Employee motivation in cyber security awareness programs

As a security executive for over 15 years, I’ve been analyzing employee motivation for a long time. I’ve seen many executives use “carrots” to motivate their employees to complete training, but I’ve also seen many use “sticks” to punish their employees into submission.

Jim Guckin (JG) – Jim is also a returning panelist and 20-year veteran in the IT and information security field. He has worked for or with many different organizations in many different industries and is currently the SVP of Digital Security Operations at Customers Bank. 

Tyler Sweaney (TS) – Tyler is also a returning panelist and a Cyber Security & Telecom Specialist and Account Manager at Global CTO where he is powering California Businesses with tech solutions. 

Dany Durand (DD) – Dany is a first-time panelist and is also joining us from Greenpeace where he is the Head of People and Culture. 

Chris Kayser – Another returning panelist, Chris is the Founder and CEO of Cybercrime Analytics Ltd, a cybercrime consulting and research firm. Chris is currently researching the effects and targeting that cyber attacks have on different generations. 

Ryan Healey-Ogden (RH) – Ryan is Click Armor’s Director of Business Development, he holds a passion for security awareness, education, and technology and how it relates to people. 

And myself, Scott Wright (SW), CEO of Click Armor, the sponsor for this session. Now, let’s get to our discussion on timely news stories:

What “carrots” or positive reinforcement should be used?

JG: I would say the best in general is to publicly acknowledge people who do a good job, even if it’s just a paper certificate you print out from the office and it just has their name on it. 

Another option is a leader board. Some people like to see their name on the top. Mainly, you have to really understand your audience and what motivates them, but those are the two best in general. 

EG: Piggybacking on what Jim said, it’s actually great to have a mix of all of those. You can’t succeed in any one particular answer because everybody’s motivation is different. If there’s anything I’ve learned from working with 1,200 to 500000 people, everybody is motivated differently, just like everybody can be an extra or an introvert. 

But I will say one of the most effective ways for a lot of people is making experiences enjoyable. My best example of that is that I’ve gotten a lot of feedback from people that they don’t like phishing simulations because it feels deceptive and it feels like you’re just tricking your employees and there’s no real benefit to it.

We’ve been able to make that adjustment, to make that a more pleasurable experience for people by rewarding people with a certificate. Just a quick good job. You reported a fish, keep up the good work and we would just add that directly to them in an email.

SC: I agree, making experiences enjoyable is fundamental. The hard thing with carrots is that if it is done in a public forum then not having that badge or that start can be a stick. If everyone in a forum has a badge, and someone specifically doesn’t, that can be negative reinforcement and I think that’s something we have to think about. Your carrots can turn into sticks. 

But then, a stick can be turned into a carrot. So, anything you see as a negative can be turned into a motivating or positive conversation, instead of a stick. 

DD: For carrots, I think it’s really great to look at the teams to hand it out. The carrots come from your teammates because you are doing something together. So, rather than a leaderboard, you are just doing something together and completing something together and your teammates cheer you on. 

Are there “sticks” or negative reinforcement that should be used?

SW: There are certain policies that people have to comply with and there are always sections in a policy that talk about consequences. So, I think sometimes there has to be a stick at the very highest level where, from a governance point of view, it’s part of the actual running of the organization.

EG: I will always believe in staying as positive as possible. I think not approaching anything with positivity and trying to build leverage between the organization and security should always stick to being more optimistic and uplifting as possible. However, I do think there is a balance to be struck. 

When we talk about sticks, a lot of people think of bonuses being docked and privilege access being taken away and all these technical pieces being implemented. But, a lot of people forget to think that a stick could simply be meeting with your manager who says, “Hey, you haven’t been doing your security training. It’s long and I get that, but you do need to complete it.” That’s still a stick. 

We need to make sure that not only are we creating a program that encourages people to want to participate and engage, but also we have the compliance and audit side too that we have to that we’re beholden to, which is where sticks come in. But, they don’t have to be aggressive. 

TS: If someone continues to fail phishing tests and you find out it’s because they  just don’t care, that’s when sticks tend to be a little bit more motivating. With those types of people, typically that apathy transcends security awareness.

If they just don’t understand, that’s a different story, they can be met with education. But, there are people who just don’t care to learn. 

CK: One approach to handle those types of people is to say to them “You’re actually not the problem. You’re part of the solution. You’re part of the team.” And explain to them that yes, we have an IT department, but they can’t check everything. And that they need to help protect the organization. By reaching out and encouraging people that they can be part of the solution and not just the problem, is a nice carrot to have to put out instead of beating with a stick. 

— 

So, what team are you: carrots or sticks? Hopefully after hearing from our panel, you understand that it’s a balance that is needed, not one or the other. Putting carrots first should always be the priority, but you’ll need sticks in order to meet compliance requirements or target the specific group of people who just don’t care. To learn more about motivating your employees watch the full panel on our YouTube.

Click Armor is the first highly interactive security awareness platform, with engaging foundational courses and 3-minute weekly challenges that employees love. We offer content on everything from security basics, phishing and social engineering to passwords and privacy.

Even if your organization already has a solution, there’s a high likelihood that some employees are still not engaging and are exposing your systems and information to cyberthreats. Click Armor offers a special “remediation” package that complements existing solutions that don’t offer any relevant content for people who need a different method of awareness training.

 

Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.