Nobel Prize-Winning “Nudge Theory” May Be the Answer to Your Internal Cybersecurity Challenges
December 9, 2020
According to the UK Information Commissioner’s Office (ICO), 90% of data breaches are caused by human error. Many people and enterprises already realize that a single human mistake can cause even the most robust cybersecurity framework to fail. So why, as a cybersecurity leader, is it so hard to get your teams to practice the most basic cybersecurity hygiene? Perhaps they haven’t received the right “nudge”.
Dr. Richard Thaler, who received the 2017 Nobel Memorial Prize in Economic Sciences for his work in behavioral economics and popularized the idea of the “nudge”, argues that humans generally do not make decisions by rational calculation, even for decisions as important as securing sensitive information stored on a corporate or personal device. Instead, Thaler holds that these decisions are more often driven by personal biases, emotions, and the individual’s environment. For example, employees may know that a different, long, unpredictable password on every account keeps their work data safer, but the inconvenience of having to remember a new one is enough to deter the practice. A forced 30-day rotation makes this worse: users respond with a predictable, easy-to-remember password (often the previous one with a digit changed), which is also easy to guess or crack, leaving the user and the company exposed. That is why current guidance from NIST (SP 800-63B) and the UK NCSC advises against routine expiry of passwords that have not been compromised: the policy itself is a piece of choice architecture that nudges people toward weak passwords. Awareness alone, then, is not enough. So how can we create a more human-centered approach to cybersecurity that addresses incidents rooted in poor security behavior? One effective approach is to apply the Nudge Theory. As Thaler and his co-author Cass Sunstein define it in their book Nudge (2008),
“A Nudge, as we will use the term, is any aspect of the choice architecture that alters people’s behavior in a predictable way without forbidding any options or significantly changing their economic incentives. To count as a mere nudge, the intervention must be easy and cheap to avoid. Nudges are not mandates.”
Nudges are simple, inexpensive, and unobtrusive ways of changing behavior. They focus on removing as many barriers as possible between the person and the desired outcome. For example, to address the password problem described above, some companies have adopted a nudge in which the password is generated for the employee: a randomly chosen, relatively obscure dictionary word forms the foundation, and a random digit and symbol are appended so the result does not follow the predictable patterns a human would use. When the password is generated, the employee is shown the word’s definition as a memory aid. This removes the barrier of having to invent a strong password from scratch and uses a basic memory technique to produce a password that is both easier for the user to remember and stronger than what they would likely have chosen on their own. One caveat a security team should keep in mind: against an attacker who knows the word list, the strength of such a password comes almost entirely from the size of the list and the number of words drawn, not from the digit and symbol, so the generator should draw from a list of several thousand words and, where the risk warrants it, combine more than one word.
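The generator described above, as an added example (this is not Herjavec Group’s code, and the word list, definitions and symbol set are constructed here for illustration): it draws the word and the trailing digit and symbol with Python’s `secrets` module, hands back the definitions as the memory aid, and, going beyond the single-word scheme in the text, lets the caller draw several words and computes the entropy of the result against an attacker who knows the list and the layout. The numbers make the caveat concrete: one word from a 7776-entry list plus a digit and a symbol is under 20 bits, which an offline cracker exhausts in well under a second at 10 billion guesses per second, while four words exceed 58 bits.

```python
import math
import secrets

# Constructed sample word list with definitions (hypothetical; a real
# deployment would use a large curated list such as the EFF long list,
# which has 7776 entries). Words must not contain the "-" separator.
WORDLIST = {
    "gloaming": "twilight; dusk",
    "petrichor": "the smell of earth after rain",
    "susurrus": "a whispering or rustling sound",
    "halcyon": "calm and peaceful",
    "zephyr": "a gentle breeze",
    "lacuna": "a gap or missing part",
    "quotidian": "ordinary; everyday",
    "sidereal": "relating to the stars",
}
WORDS = tuple(WORDLIST)          # stable ordering for secrets.choice
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*_=+?"         # 12 symbols; "-" is reserved as separator
EFF_LONG_LIST_SIZE = 7776        # 6^5 entries, as used in diceware schemes


def entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy (bits) of `words` uniformly chosen list entries plus one
    uniformly chosen digit and one symbol, assuming the attacker knows
    the word list and the password layout (Kerckhoffs's principle)."""
    return (words * math.log2(wordlist_size)
            + math.log2(len(DIGITS))
            + math.log2(len(SYMBOLS)))


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a space of 2**bits at the given rate."""
    return 2.0 ** bits / guesses_per_second


def generate(words: int = 1):
    """Build the password and return (password, memory_aids), where
    memory_aids maps each chosen word to the definition shown to the user."""
    chosen = [secrets.choice(WORDS) for _ in range(words)]
    digit = secrets.choice(DIGITS)
    symbol = secrets.choice(SYMBOLS)
    password = "-".join(chosen) + digit + symbol
    return password, {w: WORDLIST[w] for w in chosen}


if __name__ == "__main__":
    pw, aids = generate(words=3)
    print("password:", pw)
    for word, meaning in aids.items():
        print(f"  {word}: {meaning}")
    # Compare one word against four words drawn from a 7776-word list,
    # against an offline cracker trying 1e10 guesses per second.
    for n in (1, 4):
        bits = entropy_bits(n, EFF_LONG_LIST_SIZE)
        print(f"{n} word(s): {bits:.1f} bits, "
              f"{crack_time_seconds(bits, 1e10):.3g} s to exhaust")
```

The entropy figure is what matters for an offline attack on a stolen hash; the definition shown to the user only helps recall and adds nothing to strength. Note that the tiny embedded list gives only 3 bits per word, so in practice the list, not the code, is the part that needs attention.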
Other examples of nudges that could help close the gap between security policy and compliance include:
- Publishing anonymous statistics on how many other employees have already complied with proper cybersecurity behaviors, such as regularly updating their devices and reporting suspicious emails. This “social proof messaging” changes individual behavior by showing people that most of their peers are following good practices, so they should too.
- When sending update notifications to employees, explain clearly what the patch addresses and why it is worth their time to install it. It is easy to dismiss a notification and leave a device or application unpatched when the significance of the vulnerabilities it fixes is never stated.
- Offering positive incentives for following cybersecurity best practices, or “gamifying” good cybersecurity behavior: encouraging compliance by making it fun and/or competitive.
People are often the first line of defense against everyday attacks such as phishing, and a strategy that combines technical controls with human-focused measures gives your company more complete protection. These measures don’t have to be expensive or complicated; they can be as simple as giving your employees a light “nudge”.
To engage Herjavec Group’s diverse set of cybersecurity experts to plan, create, and execute an infrastructure that addresses every point and player on your cybersecurity journey, connect with a security specialist today.
About Herjavec Group
Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.