Ensuring better security one nudge at a time

“I would never fall victim to a scam…”

“Going through security training is a waste of time…”
“I don’t care about learning, just tell me what to do!”

Let’s admit it – one of these thoughts might have come to mind when going through mandatory cyber security training for your job. When it comes to intangible things such as cyber risk, people often adopt an “if it ain’t broke, don’t fix it” attitude.

With 75% of large organisations and 31% of small businesses suffering staff-related security breaches in the last year, it’s clear that getting people to change their behavior is hard. The reality is that traditional corporate training programs are ineffective at getting people to care about cyber risk and do something about it. One of the biggest challenges companies face is encouraging employee behavior that supports security objectives.

Perhaps we should think less like security experts and more like economists.

Behavioral economists have been looking into people’s decision-making processes and have discovered that people don’t always make rational decisions, despite their best intentions. Our brains are hardwired to follow shortcuts (heuristics) that impact our rational decision-making. Richard Thaler’s research demonstrated the ability to “nudge” people to change their behavior by making subtle adjustments to the decision-making context or environment. Thaler was awarded the 2017 Nobel prize for economics for his contribution to this field.

People tend to struggle with large complex tasks in areas they are not familiar with. Asking someone a simple question like “Is your PC secure?” effectively triggers dozens of thoughts about software updates, passwords, privacy settings and more. All of this information overwhelms the person and as a result, very few actions, if any, are taken.

Many people view a computer as they would a car. It’s a device they use all the time but have no idea how it works, nor any desire to find out. Simply asking someone when they had their last tune-up might prompt them to take the car in for service, which in turn reduces their risk of a car accident.

So how can we apply nudge theory in the context of cyber security?

Companies continue to invest heavily in security infrastructure and awareness programs, but these rarely result in the desired support from employees. According to nudge theory, very simple interventions can encourage people to take action without a large cost:

1) Inform someone they can find out their risk and give them a cyber score.

2) Based on a person’s score, they can then be nudged over time to improve their score which results in them being safer.

3) Gamify the experience and encourage employees to compete against one another to improve their risk score and take desired security actions.

These changes need not involve a lot of time and effort on people’s part; in fact, very simple adjustments can produce powerful benefits for your company.

