One of the challenges in creating a high-impact security awareness program is how to reward good behavior. Enforcement is obviously important to any awareness program, but at some point it needs to be combined with positive reinforcement. This is not as simple as it seems, however: it turns out that rewarding good behavior can have bad results.
For example, let's say you want to promote the reporting of incidents. You teach your employees the indicators of compromise and how to report them to your security team. To promote this, you decide to give a free lunch to anyone who detects an infected computer. While at first this sounds good, within two weeks you will most likely have every employee surfing dodgy websites and downloading free screensavers in the hope of getting infected. Your reward changed behaviors, just not the ones you wanted.

Another challenge is cost. Let's say one of your employees gets hit with a social engineering phone call and does the right thing: they identify the attack for what it is and report the attacker to your security team. To reinforce this behavior, you immediately reward the employee with a $50 gift certificate. The problem is that you have now set a precedent. Any time an employee spots a real attack, they will expect to be paid a reward, and you can quickly bankrupt your awareness budget.

The trick to rewarding is making sure you motivate the right behaviors while keeping your budget in check. Here are some tips.
- Rewarding behavior does not require material goods; public recognition can go a long way. I know of several organizations that post an example of an employee doing the right thing in their monthly security awareness newsletters.
- If you do want to hand out a reward, keep it small. One organization I know does nightly desktop checks at the office, making sure computers are locked and sensitive materials are securely stored. When they find violators, they take note. For those who are doing the right thing, however, they leave a jelly bean on the desk. The next morning employees come in and find their reward. Little gifts like this can really have an impact.
If you really want to pump up the volume, I really like how Cindy Daily and her team at Geisinger Health Systems reward people; it's a combination of the two methods just discussed. Here is their process, in her own words.
"If people are practicing good security habits, we leave a slip for them to be entered into a drawing. If they are not, we leave a pamphlet letting them know what they can do better to be secure or policy compliant. We post the winners on the Intranet, as well as articles on our findings about what we as an organization can do better."
Rewarding is tricky. Our first reaction is to reward people as much as possible, but be sure to think things through. You want to be sure you are promoting the right behaviors and not setting costly precedents.