Summary

  • Psychology studies show that people tend to make most decisions using their emotional brains, not their rational ones.
  • Cybersecurity awareness training initiatives have traditionally leaned on the idea that users will make rational decisions (spoiler: they won’t).
  • To drive long-term behavioral change and boost security awareness, organizations must implement programs that make secure decisions a convenient, appealing choice.

Human error and negligence are among the top causes of data breaches and leaks today. Most organizations have cybersecurity awareness initiatives in place, but these programs fail to drive impactful, long-term change. 

Why? Well, research shows it’s probably because your people haven’t been given the right ‘nudge.’

Cybersecurity through the eyes of psychology

Five years ago, esteemed psychologist Dr Richard Thaler released his groundbreaking book: Nudge Theory. The work put forward some revolutionary ideas that apply across marketing, politics and, of course, cybersecurity awareness.

The general principle behind Thaler’s work is that people tend to make most economic decisions based on emotional thinking, rather than using their rational brain. We can see this play out all the time in our own lives. Let’s take passwords, as an example. 

We all know we shouldn’t use the same password across accounts, and that we should change our passwords regularly, every 30 days. And yet, we’d bet a few of you reading this are still using the same password that you’ve used for years across applications you engage with. 

Rationally, you know you should update your password regularly. From an emotional standpoint, though, regularly updating passwords, and having to remember a host of different ones, feels difficult and inconvenient, so you avoid it. 

Now, while we’ve only talked about passwords so far, you can see how this principle applies to security awareness in its entirety. All the right messages and education won’t make the difference if people view cybersecurity as a hindrance or a nag. 

But, don’t worry. Thaler didn’t just explain how our brain makes decisions, he also offered a solution to harness these thinking patterns to get the outcomes we desire.  

Choice architecture: the secret sauce to successful cybersecurity awareness 

Thaler’s book goes on to talk about something known as “choice architecture”. He prescribed that, rather than telling people what to do, you should think about how you can gently influence them to make better decisions. 

Before we dive into how this works in a security setting, here’s an example that really captures choice architecture in action. A school wanted to combat rising levels of obesity among students. Instead of banning junk food from the lunch hall (which would’ve just enraged kids and possibly made them crave unhealthy options even more), the school started putting unhealthy options more out of view, and in harder-to-reach places.

In essence, they made it much easier and more tempting for their students to choose healthier lunch items. And it worked! Kids began eating healthier because it was simply more convenient. 

Ok, so, going back to cybersecurity, we can now see that we need to make secure decisions a convenient choice. If compliance and data security are viewed as obstructions, people will react negatively and look for ways to work around your controls. By contrast, if you help your people build healthy security habits in an unobtrusive way, they’ll soon become security champions.

After all, your employees don’t want to put your sensitive data at risk. They do care about privacy and security – but they have their limits. And that limit is when security starts to detract from their productivity. 

Nudge your employees in the right direction with Polymer DLP 

By now, we’re sure you’re ready to cut your old security programs loose. But what do you use instead? How can you apply Thaler’s principles in the workplace? 

We’ve already done it for you. Polymer data loss prevention (DLP) is a cloud security tool that protects your data, while nudging your users towards better security decisions. 

Working in apps like Slack, Teams, Google Drive and more, our tool delivers helpful security nudges, based on psychology and heuristics, to guide employees towards a security-aware mindset. Rather than blocking your employees or working against them, Polymer DLP empowers them with the information they need to make the best decision, every time.

This is your nudge to revolutionize employee security awareness. Request a free demo today.

Polymer is a no-code data loss prevention (DLP) platform that allows companies to monitor, auto-remediate, and apply behavioral techniques to reduce the risk of insider threats, sensitive data misuse, and leakage over third-party SaaS apps. Try Polymer for free.
