Last Updated on 29 January 2023 by Daniel
Emily Collins, University of Bath and Joanne Hinds, University of Bath
The number of cyber attacks is estimated to have risen by 67% over the last five years, with the majority of these data breaches being traced back to human error.
The potential risks of such attacks are vast and can have a serious impact on both organisations and individuals. But protecting ourselves against cyber security threats can be extremely complicated.
Not only is the technology we use on a daily basis getting more complex, but attackers are constantly finding new ways to bypass security measures.
Yet staying up to date with safety measures and new devices is not always practical. Many people are exhausted and turned off by seemingly endless reports of data breaches in the news – an effect referred to as “privacy fatigue”.
They can become weary of installing software updates, updating privacy settings or changing passwords – or simply fear that such precautions are pointless.
Efforts to combat this within organisations often involve providing employees with relevant training sessions. But such training can quickly become obsolete, or simply forgotten.
Workers also tend to be busy. When people are trying to complete other tasks, they might not remember to stay secure, particularly when doing so makes their job more difficult or time consuming.
Research has shown that when computers were fitted with proximity sensors (which automatically log users out when they move away from the machine) users began placing cups over the sensors to disable them.
The intention had been to improve security, but in practice it created what felt like a disproportionate burden for the user – in this case, having to repeatedly log back in, even after only briefly moving away from their work station.
Cyber security threats often take advantage of this reality. Phishing emails, for instance, frequently convey a degree of urgency or time pressure. This can result in a greater risk of clicking on a malicious link and giving away personal or private information. The busier someone is, the more likely they are to act without thinking.
When people are too busy and too distracted to act securely, one way of resolving this may be to exploit their “automatic processes” – their habits, or actions they take without really thinking.
If people can be successfully “nudged” in this way, they could end up becoming substantially more resistant to cyber attacks. Research into people’s habits has highlighted that “contextual cues” (events, physical items) can help to prompt particular behaviours.
Gadgets like activity trackers use similar cues – such as vibrating when the user has been stationary for too long – to try and increase activity levels.
Prompts that attempt to encourage cyber security behaviours in a similar way are common. But these approaches often fail because people will typically cancel, ignore or work around such alerts, particularly if they interrupt another task. When people are working on a computer, they find pop-up boxes or notifications frustrating and often click “yes” or “okay” without thinking about it.
Instead, using devices external to the computer (but on the desk) can allow reminders to stay in someone’s periphery, and possibly increase the chances they will act on them. Using soft lights provides an opportunity to try and change people’s behaviour in ways that are less “aggressive” or annoying.
Seeing the light
The Adafruit Circuit Playground is a small electronic piece of kit which can be programmed to display different coloured lights in different configurations or patterns. The idea is that it will sit next to someone’s computer and the lights will subtly nudge the user to lock their computer screen (if they forget to) as they leave their desk.
It can be connected to a variety of sensors that detect a person’s movement, which will effectively trigger the soft lights (or a gentle sound or vibration) to come on and then (hopefully) help to encourage the person to develop a new habit, such as locking a screen, changing a password, or updating their privacy settings.
These kinds of nudges can be less disruptive to a person’s workload (or current task), and effectively remind them to do something. There is evidence that gentle prompts such as these have had positive impacts on people’s behaviour.
At a time when people are increasingly distracted, exhausted, and threatened by data breaches, the need to safeguard against threats is greater than ever. Exploring new approaches to “nudging” people’s behaviour could be a solution that helps to reduce our vulnerability to security threats – creating safer work and home environments for everyone.
Emily Collins, Research Associate in Human Factors of Cyber Security, University of Bath and Joanne Hinds, Research Associate, University of Bath
This article is republished from The Conversation under a Creative Commons license. Read the original article.