This blog was co-written by Perry Carpenter and Roger A. Grimes.
As I sit in the 2024 Seattle Convene conference this week and listen to speaker after speaker talk about their successful security awareness training programs, one thing is perfectly clear. They all prefer carrots and fewer sticks.
A question human risk managers frequently ask me is what role negative consequences should play in a successful security awareness training program. This touches on a fundamental principle that my colleague, Perry Carpenter, is well known for emphasizing: the importance of working with human nature rather than against it.
Because of that, I invited him to co-write this blog post with me. Consider this a two-for-one blog special. The rest of this post represents our combined thoughts.
What’s the end-goal, anyway?
Some of our customers have a policy of firing people for first-time offenses, whether that offense is clicking a link in a simulated phishing email or interacting with a real phishing scam. We have many other customers who have no defined policy for “missed” phishing tests and who never follow up with an employee at all, whether they “fail” a simulated phishing test or not. The right policy lies somewhere in between.
The goal is to reduce cybersecurity risk most efficiently and effectively without significantly impacting business and revenues. Firing your best employees because they failed a phishing test doesn’t seem overly productive.
Punitive approaches often backfire and can create a culture of fear rather than one of shared responsibility.
This is especially true because anyone…ANYONE!! can be phished. If you think you can’t be socially engineered into doing something against your own best interests, you are at higher risk for a successful phishing attack, not lower.
No one wants to click on a phish. And yes, some people are more susceptible to phishing than others, and we need a way to motivate the poorer performers to become better. But how do we do this effectively?
More Carrots
Here are some common carrot ideas.
More Training
Certainly, one of the best ways to positively motivate a particular behavior and culture is with more or better education, and it doesn’t have to be perfect. I’ve seen enough repeated warnings to know that speeding increases my risk of a vehicle crash, and because of that, often I look at my speedometer and, if needed, slow down.
If you have someone who is frequently clicking on things they shouldn’t, give them more frequent training and testing about when they should and shouldn’t click. We recommend monthly training and simulated phishing tests weekly to monthly. We have the data to show that the more frequently you train and test, the better users perform and the more they reduce risk.
While you’re at it, make sure the training is relevant and engaging. It's not just about frequency, but about connecting the training to the user's day-to-day experiences and making it personally meaningful. People won’t remember training that feels irrelevant and disengaged from their ‘real life.’ You’ve got their attention – make it count.
Gamification
When done well, gamification helps to create engaging, memorable experiences that can drive behavior change. You may be wondering what I mean by gamification. Think of elements like leaderboards, point systems, and challenges to tap into people's natural competitiveness and desire for achievement. Most people love little challenges, getting success “badges”, and winning at tasks. If you have the necessary content, have them play more games related to the behavior you’re trying to encourage. The more fun the task is, the more likely they are to complete it.
Partnering
Leverage the power of social dynamics and peer influence. It might help to partner a sub-performer with a high-performer on the same team. The closer the helper is to the person on a daily basis, the better the cross-over education can be. Perry calls these people “culture carriers”: influential individuals within the organization who can help spread and reinforce security-conscious behaviors. The opposite may be true for some people, and an “outsider” assisting may be a better partner for them. Figure out what works best to motivate the individual who needs the help. This also allows some behaviors and mindsets to be caught rather than taught.
Lead By Example
Senior management should lead by example, writing or showing up in public to tell employees how important good cybersecurity practices are to the health of the organization, their customers, and their jobs. Senior management should not only welcome security awareness training and simulated phishing testing, but let everyone know that they support it.
Personal Recognition
Never underestimate the value of simply recognizing someone for a job well done. If you’ve got a “frequent clicker” and they go for months without failing a simulated phishing test, give them a certificate, send them a congratulatory email, or some other small personal recognition “touch”. The more public, the better. This is one of the key influencers of human behavior. People are more likely to adopt behaviors when they feel appreciated and liked for doing so.
Prizes
When someone demonstrates a positive behavior you’re trying to encourage, give them a prize. It can be small (e.g., a company-branded gift, a dinner gift certificate, a free team dinner, etc.) or large. A few organizations I know give every employee a cash bonus if they don’t click on a real or simulated phish during the year (although you need to position this as a reward for success, not as something that gets taken away because of a failure).
Awarding their team a prize, such as a free pizza party, because of a single individual’s continued success is a good way to foster improvement. If I did something that earned my team something good, my team is going to be appreciative, and that’s going to make me feel better and happier.
Keep in mind, however, that not all rewards are created equal, and some can even backfire by essentially setting a monetary value on the behavior (or the absence of it). Seek rewards that increase the person’s sense of self-worth and appreciation. There is also a lot to be said for the power of variable (less predictable) reward schedules. Unpredictable rewards can be even more motivating than consistent ones, tapping into the same principles that make games and social media so engaging.
Cascading Level of Actions
Not every response should be a gift. A good security awareness program includes a list of prescribed actions that will occur based on one or more simulated phishing failures. For example, one phishing failure (in a year) results in having to take more (but short) anti-phishing training immediately. The second phishing failure results in more, longer training, perhaps 15-45 minutes. A third failure in a year might result in having to talk to your boss. A fourth one might result in a counseling session with someone who specializes in trying to reduce phishing failures. Each of these actions can be framed to focus on education and support rather than punishment.
Personal Counseling
Once, when I had failed three phishing tests in a short period of time, I was instructed to talk to a co-worker whom I knew, but I didn’t know that they specialized in counseling people who had failed multiple phishing tests. I was a little resentful…or maybe bothered and inconvenienced are better words…because I had to have this meeting.
In a short period of time, he identified a commonality in my phishing failures, specifically emotional triggers that made me click too fast, and he made suggestions that I followed, and I didn’t fail any more phishing tests after that. Sometimes, others can more easily see what we cannot.
This demonstrates the importance of understanding individual motivations, contexts, and challenges when trying to shape behavior. This is also an opportunity to get to potential root causes within the job environment, technology stack being used, or other factors. Is something about the employee’s situation essentially designed to work against them?
Your cascading level of actions may even include some negative career impact (i.e., a stick), such as an HR action or even possibly separation of employment. But these should be used as a last resort. You want to treat these types of failures as failures of the system if anything else reasonable can be done for the particular risk scenario. I can also see where some rarer risk scenarios absolutely require strong, more immediate consequences. No matter what these actions are, they should be clearly communicated to and understood by employees.
Mindfulness Training
A lot of successful phishing occurs because a person is too busy multitasking or stressed. There is a growing body of research showing that people who are taught to slow down or be more “mindful” are less likely to fall for phishing attacks. This angle of security awareness training is gaining importance over time. My friend and work colleague, Anna Collard, has done a lot of work in this area. If you are interested in how mindfulness can increase the success of your security awareness program, I encourage you to check out her LinkedIn page. Over time, employees can develop a “security mindset” that becomes second nature, rather than just following a set of rules.
Ask Them To Teach Others
When people write about or teach things to others, they learn that information better. Teaching is one of the best ways to learn something. Although it might seem counterintuitive, asking a frequent clicker to teach others about how to spot phishing is not the worst idea on this list.
Ask What They Need
It can’t hurt to ask someone what they think might help them to be more successful. I’ve asked several problematic individuals who had negative behaviors that none of the other suggestions I made could fix. I asked them how I could help them improve, and sometimes the answers…to me…seemed a bit comical. But when I assisted them in getting that requested thing, most of the time, it worked. Never underestimate the value of asking someone how they can help themselves.
Carrots and positive reinforcement may need to be customized per person. Nothing works the same for everyone because we all learn differently. Try different things and see what works.
This is not to say that no person or circumstance will ever require a response that the recipient sees as negative. Sometimes, people need to be aware of negative consequences in order to perform better. The key is to focus on carrots most of the time and only resort to the threat of sticks when absolutely needed. You get more bees with honey.
This reminds me of some Dear Abby advice. Personal advice columnist Dear Abby was frequently contacted by people who asked how they should deal with a very difficult personal relationship where it had devolved into a steady stream of criticisms, unmet expectations, and disappointment (on both sides).
Dear Abby responded that the writer should resolve only to say positive things to that person for 30 days. No matter how angry or disappointed they felt with the other person’s behavior, the writer was to only say good things, give compliments, and give honest, positive encouragement. And if they couldn’t say something good at a particular moment, to keep quiet. In every case I’ve personally read, the writer said the negative relationship they were involved in significantly improved. I never read of a failure. In many cases, the relationship improved so much that the writer felt they no longer had a problem that needed to be resolved. I’ve used this advice in my own life to great success. Sometimes, newspaper advice columnists have all the answers.
If your security awareness training program is making a significant percentage of your employees upset, angry, or getting them in trouble, you’re likely doing it wrong.
In the end, this approach emphasizes empathy and understanding. Effective security awareness programs are built on a deep understanding of the user's perspective, challenges, and needs. If you’re asking what most successful security awareness training program managers do, the answer is clear: More carrots, fewer sticks.