Why Bother?
Security awareness training doesn’t work. That’s so well known, it’s getting to be almost trite to point it out. The last survey I saw was based on a sample of about 20,000 people. The researchers were looking for some sort of correlation between having recently completed a phishing awareness course and being less likely to click on a link in a phishing simulation. They found… nothing. Nix. Nil. Null. Nada. Not a bean. Not a sausage. Zip.
So why do people still pursue that as an option?
Personally, I think treating it as a marketing exercise is likely to be more effective. But the majority of the cyber security industry disagrees. Sad face. Although, personal note, that’s probably because most security teams aren’t interested in awareness. They have a stereotypical “stupid user” in mind. No matter what you do, that user will always screw up. I would quote Tucker’s Law here, but I think it might get me kicked off LinkedIn. So conducting an awareness course is more about legitimising future sanctions. You were told not to do that and you did it. Get ready for some punishment. Consequently, when an idea comes along that says “this will improve things”, by and large it’s seen as a bit of a curiosity, because improving things isn’t the point.
Which is how come, fifteen years after the publication of a book pretty much explaining the human decision making process, the application of psychology to cyber is still seen as a bit ‘out there’.

A Typical User (Credit: Canstockphoto)
Marketing People – What Do They Know?
A standard idea in marketing is that we make purchasing decisions on the basis of gut feel, and then construct a narrative to explain our decision, so that we feel comfortable with it. You can see that in a couple of pithy quotes:
“People buy on emotion and justify on logic” (Ziglar)
“No rationalisation, no decision” (Feddersen, 2009)
But hey, security is different, right? Special case. Security decisions are made rationally and logically. Hmmm…
Tamir and Mitchell found increased activity in reward pathways when people were asked to reflect on themselves, and further increases when they were asked to imagine sharing that personal information with others. A parallel part of the study found that people were also willing to forgo financial rewards for a chance to talk about themselves, rather than talking about other people. Thanks to research by Tali Sharot, it seems we’re also rewarded when we unexpectedly receive information from others.
In a species that’s oriented towards cooperation, increasing the strength of social bonds through the sharing of personal information makes perfect sense. There’s a well-known paper looking at a community of mushroom collectors, showing that information sharing acts as ‘social glue’, which is definitely worth a read.
We’re intrinsically rewarded for sharing our personal information, and it’s the act of release that triggers that reward. Disclosure is a gut-feel decision. Hence people are happy to give away their personal information, but get angry when other people do it for them (the “privacy paradox”), because they’ve been cheated out of a reward.
Acquisti and colleagues showed that when people were asked to make hypothetical decisions on privacy, rational thinking came to the fore, and their choices were driven by the absolute weightings assigned to each of the options. But when people were asked to make an actual decision, a gut-feel approach dominated, and people made those decisions based on relative differences. That is, when you ask people to make an actual decision, you don’t get the same outcome that you see when you ask them to make their minds up within the earlier, rational stages of decision-making.
Essentially, “…decision making is a process critically dependent on neural systems important for the processing of emotions”.
And if you’re still convinced that emotion isn’t involved in security decisions, I’d be happy to listen to any argument saying that 200,000 years of evolution has conditioned us to make some decisions differently, if they’re related to a topic that’s only about 25 years old.
Options
With a lump of irrationality at the point of the decision, there are three options to affect that decision: exploit the irrationality (through what are routinely referred to as nudges); reduce the level of irrationality at the point of the decision (what Boris Johnson called “squashing the sombrero”. Anyone remember Boris Johnson? Somebody should. Anybody?) – that’s called debiasing; or finally, give people better rules of thumb to bring to the decision (boosts).
1. Nudging
When you go to the supermarket, chances are you’ll need to go through a couple of right angle bends to get into the building. In marketing terms, that’s the ‘decompression zone’. It’s intended to physically slow you down, so the psychology on offer has a chance to work its magic.
Probably the first thing you encounter once you’re in will be displays of fresh flowers and vegetables, so you’re given a wholesome first impression. In most large supermarkets, you’ll also see a National Lottery stand (on your right, because we tend to turn right when we enter a store). It could be you! In fact – you might already be a millionaire. Well, if that’s the case, I can afford to spend a bit more! Possibly you’ll also see people offering free samples, usually chocolate, alcohol or cream – something indulgent, to trigger you to return the favour by buying more. Or signs saying ‘no more than two per customer’ – well if there’s a shortage, I’d better stock up!
Nudging has now become a broad term, with pretty much anything related to the application of psychology to behaviour change being referred to as “nudging”. You may remember the charming ads developed during COVID. The ones that bore a shocking resemblance to drink-driving posters from about twenty years earlier. Evidence, if evidence were needed, that messaging has become conflated with nudging.
My local supermarket (beginning in “W”, but I won’t name them, and of course other supermarkets are available) recently installed what they euphemistically call “electronic mirrors” on the self-checkout terminals, so you can see yourself managing your own shopping, as you reduce their wage bill and contribute to their profit. Plus live facial recognition, on a big screen facing you as you enter, so you can see the little green square dancing around your face as you walk in. There’s evidence that if we think we have “eyes on us”, we tend to behave more honestly. And that’s what the little green box is doing – making us feel like we have eyes on us wherever we go in the store. You’re obviously a thief, we just haven’t caught you stealing anything yet.
What we see now as nudging is a long way from the original idea of choice architecture, and the idea of gently encouraging people to follow the course that might be best for them, such as eating healthily and saving for their retirement. On the face of it, the more or less innocuous nudging to get you to buy more is aimed at increasing profit, as is the nudging to dissuade you from pocketing stuff. However, one is definitely more pernicious than the other. Context is everything.
Ahem. Anyway. More politely, you can see some of the same principles of persuasion employed as you walk into the Natural History Museum for example. It’s not just confined to supermarkets.
Do those principles apply to security behaviours? Yes, there’s reliable evidence that they do. But there are a couple of issues:
- Nudging works best when it’s applied to a single type of decision (click, or not?). It’s not generally applicable.
- There’s mounting evidence that the concept of nudges may have been <cough> a little oversold, in terms of its effectiveness.
- Nudges “work best in the dark”. Enough said.
Bottom line for cyber: this is not a silver bullet.
2. Debiasing
Morewedge and colleagues looked at ways of reducing confirmation bias amongst intelligence analysts, to prevent them searching out evidence supporting their initial assessment, and discounting anything else.
By asking people to run through a fictional detective story, cracking the clues, solving riddles etc., they found that levels of confirmation bias could indeed be reduced. It seemed that asking people to think more analytically, even within a game, had affected their approach. The change was relatively long lasting, and seemed to be general in nature, since there was evidence that the effect had “spilled over” and reduced other cognitive biases.
So debiasing does seem to work. It also seems to be quite long-lasting, and it leads to a more generalised effect.
Great! So we just ask people to run through a detective mystery. Problem solved. Maybe. Or maybe not, if you believe in Fuzzy Trace theory, and/or Cognitive Continuum theory. Between them, they say that our decision making approaches aren’t based on the “two process” ideas underpinning nudging (that 95% of our decisions are made on an intuitive basis and that the underlying process – System One – only hands over to a more effortful but rational System Two, if it can’t find a solution). Instead, the idea is that those are the two ends of a spectrum, and where we sit on the spectrum depends on the nature of the decision, and the way in which the decision has been presented to us. Fuzzy Trace theory in particular, says that you get better outcomes when the decision-making style is aligned with the nature of the decision. In clinical diagnosis for example, the research says that in most cases, dragging clinicians up towards the rational end gets you better results. When patients are making choices about elective surgery however, giving them the basic “gist” is more likely to result in happier outcomes than swamping them with statistics and probabilities.
If this is true, then by debiasing people i.e. by pulling them up to the rational end every time, there might be an overall gain, but there may also be worse outcomes for those decisions that needed to be made on an instinctive basis. Essentially, this is a trade-off.
In security terms, that means you can’t turn people into “human firewalls”. Can’t be done. No matter how many security people tell you it can.
3. Boosts
Irrationality at the point of decision is widely viewed as coming from heuristics and biases. Biases we’ve seen before, as in confirmation bias – we actively seek out supporting evidence for an idea, because it’s usually the quickest way to arrive at a “good enough” decision. Heuristics are rules of thumb, e.g. anchoring, which is used in nudging to establish a first guess that then influences people’s subsequent estimates.
The concept of a boost is still evolving, but one way to look at it is to think of it as adding new rules of thumb. On the project I’m currently on for example, we suggest that people use “pre-mortems”. If you’re not sure about whether or not you should click “send”, imagine it’s all gone wrong, and now you’re being asked to explain your decision. If you can come up with a justification that you’d accept after the fact, then the chances are it’s an ok decision. But if not, you might want to seek a second opinion.
For me, the best things about boosts are that (a) they leave people with agency (the right to make their own decisions), (b) they build up knowledge based on experience rather than lecturing, (c) they produce relatively long lasting effects, and (d) they act in a general manner i.e. this isn’t about a single type of decision. Oh yes – and they treat people as individuals.
Reality
In practice, it’s impossible to write security guidance that will cover every eventuality. So you end up with little islands of firm guidance dotted around in a big sea of uncertainty. On the basis of probability alone, the vast proportion of security decisions will be made a long way offshore.

Credit: Canstockphoto
Most will therefore necessarily involve and require judgement, rather than a slavish compliance to published guidance. There’s simply no point in telling people to swim to the nearest island and make their decision from there. And if people have to make a judgement anyway, it makes more sense (to me) to give them the tools that will support them in that judgement.
Alter’s paper on beneficial non-compliance argues that mindless adherence to the rules isn’t always in the organisation’s best interest. Considered non-compliance based on judgement is sometimes the better option. So perhaps rather than setting in place a fixed, inflexible rule base, maybe the security industry should be equipping people with the ability to know when the security rules make sense, and when they don’t.
I guess contrary to most security people, I’ve also found it quite hard work thinking about what a “good” security decision looks like. In the first instance, my belief is that it’s probably best to aim for a decision that’s defensible. If you’re looking to implement boosts, that might not be a bad objective to start with. And if you’re looking for what you might get out of it… Zheng and Becker (in an article referenced by Karen Renaud) found that the proportion of people clicking on a link in a phishing simulation could be reduced by about 70% from the default case, if those people had been given mindfulness training. As in “step back from the decision, and ask yourself, why would anyone want you to click that?”. You know, judgement.
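As an added illustration (my own, not part of the original post, and not the method of any of the studies cited above): before believing that a course, a nudge or a boost has moved the needle, compare the click rate of the people who received it against the people who didn’t, on the same lure, and ask whether the gap is distinguishable from noise. The script below does that with a two-proportion z-test. Both datasets are constructed for the example; the numbers are invented and are not from the surveys or papers mentioned here.

```python
"""Did a phishing-awareness intervention actually change click behaviour?

Added example, not from the original post. Each record is one user in one
phishing simulation: (user_id, received_intervention, clicked_link).
The test used is the standard two-proportion z-test; the sample data are
constructed and the user ids are invented.
"""
from math import erfc, sqrt


def _two_sided_p(z):
    # Two-sided p-value for a standard-normal test statistic.
    return erfc(abs(z) / sqrt(2.0))


def evaluate(records):
    """Compare click rates between the trained and untrained arms.

    Returns per-arm click rates, the relative reduction in clicking, the
    z statistic and its two-sided p-value. Raises if either arm is empty.
    """
    counts = {True: [0, 0], False: [0, 0]}  # trained -> [clicks, users]
    for _user_id, trained, clicked in records:
        arm = counts[bool(trained)]
        arm[1] += 1
        if clicked:
            arm[0] += 1
    clicks_t, n_t = counts[True]
    clicks_u, n_u = counts[False]
    if n_t == 0 or n_u == 0:
        raise ValueError("need users in both the trained and untrained arms")

    rate_t, rate_u = clicks_t / n_t, clicks_u / n_u
    # Relative reduction: how much lower the trained arm's click rate is.
    relative_reduction = 1.0 - rate_t / rate_u if rate_u else float("nan")
    # Pooled proportion under the null hypothesis that both arms click alike.
    pooled = (clicks_t + clicks_u) / (n_t + n_u)
    se = sqrt(pooled * (1.0 - pooled) * (1.0 / n_t + 1.0 / n_u))
    z = (rate_u - rate_t) / se if se else 0.0
    return {
        "n_trained": n_t, "n_untrained": n_u,
        "trained_rate": rate_t, "untrained_rate": rate_u,
        "relative_reduction": relative_reduction,
        "z": z, "p_value": _two_sided_p(z),
    }


def _arm(prefix, trained, n_users, n_clicks):
    # Constructed arm: the first n_clicks users clicked, the rest did not.
    return [(f"{prefix}{i:03d}", trained, i < n_clicks) for i in range(n_users)]


# Constructed dataset 1: 20 users per arm, 6 vs 8 clicks. A 25% "reduction"
# that a slide deck would happily report, but nowhere near significant.
SMALL_PILOT = _arm("t", True, 20, 6) + _arm("u", False, 20, 8)

# Constructed dataset 2: 500 users per arm, 30 vs 100 clicks. A 70%
# reduction with enough people behind it to mean something.
LARGE_TRIAL = _arm("t", True, 500, 30) + _arm("u", False, 500, 100)


def report(records):
    r = evaluate(records)
    verdict = "distinguishable from noise" if r["p_value"] < 0.05 else "not distinguishable from noise"
    return (f"trained {r['trained_rate']:.1%} (n={r['n_trained']}) vs "
            f"untrained {r['untrained_rate']:.1%} (n={r['n_untrained']}), "
            f"relative reduction {r['relative_reduction']:.0%}, "
            f"p={r['p_value']:.3g}: {verdict}")


if __name__ == "__main__":
    print("small pilot:", report(SMALL_PILOT))
    print("large trial:", report(LARGE_TRIAL))
```

Two caveats a practitioner would add. The comparison is only fair if both arms saw the same lure; lure difficulty varies a lot between campaigns (rating that difficulty is what the NIST Phish Scale in the sources is for), so a drop between two different campaigns says nothing about the intervention. And people who volunteered for, or got round to finishing, a course are not a random sample of staff, so without random assignment to the two arms the gap can reflect who they are rather than what they were taught.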
The evidence is that you get a much better result by providing people with the tools they need to make more considered decisions, than you do if you just give them instructions to follow. And that’s what boosts do; they provide additional tools to support judgement. And it’s all honest, and it’s all out in the open – in fact to be effective, boosts require engagement and collaboration.
The Future
So boosts are the future? Maybe.
A few years ago, Chater and Loewenstein put the cat amongst the pigeons when they suggested that an unrelenting focus on the individual was leading us astray when it came to the application of behavioural science. They said that this approach, which they described as setting problems within an “i-frame” (“i” for “individual”), was a mistake, since it looked at the individual in isolation. It would be better, they argued, to take a wider, system-level view, which they called an “s-frame”. Behavioural science, rather than being used to develop nudges to drive individual behaviour, should be used to develop system-level solutions.
You can maybe see the same argument in the ENISA paper from a few years ago, in which Prof. Angela Sasse pointed out that in almost all cases, the application of behavioural science to cybersecurity had been based on the perceived need to “fix the stupid user” i.e. the tools may have changed, but the underlying viewpoint remains the same, and it’s based on an i-frame.
Chater and Loewenstein cite the example of the opioid scandal in the US. The vendor of a particularly troublesome chemical (Purdue Pharma, and OxyContin) was very enthusiastic about blaming reckless, irresponsible users for getting addicted to its painkiller (ignoring the fact that the US system was inherently set up to encourage over-prescribing), while the US Government also saw it as an i-frame problem, and committed significant funding to trying to change people’s behaviour by increasing their awareness of the nature of OxyContin. None of which was going to work, obviously. Both sides were fully aware of the nature of OxyContin. So instead the Government added a new feedback loop into the system, which directly linked increasing levels of social damage with decreasing levels of profit for Purdue Pharma, through class action lawsuits and actions related to false advertising. Eventually the company (and its owners, the Sackler family) agreed to a settlement of roughly $7Bn, and Purdue Pharma is being reorganised as a public benefit company.
Tools are emerging which support this sort of analysis and modelling (Behavioural Systems Mapping – think “rich pictures” from Soft Systems Methodology), and also Agent Based Modelling. And if I read it right, we’re now seeing public disagreements about who invented the concept of i-frames vs s-frames, which is a sure sign that the idea has legs.
So for me, a wider system level view is probably the future, rather than a single-minded focus on fixing the stupid user.
Perhaps nudging will eventually be seen as a phase we had to go through, in order to get to more effective, system level interventions.
Selected Sources
- ZDNet. Phishing training doesn’t stop your employees from clicking scam links – here’s why. https://www.zdnet.com/article/phishing-training-doesnt-stop-your-employees-from-clicking-scam-links-heres-why/
- Rozema et al. (2026). Anti-phishing training (still) does not work: A reproduction of phishing training inefficacy grounded in the NIST Phish Scale. In Proceedings of the ACM Web Conference 2026 (WWW ’26), pp. 3147–3158. Association for Computing Machinery.
- Kahneman, D. (2011). Thinking, Fast and Slow. Farrar, Straus and Giroux.
- Adjerid, I., Peer, E., & Acquisti, A. (2016). Beyond the privacy paradox: Objective versus relative risk in privacy decision making. SSRN 2765097.
- Tamir, D. I., & Mitchell, J. P. (2012). Disclosing information about the self is intrinsically rewarding. Proceedings of the National Academy of Sciences, 109, 8038–8043. https://doi.org/10.1073/pnas.1202129109
- Fine, G. A., & Holyfield, L. (1996). Secrecy, trust, and dangerous leisure: Generating group cohesion in voluntary organizations. Social Psychology Quarterly, pp. 22–38.
- Sharot, T. (2017). The Influential Mind: What the Brain Reveals About Our Power to Change Others. Henry Holt.
- Gupta, R., Koscik, T. R., Bechara, A., & Tranel, D. (2011). The amygdala and decision-making. Neuropsychologia, 49(4), 760–766.
- Thaler, R. H., & Sunstein, C. R. (2008). Nudge: Improving Decisions About Health, Wealth, and Happiness. Yale University Press.
- Szaszi, B., et al. (2018). A systematic scoping review of the choice architecture movement: Toward understanding when and why nudges work. Journal of Behavioral Decision Making, 31(3), 355–366.
- Szaszi, B., Goldstein, D. G., Soman, D., & Michie, S. (2025). Generalizability of choice architecture interventions. Nature Reviews Psychology, 4(8), 518–529.
- Maier, M., Bartoš, F., Stanley, T. D., Shanks, D. R., Harris, A. J. L., & Wagenmakers, E. J. (2022). No evidence for nudging after adjusting for publication bias. Proceedings of the National Academy of Sciences, 119(31), e2200300119. https://doi.org/10.1073/pnas.2200300119
- Ivanković, V., & Engelen, B. (2019). Nudging, transparency, and watchfulness. Social Theory and Practice, pp. 43–73.
- Cialdini, R. B. (2007). Influence: The Psychology of Persuasion. Collins.
- Morewedge, C. K., Yoon, H., Scopelliti, I., Symborski, C. W., Korris, J. H., & Kassam, K. S. (2015). Debiasing decisions: Improved decision making with a single training intervention. Policy Insights from the Behavioral and Brain Sciences, 2(1), 129–140.
- Isler, O., Yilmaz, O., & Dogruyol, B. (2020). Activating reflective thinking with decision justification and debiasing training. Judgment and Decision Making, 15(6).
- Reyna, V. F. (2012). A new intuitionism: Meaning, memory, and development in Fuzzy-Trace Theory. Judgment and Decision Making.
- Dhami, M. K., & Thomson, M. E. (2012). On the relevance of Cognitive Continuum Theory and quasirationality for understanding management judgment and decision making. European Management Journal, 30(4), 316–326.
- Hertwig, R., & Ryall, M. D. (2020). Nudge versus boost: Agency dynamics under libertarian paternalism. The Economic Journal, 130(629), 1384–1415.
- Snowden, D. J., & Boone, M. E. (2007). A leader’s framework for decision making. Harvard Business Review, 85(11), 68.
- Zheng, S. Y., & Becker, I. (2023). Phishing to improve detection. In Proceedings of the 2023 European Symposium on Usable Security (pp. 334–343).
- Chater, N., & Loewenstein, G. (2022). The i-frame and the s-frame: How focusing on individual-level solutions has led behavioral public policy astray. SSRN 4046264.
- ENISA. Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity. https://www.enisa.europa.eu/publications/cybersecurity-culture-guidelines-behavioural-aspects-of-cybersecurity
First published 17th April 2026
Minor edits 18th April 2026