort of emailing the security team.
- Utilise social norms. Advertise the number of employees that have completed cybersecurity training or are actively utilising the skills learned to encourage buy-in.
- Increase ease and convenience of choice. Ensure cybersecurity policy is easily accessible and digestible.
- Disclose information. Educate employees on internal and external security incidents to encourage a more realistic appraisal of risk.
- Provide a warning. Display emotive posters that show the impact of cyber-attacks, using strong imagery and typefaces.
- Encourage precommitment. Actively ask employees to set security goals such as locking their devices each time they move away from their desks. Humans like to stick with predefined objectives.
- Set reminders. Send reminders or calendar invitations for training via email, Teams, or Slack to nudge your employees towards training or more secure behaviours. This concept has been added to the OutThink platform (SaaS) through Eva, the first intelligent virtual cybersecurity assistant in the Teams app store.
- Implementation intentions. Ask employees about their intention to comply with policy and training, requesting feedback on how they will apply the skills learned. This makes them feel committed to implementing them during their working day (machine learning can be used to provide the additional benefit of measuring employee sentiment to help improve the usability of policy, optimise security processes and tooling).
- Inform on past behaviours. Communicate previous security behaviours and an individual cybersecurity human risk scorecard to employees. Allow them to engage and respond with active feedback.
It is important to recognise that research on desensitisation to nudging is in its infancy; both the content and the context of nudges need to remain dynamic so that employees continue to absorb the message.
This piece provides an introduction to the potential benefits of nudging and some understanding of how nudging can be implemented simply and at low cost. Nudges such as these should be considered during training, as reminders to complete training, and to boost motivation, ability, and memory post-training.
Take time to notice the nudges you rely on in everyday life; why should cybersecurity in your organisation be any different?
FUEL has partnered with leading cybersecurity company OutThink to include its award-winning human risk management platform as one of the software solutions it offers clients.
OutThink received the highest possible score from ratings body Gartner Peer Insights, as well as a Seal of Excellence award from the European Innovation Council.
To find out how the OutThink Cybersecurity Human Risk Management platform can raise awareness, drive more secure behaviours, and increase motivation across your organisation please get in touch with us at email@example.com.