An ideal tactic for security training engagement
In this article, we’ll explore the two main approaches to employee engagement: the carrot and the stick. We’ll look at what motivates employees to engage in security awareness training, and how each strategy can positively impact a company’s security program.
When businesses get punished for bad security practices, they often try to avoid the punishment in the future. However, punishing a business for bad security is not the best long-term strategy. This is according to the panelists who spoke at CyberRisk Alliance’s InfoSec World conference. They said that when businesses are punished for security breaches, they often try their best not to get caught again. But in the long run, this can actually harm consumers and businesses alike.
But, the panelists suggested, companies should not focus on scaring people into thinking that their information will be stolen. Instead, these companies should instill good cyber habits by providing positive reinforcement and rewards for people who follow good cyber practices.
“If I can figure out how to turn [training] into a game that people will have fun playing and even want to compete against each other … that works really well,” said Stacey Wright, vice president of cyber resiliency services at the nonprofit Cybercrime Support Network.
Ideally, cybersecurity training is as much about fun as it is about education. Workers who learn and apply the lessons receive meaningful recognition. Wright’s favorite example of this is a rock painted with different security-related messages that workers pass around when they are ready to learn more. They can also use it to recognize their colleagues who are doing the right thing.
“Every time you saw somebody do something good in security, both physical and cyber, you could give them the ‘You Rock’ award,” said Wright, explaining that honorees would be given the rock along with a prize like a gift certificate.“But the trick was … the goal wasn’t to keep the ‘You Rock.’ It was to pass it on as fast as you could. So this utility company with hundreds of employees had several rocks circling around, and every time somebody passed it along, [they] noted how long they have held on to it, but also why they passed it on, and what somebody had done that was really good and really positive to earn it. And I loved that idea. I thought it worked really well.”
Karen Letain, vice president of global corporate communications and corporate marketing at Proofpoint, said that training should be a fun, interactive and enjoyable experience. However, finding the right content delivery mechanisms that everybody in your organization likes is not always easy.
“The difficulty that comes in, especially in large organizations, is that what one person considers fun is offensive to the other. So it’s really tough to get that right mix,” said Letain. “For example, I like one-minute videos. I’m not gonna watch a 20-minute video, but you know what? My colleague loves interactive journeys. And those are 20-minute ones. And then I’ve got another colleague who’s like, ‘Hey, I’d rather just read a blog…’ So it really depends.”
According to Letain, companies should give their employees a variety of training formats to choose from. This will allow them to pick and choose what they like best. This will also allow businesses to give each employee the training that is most important to them.
Negative consequence models
However, some companies believe that their employees need a wake-up call to be safe online. If an employee fails to respond correctly to a simulated phishing test or performs unsafe actions, these businesses would like to punish them with negative consequences.
We all know that fear tactics don’t work for cybersecurity awareness. So what does? According to Cindy Liebes, “The best defense against cybercrime is a good offense. The best way to prevent an attack is to find out where the vulnerabilities are.” She says that’s why cybersecurity education should focus on creating a cybersecurity culture and empowering employees to be aware and proactive.
Despite the warnings, some companies have consequences for employees misusing social media. In some cases, this has resulted in employees getting fired.
Businesses must take extreme measures to protect themselves against hackers. “Some of these organizations feel that they have to do that because their business is such … that they just can’t afford to have people do the wrong thing,” said Letain, citing a critical-infrastructure energy company as a hypothetical example.
“The first time that a phishing test goes out, you’re going to see a massive click rate,” she explained. “But after a couple of years, it’s going to start going down. And that’s how you know that it’s working.”
However, such strategies are subject to the “law of diminishing returns,” Letain continued. “Eventually they won’t work anymore and eventually, employees will retaliate. And it will probably happen in ways you don’t recognize. They’ll leave the company, and you won’t want that to happen.”
As far as the employee goes, you need to think about the end goal. Aim to make them feel safe, secure and valued in their role at the company without losing any of your integrity. You want to keep them motivated, but sometimes that means allowing them to do things differently than they were taught. It’s not always black and white, but you have to find a way to keep everyone safe while also empowering your workforce and making them feel like they’re part of the fight.
I hope this article was helpful, if you have any questions please feel free to contact me. If you would like to be notified of when I create a new post you can subscribe to my blog alert.
Discover more from Patrick Domingues
Subscribe to get the latest posts sent to your email.