Can we nudge our way to improved cyber security? Why a simple thank you might help
When the new Nobel Economics laureate, Dr Richard Thaler, was asked how he would spend the more than one million dollars in prize money he received along with the award, he replied: “… as irrationally as possible.”
It was an entirely appropriate response from the man who co-authored the seminal bestseller Nudge in 2008 with Cass Sunstein, a book praised for its research into irrational thinking and behavioural economics.
For many years, economics was built on the concept of perfectly rational individuals. However, as Thaler and Sunstein identified, humans actually take economic decisions based on personal biases, emotion and the environment they’re in. That irrational decision making is just as relevant when we replace the subject of economics with cyber security.
Doing the right thing
An organisation’s policies are predicated on the principle that its people do not intentionally behave irrationally. But as cyber security professionals we know that people, whether we regard them as the strongest or the weakest link in the mantra of ‘people, process and technology’, seldom do the right thing all the time. So, anything we can do to nudge them in the right direction, at whatever level and from any starting point, would be a good thing.
Thaler realised that we fail to recognise our own biases, even if we consider ourselves to be completely rational; at work we don’t always do the things that might improve our organisation’s security and at home we take shortcuts that leave us vulnerable.
While exactly what influences human behaviour remains the subject of continued academic debate (and we’ll leave Artificial Intelligence to another day), the idea that a nudge has some impact has gained significant traction since Thaler and Sunstein’s book.
Indeed, the theory that a small incentive, or nudge, can change behaviour has been taken on board by organisations such as HMRC (the UK tax authorities) and a range of US pension suppliers with evident success.
HMRC has seen increased tax revenues, while the pension suppliers have encouraged more people to save for the future after automatic enrolment in pension plans.
Even a Swiss corporate security team, which rewarded staff who followed the ‘clear desk’ policy with a small chocolate, rather than highlighting cluttered desks with large yellow reminder notes, found that a tiny incentive can help change and maintain good behaviour.
Increasing security awareness through behaviours
In looking to improve organisational security, the UK’s Centre for the Protection of National Infrastructure (CPNI) has published a variety of guidance and advice. It is excellent and explores how to establish a baseline of current behaviours and then move such behaviour towards increasing security awareness. And we can help you along that path.
CPNI has also studied one element of employee behaviour of particular significance to cyber security: the insider threat.
They found that three quarters of insider cases involved employees who had no malicious intent when they joined an organisation but whose loyalties changed after recruitment. This suggests that anything we can do to help maintain the loyalty of our staff and nudge them to continue to do the right thing can improve our organisation’s security.
The CPNI has established a ‘5Es framework’ (Crown Copyright) to improve and embed security behaviours. The five Es are:
- Educate why
- Enable how
- Shape the Environment
- Encourage the action
- Endorsed by credible sources
An example of an effective nudge, mentioned in the framework as a way of encouraging good behaviour, involved the Head of Security sending an email to all staff who reported security issues. A simple ‘thank you’ response to an incident report was identified as reinforcing the good behaviour and encouraging future good practice.
While many parts of a comprehensive corporate cyber security policy involve restrictions and curtailments of an individual’s behaviour, maybe this final example is more meaningful than we realise.
Perhaps we should remember that a simple “thank you”, or any kind of positive response, might be sufficient to help nudge a colleague from the dark path of the cyber insider and into the cyber security light.
Published date:  12 October 2017
Written by:  Tim Rawlins