A nudge security strategy uses gentle prompts or reminders (called ‘nudges’) to encourage people to address security concerns on their system.
The strategy is rooted in behavioral science. It uses psychological techniques such as open questions, comparisons, and choice architecture to make people stop and think about their security decisions, guiding them toward better cyber habits without using strict directions or commands.
Nudges can include:
- Notifications
- Messages
- Prompts
For tasks such as:
| Task | Nudge example | Psychology |
| --- | --- | --- |
| Enroll in a security course | “This security module can help you protect your colleagues and family members.” | Emotion: nudges can elicit feelings such as compassion, concern, or excitement to inspire action. |
| Install a software update | “Select a time to install the new update.” (The choice offered is when, not whether, so the user cannot simply defer the task indefinitely.) | Choice architecture: encouraging people to act without restricting their freedom of choice. |
| Reset a password | 1. “Your password is weaker than 90% of your colleagues.” 2. A traffic-light graphic that shows the strength of the user’s new password choice. | 1. Comparison: social comparisons add a sense of competition to a task and motivate people to act. 2. Feedback: people are more likely to act when they receive instant feedback on their choices. |
| Suspicious link warning | “Do you trust this link or attachment?” | Risk: encourages people to think carefully about potential risks, helping them recognize such risks in the future. |
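As an added example (not code from the original article), here is how the two password nudges in the table, the traffic-light feedback and the colleague comparison, could be computed. The strength estimator is a simple heuristic of my own (character-class entropy with penalties for common fragments and repeated runs), the thresholds and the colleague scores are constructed assumptions, and a real deployment would use a tested estimator such as zxcvbn. The one design point that matters for the comparison nudge is that only the strength score recorded when a colleague set their password is stored; the passwords themselves are never kept or compared.

```python
import math
import re
from bisect import bisect_left

# Constructed deny-list of fragments guessers try first; a real list is far larger.
COMMON_PATTERNS = ("password", "123456", "qwerty", "letmein", "welcome")


def estimate_bits(password: str) -> float:
    """Rough strength estimate in bits (assumed heuristic, not a real cracker model).

    Starts from len * log2(alphabet size) for the character classes used, then
    penalises known dictionary fragments and repeated characters.
    """
    if not password:
        return 0.0
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        alphabet += 33  # printable ASCII symbols, including space
    per_char = math.log2(alphabet)
    bits = len(password) * per_char
    lowered = password.lower()
    for fragment in COMMON_PATTERNS:
        if fragment in lowered:
            # A known fragment contributes almost nothing: it is guessed first.
            bits -= 0.9 * len(fragment) * per_char
    if re.search(r"(.)\1{2,}", password):
        bits *= 0.7  # runs such as "aaa" are cheap to guess
    return max(bits, 0.0)


def traffic_light(bits: float) -> str:
    """Instant-feedback nudge: bucket the estimate into red/amber/green (assumed thresholds)."""
    if bits < 40:
        return "red"
    if bits < 70:
        return "amber"
    return "green"


def percentile_rank(score: float, cohort: list[float]) -> int:
    """Percentage of cohort scores strictly below `score`."""
    ordered = sorted(cohort)
    return round(100 * bisect_left(ordered, score) / len(ordered))


def comparison_nudge(score: float, cohort: list[float]) -> str:
    """Social-comparison nudge phrased against the colleague cohort."""
    rank = percentile_rank(score, cohort)
    if rank < 50:
        return f"Your password is weaker than {100 - rank}% of your colleagues."
    return f"Your password is stronger than {rank}% of your colleagues."


def password_nudge(password: str, cohort: list[float]) -> dict:
    """Everything the UI needs: score, traffic-light colour and comparison text."""
    bits = estimate_bits(password)
    return {
        "bits": round(bits, 1),
        "light": traffic_light(bits),
        "message": comparison_nudge(bits, cohort),
    }


# Constructed sample: strength scores recorded when colleagues last set a
# password. Only these scores are stored, never the passwords themselves.
COLLEAGUE_SCORES = [18.0, 25.0, 31.0, 44.0, 52.0, 58.0, 63.0, 71.0, 80.0, 95.0]

if __name__ == "__main__":
    for candidate in ("password123", "aaaaaa", "Tr0ub4dor&3", "correct horse battery staple"):
        print(candidate, password_nudge(candidate, COLLEAGUE_SCORES))
```

Run against the sample cohort, "password123" scores about 20 bits, lands on red and produces exactly the "weaker than 90% of your colleagues" message from the table, while "Tr0ub4dor&3" lands on green and "stronger than 80%". The estimate should be computed in the client at the moment the password is typed, so the feedback is instant and the plaintext never leaves the user's machine; the server only ever receives the score used for the comparison.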
Why do we need nudges?
People are often the weakest link in cybersecurity, and human error is a factor in a large share of data breaches. Whether intentional or accidental, poor security behavior opens up vulnerabilities, no matter how effective an organization’s IT security team and tools are.
Tooling alone cannot close that gap: awareness matters as much to an organization’s security posture as the controls it deploys. Nudges (a term popularized by behavioral scientists Richard Thaler and Cass Sunstein in their 2008 book Nudge) don’t tell people to do anything; they are designed to guide people toward doing the right thing without the pressure usually associated with risk management.
A nudge security strategy helps employees adopt a security-first mindset, weaning them off bad habits such as delaying updates, using weak passwords, and ignoring security warnings, all of which expand the attack surface across the many cloud and SaaS technologies organizations use today.