BIG PASSWORD ENERGY: New Zealand uses behavioural insights to drive cyber hygiene

In 2022, bright yellow posters declaring that a cast of characters have #BigPasswordEnergy populated the streets of New Zealand. The irreverent play on a cheeky digital colloquialism targeted Kiwis from all walks of life to encourage them to adopt stronger and longer passwords – or passphrases.

What are passphrases? Passphrases are passwords that comprise multiple words in a sentencelike string. Since 2020, American security services have recommended that citizens embrace password length over password complexity, as these are harder to crack than short and complex passwords which include special characters.

“One of the really basic things that [New Zealanders] were not so great on was passwords,” says Olivia Lacey, former Senior Communications and Engagement Advisor at CERT NZ, the New Zealand government’s computer emergency response team which ran the #BigPasswordEnergy ad campaign from July to August 2022.

From their research, CERT NZ found that over half of respondents did not use strong passwords, and were “quite high risk on quite a basic thing,” Lacey tells GovInsider. In order to shift the kinds of passwords citizens use, the agency has turned to behavioural insights to guide such campaigns in making a splash. 

The human factor

The threat of cyber security incidents continues to be cause for concern in New Zealand. In 2022, New Zealanders reported losing nearly NZD $9 million (USD $5.6 million) over the course of July to September, according to a report by CERT NZ, making it the highest quarterly loss since 2017.

This is why it was important for CERT NZ to bring in a human face to the issue of cyber security and empower people to protect themselves, says Lacey.

“Make it human” was one insight gleaned from a research study conducted by CERT NZ and The Research Agency, which aimed to uncover how CERT NZ could use behavioural ‘nudges’ to encourage better cyber practices. 

For instance, the #BigPasswordEnergy campaign used photos of everyday folks rather than men in suits using advanced computers. This can subconsciously motivate people to act and encourage those with low cyber confidence to take active steps, according to the Cyber Change: Behavioural insights for being secure online guide published by CERT NZ in August 2022.

“This research has really helped us to take a more evidence based approach and be more confident,” says Lacey. The #BigPasswordEnergy campaign was the first campaign they ran using insights gathered from their research.

The campaign also sought to reframe passwords to passphrases, highlighted Lacey. 

The perception of ease around passphrases was much higher, and people are more likely to act when concepts are framed in simpler ways, says Lacey.

“Little tweaks to language can make a big difference,” she notes.

“We also used a little bit of humour [in the pictures], because New Zealanders like a bit of humour.”

Working with organisations

CERT NZ also plans to work with organisations that are involved in promoting stronger cybersecurity behaviours to adopt the tips recommended by the Cyber Change booklet. These could include financial institutions, government agencies, and telecommunications providers, says Lacey. 

“It’s really important that we’re all saying the same thing and that New Zealanders have clarity and consistency in the cyber security advice they’re receiving,” says Lacey. 

Beyond informing their campaigns and communication practices, these tools may also soon inform reporting processes, web tools, and the creation of how-to guides, notes Lacey.
 

For example, CERT NZ’s Twitter account posted a Christmas message that “chunked” various recommendations into an easy to digest guide for followers. “Chunking” aims to make information less complex and straightforward for online users.

Among other advice, the guide urges agencies to make reporting processes seamless and provides individuals with suggested phrases they can use to end a suspected scam call.