Guide to Evaluating a Nudge Security Strategy
Dec 30, 2022
Some security experts estimate that 90% of data breaches are caused by human error. Intuitively this makes sense, because employees are the first line of defense against an increasing barrage of cyberattacks. When breaches are investigated, most are found to be caused by some sort of human error. These errors range from simple mistakes, such as reusing the same password for multiple accounts, to more technical ones, such as hardcoding a password into an automation script that an attacker later accesses. The fact is that despite years of evangelism, training, and no shortage of security products, humans remain the weakest link in the cybersecurity chain.
One approach to addressing the human element of cybersecurity is based on what is known as the nudge theory. The theory comes from behavioral science and is intended to alter people’s behavior in a predictable way using a nudge. A nudge is an indirect suggestion that influences a person’s decision. In cybersecurity, it could be a reminder to create a strong password or enable multifactor authentication. Nudges can also be created through gamified environments where the user is prompted to take action by being shown the number of people who have responded to a prompt or have improved their security posture.
Some believe a nudge security strategy is a good fit for SaaS security. Shadow SaaS is becoming an increasing risk for companies because employees do not have to go through IT to acquire or set up accounts. Identifying security shortfalls and prompting users could be a scalable method to securing these applications. There are dedicated products on the market that focus on this approach.
However, implementing a nudge security strategy goes far beyond merely delivering and measuring user responses to prompts. Most companies already have nudges in the form of security training, reminder emails, or even compliance audits, but these have had limited effectiveness. The argument is that these are too generic, and a nudge that is about a specific action on a particular application increases the probability of the user completing the action.
An effective program based on nudge theory requires a tremendous amount of work to create the appropriate nudges, since users respond differently. For some users a simple pop-up message may suffice, while others may need multiple emails or other messages that include graphics and information about the consequences of bad cybersecurity practices. Given human nature, a nudge security strategy in which user action is not mandatory may have limited effectiveness and deliver inconsistent security outcomes.
The foundation of a nudge security strategy for SaaS requires robust SaaS discovery, prioritization, remediation, and orchestration across all the control layers in a security architecture. For such a program to work, it must first discover when SaaS accounts are created, a capability Grip has found to be lacking in many companies. Once discovered, the risks must be prioritized and then assigned to users at a reasonable rate so as not to overwhelm them. Just like human SOC analysts, normal users develop nudge fatigue and will miss or outright ignore nudges.
Unlike other security strategies, one based on nudge theory relies on changing people’s behavior. The most similar strategy is training, which most companies require but do not necessarily view as one of their most critical programs unless laws or regulations require it. A nudge security strategy could make training more effective by delivering the nudge while the user is demonstrating an unsafe security practice and asking them to correct it. However, human beings have a bias towards convenience, and if a nudge is inconvenient, the appropriate action is likely to be ignored or delayed, which could make all the difference in cybersecurity. Without enforcement, a nudge security strategy is unable to deliver a definitive security outcome.
Not being able to enforce a nudge makes the security outcome dependent on the state of mind of the user, which means the outcome is subject to the biases and emotions of each person. People can change behavior, but this takes time. Even if every employee has the best intentions, their priorities and willingness to act on a nudge can change for many reasons. They may be under a tight deadline, finishing up something before going on vacation, or just having a bad day.
If the objective is to have the user take an action, an enforcement mechanism that cuts off their access to the application would be the most effective nudge, though it goes beyond what nudge theory defines as a nudge. Achieving this requires a system that is able to take back control of any unmanaged SaaS application. The Grip SaaS Security Control Plane solution is the only product on the market today that can do this at scale. The solution detects every SaaS account created by a user. Then, through automation, it can take over an account and lock the user out until the desired security outcome is achieved.
Whether a nudge security strategy is appropriate for a company really depends on the objectives of the program. It can be a great addition to a robust training program for a company that already has its SaaS security issues identified and under control. This means that comprehensive shadow SaaS discovery, risk prioritization, remediation, and orchestration are operationalized and working. With this in place, it makes sense to then focus on the users and try to change their behaviors, further strengthening the company’s overall security posture by creating a security-oriented culture that addresses SaaS security vulnerabilities at the source.
Implementing a nudge security strategy without the foundational elements and automated enforcement in place has the following drawbacks:
Most users view cybersecurity as inconvenient, yet it is indisputable that users have a critical role in a company’s overall security posture. Focusing on educating users and changing their behavior is the right approach. However, a nudge security strategy as the foundational SaaS security approach is unable to deliver a consistent and comprehensive set of security outcomes that work for every employee on both managed and unmanaged devices.
To learn more about how the Grip SaaS Security Control Plane solution can help change user behavior, schedule a demo to see our dynamic risk score and automated user SaaS survey with enforcement.