Threat Actors Leverage Behavioral Science; Security Teams Should, Too with Matt Wallaert

The cybersecurity industry often fixates on “behavior change,” expecting users to take on unrealistic tasks instead of designing safer, smarter systems. 

Matt Wallaert (founder of BeSci.io and author of Start at the End: How to Build Products that Create Change) explains behavioral science isn't about forcing behavior change. Instead, it's about understanding people so a thoughtfully-designed system can influence more secure outcomes.

Whether you’re a UX designer, a security engineer, or a CISO, you influence security behaviors. Here’s how you can move towards more secure outcomes:

• Stay Ahead of Threat Actors: Cybercriminals use behavioral science to their advantage. People designing the security user experience must not only catch up but outpace them.
• Define Clear Outcomes: Don’t just say “we want users to be secure.” Know exactly what behaviors you want and why. Vague goals lead to vague results.(as Matt explains, saying things like “I want people to be more secure” isn’t helpful. In fact, many people don’t know what “more secure” means in the context of their product or organization).
• Ask Better Questions: Use tools like the “sufficiency test.” For example, sure, it might be nice if users created complex passwords—but users don’t necessarily have to be the ones doing it. Why can’t the system create a complex password for them (as password managers do)?
• Understand promoting and inhibiting pressures. These concepts will help you design systems that are more resilient because they are built with people in mind. There are reasons people do and do not do things—when you understand why, you can develop systems that will be more effective in encouraging the behaviors you want. 
• Security practitioners: tired of being perceived as the “department of no”? Matt explains how behavioral science can help you better collaborate with cross-disciplinary teams.

Bonus: UX designers, after this episode you may never create another persona.