The importance of nudge theory in email security

It is estimated that people make 35,000 decisions every day -- or, to break that number down, one decision every two seconds. That’s not to say that each decision has a big impact, most are small and often instinctive, like taking a sip of coffee, turning the work laptop on, and clicking a hyperlink in an email.

In fact, it is that instinctive use of email that can lead to cyberattacks and data breaches. Email is the backbone of business communication. Despite remote and hybrid work driving the adoption of messaging apps and video conferencing, four out of five employees say email is their preferred way to communicate.

But this reliance and instinctive use comes with risk.

Email provides cybercriminals with a ‘direct line’ to every employee within an organization and phishing provides a low-risk, high-reward method of attack that’s a highly repeatable process. In addition, phishing attacks are becoming increasingly sophisticated to get through traditional defenses.

So, is it possible to influence people’s decision-making processes to reduce risk in the long term?

The impact of heuristics on email security

Heuristics are the rule of thumb or mental shortcuts which help simplify decision-making. There are several techniques which are known to influence email security, including:

• Authority bias -- Believing the information has been verified fully by an organization or individual with formal authority.
• Availability -- Assessing how likely an event will occur or how often it occurs based on how easily the event can be recalled.
• Halo effect -- A quick judgement, usually based on a recent experience, a single characteristic or a first impression.
• Hyperbolic discounting -- Choosing immediate rewards over future gratification.
• Representativeness -- Judging how likely something belongs to a category based on similarities with members in the category already.

It is well-known that cybercriminals utilize heuristics, especially in phishing attacks, relying on a slip-up of an unsuspecting employee. Authority bias is essential to CEO fraud, with cybercriminals impersonating C-level executives to pressure more junior team members into carrying out an action (e.g. buying gift cards). Hyperbolic discounting appears as fraudulent flash discounts that trick people into ‘purchasing’ an item within tight timeframes. The halo effect appears in brand impersonations, with recipients trusting an email based on previously legitimate correspondences or interactions.

It’s worth noting, heuristics don’t just happen with inbound phishing attacks, but also influence the decisions people make when sending emails as well. For example, the sender may assume they won’t make an error when sharing sensitive information because they never have before.

Applying nudge theory to enhance email security

Nudge theory focuses on shaping the environment to promote certain outcomes by influencing decision making. Nudge theory can have multiple applications in cybersecurity, including in email security. This involves intervening at the point of risk, with micro-training that provides clear explanations that increase the individual’s understanding and improve their decision-making processes.

Traditional approaches to email security offer quarantine for admins to sift through and static prompts to provide some level of alert to the recipient (for example ‘This email originated from outside the organization’). But if users are alerted to treat all external emails with caution, they will become desensitized to the ‘warning’ and their heuristics will then apply to all. As well as the heuristics mentioned above, ‘availability’ might come into play: if the individual is rarely targeted with phishing attacks, they’ll be more likely to assume an email is legitimate like it seemingly always is. Or in the case of a business email compromise attack that convincingly imitates a legitimate request, the recipient could automatically put it in the same mental category, as that is what they do with all requests of that nature.

It is in this moment of risk that intervention is needed to shape decisions. Nudges are therefore essential, but they must be informative, relevant, timely, and distinctive to have an impact.

This makes micro-training distinct from traditional approaches to security awareness and training (SA&T) programs. Delivering broad-brush training modules periodically can raise general awareness, for example, regarding elevated risk due to geopolitical reasons, but it can’t tell each individual about the specific threats they’re facing. Therefore, it is best practice for organizations to implement a combination of personalized coaching with real-time micro-training to effectively enhance employee security awareness.

For nudge theory to work effectively in email security, any alerts applied to emails must be dynamic (and not the generic, static alert applied to all). This is possible as part of AI-based detection. Threats can be neutralized and delivered to the inbox with these dynamic banners that explain the risk to the end user. It is important to use non-technical language to avoid alienating the individual and discouraging continued learning, and color-coding to indicate the levels of risk can make a real difference. In addition, using real phishing emails that target the specific end user makes this micro-training highly relevant.

In a recent report analyzing people’s ability to accurately identify phishing emails, a vast increase was seen as nudge theory and real-time teachable moments took effect, with one organization seeing a 475 percent increase in people’s ability to correctly identify phishing emails within six months of nudge banners being deployed.

Fundamentally, teaching someone to catch a phish is more sustainable for long-term cyber resilience than using email security tools alone.

Image Credit: alphaspirit/depositphotos.com

Robin Bell is CISO at Egress, a KnowBe4 company