Continuity Bias
"We've already filled in most of it for you, you just have to... "
Have you ever noticed that making one decision can lead to finally making other decisions that have been postponed for a long time? Sometimes, an overwhelming task becomes more manageable once you take the first step or purchase the necessary item.
For instance, if you've been putting off a garden project, you might find it easier to get started once you come across the perfect bench on sale. Once you've purchased the bench, buying the necessary planks, posts, and screws comes easy, and suddenly, the rest of the project may seem more straightforward. And once everything is loaded into your trailer, you might as well move it to the garden. As you move the posts for the patio, you could even dig the necessary holes immediately to save yourself time moving them again...
This phenomenon is related to a cognitive bias called continuity bias, which makes us more likely to continue a task we've already started.
Now, you might wonder what all this has to do with IT security.
Linking decisions and actions together can be highly effective when working with secure behavior. People find it easier to make decisions and take action when connecting them to other decisions and actions, creating a flow between them. This helps make the decision-making process smoother and more efficient, and our brain loves anything that saves energy.
A perfect example of continuity bias used correctly is when the health authorities in Denmark launched the digital health card in 2021. The process included a step where you could simultaneously register for the organ donor register.
OK, they got the idea from the UK, but hang on to learn how well thought out it is.
Now, when users create their digital health cards on their phones, they are simply asked if they would like to sign up for the donor register as well.
The result of this small intervention is staggering. In a single month, they have managed to add as many new registrations to the donor register as there normally are in a whole year. Surely, it is a behavior change that matters.
So, how can we translate that into IT secure behavior?
If we want to utilize our knowledge of the continuity bias, we should aim to link actions and processes.
It could, for example, be that when the organization rolls out a new IT system, the message is "When you now use your brand new IT system, just save your new password in your password vault, which you will find right here." (Remember the link, which will make it a straightforward task.) Then, you also play on our bias for the "path of least resistance." (I'll tell you more about that bias in a later blog post.)
By linking decisions and actions, you start the chain reaction, which gets them to create their password and simultaneously start using the password vault.
A helpful detail about the continuity bias is that we also continue something others have started. Maybe you've noticed that some advertisers or authorities trying to influence us write: "We've already filled in most of it for you, all you have to do is..." This is a clear example of the use of continuity bias.
You can use this by directly stealing the sentence above or incorporating it into your communication.
For example, what would happen in the head of a colleague who gets the message: "Here is your new IT equipment. We have secured it well for you; you have to develop a good, complex password yourself."
Your colleague will probably feel that she is almost up and running and think, "Wouldn't it be a shame if they do all that for me and their efforts are wasted? I might as well create a very good password."
Here, you play on reciprocity bias in addition to continuity bias. Reciprocity is about humans' urge to do something for those who do something for us. You can read more about this in yet another blog post.
So, the next time you go on a shopping spree and buy BOTH the shoes and the jacket you have postponed for a long time, or see a half-filled subscription field that needs the last... then continuity bias is at play.