How to Implement Consequences and Rewards in Your Security Awareness Program
Your security awareness program can’t be based on consequences alone or rewards alone – it needs to incorporate both. Implementing both consequences and rewards can feel like a balancing act, so we’ve broken down how each works and how both can be easily incorporated into your existing security awareness program.
Consequences
Falling for a phishing simulation or engaging in other risky cyber behavior is associated with a sense of shame, so you should be careful about how consequences are delivered. Consequences should be used to create instant behavior change. If someone clicks on a phishing simulation, an automated email notifying them of the click and requiring them to complete remedial training is a consequence.
If you never reward employees for engaging in good cyber behavior and only provide consequences for risky cyber behavior, employees will associate cybersecurity only with consequences and it will have a negative connotation for them. Because of this, it’s important to give employees a chance to redeem themselves and reward them for completing remedial training and engaging in cyber safe behavior.
Rewards
Positive reinforcement or rewards can be used to create long-term behavioral change. They’re used to inspire employees by reinforcing good cybersecurity behaviors continuously so that employees are motivated to report phish and engage with your security awareness program to protect their organization.
After an employee completes remedial training, they should be rewarded to encourage them to continue practicing good cyber behavior. Unlike consequences, rewards shouldn’t be used sparingly. If an employee reports a phish, completes a course or survey, or does anything else you want to encourage them to do again, positive reinforcement with rewards is an excellent way to motivate them to continue the desired behavior.
In the next section we’ll break down different ways that you can reward employees for engaging in good cybersecurity behavior through positive reinforcement.
Types of Rewards
There are two types of rewards: intrinsic and extrinsic.
Intrinsic
Intrinsic rewards include forms of recognition, points, scores, titles, badges, certificates or other mostly intangible rewards. Often considered “feel good” rewards, they have a lasting impact on the employee and can become an integral part of your cybersecurity awareness program to reward good behavior like completing a survey, training or reporting a phish.
Extrinsic
Extrinsic rewards include gift cards, prizes and other tangible rewards. These rewards have a short-term impact but are a great way to initially increase engagement and can be awarded for the same achievements as intrinsic rewards.
Many organizations use intrinsic rewards all year and only use extrinsic rewards once or twice a year to continue to boost engagement. Cybersecurity Awareness Month is an excellent opportunity to use extrinsic rewards to place more of a focus on security in your organization.
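The consequence-and-reward flow described above (a simulation click triggers a notification and remedial training; completing that training, reporting a phish or finishing a course earns intrinsic rewards such as points and a badge) can be expressed as a small event-processing rule set. The following is an added illustration written for this page, not code from any security awareness platform or from the article’s author; the event names, point values, badge name and threshold, and the sample event log are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed point values for rewarded behaviors and an assumed badge threshold.
# These numbers are illustrative, not recommendations from the article.
POINTS = {"phish_report": 10, "course_complete": 5, "remedial_complete": 5}
BADGE_NAME = "Security Champion"
BADGE_THRESHOLD = 20


@dataclass
class EmployeeRecord:
    """Per-employee state kept by the awareness program."""
    points: int = 0                      # intrinsic reward: running score
    badges: List[str] = field(default_factory=list)
    remedial_pending: bool = False       # consequence: training assigned, not yet done
    notifications: List[str] = field(default_factory=list)  # emails we would send


def _award(rec: EmployeeRecord, amount: int) -> None:
    """Positive reinforcement: add points and grant the badge once the threshold is met."""
    rec.points += amount
    if rec.points >= BADGE_THRESHOLD and BADGE_NAME not in rec.badges:
        rec.badges.append(BADGE_NAME)
        rec.notifications.append(f"Congratulations, you earned the {BADGE_NAME} badge")


def apply_event(rec: EmployeeRecord, kind: str) -> None:
    """Apply one behavior event to an employee record.

    Consequences are immediate and non-punitive beyond the remedial assignment;
    rewards are given for every desired behavior, including redeeming a click.
    """
    if kind == "sim_click":
        # Consequence: notify the employee and assign remedial training.
        rec.remedial_pending = True
        rec.notifications.append(
            "Phishing simulation clicked: remedial training has been assigned"
        )
    elif kind == "remedial_complete":
        # Redemption: clear the pending consequence and reward completion.
        rec.remedial_pending = False
        rec.notifications.append("Thanks for completing remedial training")
        _award(rec, POINTS[kind])
    elif kind in POINTS:
        # Ordinary good behavior (reporting a phish, finishing a course).
        _award(rec, POINTS[kind])
    else:
        raise ValueError(f"unknown event kind: {kind}")


def process_events(events: List[Tuple[str, str]]) -> Dict[str, EmployeeRecord]:
    """Fold a chronological (employee, event_kind) log into per-employee records."""
    records: Dict[str, EmployeeRecord] = {}
    for employee, kind in events:
        rec = records.setdefault(employee, EmployeeRecord())
        apply_event(rec, kind)
    return records


# Constructed sample event log (not real data): alice clicks a simulation,
# redeems herself, then reports phish; bob only reports phish.
SAMPLE_EVENTS = [
    ("alice", "sim_click"),
    ("alice", "remedial_complete"),
    ("alice", "phish_report"),
    ("bob", "phish_report"),
    ("bob", "phish_report"),
    ("alice", "phish_report"),
]

if __name__ == "__main__":
    for name, rec in process_events(SAMPLE_EVENTS).items():
        print(name, rec.points, rec.badges, rec.remedial_pending)
        for note in rec.notifications:
            print("  ->", note)
```

Note that the click itself never subtracts points: the consequence is the notification plus the training assignment, and completing that training is rewarded like any other good behavior, which is the redemption path the article argues for.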