How to Implement Consequences and Rewards in Your Security Awareness Program

Written By Guest User

Your security awareness program can’t be based on just consequence or rewards – it needs to incorporate both. Understanding how to implement both consequences and rewards into your program can feel like a balancing act, so we’ve broken down how both work and can be easily incorporated into your existing security awareness program.

Cartoon graphc of people on laptop - one character taking off on a rocket

Consequences

Falling for a phishing simulation or engaging in other risky cyber behavior is associated with a sense of shame, so you should be cautious how consequences are dealt. Consequences should be used to create instant behavior change.  If someone clicks on a phishing simulation, an automated email notifying them of this and having them complete remedial training is a consequence.

If you never reward employees for engaging in good cyber behavior and only provide consequences for risky cyber behavior, employees will associate cybersecurity only with consequences and it will have a negative connotation for them. Because of this, it’s important to give employees a chance to redeem themselves and reward them for completing remedial training and engaging in cyber safe behavior.

Cartoon graphic of man sitting at desk looking stressed

Rewards

Positive reinforcement or rewards can be used to create long-term behavioral change. They’re used to inspire employees by reinforcing good cybersecurity behaviors continuously so that employees are motivated to report phish and engage with your security awareness program to protect their organization.

After an employee completes remedial training they should be rewarded to encourage them to continue practicing good cyber behavior. Rewards shouldn’t be used sparingly like consequences. If an employee reports a phish, completes a course or survey, or anything else you want to encourage them to do again, positive reinforcement with rewards is an excellent way to motivate employees to continue the desired behavior.

 In the next section we’ll break down different ways that you can reward employees for engaging in good cybersecurity behavior through positive reinforcement.

Cartoon graphic of man walking up steps of books toward giant award

Types of Rewards

There are 2 types of rewards: intrinsic and extrinsic.

Intrinsic

Intrinsic rewards include forms of recognition, points, scores, titles, badges, certificates or other mostly intangible rewards. Often considered “feel good” rewards, they have a lasting impact on the employee and can become an integral part of your cybersecurity awareness program to reward good behavior like completing a survey, training or reporting a phish.

Extrinsic

Extrinsic rewards include gift cards, prizes and other tangible rewards. These rewards have a short-term impact but are a great way to initially increase engagement and can be awarded for the same achievements as intrinsic rewards.

Many organizations use intrinsic rewards all year and only use extrinsic rewards once or twice a year to continue to boost engagement. Cybersecurity Awareness Month is an excellent opportunity to use extrinsic rewards to place more of a focus on security in your organization.

Guest User
Previous

Phishing Deep Dive: How to Effectively Phish Employees
Next

The Fundamentals of a Security Awareness Program