In the moment nudges – What? How? Applying nudge theory to awareness

When (day):
Wed
At:
16:00 - 17:00



Session Video

About this session

What would it be like to be “there”, just when you were needed, to offer a tap on the shoulder and steer your colleagues in the right direction when they were about to do something risky? Click a link, plug in a USB, upload a file, give away their credentials…? This takes nudge theory to its logical conclusion – timely, in the moment and even measurable. In this talk, Tim will touch on why we should be looking at nudge theory, what makes a good nudge and why, how to run a campaign to steer behaviours, and the potential impact this approach can have. He will also offer some takeaways on how to apply nudge theory, behavioural and learning science to your own awareness campaigns as you build up towards real-time nudges.

Transcript:

Tim Ward - 00:00 It.

Dinis Cruz - 00:02 Hi, welcome to this open security summit session in June 2023. And we have Tim Ward, which is going to continue with talking about nudging and how to get stuff done. And I’m really interesting about how you’re taking it and your theory of awareness. Right. So over to you.

Tim Ward - 00:23 Brilliant. Thanks very much. Denis? Yes. I want to give you a bit of a spin through the world of nudge theory and how you can apply that to security awareness. So it’s got a lot of people talking about nudging at the moment. So I really want to dig into what does it even mean? How can you do it? What is and isn’t a nudge and how can you do it as effectively as possible? So let’s start with what is nudge theory? So I suppose it really started or gained notoriety through Salah and Sunstein’s work and their book called Nudge Now. They’re actually economists and they built a lot of it on the work of Tvrski and Kanaman, thinking about how do people behave and their thoughts on fast and slow thinking. And in essence, what it’s about is they called it soft, paternalistic nudges, steering people to make decisions and do things that are essentially in their best interest.

Tim Ward - 01:10 So in the past, we perhaps had a more forcing methods based approach. Nudge is about trying to help people see themselves as doing this thing. They’re less threatening. So really good examples you can think of to see the difference between forcing and nudging is, and parents probably know this quite well, if you want your children to tidy their room, well, you could shout tidy your room. Or you could play a tidy up game, things like dieting. Maybe you could count calories. That’s quite hard. It’s a forcing method. What about using a smaller plate or budgeting? That could be quite difficult, but maybe going to the supermarket and using a basket instead of a trolley. So what you’re doing is you’re sort of structuring your environment in a way that sort of nudges you or steers you towards doing the right thing. And in their sort of rewrite of the book, they actually focus a little bit more on this and this idea of choice architecture and a bit less on the idea of nudging.

Tim Ward - 02:04 So choice architecture reflects this fact that we have what you term limited rationality. We like to think we’re all rational beings, we make really deliberate, deliberative decisions, but actually probably only about 5% of the decisions we make each day are like that. The rest of the time our brain is overwhelmed with information, so it filters things out in that we have these cognitive biases that lead us to take shortcuts. And those cognitive biases are hugely influenced by context and the environment that you’re in. So that environment will steer you towards making decisions. And the important thing to think about here is that environment exists, whether we do something with it or not. And so the way that we send our messages to the organization, we are having an influence, so we might as well think about doing that. Well, really good example here that’s come from our research is if you call your training mandatory security awareness training, then you are effectively sending a message that it’s for you.

Tim Ward - 03:02 And that’s the feedback we got in our research, people saying, well, we know mandatory awareness training is for the company to cover its back, it’s not for us. So even just simple things like that, the way you word things, the way you phrase things, you are sending a message. So think about sending the right message. So let’s look at a few examples of nudge theory outlies. So, a supermarket is a great example of a real physical situation where nudge theory is in play. And choice architecture, I suppose something has to be on the shelf at Eyeline and it’s generally going to be the thing that the supermarket really wants you to buy. And that is a choice. It could be a healthy thing and then we’ll make healthy choices. It could be an unhealthy thing like chocolate’s right by the till, and those will be the choices of things that we buy.

Tim Ward - 03:43 So that’s choice architecture. In action school canteens, people have tried to do nudging here, so getting children to make healthy choices. So, again, putting the healthy things at eye level, normalizing those choices, making the vegetarian food look more interesting. So there’s some real interesting types of nudge theory going on there. There’s a good example of saving. So people were encouraged to put an image of the loved one or the thing they were saving for on the envelope, why they were saving. And it had an impact on how much they saved because it helped them reflect on the thing that they were saving towards. Lots of examples around hand washing or two. So, one, in the NHS, around the time of MRSA, people had real issues and people needed to wash their hands. So a really physical nudge was to put on the metal plate you put your hand on to push the door open, to put the messaging there, highlighting diseases spreading by bacteria and viruses on that.

Tim Ward - 04:41 And so people would put their hand on that and almost feel dirty instantly. And so right through the door they walk through would then be a sanitation station to help them clean their hands. Great example in a book called Ripple, which I’ll come back to with a reference of people in a Chilean abattoir. And so they wanted people to wash their hands. So at the beginning of each coffee break, after they left the abattoir, they would have a stamp put on their hand of a picture of a germ. And so this created a real situation where if the stamp hadn’t gone, then obviously your colleagues could see that, but also it meant that you washed your hands long enough and thoroughly enough to get rid of the stamp. So, very effective way of changing the environment and rather than telling people and forcing them, you’re effectively steering the behavior.

Tim Ward - 05:25 You want some great images of examples of nudges. I mean, if you search the internet, you’ll find lots, but we want people to be tidy, why not make it a game? And I have to slight confession here, I actually did take this photo myself. So if you get into nudge theory, then when you see it, you’ve got to capture it. The famous one here is a fly in the urinal. This is actually a goal with a football in urinal and I thought I saw this, I’ve got to have a photo to capture this moment. I’m still yet to really understand why it’s needed, but it’s clearly a problem. One you’ll see all around London on the escalator, steering people to stand in the right place. And also another one you’ll see all the time crossing the road. In my research for this, it’s important to get this right.

Tim Ward - 06:11 So here’s a great nudge that perhaps might have had the wrong outcome and quite a dangerous outcome potentially. So do think about what your nudge is and getting the right outcome from it. So what about sludge? Very kind of quick, sort of mentioned this is a tangent. So sometimes you can nudge people and you can be unhelpful and that can be quite deliberate or maybe accidental. So, for example, password advice that’s too complicated will tend to steer people to doing the wrong thing. A great example on a government savings website that I saw the other day where the nice easy thing would have been to create a new password or let Chrome create a new password and save it. However, the complexity that they required didn’t allow dashes and Chrome was trying to put dashes in. And so the out is that you end up creating another rubbish password or reusing a password.

Tim Ward - 07:05 So you can get this wrong, create Sludge and effectively drive the wrong behavior or slow people down. There’s a great website called Dark Patterns. I think it’s changed now, but this will redirect of examples of where people have got quite bad sludge. So you see it in booking processes, I think. Things like Ryanair trying to get you to book all these extra things. You see it when people are making it hard for you to unsubscribe or cancel a subscription. And of course the bad guys are doing evil but duck bad nudges all the time. That’s why you see social proof, authority, urgency, desire, all these things in their phishing emails and they’re using these psychological concepts to make you react really quickly without really thinking those are nudges, but bad nudges. So what makes a good nudge? So originally some academics worked with government to come up with a framework called mind space.

Tim Ward - 07:59 So each of these letters stood for a thing that you could think about to create a good nudge. So we’re really influenced by who the messenger is. So that’s why marketing has famous celebrities involved in things. So who would be the celebrity to help you get your message across? Is that someone in authority within the organization? The people who get the message across well might just be people who are well connected and people like and respect in the organization. It might not necessarily be coming down from the CEO, but that’s obviously an option. Incentives not necessarily a rewards here, but understanding that we like to avoid losses. So helping people understand that the risk can be helpful. Where this goes wrong is that perhaps overemphasize thinking about risk and threat and almost scare people. And I’ll come back to that. We’re massively influenced by what other people are doing.

Tim Ward - 08:47 We’re social creatures. Some of the initial research on this was really interesting. Towels in hotel rooms. So messages that said people in this hotel have reused their towels and that’s better for the environment, that was quite helpful. That message even more effective was a more specific message. People who stayed in this room reuse their towels. And so that specificity of how close that social group is to you can be really effective. We like to go with the flow, so if it’s easy, then we’ll do it. That’s why we have things like auto enrollment in pensions. You make the default action the thing that you want people to do. We’re really drawn to things that are bright and shiny and novel. Again, that’s why marketing is so sparkly and so can we use that in our messages to make them more interesting and make the key points stand out to people and we confine people.

Tim Ward - 09:40 So Devon Brown does this when he’s trying to get people to say a word or say animal or something at the end of his thing. He’s actually been priming you and mentioning that thing all the way through, but you haven’t really noticed. So can we prime people? Can we set them up to be thinking about a certain topic? And I’ll show you some examples of that later. Emotions really effective. But again, perhaps in this industry we’ve fallen down a bit and focused too much on fear. If you create fear without people feeling they can do anything about it, then you just get a response of people throwing their hands up in the air and giving up. So you need to think about a coping strategy as well as using fear. We like to be consistent with our promises. So this is a really good example of this.

Tim Ward - 10:21 In the research, people asked to put a really ugly banner in their garden advertising something. It was a charitable thing, but they asked and most people said no. But in one group the week before they’ve been asked to put a tiny postcard in their window and the people who have been asked to do that wanted to remain consistent with what they’d done and so they were much more likely to then show the banner. And so we can use this idea of commitment, we can convince people that they are or tell people that they’re behaving in a secure way. Well done, you’re secure. People want to then can stay consistent with that image and that label that you put on them. Obviously we all act in ways that make us feel better about ourselves so we can think about playing people’s egos and flattery. And so that was the original model called Mindspace and then lots to think about there.

Tim Ward - 11:12 You don’t have to use them all, but a simpler model is perhaps the east model. So this very simplistically says there’s four components to an effective nudge. It’s got to be easy, the thing you want people to do, so you’ve got to create a view of how easy it is or make sure you’re creating ease. So if you’re telling people about passwords then maybe you should be giving them a password manager to help them make that simple. It’s got to be attractive, people got to want to do it or at least understand why. So we need to help them with their motivation. It’s got to be social because that’s a really important thing. We’re driven by what other people are doing but really importantly, it has to be timely in some way. So you’ve got to help people when it matters, when it’s relevant, if you tell someone about something at the wrong time, they’re just going to ignore it.

Tim Ward - 11:59 So let’s think about how we might apply that. And a really simple message here is, look, you’re communicating anyway. If you’re in the world of awareness, you’re trying to get these messages out, so refine it, use things like mind space, think about cognitive biases, there’s lots of other things out there. Reciprocity is a really useful one to think about if you can say the security team have blocked this many phishing emails. Have you reported any? You’re kind of saying, look, we’ve given something, can you give something back? And so there’s different ways to just tune the message that you’re already delivering and here’s a really good example. So this comes from the book Ripple by Groom and Vellicott and it was Tesco trying to get people to sign up to their delivery saver and they got just from some very minor tweaks, they got a 10% uplift in impact.

Tim Ward - 12:45 So firstly they framed it as a loss and you see this all over the internet, that idea of scarcity, we don’t like missing out on things, so don’t miss out on an unlimited free deliveries. Then they used this idea of an image of a friendly face. I love this idea of putting us in a hot state of receiving groceries but that is obviously the kind of the thing were trying to you’re going to get something. It’s a gift. And it was a smiling face. We like that positivity. We will feel the need to we will feel warm inside and almost smile back. And then that face was looking towards the key message, which was that customers saved and then a really specific number. So not just roughly 75 pounds, you get authority by using a specific value. And so this had a real impact in how effective their messaging was.

Tim Ward - 13:32 Simple things, simple tweaks. And most of us will think, I wouldn’t fall for that sort of stuff, but actually when you’re just skimming reading, skim reading things, your subconscious is using these cognitive biases to make decisions so they will work. So if you’re going to do this, what we’re really saying here is we’re trying to think about behavior change. How do we move slightly beyond awareness and think about how we can use nudges to drive people to act in a particular way. And so it’s worth looking at some behavior change models. So Fog’s model is really interesting here and you can see some similarities with the east model. Fog says that for any behavior to happen, there has to be an element of motivation. You’ve got to want to do it. Now that’s why the bad guys use all these cognitive biases in their phishing emails.

Tim Ward - 14:21 They’re trying to just make you think, oh, I have to do this, it’s urgent, I have to click. There’s an element of ability. Can you do this? Is this something you know how to do? And then importantly, there’s some sort of timely prompt, something that creates that drive to actually act at a particular time. And so motivation and ability need to be enough to prompt you. And so Frogdor draws this graph and say, look, together they’ve got to be enough to get you past this line. And so this kind of makes logical sense to say, look, if you’re really willing and motivated to do something, then you can do really difficult things. Or if something’s really easy, then you can do them even if you’re not particularly motivated. And so if you reflect on where secure behaviors sit, unfortunately they sit in this unwilling, unmotivated area.

Tim Ward - 15:11 And that’s not because people don’t want to act securely, but it’s because there are lots of other motivations driving them. So it might be they’ve got to get something done for their boss, they’ve got other things that drive them to act in a particular way. So we need to think about making the secure behavior as easy as possible, which again, the east model does suggest. Boggle also says some interesting things about the order in which you try and tackle this. And this is simply in terms of how easy it is. So he says motivation is the hardest lever of change. And unfortunately, that’s where we have tended to start in security awareness. With that kind of scare people, help them understand the threat and if you reflect on this, if motivation was all we needed, we just had to want to do something, then we’d all be fit, we’d all be really healthily.

Tim Ward - 15:55 But motivation is complicated. You might want to do one thing, but you’ve got competing motivations. I want to be fit, I want to go to the gym, I want to eat cake. And those things are in encounter and so you don’t necessarily do them. So don’t start with motivation. If you could start with a prompt and just nudge people to think about something and that is effective, then you don’t need to do anything else. Then you can think about ease, then you can think about motivation. A great example he gives around keeping fit people who want to get out there and exercise. Put your running kit ready to put on as you get out of bed. So it acts as a visual prompt and you’re making it really easy because you get dressed and you put your running gear on. Now I do know people who then spend the whole day walking around in that kit and don’t actually do any exercise.

Tim Ward - 16:40 But it’s a starting point. It’s made it as easy as possible and it’s acted as a prompt. So let’s try and apply that to a real example, getting people to act securely around the threat of phishing. And if we’re going to do this using Fog’s model, then let’s do it in the right order. Start with the prompt. So we’re looking at a way to just trigger people to think, be careful in phishing. So timeless is really important. You want to deliver it as close to use of email as possible. The message is kind of you’re an email, remember phishing or is this link safe? And so a clearly visible reporting button if you’ve got that, can be a really good prompt. Now obviously you do have an issue of habituation there, which is if it’s the same thing in the same place all the time, your brain filters it out.

Tim Ward - 17:26 But timeliness is key here. So get something into the email system. When people are using email, then we can think about ability, make it easy. So here I would suggest don’t try and overcomplicate it. Like even experts for phishing, it’s not necessarily a knowledge thing. You’ve got to have a base level of understanding. But you don’t necessarily need people to understand every single aspect. What you do want is to reinforce the need to be cautious with email and maybe focus on things that humans can spot. Which is someone trying to get me to do something I don’t necessarily want to do? Am I being manipulated? Rather than trying to spot technical things and then make it really easy to act. So it’s a simple message, it doesn’t feel right. Report it again back to the reporting button and then we can think about motivation. And obviously you probably need to do all of these things but maybe do it in this order.

Tim Ward - 18:14 So motivation, you’re trying to help people understand the threat because they’ve got to be bothered to act. So you could highlight how many phishing emails have been received and blocked by security. So that’s a reciprocity thing. Show people real examples and this is a great opportunity to have that social proof look. Other colleagues have reported this. Have you, the MD got this? Have you spotted any helps people understand both that this thing is happening but also that they could do something about it and that their colleagues are so what could that look like? Well, one of the things that we did in some research with Cardiff University was simple as you open outlook we delivered some sort of reminder. Now this is magnified a bit to make it easy to read and there was some interesting psychology in this as well. So it’s timely. It’s appeared as I open my inbox, it’s salient because it’s kind of jumping out on me a little bit, it’s priming me so that as I then go into my inbox, phishing is something I’m thinking about.

Tim Ward - 19:07 So even if I read this really scan it in 5 seconds it’s gone. It is helping. And then interestingly, we found this initial sentence that focused on threat was quite helpful. We compared threat and coping and other researchers suggested coping is more effective. But actually we found this little bit of threat helped the really precise number added authority and then the final thing your inbox is at equal risk was trying to counter out optimism bias. So we found that we tried just threat on its own, optimism bias on its own. If we put these three together, we had the most impact on people and so it had a significant impact on whether people went forward and spotted phishing in their inbox. So let’s take that back and think about engagement generally, we want people to engage with our content. So let’s go back to the fog model again, really important thing, timeliness.

Tim Ward - 19:58 We have to say annual awareness is clearly not very timely. So it is a poor prompt and Ebbing house is graph that shows that after about five days you can only remember about 20% comes into play here. You’re just not going to remember things. So timeness is really important. Drip feeding is really helpful. The spacing effect of spreading content out through the year keep it ongoing. And what we also find is that making it topical can be really effective. So this plays to availability in that you link it to something that people are aware of in the news and so that when they think about that thing, they might also think about the thing you want to think about security. So link things with topical things going on in the world then make it easy, so easy to access your content. So bring the content to the user if you can, rather than expecting them to go and get it.

Tim Ward - 20:47 Make it quick and easy to digest, add a bit of user choice, an element of how they use it, but also ease in terms of can I do the thing you’re trying to teach me? So, simple messaging and really obviously actionable advice, things people can do and then back to motivation. Again, you’re trying to help people with their threat appraisal. We find that people engage a bit more with understanding the impact and threat to their personal context. But obviously if they learn to do those good behaviors, not reuse passwords, then some of that rubs off at work. We do have the fear of loss. So if you want to drive people away from a behavior, you can play on that, but not too much. If you want to drive towards a behavior, you probably want to set it in a more positive frame. So those are some examples.

Tim Ward - 21:31 So pulling that all together, we think there’s a sweet spot here. And so if you think about behavior, all behavior takes place in a context. For most of us, that’s going to be our it, there’s a trigger and then we act. And as an industry, we’ve been trying to solve the awareness problem in the wrong place. It’s not in the context where the threat lies. It almost doesn’t matter how good and funky these videos escape rooms elearning is. Obviously if it’s good, then people won’t hate you for making them do it. But by the time you get back to your desk, much of it is forgotten. It’s not in the context where the threat lies and it tends to be too infrequent. And then we’re seeing on this side where it’s kind of too late. So maybe responding to incidents in the scene, well, obviously that’s useful to know where behaviors lie, but it’s happened.

Tim Ward - 22:16 And if you deliver content afterwards, again by sending emails, then that’s a channel that is just too busy. But also it’s seen as punishment with training. Now, you might not see it as that, but I can promise you the people on the other end of it see it as punishment with training. And it’s also quite hard for people to contextualize. So if you get told after something’s happened that this is how you should have dealt with it, most of us will rationalize and go, well, I’m sure I was doing that for good reason at the time. So they’ll tend to be ignoring what you’re telling them. So our research has suggested there’s two sweet spots actually. One is here priming people just before the behavior happens. So like that Cardiff example, the Cardiff research, as you open your inbox, just that’s the place you need to know about Phishing or as you open LinkedIn, that’s the place you need to think about sharing data about the company or yourself to be careful.

Tim Ward - 23:05 So that’s when you need to hear about something and it doesn’t have to be long and it can be relatively subconscious as well. But even more interesting nudging here actually when the behavior is taking place. So as someone is about to click a link, as they’re about to upload a file, maybe as they click the link and they’re about to give away their credentials, trying to find those opportunities to intervene. And if you can see that behavior, you can baseline and monitor it silently, get that baseline and then when you start to intervene, you can see that you’re changing it. And that’s really what we focus on. That’s our thing with think cyber with red flags, measuring those behaviors and then driving and delivering content to drive behavior change. So let’s look a little bit more at what we mean by behavior change. And so I suppose I’m talking about instead of running security awareness campaigns, we’re actually talking about running behavior change campaigns.

Tim Ward - 23:56 And the best way to do that we found, is focus one behavior at a time or maybe a group of related behaviors. So it’s really clear to people what they need to focus on. You should expect it to take two to three months to see an impact and during that time you’re being really coherent, consistent with the sort of content you’re pushing out. You can be relatively subtle and infrequent. You’re trying to build a habit, you’re not necessarily trying to hit people every single time something happens. And you do need to mix things up. So that’s why you do two to three months one topic and then you might want to change to a completely different topic because you want to avoid habituation. So it’s got to be different content throughout. And then you switch to a different topic so that’s what it can look like.

Tim Ward - 24:34 And here’s an example. We have a check the sender campaign. So we might start by telling people why it’s important to check the sender before you click a link. But in the background, sorry, in the first couple of weeks you’re actually just tracking how often are people clicking links in emails from people they don’t know. Then you deliver this story to explain, well, why do you need to do it, why is it important? Help people understand the threat behind the scenes. You’re still tracking how often people are kicking links in emails from people they don’t know. Then you might do a reminder and you turn one of these real time nudges where you’re nudging people as they’re about to click a link. So you’re reinforcing that message at exactly the point someone’s about to do the thing you’re worried about. And then in the final week, again, another reminder and continue the nudging.

Tim Ward - 25:16 And what you can see in this time period is a real change. And I’ll show you that in a graph in a second. So what does that story, what does that content look like to. Introduce it. So what we do here is we will push content straight out onto the device, really short and sharp, maybe takes a minute to read, really conspicuous. So you’re looking at ease because it’s easy to digest because it’s on the device, it’s timely, it’s salient, it looks interesting, and it plays to availability because it’s then in your mind and you’ve been thinking about it and obviously you’re tracking who’s seen it, how have they reacted, how long have they looked at it for? Then you might deliver a reminder as people open their inbox. Again, I’ve magnified this a little bit just to remind you, look, this is where you ought to be thinking about, do I really know the sender before I click on the link again, it’s timely, it’s salient, and we’re priming people to think about this.

Tim Ward - 26:05 And then perhaps when I get this rather dodgy email and I’m about to click the link, this is where the real time nudging could come in to say, look, are you sure you know this sender? And a big red arrow pointing to who the email is from. So you’re either possibly just reminding people relatively subconsciously because this isn’t forcing them to stop. They don’t have to click, okay? It just appears and follows their mouse around. Or you’re knocking them out of their automatic pilot. Their system one thinking into a more deliberative mode to go. Oh, hold on. Let’s stop and think about this behind the scenes. Obviously you’re tracking this. How often do they hover? How often do they click? And this graph shows some of the impact you can have. So the spikes are where we’re delivering content and people are engaging. The top line is how often people hover and the bottom is how often they actually click the link.

Tim Ward - 26:50 And so just within a month, you’re seeing a reduction in people clicking links and emails from people they don’t know. So I suppose what I’m talking about here is almost an ability to deliver real time awareness, this right content, exactly the right time in the right way. And so I almost propose a manifesto for what do we mean by real time security awareness because people are talking about a little bit and talking about nudge theory. So my take on this is that it’s about supporting people and helping them as close to the point of risk as possible and you’re trying to steer them towards a secure behavior. It’s not meant to be a tool to find new mediums to nag people or to spot behaviors and then go and tell them off. And so it’s important, it might be attractive to think, well, what if we could message people in WhatsApp, in Slack, in teams, in SMS?

Tim Ward - 27:39 That’s great if your message is relevant and timely to where the threat is and what the threat is in what they’re doing. But if you’re just using a Slack message to tell them about, I don’t know, phishing or something that’s not really relevant. You’ve really just found another medium to nag people via. So you need to think about what do you mean by real time? And it should be trying to help people when it’s relevant and timely. And again, I talked about this earlier, responding to events in the scene, it’s not really timely enough. The event has already happened and so you risk getting into this cycle like we’ve been with phishing simulations where you’re effectively punishing people with training. And I think this matters because it’s really this choice between helping people, guiding, steering them and focusing on reducing risk, or an alternative which is just other ways to nag people and tell them they’ve got something wrong.

Tim Ward - 28:29 So we’re trying to help people and steer them and get them on our side and essentially try and build that culture that values security. So let’s look at a few other examples of what that could look like. So, example here, I open my inbox and I just get this nudge from the top of the screen. Now, even if I ignore this, I’ve been primed again. So you’ve got this salience, you’ve got Priming, it’s timely, but also you can play into this a bit of social proof. So this nudge doesn’t show it, but what we would often put here will be something like Freddie accounts or the MD or someone spotted this phishing. Have you reported any? So you’ve got social proof. You could highlight the skid team of block stuff and you can use reciprocity. So these are some of the things that highlight at the bottom of the slide where you’re playing to these cognitive biases.

Tim Ward - 29:14 And there’s a bit of a feedback loop as well. So if I click on this, the idea is I get shown an example of a real phishing email. So rather than just training people who fail a phishing test, why not show everybody an example of what phishing looks like? Different examples of things hitting the organization, maybe once a month, maybe once every two months. Or perhaps if I actually click a link and then I get to a web page and start to enter my credentials, well, we could spot this a nudge at this point. So really timely, really relevant. You’ve just clicked a link in an email from someone you don’t know. You’re now adding your password. Are you really sure you want to do this? And obviously you’d run this with an allow list so that you wouldn’t nudge on things people are meant to use.

Tim Ward - 29:55 But actually, you can take this far beyond this. You can think about phishing, data loss, safe routing, connecting to Insecure, WiFi. So here’s an example. Nudging when people try and upload something to dropbox, this is actually really generic. So normally we would think to change this, to tune it to the organization, to say, this organization, this is the tool we want to use. It’s far more effective to drive people towards a behavior than away from behavior. And that does mean you need to stop and think a little bit if you want to run a behavior change campaign, what’s the behavior you want? And have you got an easy way, have you got the tools in place to allow people to do that? Because it’s all very well sort of steering a behavior, but it has to be towards a good course of action that you actually want people to do.

Tim Ward - 30:37 Another example could just be sending an email too many people. Again, we’re not just nudging to say stop it, we’re telling people how to use it, how to enable BCC if it’s not even there or maybe signing up to it, the systems that you don’t really want people to sign into. So this could be the use case, could be around credential stuffing it, could be using it that hasn’t been sanctioned, but also things that move into the DLP type world. So sending things to webmail addresses, sending attachments internally where you might want to drive people to send links to reduce the risk of a document going to the wrong place. And finally nudging around different websites. So social media, we just added a chat GPT nudge. So not necessarily blocking the sites, but making sure that when you see people go there, you can very subtly nudge them.

Tim Ward - 31:28 So the mouse changes to say look, please don’t share any commercial data here. Now obviously you could have a nudge that was a bit more bold, took over the screen and said look, this is how to use this and here’s our policy on it. So just to pull that together. To final observations of what I’ve been talking about, we can’t always rely on people making rational decisions that we’re really driven by context. And so nudging is about shaping that choice architecture, that context, so we get the behavior that we actually want to see. There’s some really good frameworks out there that we can use. So east standing for ease, ability, social and timely and the mindspace model to start thinking about how do I change my messaging, so I’m thinking about ways of making it more impactful. All of these models suggest that timeliness and context are really fundamental.

Tim Ward - 32:19 So that’s what we should be thinking about and where we should be helping people. But if you’re going to do that, these real time interventions we believe should be about supporting people, not just finding new ways to nag them. And if you can make it measurable because you want to understand how often behaviors happen, try and build a baseline and then start to nudge away from it. Because if you can make this measurable, you can actually sort of tangibly say I am reducing risk. So what we’re trying to talk about here is taking nudge almost to its logical conclusion. A sort of a more physical tap on the shoulder, I suppose to actually measurably drive secure behavior change. And that’s very much what we’re focused on, using red flags. So couldn’t resist this. It’s a nudge, which is don’t miss a chance to ask questions.

Tim Ward - 33:03 Could obviously email me, although I haven’t put my email here, which isn’t very helpful. It’s Tim at thinksyber co UK or reach out on LinkedIn. But Dennis, I don’t know if we got a mechanism for people to ask questions on there.

Dinis Cruz - 33:15 Yeah, they could put in a chat. I don’t see a lot of stuff, but I got a couple for you here. So I really like the whole real time nudging. I think it’s really powerful. Have you have any experience doing that? For example, in the middle of bigger security transformation programs. So I’m a big fan, for example, of using incidents as strategic. So I take a P three and I run as a P one. So I put a lot of my team on it. And the reason why we do that is we also fix a lot of things. For example, I think we even have a scenario where once in an incident, we even create security awareness content during the incident, distributed it during the period, and the idea was to solve that problem of if you do it afterward, the post mortem, the momentum is gone.

Dinis Cruz - 34:04 Like it’s not relevant. Makes sense. So in a way it’s not as I guess the email and some of the examples are shown. It’s like when something happened. But I found that world where you basically are able to, for example, while something is hot, when incident is hot or something is happening or a team is working, that’s a great way to nudge a lot of those behaviors. Nudge. A lot of that changes even to say this exists by the way, you didn’t use it, this actually is there. And I found that people this makes them much more susceptible to be nudged, if that makes sense.

Tim Ward - 34:39 Yeah, no, I’d agree with that. And I think because the mechanism here is that we’re putting content on a content server and it’s being pushed down onto devices so it can be delivered sort of right there on the device that enables us to respond to events in the wider world. So we’ve helped people with comms related to Ukraine, to COVID, but also it can be incident based. So we’ve helped people so incident happens. We were planning to do different content, but the next day we’re pushing out content that’s relevant to that. And obviously that’s great for the security team because they’re seen by the board or whoever, the stakeholders as being really responsive and kind of getting that messaging out. So absolutely I agree because it’s again a place to availability, doesn’t it? People are seeing the impact of something, so now is a great time to tell them about it.

Tim Ward - 35:27 We’ve also seen interesting things where if a competitor has an incident or someone in your world then that sort of content being pushed out, people dive on it because it’s really relevant. They go, okay, this really happens in our industry. This is something that we should understand.

Dinis Cruz - 35:45 What about in for example an area of let’s say identity access management where you nudge, let’s say the risk owners to what’s been happening. So for example the whole thing, hey, do you have access to this or your team members are success this or even a regular nudge to go, this is what you and your team currently own. Is this still correct? Because those are in a way not as reactive nudges but it keeps reinforcing the idea of people to reduce the attack surface to go, oh, I don’t anymore. Again, that behavior of getting the users to take more accountability and to in a way accept certain risks but you need to keep nudging them that the.

Tim Ward - 36:27 Risks are still there. Yeah. Obviously don’t tell the comms team but this approach almost becomes a new channel that you can communicate some of your security messaging with. So we have actually done some of that site thing. I think we did something around a kind of a spring clean of spring cleaning your teams, groups and stuff just to remind people from time to time. So I suppose that comes into the priming thing and you can do it so you could spot that they have gone to teams or that they’ve gone to SharePoint and that would be a timely time to say can you just check who’s got permissions to this? When did you last check permissions or something like that just to kind of yes, it’s a bit more scheduled but it also can be made timely as well. Yeah.

Dinis Cruz - 37:11 And I guess my father’s point, what I like about some of these things is that it also allow us to bring some science to some of the things we do. And this is quite recognized that we know it works. Right nudging. The whole social media companies might have abused that but the bottom line is that it does actually work quite well to change behavior.

Tim Ward - 37:30 Yeah. And in fact I often talk about it in my talks. The fact that I don’t really call them the goodbyes but guys, but the likes of TikTok, Twitter, Facebook, they’re using these content biases against all the time and getting us to scroll and obviously that’s to show us more ads and keep us on the platform. But why can’t we use the same technique and the bad guys are using the techniques as well. Why can’t we use the techniques for good to help ourselves? Absolutely. But yeah, absolutely cool. Yeah.

Dinis Cruz - 38:01 Look, I don’t think we got for the question, so thanks for your session. And I think there’s definitely a couple of panels we should do on the back of this because I think it’s definitely a key topic and it’d be cool to explore other examples, other areas that it can be used in our industry, because I think it’s definitely maturing. I would say that I think that we talked about this offline. I think that the LLMs and the Chat GPT kind of analysis is a good example of it. Either will make some of the stuff you do a commodity or allow it to be even more relevant. I guess the interesting element here is that I think it allows you to consume a lot more data and to make things a lot more customized in context to the person.

Tim Ward - 38:44 You can definitely tune it to say, how do I create a persuasive message for someone who is like this? And how do I make that just in two lines of text? I mean, that’s where the language model, I think, can play can come in and be really effective and also make it the right sort of level for the audience.

Dinis Cruz - 39:04 Exactly. Well, there’s a good session for next time.

Tim Ward - 39:07 Yeah, brilliant. Excellent. Well, really good