#RSAC: How to Nudge User Behavior

Speaking on 'The Art of the Nudge, Cheap Ways to Steer User Behavior' at RSA Conference 2019, Branden Williams, director of cybersecurity at MUFG Union Bank, highlighted the psychological ways that user actions can be influenced. 

Using real world examples, such as calorie counts on a menu to help you make a healthier choice, or towels and bed sheets being replaced in hotels or even a T-shirt with the slogan “cool people smile,” Williams said that these are examples of a “nudge,” a way to take advantage of unconscious bias. This involves three major factors:

  • It should produce an outcome
  • It should favor a better or more rational decision
  • It should exploit an individual’s cognitive bias

In essence, a “nudge theory” is “stupid things that smart people do” according to Williams, and a “push for a certain behavioral response.”

He said: “Nudges happen all around us, all of the time and you learn which attack your brain and what made them effective in your home and in the cybersecurity world.” 

In terms of methods, Williams picked four examples of simplification (making information more straightforward and easy to process) and framing (phrasing of information to activate values/attitudes of the target), changes to physical environment to guide your target to one choice over another (such as an arrow on the ground), changes to a default policy so that the standard choice is the one you want made and use of social norms to leverage peer pressure to cause your target to choose the preferred option.

Highlighting the problem of people printing confidential information and leaving it on desks when they go to lunch, or leaving a workstation unlocked, Williams said that these “are real information security problems, and there are technical solutions to each.” In the case of workstations, he suggested using posters which state “cool people who get bonuses lock their workstations” as a workable method.

Alternatively, to stop people printing off pages, prompt users not to print and get them to acknowledge what they are doing. Also offer incentives such as justification for printing pages.

For emails, include an alert that the email is 'external' and use keyword searches that their email may contain confidential information. 

Williams told Infosecurity that there are five ways that behavior can be influenced:

  • Incentive – offering some sort of economic incentive
  • Norm – challenging a social norm
  • Default – a default policy and how you are going to treat someone
  • Salience – where you’re going to scare someone, and this was most influential
  • Ego – playing to the person’s ego by saying “smart guys always do it this way”

He concluded by recommending delegates identify three to five human security problems that are worth solving, and pick two that you will fully define and understand, and after six months evaluate it and choose another problem to solve.

What’s hot on Infosecurity Magazine?