Kudos, not consequences, are an ideal tactic for security training engagement

The carrot or the stick — which strategy best helps companies ensure employee engagement in their security awareness training program? 

While doling out punishments for bad security practices might be effective in curbing undesirable behavior the short term, this tactic tends to backfire in the long run, according to panelists speaking today at CyberRisk Alliance’s InfoSec World conference.

Instead, they suggested, companies should aim to instill good cyber habits through positive reinforcement and rewards, gamification and interactivity.

“If I can figure out how to turn [training] into a game that people will have fun playing and even want to compete against each other … that works really well,” said Stacey Wright, vice president of cyber resiliency services at the nonprofit Cybercrime Support Network. Ideally, such games not only educate employees on why cybersecurity is important, but also recognize and honor workers who adhere to the lessons. One of Wright’s favorite examples involved an unnamed utility company that would pass around a painted rock in what she described as a “hot potato” game.

“Every time you saw somebody do something good in security, both physical and cyber, you could give them the ‘You Rock’ award,” said Wright, explaining that honorees would be given the rock along with a prize like a gift certificate.

“But the trick was … the goal wasn't to keep the ‘You Rock.’ It was to pass it on as fast as you could. So this utility company with hundreds of employees had several rocks circling around, and every time somebody passed it along, [they] noted how long they have held on to it, but also why they passed it on, [and] what somebody had done that was really good and really positive to [earn it]. And I loved that idea. I thought it worked really well.”

Click here to register for InfoSec World to watch the full keynote fireside discussion, and access the rest of the Nov. 9-10 conference agenda.

Karen Letain, vice president of global corporate communications and corporate marketing at Proofpoint, agreed that training should be fun, interactive and enjoyable. However, it’s not always that simple to find content delivery mechanisms that everybody in your organization likes.

“The difficulty that comes in, especially in large organizations, is that what one person considers fun is offensive to the other. So it's really tough to get that right mix,” said Letain. “For example, I like one-minute videos. I'm not gonna watch a 20-minute video, but you know what? My colleague loves interactive journeys. And those are 20-minute ones. And then I've got another colleague who's like, ‘Hey, I'd rather just read a blog…’ So it really depends.”

Certain formats might cause some people to tune in, but others to tune out, so the key is to “give people a variety of things” enabling them to “pick and choose,” said Letain. Ideally, this will allow companies to personalize or customize their training in ways that best fit each trainee.

Negative consequence models

Apparently, however, some companies believe what employees need is a wake-up call in the form of negative consequences if they perform an unsafe action or fail a simulated phishing test.

As noted by panel moderator Cindy Liebes, chief program officer at the Cybercrime Support Network, many researchers and cybersecurity awareness experts will tell you that “fear tactics and cybersecurity training [don’t] really result in behavioral change — and sometimes, in a worst case scenario it could stop employees from actually reporting the incidents out of fear.”

And yet, despite these warnings, “we have a number of customers that actually have consequence models in place,” said Letain. “And the consequence models are fairly dire.” In some cases, that can include employees actually being fired.

Why such extreme measures? “Some of these organizations feel that they have to do that because their business is such … that they just can't afford to have people do the wrong thing,” said Letain, citing a critical-infrastructure energy company as a hypothetical example.

And, at least in the short term, such tactics can have desirable impact.

“Initially, it works really well,” she said. “And that's why people have a hard time getting off of it as an organization. ’Cause they're like, ‘Oh my God, my [phishing test] click rate went down … nobody's clicking anymore … and so it's working.’”

But in reality, such strategies are subject to the “law of diminishing returns,” Letain continued. “Eventually, it won't work anymore, and eventually employees are going to retaliate. And it will probably be in ways that you might not recognize. They’ll just leave the company and you don't want that to happen.”

Granted, not every employee responds to positive reinforcement, and certain companies may want to add some form of disincentive — short of firing — to deter reckless behavior, Letain said. But what you really want, she continued, is to empower your employees and make them feel like they’re part of the fight against cybercrime. “To do that they have to feel safe, they have to be secure and they have to be able to talk if something is suspicious — and if you've got this negative consequence behind your program, they're not going to want to do that.”