The following is a guest post from our partner PhishLine.

Most successful security awareness programs leverage some kind of reward for participation, completion of training, and demonstration of safe behaviors. Organizations that need to take their program to the next level require a thoughtful and proven approach to creating the best reward system, using the secrets for success already embedded in their particular environment.

At the individual employee level, what works and what does not depends greatly on the culture of the organization and on the age, background, and job role of the various groups of employees.

The most interesting pattern for success we see is when organizations align the security awareness training reward system with the most effective incentive systems ingrained in the business.

Is your organization metrics-driven?

We have seen great success where managers at every level of an organization include a security awareness scorecard every month as part of their overall metrics reporting process. Of course, the managers need to see how this helps them be more effective rather than it being punitive. Work with them to find out what they are most afraid of happening in the business. If that is susceptible to happening because of a cyber or social attack, they are more likely to embrace your program as a solution to their problem rather than a distraction.

Is your organization audit-driven?

We have seen great success where the results of the awareness program were put in terms of formal observations or risk-based audit findings, complete with observation descriptions, potential business impact statements, recommendations, and the whole audit-committee-style management response mechanism.

Is your organization profit-driven? Quality-driven?

Figure out how things actually get done and model the reward system for information security after the most effective reward system at the company.

Is there a similar program that has been effective?

We have seen companies emulate very effective safety programs as the model for a security awareness program. This does not mean that the two programs are merged. It simply means that if your organization values safety, you should talk to the safety director to see how success is measured, communicated, and rewarded.

Ultimately, the most consistent path to success is to tightly integrate the reward at all levels with the rest of the business reward structure, taking advantage of the tone at the top, and to align the existing management structure to support the program because it provides real business value.


Editor’s Note: This blog article was written by an outside contributor – a guest blogger – for the purpose of offering a wider variety of content for our readers. However, the opinions and recommendations expressed in this guest blog are solely those of the contributor, and do not necessarily reflect those of The Security Awareness Company, LLC. If you are interested in writing something for us, please do not hesitate to contact us:

Mark Chapman for PhishLine

President & CEO at PhishLine
PhishLine specializes in helping Information Security Professionals meet and overcome the increasing challenges associated with social engineering and phishing threats. PhishLine provides a powerful blend of risk-based objectivity and robust metrics and reporting to human layer security efforts.