Training

Security nudges promise proactive security habits that reduce human errors  

(Adobe Stock)

COMMENTARY: Organizations have long faced the ongoing threat of human behavior. Whether by using weak or reused passwords, careless clicking, or neglecting to adhere to protocols, employees too often unwittingly become the security chain's biggest threat. They resort to convenience when that email appears urgent, or when that login page does not get scrutinized.

Legacy training programs for employees are lacking in two essential ways: rigid schedules may cause a timing disconnect with real security events, and generic modules may fail to align with individual habits or knowledge deficits.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

That's where security nudges—small, timely, behaviorally-informed prompts—come into play. Instead of using lengthy training sessions in strict blocks of time, nudges appear in the moment to encourage users towards safer options with cognitive cues, such as friendly reminders, warnings, or contextual tips, guiding user behavior. and minimizing risk.

What we mean by security nudges

We borrowed the theory of the security nudge from behavioral economics. It’s premised on the belief that small changes in a decision-making context can bring about significant changes in behavior.

In the world of cybersecurity, nudges can be a pop-up reminder, a warning banner, or a pre-filled security suggestion. These interventions are meant to be intrusive, real-time suggestions that let employees adjust to risks as they crop up. These nudges make one pause and think, prompting the individual to make a smarter, safer decision.

Security nudges operate by catching the user at the moment of decision and correcting potentially hazardous behavior, not in hindsight, but as it’s being initiated. This immediate correction is important to the effectiveness of micro-interventions: they address intent, not action. By incorporating such cues into everyday processes, organizations can reinforce proactive security habits that reduce human errors and help spur a positive cybersecurity culture.

How security nudges work

Security nudges are based on real-time vigilance, including data loss prevention (DLP) notifications, behavior analytics, and rule engines that correlate dangerous user patterns with predefined nudges. Frequency and timing are optimized by machine learning to keep nudges relevant without becoming too noisy.

Security nudges are most effective when they are context-aware and action-triggered, such as sharing a sensitive file with an external party; when it’s least disruptive, a one-click resolution or a temporary pop-up; or when it proposes an exact action explicitly, and maintains user autonomy.

Real-world applications

Below are examples of organizations that exemplify the fusion of behavioral science, real-time analytics, and user-centric design to deliver effective cybersecurity nudges.

  • Adaptive nudges.

Microsoft uses contextual, data-driven nudges that are engineered to minimize friction and applied to encourage millions of individuals to make safer choices. When users sign in from an unfamiliar device, they are prompted to enable MFA. The nudge gets executed in context, when the user decided on access, raising the probability that they will follow through.

Microsoft Defender for desktop apps will automatically mark emails with such alerts as: "This message comes from outside the organization. Be cautious with links and attachments." This gentle reminder causes users to pause/hesitate before clicking, particularly in phishing-vulnerable environments.

Microsoft Purview's Adaptive Protection dynamically remediates elevated-risk DLP policies against a user's risk level. A user with high insider risk might have more stringent nudges or block the copying of files to USB devices, or when uploading to home cloud storage. Lower-risk users might only receive gentle reminders.

  • Just-in-time (JIT) nudges at the moment of risk.

Google noticed that even highly-trained staff members sometimes make dangerous choices, such as omitting to enable two-factor authentication (2FA). To rectify this, they implemented JIT security nudges, which pop up immediately when a dangerous action is being initiated.

For instance, a user attempting to share a confidential document outside the company gets presented with a prompt: "This file contains sensitive data. Are you sure you want to share it externally?" On signing into a new device, users are prompted to enable 2FA.

Best practices for using security nudges

Here are a few principles that can improve the success of security nudges:

Personalize: Generic messages tend to get ignored. Tailored and context-aware prompts are often more effective.

Avoid overuse: Because nudges interrupt employee attention, every nudge needs a compelling reason to justify itself. Overuse can lead to ”nudge fatigue,” with employees potentially ignoring them.

Enable users: The best security nudges don't command or force, they assist. When users feel in charge, they're much more likely to behave safely.

A/B testing: Security nudges are not a one-and-done remedy. It's important to consistently test different types, timing, and placement of nudges to optimize their effectiveness.

Seamlessly integrated: Users have to perceive nudges as an organic element of the user experience and not as interruptions or additional tasks.

As cyber threats multiply and get more advanced, the security tools we employ must adapt in kind. Sometimes we all need a gentle push in the right direction. It’s the best type of change.

Security nudges combine the focus of automation with the expertise of behavioral science to promote better decision-making at the point when it matters most. They’re low-cost, highly targeted, and respectful of user autonomy, making them a must-have in any modern security toolkit.

Erich Kron, security awareness advocate, KnowBe4

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Erich Kron

Erich Kron, CISO Advisor at KnowBe4 is an author, a podcast host and regular contributor to cybersecurity industry publications. He is a veteran information security professional with over 30 years of experience in the medical, aerospace, manufacturing, and defense fields. His experience has fueled his passion for helping to address the human side of cybersecurity.

He is the former security manager for the US Army’s 2nd Regional Cyber Center and holds CISSP, CISSP-ISSAP, SACP, and many other certifications. Erich has worked with information security professionals around the world to provide the tools, training, and educational opportunities to succeed in Information Security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds