I don’t like getting in trouble. Never have. In 1st grade, my teacher had a behavior chart. You could earn stars for doing good things – raising your hand to speak, answering questions correctly, putting your head down on your desk when she said so. And you could earn demerits for bad behavior – 1 strike meant sitting out 5 minutes at recess, 2 strikes 10 minutes, 3 strikes no recess at all – and the one and only time I had 1 strike, I sat next to my teacher’s chair outside, tears streaming down my face, not because I was missing five minutes of recess but because until then I’d been a golden child and now the class – and all the other classes out there – knew my shame.
My 4th grade teacher had a similar system but used colors. Everyone started with a green card. You could earn up to three green cards a day, but you could also lose them, replacing them with yellow or, worse, the dreaded red. Red cards meant a phone call to the parents. Three red cards in a week meant detention. Some of the rowdier kids didn’t seem to care; they laughed in the face of those red cards. But as for me, the goody-two-shoes who hates disappointing people, I never wanted to get a red card.
What I wanted was public praise. I wanted those gold stars on my homework and the A+++ for a job extra well done. I wanted the teacher to call me out for my good behavior, make an example of me in a positive way. What can I say? I was a little bit of a Hermione Granger in my youth.
You’re probably wondering what any of this has to do with security awareness training or running a successful security awareness campaign. So many organizations struggle with getting user buy-in: engaging their employees to actually give a damn about their awareness training program, getting them to click through to the intranet and read the monthly newsletter and play the quarterly phishing game. Unless you’re in a situation in which you make every single bit of awareness training mandatory, you’ve probably struggled to get users to look at your training and think “Yeah, I think I’ll spend an hour tomorrow working on that!”
And this might be because you don’t have a color coded reward/demerit system in place.
Remember when we talked about what motivates people? People want to do a good job and do their job well, and unless something like extra training is mandatory, many of them will probably skip it. So you’ve got to tap into their fears and desires. People are scared of getting in trouble (well, the Hermione Grangers of the world); they’re scared of looking bad and want to impress. You’ve got to tap into the desire of some employees to impress the upper levels and the anxiety of others about not doing a great job. But how do you do that without stressing out your user base? How do you motivate them, using fear and desire, without burning them out?
Try a Security-Aware Employee of the Month approach. Many organizations call out bad behavior, pointing out when employees breach policy or click a phishing link. But unless there are real consequences (such as a Three Strikes, You’re Fired! policy), what is motivating them to actually care and change their behavior? I’ve heard from a few (not nearly enough) small-to-medium sized companies who go with the MVP approach. Each month, they choose one employee (or one from each department) who demonstrated super security-aware behavior. Maybe they completed more than the mandatory number of training modules (extra credit, ftw!), maybe they passed every phishing test you’ve thrown at them in the last quarter, maybe they reported a potential security incident in a timely manner. Whatever it was, they rewarded that behavior publicly by making a semi-big deal about it. It doesn’t cost anything to praise your security-aware employees (though one of the organizations gave out $10 Amazon cards to the winner), and it encourages good behavior from other employees because maybe they secretly crave public approval or prizes as well.
Try a public demerit system. Maybe we’re all too old for color codes and smiley faces, but people who make poor security decisions or go against policy should not get to slide by without being called out. Maybe you don’t have to name them, maybe you do. But other employees will not want to be like that guy who got in trouble, so they’ll read that newsletter, they’ll pay more attention to suspicious emails, maybe they’ll actually memorize the incident response phone number. After all, stopping security-UNaware behavior is the short-term goal. Encouraging security-aware behavior is the long game.
Try a leaderboard. Many modern LMSs offer some sort of gamified functionality that allows your users to see where they stand compared to other users. This can inspire a friendly sort of competition. “Did you try that new phishing game? I got 9 out of 10 on the first try.” “Yeah, well, I just reached Junior Wizard level.” This approach could work especially well with a younger user base – with millennials, if you will – who are already familiar with gamified apps such as Fitocracy and Duolingo that allow users to earn points for a job well done. It’s extra motivating to see that you’re a few points ahead of Jane down the hall from you, and if you just watch one more video, you’ll be in the lead for the week!
There are a lot of different approaches that you can try, and we’d love to hear from you what works and what doesn’t. Every organization has different needs and capabilities; you must find what will work within your own company structure, the same way each elementary school teacher must find which system works for their kids. Strikes, color cards, smiley faces… as long as there are real consequences for the demerits and some sort of treasure box to reward the good behavior, you’ll be successful.