Why you should be using cyber security nudges

Responding to human risk
CultureAI Team
June 1, 2023
Security Awareness Pros


⚡ TL;DR ⚡
  • Even the most security-savvy people are busy and make security mistakes as they go about their work.
  • Cyber security nudges are notifications that provide a simple way to empower employees to easily self-remediate any risks they create, even if they haven't had security awareness training.
  • Trigger nudges via instant messenger apps when an employee performs a risky security behaviour, highlighting the issue and giving them the capability to fix any risk in a single click.
  • Sign up for our free 30-minute lightning webinar to learn how to use nudges to drive instant behaviour change.


Even the most security-savvy people are extremely busy in their day-to-day jobs and can make security mistakes. The American poet Nikki Giovanni said it best: "Mistakes are a fact of life. It is the response to error that counts."

This is very true for the world of cyber security. When security mistakes are made, they often go unnoticed by both the employee and the organisation until they result in an incident.

But what if there was a way to automatically know when risky security behaviours occur, and employees are empowered to easily fix their own mistakes before they cause problems?

That's where cyber security nudges come in. These simple yet effective notifications are designed to empower employees to quickly mitigate risks they create, no matter their level of security awareness or technical knowledge. And the best part? They can drive instant behaviour change and provide quantifiable metrics showing the number of resolved risks.


Simply put, a cyber security nudge is a relevant, timely security notification delivered to an employee via instant message, push notification or web browser.

It's designed to get employees to perform a desired security behaviour, such as updating their password or double-checking the recipient of an email before opening any links. By triggering security nudges the instant an employee performs a risky security behaviour, you can make them aware and empower them to fix any risk in a single click.

Imagine this: you've accidentally shared sensitive HR data with the world on Dropbox. You're panicking, wondering how you could have made such a careless mistake. But then a security nudge pops up on your screen, guiding you through the steps to immediately fix the permissions in just one click. That's proper employee-powered security, and it should be a crucial part of any organisation's human risk management plan.
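To make the trigger-and-remediate loop concrete, here is an added example (not CultureAI's code) of a minimal nudge engine: it reads constructed sharing-service audit events like the Dropbox scenario above, nudges only when a labelled-sensitive file is made public (so a public marketing logo or a team-internal share does not generate noise), offers a one-click fix, and counts resolved risks. The `send` and `set_visibility` callables are assumed stand-ins for a chat integration and the sharing service's permission API.

```python
from dataclasses import dataclass
# Constructed sample audit events (not real data) from a file-sharing service.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "action": "share_link_created",
     "resource": "HR/salaries.xlsx", "visibility": "public", "labels": ["hr", "pii"]},
    {"user": "bob@example.com", "action": "share_link_created",
     "resource": "Marketing/logo.png", "visibility": "public", "labels": []},
    {"user": "carol@example.com", "action": "share_link_created",
     "resource": "HR/onboarding.docx", "visibility": "team", "labels": ["hr"]},
]

@dataclass
class Nudge:
    user: str
    message: str
    fix: dict           # the one-click remediation the message offers
    resolved: bool = False

def is_risky(event):
    # Only a public link to a labelled-sensitive file counts; a public logo or
    # a team-internal HR share would be a false positive that blocks work.
    return (event["action"] == "share_link_created"
            and event["visibility"] == "public"
            and bool({"hr", "pii", "confidential"} & set(event["labels"])))

def build_nudge(event):
    if not is_risky(event):
        return None
    text = (f"You just made '{event['resource']}' public. "
            "Click 'Fix it' to restrict the link to your team.")
    return Nudge(event["user"], text,
                 {"resource": event["resource"], "visibility": "team"})

def apply_fix(nudge, set_visibility):
    # set_visibility stands in for the sharing service's permission API (assumed).
    set_visibility(nudge.fix["resource"], nudge.fix["visibility"])
    nudge.resolved = True
    return nudge

def run(events, send, set_visibility, click=lambda n: True):
    # send() = IM/push stub, click() = simulated employee click (both assumed).
    nudges = [n for n in map(build_nudge, events) if n]
    for n in nudges:
        send(n.user, n.message, n.fix)
        if click(n):
            apply_fix(n, set_visibility)
    return nudges

def metrics(nudges):
    return {"sent": len(nudges), "resolved": sum(n.resolved for n in nudges)}
```

Running `run(SAMPLE_EVENTS, ...)` nudges only Alice; `metrics` then gives the sent/resolved counts that the text describes as quantifiable evidence of behaviour change.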

Check out our webinar on the 5 lessons learnt from one year of reducing insider risks
Watch here


Now, you might be thinking, "But we already provide security awareness training to our employees. Isn't that enough?" Unfortunately, traditional security awareness training has little to no impact on what behavioural scientists call System 1 behaviour.

System 1 behaviours are our brains' fast, automatic, unconscious, and emotional responses to situations and stimuli. These are our absentminded thoughts, such as tying your shoelaces or clicking send on an email (even if it's got the wrong recipient!).

System 2 is the mind's slow, analytical mode, where reason dominates. It is engaged when we do something that doesn't come naturally and requires some mental exertion; this could be drawing a picture or setting a password.

This raises the question of which cognitive process an employee is using when they make security decisions: are they acting unconsciously (System 1) or consciously (System 2)?

The human brain is optimised for efficiency, making unconscious, automated decisions. This greatly affects how employees react to phishing emails, MFA notifications, requests to share information, and many other security behaviours while they go about their day-to-day job. Nudges immediately counter risky System 1 decisions, helping employees instantly fix any risks they create.


Data loss prevention (DLP) tools are great at handling cases of employees making mistakes that could put data at risk, but only when false positive rates are low.

High false positive rates can block employees from doing their job (perhaps they need to send that personally identifiable information legitimately as part of their work!) and leave them frustrated.

Security nudges can be used as well as, or in some cases instead of, DLP tools to help employees stay secure without blocking their productivity. It's a win-win situation.


CultureAI has been at the forefront of reducing insider risk with nudges for the past year now.

We have learnt a lot in that time about how to reduce insider risk with nudges.

We’d love to share that knowledge with you and how these simple yet effective notifications have transformed security culture and reduced risks.

We will be hosting a 30-minute lightning webinar on March 1st to share with you the five core lessons we’ve learnt and how you can apply that knowledge to your organisation.

We will cover the following:

  • Delivering nudges via instant messaging and in-browser
  • How to utilise real behavioural risk data to trigger nudges
  • How to track the effectiveness of nudges in your organisation
  • Utilising nudges effectively to reduce employee fatigue
  • Empowering employees to mitigate the risks they have created

You can also read more about CultureAI's thoughts on cyber security behaviour change, if this has got you interested.
