Unlocking the power of behavioural nudges to improve cyber security
Written by John Scott, Lead Security Researcher at CultureAI
In today’s digital landscape, managing security threats often hinges on how well organisations can identify and respond to risks in real time. While human errors are bound to happen, with the right technologies and processes, they don’t always have to pose a significant risk.
Unfortunately, people’s mistakes often go unnoticed until they result in an incident. This is where nudges can help, filling a crucial gap by intervening in risky behaviours automatically and efficiently. A well-executed security nudge can reduce Security Operation Centre (SOC) interventions and remediation times while reinforcing security policies, security culture, and best practices.
What exactly is a nudge?
Nudge Theory, popularised by Richard Thaler and Cass Sunstein in 2008, gained prominence as a cheap and effective method to influence behaviour change. The premise of this concept is that shaping the environment, known as choice architecture, influences individuals’ decision-making and allows them to maintain freedom of choice and feel in control of their decisions whilst being guided towards the ‘best’ solution.
The term ‘nudge’ has become a buzzword in cyber security over recent years, often mistakenly equated with ‘notifications’. While nudges can be used in different ways, overreliance can lead to ‘nudge fatigue’, overwhelming employees with dismissible reminders and notifications to complete training. To make the best use of them, nudges should aim to shift behaviours rather than simply notifying an employee of their actions.
Why do we need nudges in cyber security?
When people are busy, they tend to be reactive, and reliant on system-one thinking, which is automatic and intuitive but more prone to errors. By sending a security nudge to employees at the point of risk, they are alerted in real time and prompted to shift to more logical, lower-risk, system-two thinking.
Incorporating nudges as part of a human risk management (HRM) strategy is an effective way to mitigate risks in real time, empowering employees precisely when it matters most. Nudges encourage employees to pause and think before making potentially risky security decisions, making them aware of the threat and empowering them to choose wisely.
Nudge, not noise
Nudging employees comes at a cost. Interrupting their workflow can hamper productivity, so a nudge must have a strong rationale. If you interrupt, there should be a specific, actionable step the employee can take to mitigate the identified risk. If the security team can fix the risk without interruption, they should. Repetitive or intrusive nudges will lead to nudge fatigue, causing employees to ignore them.
Meet people where they are
To ensure a nudge isn’t ignored, deliver it within the applications employees are already using, such as Slack, Teams, or their browser. Over time, nudges simplify decision-making for employees, requiring minimal cognitive effort to execute decisions without overthinking.
Nudge people to make better decisions
Rather than just leaving employees to navigate the safe use of SaaS and GenAI apps on their own, nudges can help establish guardrails and provide guidance in real time. For example, if the organisation has an approved GenAI solution, a good nudge can not only dissuade employees from using non-authorised sources, but it can also guide them towards a preferred solution. Nudges can help create a cultural shift towards proactive and engaged participation in cyber security practices. This approach not only streamlines security operations but also creates an environment where employees are empowered to make their own security decisions.
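The rules set out under ‘Nudge, not noise’ and ‘Nudge people to make better decisions’ can be expressed as a small policy engine. The following is an added example written for this page, not CultureAI’s code: it only interrupts an employee when there is a concrete step to offer, lets the platform fix a risk silently when it can, applies a per-user cooldown so a repeated behaviour is routed to the security team rather than nagging, and points the employee at the approved GenAI tool instead of merely blocking the unapproved one. The domains, file ids, event types and the 24-hour cooldown are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample policy (assumptions for this example, not real configuration).
APPROVED_GENAI = {"ai.corp.example"}
PREFERRED_ALTERNATIVE = {"chat.unapproved.example": "ai.corp.example"}
NUDGE_COOLDOWN = timedelta(hours=24)   # at most one nudge per user, per rule, per day


@dataclass
class Event:
    user: str
    kind: str                  # "genai_paste" or "public_share" (constructed event types)
    target: str                # destination domain or document id
    at: datetime
    auto_fixable: bool = False # can the platform remediate without the employee?


@dataclass
class Decision:
    nudge: Optional[str] = None       # text shown to the employee, if any
    action: Optional[str] = None      # the specific step the employee can take
    silent_fix: Optional[str] = None  # remediation done with no interruption
    escalate: bool = False            # handed to the security team instead


class NudgeEngine:
    def __init__(self):
        self.last_sent = {}   # (user, rule) -> time of the last nudge for that rule
        self.suppressed = 0   # nudges withheld to avoid nudge fatigue

    def _deliver(self, ev: Event, rule: str, nudge: str, action: str) -> Decision:
        """Nudge once; a repeat inside the cooldown goes to the security team, not the employee."""
        last = self.last_sent.get((ev.user, rule))
        if last is not None and ev.at - last < NUDGE_COOLDOWN:
            self.suppressed += 1
            return Decision(escalate=True)
        self.last_sent[(ev.user, rule)] = ev.at
        return Decision(nudge=nudge, action=action)

    def evaluate(self, ev: Event) -> Decision:
        if ev.kind == "genai_paste":
            if ev.target in APPROVED_GENAI:
                return Decision()                  # no risk, so no interruption
            preferred = PREFERRED_ALTERNATIVE.get(ev.target)
            if preferred is None:
                # Unknown tool and no approved alternative to offer: review, don't interrupt
                return Decision(escalate=True)
            return self._deliver(
                ev, "genai_unapproved",
                f"{ev.target} is not approved for company data.",
                f"Use {preferred} instead; it is the approved AI tool for this task.")
        if ev.kind == "public_share":
            if ev.auto_fixable:
                # The platform can revoke the link itself: fix the risk without a nudge
                return Decision(silent_fix=f"anyone-with-the-link access on {ev.target} revoked")
            return self._deliver(
                ev, "public_share",
                f"{ev.target} is shared with anyone who has the link.",
                "Change the sharing setting to named people only.")
        return Decision()


def run_sample():
    """Run constructed events through the engine and return (engine, decisions)."""
    t0 = datetime(2024, 5, 1, 9, 0)
    events = [
        Event("alice", "genai_paste", "chat.unapproved.example", t0),                    # nudge
        Event("alice", "genai_paste", "chat.unapproved.example", t0 + timedelta(hours=1)),  # repeat: escalate
        Event("alice", "genai_paste", "ai.corp.example", t0 + timedelta(hours=2)),      # approved: nothing
        Event("bob", "genai_paste", "unknown-ai.example", t0),                          # no alternative: escalate
        Event("bob", "public_share", "doc-42", t0, auto_fixable=True),                  # silent fix
        Event("carol", "public_share", "doc-7", t0),                                    # nudge
        Event("alice", "genai_paste", "chat.unapproved.example", t0 + timedelta(hours=25)),  # cooldown over: nudge
    ]
    engine = NudgeEngine()
    return engine, [engine.evaluate(e) for e in events]


if __name__ == "__main__":
    engine, decisions = run_sample()
    for d in decisions:
        print(d)
    print("nudges suppressed:", engine.suppressed)
```

The point of the cooldown is not to hide the second occurrence: it is still surfaced, but to the security team, which is cheaper than a second interruption that the employee has already learned to dismiss.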