Cybersecurity may fail without nudge in the right direction
Most employees would try to circumvent security controls that block access to unsanctioned applications at work, cybersecurity research has revealed, but a more positive experience could improve matters.
According to new research from Nudge Security, undesirable security behaviours may have less to do with a lack of awareness and more to do with basic human emotions. The company’s new report, Debunking The 'Stupid User' Myth in Security, explores how workers' attitudes and emotions influence security behaviours.
Based on research conducted in consultation with leading psychologists at Duke University, Nudge says the report confirms workers are more likely to comply with security controls if they find the experience to be positive and reasonable.
"We now have evidence to suggest that improving the employee experience of security can actually lead to better security outcomes," says Russell Spitler, CEO and co-founder of Nudge Security.
The research took 900 participants through a scenario in which they were required to access a SaaS application for work. Participants were randomly assigned to one of three "security interventions" that either blocked access to the application, revoked access punitively, or nudged participants to justify why they required access.
Humans need a nudge to appreciate reasonable cybersecurity
They were then asked to rate how reasonable they found the intervention, how positively or negatively they felt about it, and how likely they were to comply with it. Participants reported that their attitudes and emotions strongly correlated with their likelihood of compliance.
The report found that 67 per cent of participants said they would not comply with the blocking intervention and would instead look for a workaround. They perceived “nudging” as the most positive and reasonable intervention, according to Nudge, and were three times more likely to feel negative about blocking and punitive interventions. A total of 78 per cent of participants said they would comply with a nudge, twice the compliance rate of the blocking intervention.
"This research underscores basic tenets of human psychology and demonstrates that, even in cybersecurity, attitudes and emotions are strong predictors of behaviour," says Dr Aaron Kay, J Rex Fuqua Professor of Management and Professor of Psychology & Neuroscience at Duke University and Nudge Security advisor, consulted on the development of the research. "Security leaders are setting themselves up for failure when they implement security controls with the assumption that employees will comply mechanically, regardless of their own self-interests."