Low cost nudges for your security influence arsenal

Joe Giddens
People. Security.
Jul 19, 2020

This speed camera is very clever. It rewards people who choose to drive safely.

Like other speed cameras, it fines you for speeding. Unlike other speed cameras, if you pass by under the limit, it enters you into a lottery.

Winners are drawn periodically and rewarded with cash generated from the fines.

It’s a clever example of ‘nudging’.

A nudge is a change to an environment that helps people make better choices. Nudges don’t restrict freedom of choice. They simply make it easier to choose the right thing to do.

The most famous nudge can be found at Schiphol Airport, in the Netherlands. Little black flies have been etched into the men’s urinals in a bid to reduce cleaning costs!

The most important thing to understand about nudges is that they have to be present ‘at the time of action’. Training, for example, is not nudging, because the advice (influence) is delivered before the situation occurs.

The effectiveness and ethics of nudging have been questioned over the years. I believe they can be used responsibly. When combined with other security controls, they are a great low cost addition to your security influence arsenal.

Here are some ideas to consider. As with anything you do within your security influence programme, make sure you measure the effectiveness and cost, so you can show success and ROI.

1 “This email came from outside our organisation”: Criminals regularly spoof (or fake) email addresses of people in your organisation. They’ll do so to convince others to do bad things.

A simple message can be appended to all emails that originate from outside your organisation. It prompts people to be on the lookout.

It won’t stop all phishing attacks. But it will prevent a good number of CEO fraud and other business email compromise attempts.

***This email came from outside our organisation.*** Do not open attachments or click links unless you were expecting the email and it has come from someone you know. If the email looks like it’s from a colleague, do not reply! Speak to a member of the security team straight away.

G Suite: https://support.google.com/a/answer/1346934?hl=en

O365: https://o365reports.com/2020/03/25/how-to-add-external-email-warning-message/#Configure_External_warning_message_GUI
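As an added example that is not from the original post, here is the same warning configured as an Exchange Online mail flow rule from PowerShell rather than through the GUI route the O365 link describes. The rule name, the HTML styling of the banner and the choice to start in audit mode are my assumptions.

```powershell
# Added example (not from the original post). Requires the
# ExchangeOnlineManagement module and an Exchange administrator account.
Connect-ExchangeOnline

$RuleName = 'External sender warning'   # assumed name

# The banner text from the post, wrapped in minimal HTML so it renders as a
# highlighted block at the top of the message body.
$Banner = @'
<div style="border:2px solid #c00;padding:8px;margin-bottom:12px;font-family:sans-serif">
<b>This email came from outside our organisation.</b>
Do not open attachments or click links unless you were expecting the email and it has come from someone you know.
If the email looks like it's from a colleague, do not reply! Speak to a member of the security team straight away.
</div>
'@

$RuleParams = @{
    Name                              = $RuleName
    FromScope                         = 'NotInOrganization'  # sender is outside the organisation
    SentToScope                       = 'InOrganization'     # at least one internal recipient
    ApplyHtmlDisclaimerLocation       = 'Prepend'            # top of the body, seen at the time of action
    ApplyHtmlDisclaimerText           = $Banner
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'               # body cannot be edited (e.g. signed mail): wrap it
    PrependSubject                    = '[EXTERNAL] '        # also visible in list views and mobile clients
    Mode                              = 'Audit'              # logs what the rule would do; set Enforce to go live
    Comments                          = 'Nudge: warn users about mail from outside the organisation'
}
New-TransportRule @RuleParams

# Check that the rule exists and that its scope is what was intended before
# switching it to Enforce.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, FromScope, SentToScope, ApplyHtmlDisclaimerLocation
```

Review the message trace for a few days of audit output, then re-run `Set-TransportRule -Identity $RuleName -Mode Enforce` to start applying the banner.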

2 “Who’s behind you?”: Tailgating is a common technique used by criminals to gain access to secure areas.

Tailgating works because people like to help. Holding a door open for a colleague makes you feel good. (Holding a door open for a good looking colleague makes you feel even better.)

Signs at entry points can be used to prompt people to check security credentials of anyone trying to enter with them.

Who’s behind you? This is a secure area. Please make sure you are not followed through. Check the security credentials of anyone trying to enter with you.

3 “Who are you talking to?”: Criminals often use phone calls to try and elicit sensitive information from people. Or to try and convince them to do things they shouldn’t.

Stickers placed on phone handsets can be used to remind people to verify who they’re talking with.

If a caller’s identity cannot be verified, people should be reminded of what they can and cannot discuss.

4 “Please don’t use me for passwords!”: Post-it notes are common in workplaces. They are used to attach notes to documents and other surfaces.

They’re also useful for jotting down passwords. The reasons this might happen are complex and numerous. We won’t dwell on them here.

If you have a problem with people using post-it notes to write down passwords, consider having them printed with a custom message.

Please don’t use me for passwords! — If you need to write a password down, use a notebook (stored somewhere safe). If you need a notebook, let your supervisor know.

5 Locate confidential waste next to normal waste: Most of the time people will use the appropriate bin for their waste type (confidential/non-confidential). But there will be occasions when they don’t. Like when they’re in a rush or if they can’t be bothered.

In these instances, they’ll likely use the bin closest to them. This creates two problems:

  1. Waste inefficiency — with regular waste filling up confidential bins
  2. Security risks — with confidential waste ending up in regular bins

Locating confidential waste bins next to regular waste bins reduces the likelihood of both problems.

6 “The contents of this bin are sent to a public disposal facility. Anyone might see them.”: Dwelling on bins for a moment longer. You might also consider an additional nudge that lets people know what happens to waste placed in regular bins.

The contents of this bin are sent to a public disposal facility. Anyone might see them. Sensitive documents should be placed in the confidential waste.

7 “Going somewhere? Lock your workstation.”: Sensitive information can often be found at unattended, unlocked workstations.

Stickers placed on monitors can be used to remind people to lock their workstations when leaving them unattended. It’s important that these include the keyboard shortcut for doing so.

Going somewhere? Lock your workstation! — [Windows] + [L]

Additional thought: I wonder if custom keyboard stickers could be used to emphasise the screen-lock shortcuts for workstations. Big yellow stickers placed only on the [Windows] + [L] keys (or [CMD] + [L] for Macs) would certainly stand out.

8 Clear desk audits: Sensitive information is also commonly found at unattended desks. Clear desk audits are used to check and monitor occurrences.

Instead of punishing those who don’t comply with clear desk policies, consider using positive reinforcement to reward good behaviour. Leave treats (sweets, fruit, drinks vouchers, etc.) at workstations following policy.

Like security, driving safely is done for a cause greater than that of the individual. It’s a cause that often leads to people showing restraint, making roads safer overall.

The problem of speeding persists though. This is because not everyone thinks driving fast is driving dangerously. For many, ignoring the speed limit is still worth it.

The similarities to the challenges we face in security are clear. Some people comply with security controls for the benefit of all. Others choose to ignore them to improve their own productivity.

The introduction of the speed camera (in Stockholm, Sweden) caused the average speed of cars passing by to drop from 32 km/h to 25 km/h. That’s more than a 20% reduction.

This happened not because the fear of punishment was present (other cameras do not have the same success). It happened because the camera caused people to take ownership of their success, introduced elements of gamification, and rewarded good behaviour.

These are all things we can replicate.

At CybSafe, we obsess about this stuff. We are determined to make a difference. You can read more about our work here.

If you would like to submit an article for publication, please get in touch. The best way to reach me is LinkedIn.
