AUSTIN, TX, NOVEMBER 1, 2022 – What cybersecurity practitioners have long suspected is true: 67% of employees would try to circumvent security controls that block access to unsanctioned SaaS applications at work. However, the reason why might come as a surprise. According to new research from Nudge Security, undesirable security behaviors may have less to do with lack of awareness and more to do with basic human emotions.
Released today, “Debunking the ‘stupid user’ myth in security” is a new report from Nudge Security that explores how workers’ attitudes and emotions influence security behaviors. Based on research conducted in consultation with leading psychologists at Duke University, it confirms that workers are more likely to comply with security controls if they find the experience to be positive and reasonable.
“We now have evidence to suggest that improving the employee experience of security can actually lead to better security outcomes,” said Russell Spitler, CEO and co-founder of Nudge Security.
The research took 900 participants through a common scenario: needing to access a SaaS application for work. Participants were randomly assigned to one of three “security interventions” that either blocked access to the application, revoked access punitively, or nudged participants to justify access. Participants were asked to rate how reasonable they found the intervention, how positively or negatively they felt about it, and how likely they were to comply with it. Overall, participants’ attitudes and emotions strongly correlated with their likelihood of compliance.
- 67% of participants said they would not comply with the blocking intervention. Instead, they would look for a workaround.
- Participants perceived nudging as the most positive and reasonable intervention. They were 3X more likely to feel negatively about blocking and punitive interventions.
- 78% of participants would comply with a nudge, 2X the compliance rate of the blocking intervention.
Dr. Aaron Kay, PhD, J Rex Fuqua Professor of Management and Professor of Psychology & Neuroscience at Duke University and Nudge Security advisor, consulted on the development of the research.
“This research underscores basic tenets of human psychology and demonstrates that, even in cybersecurity, attitudes and emotions are strong predictors of behavior,” said Kay. “Security leaders are setting themselves up for failure when they implement security controls with the assumption that employees will comply mechanically, regardless of their own self-interests.”
Kay and Spitler will discuss the research during an upcoming webcast.
About Nudge Security
Nudge Security is transforming the human element of cybersecurity by nudging employees towards secure SaaS adoption. Founded in 2021 by Jaime Blasco and Russell Spitler, the company secured funding from Ballistic Ventures in 2022. A fully remote company, Nudge Security has outposts in Austin, Texas and Jackson, Wyoming. Learn more at www.nudgesecurity.com and follow on Twitter and LinkedIn.