The EAST framework developed by the UK’s Behavioural Insights Team (BIT) offers a straightforward approach to applying behavioral insights in various domains, including cybersecurity. The acronym EAST stands for Easy, Attractive, Social, and Timely—four principles that guide how to effectively influence behavior. Here’s a detailed explanation of each component of the EAST framework and how it can be applied to cybersecurity:
1. Easy
Making behaviors easy to perform is fundamental in encouraging people to take the desired actions. In the context of cybersecurity, this means reducing the effort required to comply with security measures.
- Simplification: Security processes should be simplified to minimize the burden on users. For example, simplifying password requirements or enabling password managers can make it easier for users to create and maintain secure passwords.
- Removing Friction: Reduce the steps and obstacles that might prevent users from adopting secure behaviors. For instance, enabling auto-updates for software reduces the effort required to maintain up-to-date security.
Book Reference: The EAST framework is detailed in the report titled “EAST: Four Simple Ways to Apply Behavioural Insights” by the Behavioural Insights Team, which explores how making actions easier can significantly boost compliance.
2. Attractive
To capture and hold people’s attention, behaviors should be made attractive.
- Salience: Highlighting the benefits of secure behaviors or making the risks of insecure behaviors more apparent can attract attention. For example, show users how a small action like enabling two-factor authentication can significantly enhance security.
- Incentives: Offering rewards or recognizing secure behavior can motivate users. This might include gamifying security practices where users earn points or badges for following best practices.
Book Reference: The same EAST report discusses how making behaviors attractive through incentives and framing can lead to better engagement and adoption.
3. Social
People are influenced by what others around them do. Social norms can drive behavior change effectively.
- Norms: Emphasizing that most people in a group follow certain security practices can encourage others to do the same. For example, communicating that the majority of employees regularly update their passwords may encourage others to follow suit.
- Peer Influence: Group activities and peer pressure can also foster secure behaviors. For instance, security training sessions that involve group participation can build a culture of security within an organization.
Book Reference: The EAST report includes examples of how leveraging social norms can lead to significant behavior change in various settings, including cybersecurity.
4. Timely
The timing of interventions can greatly impact their effectiveness.
- Prompting at the Right Moment: Security prompts should be delivered at moments when users are most likely to act on them. For example, prompt users to change their passwords immediately after a data breach is announced.
- Time-Limited Offers: Creating a sense of urgency, such as offering limited-time incentives for adopting new security measures, can encourage quicker compliance.
Book Reference: Timing is discussed in the EAST report, where it is noted that the effectiveness of interventions can increase when they are delivered at moments of high relevance to the user.
Application in Cybersecurity
By applying the EAST framework, cybersecurity measures can become more effective by aligning with natural human tendencies. For example, simplifying the process of adopting security measures (Easy), making them appealing and rewarding (Attractive), leveraging social influence (Social), and timing interventions for maximum impact (Timely) can significantly improve the adoption of secure behaviors within an organization.
Further Reading:
- The full report “EAST: Four Simple Ways to Apply Behavioural Insights” by the Behavioural Insights Team provides a comprehensive guide to applying these principles across various domains, including cybersecurity.
This approach not only increases the likelihood of compliance but also integrates security practices more seamlessly into everyday activities, thereby reducing resistance and enhancing overall organizational security.