Category: Nudging

  • Fads

    Nudging users to “fix” their security behaviours is all the rage. But is it the only option? Are there options that are better? Should we be treating users like lab mice, or engaging with them as individuals? Not sure I’ve answered any of those questions in this piece, but I’ve at least given them a…

  • A Passing Fad

    Why Bother? Security awareness training doesn’t work. That’s so well known, it’s getting to be almost trite to point it out. Last survey I saw was based on a sample of about 20,000 people. The researchers were looking for some sort of correlation between having recently completed a phishing awareness course, and being less likely…

  • L’enfer, c’est les autres

    AI and cyber… yawn… Inevitably I guess, the hype around AI and security focusses on technology. Assessing networks for inherent vulnerabilities, analysing incoming traffic for threats, and (again, inevitably) searching for possible phishing emails, thereby taking the unreliable human out of the loop, and in the process, further reducing their chances of learning from experience.…

  • Hey Users! Why not Just do as You’re Told?

    We sent you on a course… Traditional security awareness courses are generally seen as pretty grim. David Lacey once summed up the average course as not much more than a “broadcast of facts”. Study after study finds the usual evidence of zero planning and appalling delivery, and no effort made to follow up. It’s that…

  • Examining security tropes and myths, starting with psychology

    The first article has just gone up, looking at the use of psychology (“nudging”) in cyber security. Some quite substantial claims are being made that the use of behavioural science will address what some call the human cyber risk. Or is it just another point solution being offered by an industry intent on control rather…