Nudging Towards a Secure World

Nudge is a concept in behavioral science, political theory and behavioral economics which proposes positive reinforcement and indirect suggestions as ways to influence the behavior and decision making of people.

In simpler terms, whenever there is a point at which someone has to make a decision, a nudge helps to push people in a desired direction without forbidding any of the other options or changing their economic incentives.

To count as a nudge, the intervention must be easy and cheap to avoid. Nudges are not mandates.

There are many examples of nudges which we encounter in our daily lives, some of which we notice, and others we don't. For example, some shops will place fruit at eye level - this counts as a nudge. Conversely, banning junk food does not count as a nudge.

If you travel on the London Underground, many escalators have stencilled footprints on them: static ones on the right-hand side and walking ones on the left, nudging people to stand or walk on the correct side.

Whenever we're disposing of rubbish, the bins are usually clearly labelled, identifying where recyclable waste should go vs landfill. There's no actual mandate to prohibit someone from throwing all their rubbish into the landfill, but a simple nudge or reminder at the point of throwing rubbish can be surprisingly effective in getting people to spend a few seconds separating out landfill from recyclable waste.

Security Nudges
Nudges can also work well in security. Perhaps the most common example is the password strength meter: as someone types a password, the longer and less predictable it becomes, the more a bar fills up, or a sad face turns into a smiley. The meter stays a nudge only as long as it informs rather than blocks; once the form refuses to submit below a threshold, it has become a mandate. It is also worth checking what the meter actually measures. One that rewards character classes alone will rate a leet-spelled dictionary word highly, which is why estimators such as zxcvbn match against common-password lists and known patterns instead of counting symbols.
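The following is an added example, not code from the original article: a small strength meter written as a nudge. It estimates how guessable a password is, undoes common leet substitutions before a dictionary check so that a disguised dictionary word is not rewarded, and returns what a UI would draw (bar fill, label, face). It never blocks submission. The common-password list, the leet table and the score thresholds are constructed for illustration.

```javascript
// Added example (not from the article): a password strength meter written as a
// nudge. It scores a candidate password and returns what a UI would draw (bar
// fill, label, face), but it never blocks submission; that is what keeps it a
// nudge rather than a mandate.

// Constructed sample of common passwords; a real meter loads a list of tens of
// thousands of leaked passwords.
const COMMON_PASSWORDS = new Set([
  "password", "123456", "12345678", "qwerty", "letmein", "welcome",
  "monkey", "iloveyou", "admin", "dragon", "football",
]);

// Common "leet" substitutions, undone before the dictionary lookup so that
// P@ssw0rd1 is recognised as "password". Table is this example's own.
const LEET = { "@": "a", "4": "a", "0": "o", "1": "i", "!": "i", "3": "e", "$": "s", "5": "s" };

function normalize(pw) {
  return pw
    .toLowerCase()
    .replace(/\d+$/, "")            // drop a trailing run of digits (password1, 2024)
    .split("")
    .map((c) => LEET[c] ?? c)
    .join("");
}

// Size of the character pool the password actually draws from.
function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^A-Za-z0-9]/.test(pw)) size += 33; // printable ASCII punctuation and space
  return size;
}

// Rough guess-entropy estimate in bits. Dictionary hits and single-character
// repeats are scored as nearly free to guess regardless of length.
function estimateBits(pw) {
  if (pw.length === 0) return 0;
  if (COMMON_PASSWORDS.has(pw.toLowerCase()) || COMMON_PASSWORDS.has(normalize(pw))) return 4;
  if (/^(.)\1+$/.test(pw)) {
    // one character repeated n times: choose the character, then the length
    return Math.round(Math.log2(charsetSize(pw)) + Math.log2(pw.length));
  }
  return Math.round(pw.length * Math.log2(charsetSize(pw)));
}

// Map the estimate onto what the article describes: a bar that fills and a face
// that turns from sad to smiling. Thresholds are this example's own choice.
function rateStrength(pw) {
  const bits = estimateBits(pw);
  const percent = Math.min(100, Math.round((bits / 80) * 100)); // full bar at 80 bits
  let label, face;
  if (bits < 28) { label = "weak"; face = ":("; }
  else if (bits < 40) { label = "fair"; face = ":|"; }
  else if (bits < 60) { label = "good"; face = ":)"; }
  else { label = "strong"; face = ":D"; }
  // A nudge informs; it does not forbid. Submission is always allowed.
  return { bits, percent, label, face, allowSubmit: true };
}

// Text rendering of the meter, e.g. "[#.........]   5%  weak :("
function renderMeter(pw) {
  const r = rateStrength(pw);
  const filled = Math.round(r.percent / 10);
  return `[${"#".repeat(filled)}${".".repeat(10 - filled)}] ${String(r.percent).padStart(3)}%  ${r.label} ${r.face}`;
}

for (const pw of ["password", "P@ssw0rd1", "aaaaaaaaaa", "Tr0ub4dor&3", "correct horse battery staple"]) {
  console.log(renderMeter(pw).padEnd(30), JSON.stringify(pw));
}
```

Note what the output shows: "P@ssw0rd1" is rated as weak as "password" because the dictionary check runs on the normalised form, whereas a meter that only counts character classes would have filled most of the bar for it. The charset estimate still overrates "Tr0ub4dor&3" as strong, which is the remaining gap that production estimators close by matching dictionary words with substitutions anywhere in the string. Whatever the rating, `allowSubmit` stays true: the user is informed, not forbidden.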

Another security-related example of nudging can be as simple as putting a poster about secure document disposal above the spot in your office where both ordinary and confidential-waste bins sit. The prompt to do the secure thing arrives at the moment the paper is being thrown away, and serves as a gentle nudge in the direction of security.

Recently, I saw a photo of a security conference where people were given the choice of different colored lanyards, one indicating they were open to conversation or job offers, and another which implied they wanted to be left alone.

The Dark Side of Nudges
Given the power of nudging, it should come as no surprise that some unscrupulous people weaponize nudges and use them against us. These weaponized nudges are called dark patterns, and they push us toward whatever the person or organization deploying them wants, rather than toward what is good for the person being nudged.

A good resource which documents many of these anti-nudges is Darkpatterns.org. One particularly devious dark pattern used on mobile devices is an advertisement that draws what looks like a speck of dust or a hair on the screen; when you go to wipe it off, your finger taps the ad.

Embracing nudges and recognizing dark patterns
From a security perspective, there are a few things to bear in mind when it comes to nudges. Attackers also use dark patterns to trick users into behaviors that benefit the attacker, which could be as minor as clicking on an ad or as serious as installing malware.

However, while nudges may seem sophisticated, they are intuitive to design and cheap to set up. Similarly, it is not too difficult to train people to spot dark patterns in any context, not just security.

Perhaps nudges can be most effective if we build security nudges into every product, so that rather than security being the department of no, it becomes the department of yes, with a nudge towards the better answer.
