How Behavioural Science Reduces Human Error & Improves Cyber Security

Cyber security threats are a major concern for companies and individuals alike. Although security technology is advancing, one of the biggest weaknesses that is often overlooked is human error. Human errors, such as clicking on phishing links or using weak passwords, often provide an entry point for cyber attacks.
Behavioural science, which studies how humans think, act, and react in various situations, offers innovative solutions to overcome these risks. By understanding the psychological factors that drive human behaviour, companies can be more effective in reducing the risk of human error in cyber security. This article will discuss how behavioural science can be applied in the context of cyber security to help reduce these risks.

What is Human Error in Cybersecurity?

Before discussing how behavioural science can help, it is important to understand what human error means in the context of cybersecurity. Human error occurs when someone performs an unintentional action or oversight that could potentially compromise data security. Some examples of human error in cybersecurity include:

1. Phishing: Employees or individuals click on malicious links in phishing emails, resulting in the theft of credentials or malware being installed on their devices.

2. Use of weak passwords: Many people still use easily guessed passwords, such as ‘123456’ or ‘password,’ which make it easy for attackers to access their accounts.

3. Ignoring system updates: Users often ignore or delay security software updates, which creates vulnerabilities that can be exploited by hackers.

4. Configuration errors: System administrators misconfigure systems or security devices, opening the door to cyber attacks.

In many cases, human error is caused by a lack of knowledge, limited attention, or bad habits. This is where behavioural science can play a role in changing individual behaviour and reducing these risks.

Read: Reducing Human Error Through a Cybersecurity Awareness Platform

How Does Behavioural Science Help Reduce Human Error?

Behavioural science focuses on understanding why humans perform certain actions and how they respond to various stimuli or situations. By applying these principles, companies can develop better cybersecurity strategies that take human weaknesses into account and help prevent mistakes that could lead to security breaches. Here are some approaches that can be taken from behavioural science to reduce the risk of human error:

1. Nudging: Encouraging Positive Behaviour

Nudging is a technique in behavioural science that involves gently encouraging individuals to make better decisions without forcing them. In the context of cybersecurity, nudging can be used to encourage employees to be more cautious in their actions. Examples of nudging in cybersecurity include:

• Password reminders: Sending regular reminders to employees to update their passwords, accompanied by recommendations for using strong passwords.
• Phishing warnings: Displaying visual warnings when employees try to click on suspicious links in emails.
• Cybersecurity gamification: Implementing game elements, such as points or rewards, to encourage active employee participation in cybersecurity training.

By providing the right encouragement, nudging can help change employee behaviour without making them feel coerced or overly monitored.

2. Using the Principle of Gradual Learning (Chunking) for Training

One reason why employees often fail to maintain cybersecurity is that traditional security training tends to be too long and complicated. Based on the principle of chunking in behavioural science, training can be made more effective by breaking down information into small pieces that are easy to digest and understand.

For example, instead of providing one long training session on all aspects of cybersecurity, companies can divide the material into several short training sessions that focus on one specific topic. This method not only makes training easier to understand, but also helps employees better remember the information presented.

This type of training is known as microlearning, and it has proven effective in helping employees retain knowledge and change their behaviour for the better in terms of maintaining cybersecurity. Many large companies have begun to adopt this type of training because it is more effective than traditional training.

3. Utilising Cognitive Biases for Better Security

Behavioural science has identified various cognitive biases that can influence human decision-making. Understanding these biases can help companies design better interventions to reduce human error. Some cognitive biases relevant to cybersecurity include:

• Excessive optimism (Optimism Bias): Many people tend to think that they will not fall victim to cyber attacks, so they are less cautious. To overcome this bias, companies can provide concrete examples of how cyber attacks can affect anyone, including those who feel safe.
• Confirmation bias: People tend to seek out information that supports their beliefs and ignore evidence that contradicts them. In the context of cybersecurity, this can be overcome by presenting clear and indisputable information about the importance of security precautions, such as using strong passwords or being wary of phishing emails.
• Status quo effect: Many people prefer not to make changes and stick with existing habits, even if those habits are unsafe. To combat this bias, companies can make security measures the default option that is easy to follow, for example by automatically enabling two-factor authentication for all users.

By utilising knowledge about cognitive biases, companies can design more human-centred and effective security approaches.

4. Building a Cyber Security Culture through Positive Reinforcement

Another approach that can be taken from behavioural science is positive reinforcement, which is giving rewards or recognition for desired behaviour. In the context of cyber security, companies can provide incentives or rewards to employees who demonstrate compliance with security policies or who successfully detect and report cyber threats.

For example, companies can implement monthly reward programmes for employees who successfully complete security training, detect phishing attempts, or report security incidents. This positive reinforcement can motivate employees to be more proactive in protecting company data.

Recognition of good behaviour also helps build a strong cybersecurity culture within the company. When employees see their colleagues being rewarded for doing the right thing, they will be more motivated to follow suit.

5. Multi-Factor Authentication as a Behavioural Intervention

Relying solely on a single authentication factor, such as a password, puts data security at great risk in the event of human error. Multi-factor authentication (MFA) is a security measure that strengthens data protection by requiring users to provide more than one form of identification.

From a behavioural science perspective, the use of MFA can be considered a behavioural intervention that significantly reduces the risk of human error. By introducing additional barriers (such as verification via mobile phone or fingerprint), MFA can help users be more cautious before accessing the system. This automatically reduces the likelihood that data or accounts will be compromised simply because of human error in keeping passwords safe.

Several large companies such as Google and Microsoft have begun implementing multi-factor authentication as a mandatory policy for all users and employees. This step has been proven to significantly reduce security incidents caused by stolen or compromised passwords.

6. Phishing Simulations as a Continuous Education Tool

One of the most effective tools developed from behavioural science is phishing simulations. By placing employees in situations that simulate real threats, companies can teach them how to react correctly when faced with phishing emails.

These phishing simulations should be followed by constructive feedback, which helps employees understand where they went wrong and how they can avoid such mistakes in the future. In this case, simulations act as experience-based learning, which is highly effective in shaping new behaviours and reducing the risk of human error in the future.

These simulations also serve as an evaluation tool to assess the extent to which employees are aware of cybersecurity risks. Companies can use the results of the simulations to identify areas where employees need additional training, as well as monitor their progress over time.

7. Personalised Security Policies

Behavioural science also shows that the more relevant and personalised information is, the more likely people are to take action. Therefore, personalised cybersecurity policies and training tailored to employees' roles or responsibilities can increase effectiveness.

For example, employees in the finance department may be more frequent targets of phishing attacks related to fund transfers, so they need special training on how to detect suspicious emails related to financial transactions. By aligning training with the specific challenges faced by each department or individual, companies can ensure that employees are more vigilant and prepared to deal with cyber threats relevant to their work.

In addition, by personalising training based on past behaviour, companies can provide more relevant solutions to employees who show a tendency to make human errors. For example, an employee who repeatedly uses weak passwords may be required to undergo more intensive password security training.

8. Safer Default Settings

Behavioural science research shows that many people tend to stick with the default settings set by the system, regardless of whether those settings are optimal or not. This is known as the default effect. Therefore, companies can reduce the risk of human error by ensuring that the default settings in their security systems are optimised for better security.

For example, companies can automatically enable encryption for all emails and documents sent by employees, or set two-factor authentication as the default option when employees access the system remotely. This way, employees do not need to take extra steps to ensure that they comply with best security practices.

Setting safer default settings not only protects companies from potential threats, but also helps employees avoid mistakes caused by lack of attention or technical knowledge.

Case Study: Applying Behavioural Science in Cybersecurity

To provide a deeper understanding of how behavioural science can be applied in a real-world context, let's look at some examples of large companies that have successfully reduced human error through behavioural approaches.

1. Google and MFA

Google introduced multi-factor authentication to all its employees in 2017 after realising that one of the main causes of data breaches in the company was human error, particularly related to the use of weak passwords. By mandating the use of MFA, Google has significantly reduced the number of security incidents and created a stronger security culture among its employees.

2. JPMorgan Chase and the Phishing Simulation Programme

JPMorgan Chase, one of the world's largest banks, implements a comprehensive phishing simulation programme to train its employees on how to recognise phishing emails. Every month, employees receive fake phishing emails, and the results of these simulations are used to assess the performance of each employee and department. This programme helps the company identify weaknesses in employee security awareness and provide additional training as needed.

In addition, JPMorgan Chase also adopts a positive reinforcement approach by rewarding employees who successfully detect and report phishing. This measure encourages greater employee involvement in the company's security efforts.

Read: Psychology's Role in Raising Cybersecurity Awareness

Conclusion

Human error is one of the biggest factors in cybersecurity breaches, but by using behavioural science, companies can significantly reduce this risk. Approaches such as nudging, leveraging cognitive biases, positive reinforcement, and personalised training can help change employee behaviour and strengthen the cybersecurity culture within an organisation.

By implementing these behaviour science-based strategies, companies can more effectively protect their data and systems from cyber threats caused by human error. Reducing the risk of human error will not only improve cybersecurity, but also help create a safer and more productive work environment overall.