Has anyone ever wondered why on their electricity bill there is a representation of their household’s usage against the average two-, three- or four-person household telling them whether they are over or under? How does it make people feel?
The term behavioural economics has been around for maybe two decades. The marketing profession has been using the techniques it describes for even longer to get consumers to buy their brand. However, the use of behavioural economics as a tool for enterprise security is just emerging. It is time for security professionals to start using these techniques to help protect organisations and not just to influence people to buy a particular soap, car or follow a sporting code.
What is Behavioural Economics?
Behavioural economics looks at the relationship between the decisions that people make and the psychological and social factors that influence them. A significant amount of study in this area has been on people’s economic decisions, but the tools and techniques that have been tested can be applied in many other contexts.
Daniel Kahneman and his late research partner, Amos Tversky, are the two research psychologists most associated with behavioural economics. In 2002, Kahneman shared the Sveriges Riksbank Prize in Economic Sciences in Memory of Alfred Nobel for this work. Kahneman’s 2011 book Thinking, Fast and Slow explains many of the concepts in accessible terms. Kahneman and Tversky built on earlier studies that cut down an idea that now sounds quaint – the idea that humans, at least at the population or large-group level, act entirely rationally. Even so, this idea was at the heart of much classical economic thinking.
At first, this may not seem to relate to enterprise security at all. However, once one considers that the premise of behavioural economics is that people do not always make entirely rational decisions, the connection becomes clear. The second important idea is that small (and sometimes even intangible) incentives and disincentives can be used to guide individual actions at scale. It is this second aspect which is of greatest use to the enterprise security practitioner.
Behaviour is at the heart of enterprise security, because people are an organisation’s greatest asset and often also its greatest risk. At its simplest, the key aim of good enterprise security is ensuring that individuals are encouraged to make the right decisions that benefit their organisation. Behavioural economics works by assuming that, in many cases, people making the ‘wrong’ decision within an organisation do so because they have imperfect information or lack the right incentives or disincentives.
Psychologists have also found that people often exhibit a strong inclination to conform to social norms. The social norms change with the social groups that they participate in. Essentially, people often do things because their friends, colleagues or those they admire do. Friends and colleagues provide them with informational social influence or social proof. In plain English, people like to follow their herd and ‘keep up with the Joneses’.
Curiously though, people seem to struggle more with changing their minds than with coming to a decision in the first place. The idea that people change their minds when the facts change is a difficult one for many. Related to this, researchers from Harvard Business School have claimed that people tend to think they are more moral than they actually are and inhabit an “ethical mirage”. This can mean there is a disconnect between how they describe their decisions and how they actually behave. If one accepts this somewhat unflattering portrait of human behaviour, it follows that once people have made a decision, they tend to take a position that justifies their actions, whatever those were. And they want more justification to change their minds than they needed to come to the decision in the first place!
But what if it is possible to get people to make the ‘right’ decision in the first place? Then they would not have to justify wrong decisions. This is where the research findings of behavioural economics are tested at organisational and national scale.
Behavioural economics concepts are being applied at the public policy level by governments wanting to encourage certain behaviour without going to the expense of legislating compliance. It is expensive to make something illegal. Sometimes it is absolutely necessary (murder, for example), but society then has to create enforcement systems and pay the enforcers; and who watches the watchers? Some enlightened government agencies are experimenting with behavioural economics to achieve high levels of compliance without that cost.
In the UK and lately also in Australia, tax authorities have been attempting to use behavioural economics techniques. So-called nudge units have been set up to coax people to do their taxes by using social proof methods. Informing taxpayers who are late paying that “90 percent of people pay their taxes on time” increases the rate of taxpayer compliance. This achieves the policy objective of getting timely tax payments, but does it in a way that will not generate negative headlines. This in turn allows the tax agency to focus on individuals who are intentionally breaking the law, rather than doing so because life got in the way.
Another recent example has been the introduction of the No Jab, No Pay policy by the Australian Government, where parents do not get all of their family tax benefits unless they are willing to vaccinate their children. Rather than making it illegal for children to remain unvaccinated, the government has incentivised parents to vaccinate. This, added to significant social pressure from almost all of the medical community, means that Australia’s childhood vaccination rates are generally very high and fewer distressing pictures of children with whooping cough around the country are seen.
One interesting way that companies are using social proof is in encouraging households to save water and electricity. Increasingly, utility bills show householders where they stand in comparison to their suburb in terms of water or electricity use. Householders can then consider whether they want to moderate their behaviour.
Marketing firms use many behavioural economics techniques to encourage consumers to use particular products. Many people take advantage of airline frequent flyer programs that give rewards for the flights taken by members. The extremely successful travel website TripAdvisor awards points to its website users for the travel reviews that they produce. However, TripAdvisor points have absolutely no dollar value. They are valuable only to users in terms of social proof to that community that a member is a well-seasoned traveller. The majority of social media operates in a similar way.
Why should enterprise security professionals consider using behavioural economics in their organisation? It is expensive and time consuming to maintain rules for the increasingly complex environment that organisations operate in. Rules are difficult to write well and often only work in limited circumstances. The more detail, the more exceptions need to be built in. Quite often, rules also create a culture where individuals only follow the letter, not the spirit of the rules. This can contribute to the creation of a workplace that is not adaptable and where security is blamed for the problems of the organisation.
This can lead to situations where workers choose to circumvent organisational rules in order to achieve local goals. A worker might shortcut a process so that their team can complete it faster. The individual might rationalise this as good for the company, in that the job is completed sooner, and good for themselves, in that they can go home earlier. However, the decision they have rationally come to might be the ‘wrong’ decision from the perspective of the organisation: the shortcuts that have been introduced may decrease organisational security.
How do organisations change this? By changing the decision-equation the worker takes when he or she makes that decision. This is very much the place of behavioural economics in enterprise security. Organisational messaging that demonstrates the social norms of the organisation from a security perspective is vital. So too are tools and procedures which endeavour, where possible, to make the secure decision the easiest one to make. In many ways, the decision is very much linked to the security culture – the customs and practices – of the organisation.
Organisations are increasingly moving to principles- and risk-based frameworks in many areas, including security, because they find the sheer complexity of business otherwise overwhelming. This was one of the main drivers for the creation of the Australian Government’s Protective Security Policy Framework (PSPF). The PSPF tries to get government agencies to focus on their security outcomes, rather than on process.
One financial institution has used behavioural economics to give nudges to staff regarding personnel security. In one case, to improve reporting of changes of circumstances, the organisation gave staff the simple message, “Most people in our organisation report their change of personal circumstances within four weeks.” A caveat practitioners should keep in mind: a social-proof message of this kind only works when it is true and the norm it describes is the desired one. Telling staff that most of their colleagues do not report, or do not patch, or do share passwords, normalises the undesired behaviour rather than discouraging it.
In the government space, there has been debate about whether it is possible to create an ‘information classification market’ which balances the need to classify information appropriately against the costs to organisations of over-classification in terms of long-term storage and devaluation of security markings. Such a market could work by incentivising managers to ensure that staff were classifying information as accurately as possible. As always, the trick would be to ensure that the incentives match the risk profile of the organisation.
Enterprise security professionals should be asking where they can apply these behavioural economics techniques in their organisations. The possibilities are varied and many and every organisation is different – so are the opportunities for using these techniques to improve enterprise security.
Alex Webling BSc, BA (Hons), Gdip Comms, GdipEd, ZOP, AARPI has been the Director of Resilience Outcomes Pty Ltd since 2012. Resilience Outcomes is a consultancy specialising in organisational strategy and resilience, identity, privacy and information security. Alex is also the current Deputy Chair of Security Professionals Australasia, a member of the Standards Australia Board on Security and a Director of the International Association of Privacy Professionals (A/NZ). He is a registered security professional in the area of enterprise security. Alex can be contacted via email Services@resilienceoutcomes.com