Our local post office parking lot was under construction for many months. I have no idea what they were working on and it would not be notable except…
… it used to be super-convenient to mail letters* there.
[*Yes, those physical paper things. What can I say, I have a certain nostalgia for an age gone by. I mail thank you notes, I send occasional checks to vendors, I write letters to my kids at summer camp. I even send checks to the IRS — my accountant says that I am his only client that does not file electronically.]
Pre-construction, the way it used to work in my town was that when you drove into the post office parking lot, there were mailboxes situated so that you could reach them without even getting out of your car.
Apparently, and despite the fact that everything from fast food, to pharmacies, to (I’m not making this up) funeral homes seems to be offering more drive-through options, our post office has decided that these innovations are too convenient!
So, when I went to mail a letter the other day, I had to park my car and walk to the mailboxes just outside the door. While I was there, I went inside and bought some stamps. That’s when it hit me — the post office, by moving the outside mailboxes, had changed my behavior.
By dictating that letters could no longer be mailed in the parking lot, and whether this was their intention or not, they had succeeded in “nudging” me to come inside and spend some money.
Dictates and Nudges
There are dictates and nudges in cybersecurity as well. Common examples of dictates include:
- Not allowing personal email or social media on a work computer
- Requiring the use of browser X when accessing websites
- Requiring that passwords include special characters and be of a certain length
Dictates are fine in many cases. However, because they prohibit exceptions, they often prevent employees from doing their best work. Instead of focusing on what they need to accomplish, employees end up battling the dictates or devising workarounds.
That’s why I prefer nudges, something I’ve been thinking about a lot since listening to the aptly named audiobook Nudge, by Nobel Laureate Richard Thaler and Harvard Law School professor Cass Sunstein.
As the authors explain, nudges use the path of least resistance to influence behavior, deploying what they call a “Choice Architecture.” Instead of telling people what they must do, they tap into various aspects of the way humans think and make decisions. On everything from organ donation to environmental policy, the book lays out lots of interesting examples and suggestions for getting better results.
Nudges are also important in creating a good cybersecurity program for your organization. Examples may include:
- Optimizing company applications for a particular browser, preinstalling that browser on all computers, and setting it as the default
- A warning message that pops up when downloading or clicking on a link from a personal email or social media post
- Turning encryption on by default
None of these requires a particular behavior; however, they strongly influence the thinking and, therefore, the actions of those who encounter them.
Consider the Business Impact
There are many things that need to occur to minimize cyber risk to an organization.
But you’ll want to balance the various dictates and nudges put in place against the business impact that may result. After all, you could eliminate one hundred percent of cyber risk by running your business entirely on paper (not recommended).
Consider the example of suspicious email. You could have it all sent to spam. However, in that case, users would never know that some messages never reached them. A smarter approach might be to strip attachments or links from these emails, so at least users retain the option of contacting the sender through another channel when appropriate.
Additionally, if the legitimacy of the sender is in question, it is much better to get a warning dialog on your email (example below) than to totally miss the message.
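As an added example (not code from the original post), here is a small Python filter that applies the nudge just described: for a sender whose domain is outside an assumed allowlist, it keeps the message but strips attachments, neutralizes links and prepends a warning banner, rather than dropping the mail into spam. The sample message, domains and file name are constructed for the demonstration.

```python
# Added example: a "nudge" filter for suspicious email. The message still reaches
# the user, minus attachments and links, with a banner explaining what happened.
import re
from email.message import EmailMessage

WARNING = ("[WARNING] This message comes from an unverified external sender. "
           "Attachments and links were removed. Confirm with the sender through "
           "a known-good channel before acting on it.\n\n")
URL_RE = re.compile(r"https?://\S+")


def sender_is_trusted(msg: EmailMessage, trusted_domains: set) -> bool:
    """Assumed policy: trusted if the From domain is on the allowlist."""
    addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    return addr.rpartition("@")[2].lower() in trusted_domains


def nudge(msg: EmailMessage, trusted_domains: set) -> tuple[EmailMessage, dict]:
    """Return the message (trusted) or a sanitized copy, plus a change summary."""
    if sender_is_trusted(msg, trusted_domains):
        return msg, {"trusted": True, "attachments_removed": 0, "links_removed": 0}
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    links = URL_RE.findall(text)                      # links the user would have clicked
    text = URL_RE.sub("[link removed]", text)
    attachments = list(msg.iter_attachments())        # dropped entirely
    out = EmailMessage()
    for name in ("From", "To", "Date"):
        if msg[name]:
            out[name] = str(msg[name])
    out["Subject"] = "[EXTERNAL] " + str(msg["Subject"] or "")
    out.set_content(WARNING + text)                   # banner first, then body
    return out, {"trusted": False, "attachments_removed": len(attachments),
                 "links_removed": len(links)}


def build_sample() -> EmailMessage:
    """Constructed sample: a vendor-looking sender, a link and an executable attachment."""
    m = EmailMessage()
    m["From"] = "billing@vendor-example.test"
    m["To"] = "alice@corp-example.test"
    m["Subject"] = "Invoice attached"
    m.set_content("Please review http://vendor-example.test/pay and the attached file.")
    m.add_attachment(b"MZ-constructed-bytes", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m


if __name__ == "__main__":
    sanitized, summary = nudge(build_sample(), {"corp-example.test"})
    print(summary)
    print(sanitized.get_content())
```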
It’s Always a Balancing Act
Setting up systems that are both user-enabling and that protect your organization, its customers, and your collective data will always require prioritization and tradeoffs.
By employing a combination of dictates and nudges (especially nudges!), you can minimize friction while still operating securely.
Feel free to send me a letter with your thoughts (just be prepared to get out of your car).