One Article Review

Home - The article:
Source ProofPoint
Identifier 8500260
Publication date 2024-05-15 06:00:25 (viewed: 2024-05-15 15:07:21)
Title Nudge Theory Alone Won't Save Cybersecurity: 3 Essential Considerations
Text

After reading the book Nudge: Improving Decisions About Health, Wealth, and Happiness, it is tempting to believe a well-crafted, perfectly timed pop-up message will move people away from engaging in unsafe online behaviors and toward building better cybersecurity habits. But let's be honest. If it were that simple, then we wouldn't be seeing the ongoing financial losses that many individuals and organizations are experiencing each year.

Instead, it is more productive to talk about the judicious application of nudging to this incredibly complex problem. We wish to understand how the practice of nudging fits within the broader scope of cybersecurity education and behavioral change. The purpose of this blog is to lay the conceptual groundwork for deciding when nudging is appropriate, as well as maintaining a realistic understanding of the magnitude of the impact.

Toward that end, we will attempt to address three important questions when considering nudging in the context of cybersecurity education and behavioral change:

1. What is a nudge? Conversely, what is not a nudge? Where do we draw the line?
2. Under which conditions are nudges effective, and what is the expected magnitude of the effect?
3. Assuming nudges are cheap and easy to ignore (by definition), what is the alternative?

Question 1: What is a nudge? What is not a nudge?

As stated above, the concept of a nudge was made popular in 2009 with the publication of Nudge: Improving Decisions About Health, Wealth, and Happiness. In the past 15 years, we have collected ample evidence of its efficacy.

One advantage of nudge theory is its broad applicability. It has been shown to facilitate better behaviors in several disparate domains, including auto-enrolling employees into retirement plans, increasing the number of organ donors, and increasing the number of people who pay their taxes on time. These benefits were achieved by architecting sensible defaults and crafting well-designed messages for the target audiences.

The broad applicability might be related to the all-encompassing definition of what counts as a "nudge." The authors Richard H. Thaler and Cass R. Sunstein define a nudge as, "Any aspect of the choice architecture that alters people's behavior in a predictable way without forbidding any options or significantly changing their economic incentives." One easily overlooked aspect of the nudge definition is, "the intervention must be easy and cheap to avoid" (my emphasis).

In other words, a nudge aims to influence the decision a person makes without taking away any options. A good example of this is putting healthier foods at the beginning of a salad bar. You can still wait and choose to fill your plate with desserts. However, given that many people choose the first food that sounds good, having salad ahead of dessert makes people more likely to pick it.

By this definition, then, a policy should not be considered a nudge, because a policy expressly forbids a specific action, behavior or choice. This is problematic because most cybersecurity behaviors fall under "policy violations."

Consider, for example, an organization that does not allow its employees to use third-party storage solutions like DropBox. If an employee attempts to save their work-related files on an unsupported storage platform, then a data loss prevention (DLP) policy might be triggered, thus preventing them from executing their action (see Figure 1).

Figure 1. A DLP warning to the end user that their action has been blocked.

If a pop-up message explains what happened, then that would not count as a nudge under the strict definition, because it prevents the end user from taking their preferred action. Instead, this message might be considered "feedback" or a "just-in-time learning opportunity" that reiterates or reinforces the company's DLP policy.

It is also important to consider the pragmatics of nudge delivery. Policies ar
Notes ★★★
Sent Yes
Tags Malware Tool
The article does not seem to have been picked up after its publication.

The article does not seem to have been taken from a previous one.