Nudge your way to better Cybersecurity


Our local post office parking lot was under construction for many months. I have no idea what they were working on and it would not be notable except…

… it used to be super-convenient to mail letters* there.

[*Yes, those physical paper things. What can I say, I have a certain nostalgia for an age gone by. I mail thank you notes, I send occasional checks to vendors, I write letters to my kids at summer camp. I even send checks to the IRS — my accountant says that I am his only client that does not file electronically.]

Pre-construction, the way it used to work in my town was that when you drove into the post office parking lot, there were mailboxes situated so that you could reach them without even getting out of your car.

Apparently, and despite the fact that everything from fast food, to pharmacies, to (I'm not making this up) funeral homes seems to be offering more drive-through options, our post office has decided that these innovations are too convenient!

So, when I went to mail a letter the other day, I had to park my car and walk to the mailboxes just outside the door. While I was there, I went inside and bought some stamps. That's when it hit me — the post office, by moving the outside mailboxes, had changed my behavior.

By dictating that letters could no longer be mailed in the parking lot, and whether this was their intention or not, they had succeeded in "nudging" me to come inside and spend some money.

Dictates and Nudges

There are dictates and nudges in cybersecurity as well. Common examples of dictates include:

  • Not allowing personal email or social media on a work computer
  • Mandating the use of browser X when accessing websites
  • Requiring that passwords include special characters and be of a certain length

Dictates are fine in many cases. However, because they prohibit exceptions, they often prevent employees from doing their best work. Instead of focusing on what they need to do to accomplish their goals, employees are forced to battle the dictates or devise workarounds.

That's why I prefer nudges, something I've been thinking about a lot since listening to the aptly named audiobook, Nudge, by Nobel Laureate Richard Thaler and Harvard Law School professor Cass Sunstein.

As the authors explain, nudges use the path of least resistance to influence behavior, deploying what they call a "Choice Architecture." Instead of telling people what they must do, nudges tap into various aspects of the way humans think and make decisions. On everything from organ donation to environmental policy, the book lays out many interesting examples and suggestions for getting better results.

Nudges are also important in creating a good cybersecurity program for your organization. Examples may include:

  • Optimizing company applications for a particular browser, preinstalling that browser on all computers, and setting it as the default
  • A warning message that pops up when downloading or clicking on a link from a personal email or social media post
  • Turning encryption on by default

None of these require a particular behavior; however, they strongly influence the thinking and, therefore, the actions of those who encounter them.


Consider the Business Impact

There are many things that need to occur to minimize cyber risk to an organization.

But you'll want to balance the various dictates and nudges put in place against the business impact that may result. After all, you could eliminate one hundred percent of cyber risk by running your business entirely on paper (not recommended).

Consider the example of suspicious email. You could have it all sent to spam. However, in that case, users would never know that they are missing some messages. A smarter approach might be to strip attachments or links from these emails, so at least users have the option of contacting the sender when appropriate.

Additionally, if the legitimacy of the sender is in question, it is much better to get a warning dialog on your email (example below) than to totally miss the message.

Email Warning Banner
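To make the nudge concrete, here is an added example (not code from the original post) of a small mail-handling step in Python that does what the two paragraphs above describe: internal mail passes through untouched, while mail from an external sender is delivered with its text intact but with attachments removed, links disabled, and a warning banner prepended, rather than being silently dropped into spam. The internal domain list, the `X-Nudge` header and the sample message are all assumptions constructed for this example.

```python
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: these domains are "inside"; any other sender gets the nudge treatment.
INTERNAL_DOMAINS = {"example.com"}
URL_RE = re.compile(r"https?://[^\s<>]+")
BANNER = ("[EXTERNAL SENDER] This message came from outside the organisation. "
          "Attachments were removed and links disabled. If you need them, "
          "confirm with the sender through a channel you already trust.")

def build_message(sender, to, subject, text, attachment=None):
    """Construct a sample message; attachment is an optional (filename, bytes) pair."""
    msg = EmailMessage(policy=policy.default)
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content(text)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg

def sender_domain(msg):
    return parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

def nudge(msg):
    """Return (message_to_deliver, report). Internal mail passes through untouched;
    external mail keeps its text but loses attachments and live links, and gains a banner."""
    if sender_domain(msg) in INTERNAL_DOMAINS:
        return msg, {"external": False, "attachments_removed": [], "links_disabled": 0}
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    links = URL_RE.findall(text)
    # Keep the host visible so the reader can judge it, but nothing clickable survives.
    text = URL_RE.sub(lambda m: f"[link disabled: {urlsplit(m.group(0)).netloc}]", text)
    removed = [a.get_filename() or "(unnamed)" for a in msg.iter_attachments()]
    out = EmailMessage(policy=policy.default)
    for h in ("From", "To", "Subject"):
        if msg.get(h):
            out[h] = str(msg[h])
    out["X-Nudge"] = "external-sender"  # hypothetical header a mail client could key its own banner on
    out.set_content(BANNER + "\n\n" + text)
    return out, {"external": True, "attachments_removed": removed, "links_disabled": len(links)}

# Constructed sample: an external "invoice" with one link and one attachment.
SAMPLE = build_message("Accounts <billing@vendor-invoices.test>", "alice@example.com",
                       "Invoice 2291 overdue",
                       "Please pay at https://vendor-invoices.test/pay or open the attached PDF.",
                       attachment=("invoice-2291.pdf", b"%PDF-1.4 placeholder"))

if __name__ == "__main__":
    delivered, report = nudge(SAMPLE)
    print(report)
    print(delivered.get_content())
```

The user still sees who wrote, what it was about, and which host the link pointed at, so they can decide whether to follow up with the sender; only the risky parts are gone.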

It's Always a Balancing Act

Setting up systems that are both user-enabling and that protect your organization, its customers, and your collective data will always require prioritization and tradeoffs.

By employing a combination of dictates and nudges (especially nudges!), you can minimize friction while still operating securely.

Feel free to send me a letter with your thoughts (just be prepared to get out of your car).



Rob Black
Rob founded Fractional CISO in 2017 and has helped dozens of mid-size SaaS and technology companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).

