
Towards Secure Behaviour: Exploring the Effects and Limits of Nudging in Information Security Policy Compliance
Theresa Pfaff, Gilbert Hoevel, Tim Brinkmeier
During their daily business, companies are subject to a significant economic risk because of data breaches. Organizations reduce this risk by implementing information security policies (ISPs) that guide their employees' behaviour. Employees, however, often do not adhere to these policies. While traditional approaches focus on enforcement via training or deterrence measures, this research explores the efficacy and limits of nudging as a potential behavioural intervention, grounded in dual-process theory. This theory delineates two cognitive systems: System 1, characterized by intuitive and automatic decision-making, and System 2, associated with deliberate and analytical reasoning. Through an online experimental design, this study investigates whether ISP messages tailored to System 1’s rapid responses or System 2’s reflective processes can more effectively foster secure behaviour. In addition to providing valuable insights for designing effective strategies to promote ISP compliance, this research aims to advance our understanding of behavioural interventions within the context of information security.
