How Can We Nudge Employees Toward Better Cybersecurity Habits?


It’s not uncommon to think of cybersecurity as primarily a technological challenge, but it’s really more of a human one, Alex Blau writes at the Harvard Business Review, in that cyberattacks so frequently take advantage of human error. Most of the large-scale cyberattacks that have made headlines in the past year at some point involved someone making a mistake or exercising bad judgment and accidentally giving cybercriminals access to sensitive data. Behavioral science, Blau observes, helps explain why people (including your employees) have a hard time adopting good cybersecurity habits:

One major insight from the fields of behavioral economics and psychology is that our behavioral biases are quite predictable. For instance, security professionals have said time and again that keeping software up-to-date, and installing security patches as soon as possible, is one of the best methods of protecting information security systems from attacks. However, even though installing updates is a relative no-brainer, many users and even IT administrators procrastinate on this critical step. Why? Part of the problem is that update prompts and patches often come at the wrong time — when the person responsible for installing the update is preoccupied with some other, presently pressing issue.

Blau’s insight here underscores something we discovered in our recent study of organizational culture at CEB, now Gartner. When culture change efforts fail, it is sometimes because employees are unable to manage the tension between the desired change and their day-to-day workflow. Getting employees to adopt a new habit at work means understanding the tradeoffs they need to make in order to do so, minimizing those tradeoffs as much as possible, and giving employees guidance on how to manage them. When best practices in cybersecurity (or any other area where you’re hoping to change employees’ habits) get in the way of an employee doing their work efficiently, the employee is more likely to sidestep them.

Blau also recommends some simple behavioral techniques employers can use to make employees more likely to behave responsibly when it comes to cybersecurity, starting with setting strong defaults to “nudge” employees into better habits. The concept of the nudge has been a demonstrated success in the realm of retirement savings, where the practice of auto-enrollment in retirement savings plans has led to employees saving more. This kind of intervention has also been shown in some recent studies to be more effective in some instances than financial incentives at encouraging participation.

In the context of cybersecurity, Blau suggests steps like requiring employees to opt out of extra security protocols on their devices rather than opt in. He also recommends motivating employees by comparing them to their peers, such as by polling them on their cybersecurity habits and presenting each employee with how they compare to the average, leveraging what behavioral scientists call social proof to encourage employees to get their digital houses in order.

As Blau’s article suggests, the challenge of cybersecurity touches on many areas of strength for HR, from onboarding and training to recognition and feedback. The growing threat posed by cybercriminals in the era of big data is keeping many CEOs up at night, but there’s a lot HR can do to help put their minds at ease.