Nudge refers to “Influencing people’s behavior in a predictable way without forbidding any options or significantly changing their incentives.”–Richard Thaler & Cass Sunstein (“Nudge: Improving Decisions About Health, Wealth and Happiness”)
In this blog post we explore the behavioral-science concept of ‘nudge’ and how it can improve the security and data privacy posture of organizations.
Top-down security infrastructures (and their shortcomings)
Enterprise security and data privacy frameworks traditionally assume a posture of protecting the enterprise from external threats while paying limited attention to operational mistakes from within. The standard security framework in organizations is a ‘top-down’ approach of defining user access roles.
Access to a given set of folders, applications or databases is usually granted by an ‘admin’ based on group or team membership. This paradigm worked in the era of monolithic applications running on-premises.
Cloud and SaaS offerings are blurring ‘data boundaries’ and the guardrails around data domains. The risk and scale of data breaches have gone up significantly as a result.
Educational videos are a great way to demonstrate good practices, but they are nowhere near enough to develop a culture in which every employee follows best data management practices.
Let’s explore the power of influencing behavior at the individual level to achieve large, system-wide outcomes.
Humans are not robots
Thaler/Sunstein (and Kahneman/Tversky) postulate that human decision-making is not robotic: on a day-to-day basis, an individual may act in irrational ways. The same idea can be applied to data management in an organization:
Use of heuristics
If something has worked in the past, why do it differently? For example, customer records have been shared via chat or other insecure channels before, so why not keep doing it?
Temptation or mindlessness
Studies have shown that the more popcorn people are given (even if the popcorn is stale!), the more they eat. The same applies to workers doing rote tasks, who are highly prone to falling into a ‘mindless’ state. Stimuli need to be varied to keep someone in a ‘mindful’ state. From a security perspective this is certainly a high-risk area.
How to influence the “secure” choices
Thaler/Sunstein’s libertarian paternalism recognizes that humans do make bad choices, but that, given another chance, they wouldn’t make them again.
The choice between opt-in and opt-out defaults has been used successfully by various governments to raise savings rates. In organizations, data management training is traditionally used to influence employee actions, but we think design within applications and workflows can play a much bigger role. A/B testing of buttons and of how data is displayed has a lasting impact on creating ‘secure’ defaults.
Choice architecture and social influence
A data-privacy-first culture automatically fosters awareness of sensitive data across the whole organization. Presenting data privacy and security as important business drivers is a powerful message for creating the ‘privacy’ mindset across engineering, product, sales/marketing, etc.
Human errors are a feature, and how they are handled is hugely important in reversing and reducing data breach risk. We have seen subtle but powerful designs within applications that create feedback loops and dramatically reduce error rates.
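To make the ‘secure default’ and ‘feedback loop’ ideas above concrete, here is an added example (not code from the original post) of a nudge in a hypothetical record-sharing dialog: the narrowest scope is the default, wider scopes stay available, sharing a sensitive record broadly triggers a confirmation prompt rather than a block, and a small log records how often the prompt changed the outcome. The scope names, classification labels and `FeedbackLog` are assumptions made for this illustration.

```python
"""Added example of a sharing nudge with a feedback loop (hypothetical dialog)."""
from dataclasses import dataclass
from typing import Optional

# Assumed sharing scopes, ordered from narrowest to widest.
SCOPES = ("owner_only", "team", "organization", "anyone_with_link")
DEFAULT_SCOPE = "owner_only"            # secure default: users opt in to wider sharing
SENSITIVE = {"customer_pii", "financial"}  # assumed classification labels
BROAD_FROM = SCOPES.index("organization")  # scopes at or beyond this are "broad"


@dataclass
class ShareDecision:
    effective_scope: str
    nudged: bool
    message: str = ""


@dataclass
class FeedbackLog:
    """Counts nudges and whether users reverted to a safer scope or overrode."""
    nudges: int = 0
    reverted: int = 0
    overridden: int = 0

    def reversion_rate(self) -> float:
        return self.reverted / self.nudges if self.nudges else 0.0


def decide_share(requested: Optional[str], classification: str,
                 confirmed: bool, log: FeedbackLog) -> ShareDecision:
    """Apply the default, nudge on risky choices, never forbid the option."""
    scope = requested or DEFAULT_SCOPE
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    risky = classification in SENSITIVE and SCOPES.index(scope) >= BROAD_FROM
    if not risky:
        return ShareDecision(scope, nudged=False)
    log.nudges += 1
    if confirmed:  # the user saw the prompt and chose to proceed anyway
        log.overridden += 1
        return ShareDecision(scope, True,
                             f"Shared {classification} record with scope '{scope}' after confirmation.")
    log.reverted += 1  # prompt shown; scope kept at the default until confirmed
    return ShareDecision(DEFAULT_SCOPE, True,
                         f"This record contains {classification}. Sharing it with '{scope}' "
                         f"is unusual; kept at '{DEFAULT_SCOPE}'. Choose Confirm to proceed anyway.")
```

The reversion rate is the feedback signal: a high rate means the prompt is catching mistakes, while a rate near zero suggests the prompt has become routine and the stimulus should be varied.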
Behavioral science concepts such as ‘nudge’ are a very inexpensive way of reducing cybersecurity risk. We argue that more of these principles need to be incorporated, in addition to training, immediately, as organizations move to the cloud and data becomes less siloed within organizations.