Security nudges offer a way for organisations to get employees to make better security decisions - right at the point of risk. Security nudges often take the form of an instant message or notification sent to an employee and, when implemented correctly, can help employees avoid creating security incidents and even empower them to mitigate a risk they’ve created in a single click.
Today we’ll explore the five key lessons we’ve learnt from how our clients use security nudges to drive better security behaviours and instantly fix risks created across their workforce.
We'll dive into the importance of targeting high-risk behaviours, focusing on the most critical risks, utilising the right delivery channels, empowering employees to fix rather than merely training, and tracking nudge effectiveness through A/B testing.
Let's kick off our top five list with a vital distinction: security nudges are not the same as alerts. It’s important that nudges maintain their power to influence behaviour without turning into a flood of notifications that employees simply tune out.
Often security pro’s mistakenly use nudges for alerts – reminders to complete mandatory training, policy updates, and so on. But bombarding people with alerts can be counterproductive, failing to change behaviour and creating 'alert fatigue'. Instead, where we see clients successfully achieving high rates of behaviour change, they’re using nudges triggered only when risky behaviours occur.
Picture this: a nudge pops up on an employee’s instant messaging app (think Slack, Teams), helping highlight that they’ve done something that’s put them at risk and providing them with a single-click button to fix the risk and protect themselves and the organisation. By focusing on behaviour, coaching events become more impactful, and the value of nudges is preserved.
Avoid the 'boy who cried wolf' scenario by steering clear of constant reminders. Timely notifications that highlight specific incidents, such as accidentally posting sensitive information on Slack, are far more effective. Employees are then given the opportunity to address the issue instead of merely ticking off compliance events.
When a security nudge is delivered, the aim is to create an "oh wow" moment. Employees should think, "I didn't realise that!" No matter their position in the organisation, real-time nudges should grab their attention, unlike traditional security awareness training, which is often ignored.
While behaviour-based security nudges are a powerful behaviour change tool, it's essential not to overdo it. You must strike a balance between addressing risks and maintaining the attention of your employees. In other words, don't create nudges for every single risk. Instead, focus on the top 3 to 5 risks that concern your organisation the most.
As illustrated in the graph, there's a clear drop-off period when employees receive too many nudges per quarter. Even if they're relevant and timely, a barrage of nudges can lead to people ignoring them and not taking action. By concentrating on the most pressing risks, you can optimise the effectiveness of your nudges and keep your workforce engaged.
While we only have about 12 months of data, it's worth considering how this strategy scales over time. There may be an ideal number of security nudges that can be sent or a recommended number of behaviours to focus on. But for now, based on the data we have, targeting between 3 and 5 key risks appears to be the most effective approach.
Choosing the right delivery channel for your security nudges is crucial. As we increasingly rely on instant messaging apps in our daily lives, these platforms have become the ideal place for nudges. Even in email-first organisations, sending nudges through instant messaging apps like Slack, MS Teams, and Meta Workplace has proven to be more impactful and prompt quicker responses.
The speed of remediation is a significant advantage when using instant messaging apps compared to email. When a risk is identified, instant messaging enables you to address it swiftly, often within seconds, whereas a nudge sent by email may sit in a user's inbox for a prolonged period, leaving the risk exposed. For security teams, reducing this window of time is essential to mitigating potential threats.
As we continue to gather data over the next 12 months, we'll be able to provide more insights into the effectiveness of various delivery channels. Another option worth considering is browser-based nudges. By using browser extensions, you can deliver security nudges directly within an employee's browser, offering an alternative to email and instant messaging.
The key takeaway here is that even if your organisation is "email-first", instant messaging should still be the go-to channel for security nudges. The industry is moving towards meeting the workforce where they are, and in this case, instant messaging apps provide the most effective and timely way to deliver nudges.
Instant messaging apps like Slack and MS Teams offer a perfect platform for enabling employees to remediate risks directly within the app. For example, suppose someone uploads a file containing PII to OneDrive and accidentally shares the file publicly; a real-time security nudge can be sent with the option to change the file's permissions right from the app.
Organisations that are taking this approach are seeing significantly higher levels of behaviour change than those just using nudges to deliver training or advice. Where organisations aren’t levering this capability, instead using nudges to just deliver yet more training, they see significantly lower levels of behaviour change.
Empowerment is key to changing behaviours. Behavioural science teaches us that awareness, attitude, cognitive processes, and capability (how easy we, as security pros, make it for people to behave securely) all play crucial roles in driving change. By making it easy for people to take action, we increase their capability to address risks promptly.
When developing nudges, consider the content, wording, and ease of use. Instant messaging platforms like Slack, MS Teams, and Meta Workplace enable you to create interactive messages with buttons that streamline the risk remediation process. Even if you're not using CultureAI, you can still build in-house solutions that empower employees to resolve security issues quickly and efficiently.
Focus on providing your employees with the tools they need to address risks directly within a messaging platform that they have instant access to. By making the remediation process as straightforward as possible, you can drive real behavioural change and create a more secure working environment.
For organisations already using nudges or beginning their nudge journey, tracking their effectiveness is crucial. By incorporating interactive elements like buttons, you can easily monitor who is mitigating risks, ignoring nudges, or rejecting them. Even without these interactive elements, observing behaviour changes can still provide valuable insights into the impact of your nudges.
To optimise your nudges, consider implementing multiple variations for a specific security behaviour. For example, if you're addressing the issue of posting API credentials in public Slack channels by using nudges, create several different nudges with varying messaging. This approach allows you to A/B test and determine which nudge is most effective in getting employees to delete the message containing the API credentials.
Referencing social norms within your nudges can significantly influence their effectiveness. For instance, mentioning that a specific percentage of colleagues would have taken the desired action may encourage others to follow suit.
As you begin your nudge journey, start collecting data on the effectiveness of your nudges. Analysing this information will help you determine which nudges work best and whether you may be overusing them. By tracking metrics and continuously refining your nudges, you can create a more secure and compliant work environment.
Security nudges offer a powerful tool for enabling employees to make better security decisions and fix their own security risks without involvement from the SOC or wider security team.
By focusing on high-risk behaviours, prioritising key risks, leveraging instant messaging channels, and empowering employees to fix issues, you can significantly enhance your organisation's cybersecurity posture.
Remember, the key to successful nudging lies in striking the right balance between being informative and engaging while keeping the process simple and actionable for your employees.
By incorporating these five essential tips into your security nudge strategy, you'll be well on your way to creating a more secure, compliant, and resilient work environment for everyone.