Behavior science

Nudge

A small, contextual intervention that steers a person toward a safer choice without restricting freedom — the unit of work behind behavior-centered cybersecurity.

A nudge is a small intervention built on a behavioral economist's logic: change the choice architecture so the safer action becomes the easier one, without taking the unsafe action off the table. Richard Thaler and Cass Sunstein coined the term in Nudge (2008) to describe interventions that respect autonomy while shifting behavior at scale.

In cybersecurity, a nudge is the operational unit of behavior-centered security: a brief, contextual message delivered at the moment a risky behavior happens, not weeks later in a training module. The defining properties are:

  • Contextual. The nudge references the specific thing the person just did (“you shared Q4 Pricing.docx with anyone-with-the-link”), not a generic policy reminder.
  • In-channel. It arrives where work happens — Slack, Teams, Outlook — not in a separate LMS the employee has to log into.
  • Fast. Acting on it takes seconds. Ignoring it carries no penalty; over time, the secure default becomes the automatic one.
  • Personalized. The same risky behavior triggers different nudges depending on the person’s role and history. Sales gets one frame; finance gets another.

Done well, nudges close the knowledge-behavior gap that traditional security awareness training cannot — because awareness training tries to install knowledge once a year, while nudges work on the behavior every time it happens. Done badly, nudges become noise the employee learns to dismiss.
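The four properties above, plus the "noise" failure mode, can be read as requirements on the logic that turns a risky event into a message. The following dispatcher is an added example written for this entry, not code from the page or from any product it describes: it takes a constructed "shared with anyone-with-the-link" event, names the exact file in the message (contextual), routes it to the person's chat tool (in-channel), attaches a one-click remediation label (fast), frames the text by role (personalized), and suppresses repeat nudges for the same person and behavior inside a window so the message does not decay into noise. The user directory, role frames, channel names and sample events are all constructed for illustration.

```python
"""Minimal nudge dispatcher (added example, not from the original page).

Demonstrates contextual, in-channel, fast, personalized nudges with a
suppression window against nudge fatigue. All data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed directory: each person's role and the chat tool they work in.
USER_DIRECTORY: Dict[str, Dict[str, str]] = {
    "alice": {"role": "sales", "channel": "slack"},
    "bob": {"role": "finance", "channel": "teams"},
}

# The same risky behavior gets a different frame per role (the "personalized" property).
ROLE_FRAMES: Dict[str, str] = {
    "sales": "Prospects can forward that link; switch to named recipients so the deal stays private.",
    "finance": "Anyone with the link can read those numbers; restrict it before it leaves the team.",
}
DEFAULT_FRAME = "Anyone with the link can open this file; consider sharing with specific people instead."

RISKY_ACTION = "share_anyone_with_link"   # the one behavior modelled in this example


@dataclass
class Event:
    user: str
    action: str        # e.g. "share_anyone_with_link"
    resource: str      # e.g. "Q4 Pricing.docx"
    at: datetime


@dataclass
class Nudge:
    user: str
    channel: str       # where the nudge is delivered (the "in-channel" property)
    text: str          # message naming the exact thing just done (the "contextual" property)
    action_label: str  # the one-click remediation offered (the "fast" property)


@dataclass
class NudgeDispatcher:
    suppression_window: timedelta = timedelta(hours=24)
    # (user, action) -> time of the last nudge sent, used to avoid nudge fatigue
    _last_sent: Dict[Tuple[str, str], datetime] = field(default_factory=dict)

    def decide(self, event: Event) -> Optional[Nudge]:
        """Return a nudge for a risky event, or None if nothing should be sent."""
        if event.action != RISKY_ACTION:
            return None                        # not a behavior this dispatcher nudges on
        profile = USER_DIRECTORY.get(event.user)
        if profile is None:
            return None                        # unknown user: nothing to personalize
        key = (event.user, event.action)
        last = self._last_sent.get(key)
        if last is not None and event.at - last < self.suppression_window:
            return None                        # nudged recently: stay quiet, avoid noise
        self._last_sent[key] = event.at
        context = f"You shared {event.resource} with anyone-with-the-link."
        frame = ROLE_FRAMES.get(profile["role"], DEFAULT_FRAME)
        return Nudge(user=event.user, channel=profile["channel"],
                     text=f"{context} {frame}", action_label="Restrict to named people")


# Constructed sample events: a risky share, a repeat an hour later, a repeat after
# the window, a different user, and a benign action.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS: List[Event] = [
    Event("alice", RISKY_ACTION, "Q4 Pricing.docx", T0),
    Event("alice", RISKY_ACTION, "Q4 Pricing.docx", T0 + timedelta(hours=1)),
    Event("alice", RISKY_ACTION, "Roadmap.pptx", T0 + timedelta(hours=25)),
    Event("bob", RISKY_ACTION, "Ledger.xlsx", T0),
    Event("alice", "login", "-", T0),
]


def run_demo() -> List[Optional[Nudge]]:
    """Feed the sample events through one dispatcher and return its decisions."""
    dispatcher = NudgeDispatcher()
    return [dispatcher.decide(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, nudge in zip(SAMPLE_EVENTS, run_demo()):
        print(f"{event.user:6} {event.action:22} -> {nudge.text if nudge else 'suppressed'}")
```

The suppression key is (user, behavior) rather than (user, file) on purpose: the point of a nudge is to shape the habit, so a second message an hour after the first teaches dismissal rather than change. Tune the window to the team's tolerance and watch the dismiss rate.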
