Nudging for Cybersecurity

Why do security awareness trainings fail to impact employee behavior, and how can nudging help?

All too often, cybersecurity is perceived to be overwhelmingly technical in nature. However, Information Security professionals would be wise to keep in mind the words of security expert and cryptographer Bruce Schneier: “Only amateurs attack machines, professionals attack people”. Security infrastructures can be intricate and robust, but a careless employee can easily render these painstaking defense mechanisms meaningless by failing to take simple precautions. Though security awareness trainings are commonly held in order to train employees in best practices, a substantial body of research indicates that knowledge of how to protect oneself does very little to translate into safe security behavior. 

Approximately 90% of all cyber claims are the result of some type of human error or behavior.

Thus, organizations are left vulnerable not due to immature security infrastructures, nor to lack of awareness surrounding cybersecurity threats and proper precautions, but to employee behavior which is consistently and irrationally counterproductive to desired outcomes. For example, many employees are well aware that the comfort enjoyed when choosing not to increase the complexity or diversity of their passwords is far overshadowed by the costs associated with the exposure to cyber risk that derives from lazy password practices. They don’t want their company exposed to a cyber attack, and they certainly do not want the origins of such an attack to be traced back to their personal security habits. Yet, they keep the simple, convenient passwords anyways. Any solution hoping to bridge the gap between knowledge of security policy and subsequent action requires an understanding of the behavioral factors that drive irrational decision-making and cause well-intentioned employees to neglect their security responsibilities.