Ambassadors of security training programs often struggle to find the most effective way to drive success. The ultimate purpose of these programs is to change employee behavior and create a more secure organization.
Put simply, behavior is influenced by either reinforcement (i.e., encouraging employees to perform behaviors that we like) or punishment (i.e., discouraging employees from performing behaviors we don't like). This framework has to do with how the human brain works. Our neural pathways are designed to prompt action when we've learned that we will get a reward and to avoid action when we've learned that a bad result will follow.
Which is best when it comes to driving success in a security training program: the carrot or the stick? The answer is that it depends. Let's dig a little deeper.
When we want to drive employees to action, for example completing training or practicing secure behaviors, research shows that positive reinforcement, that is, providing a reward to encourage the desired behavior, is most effective. By providing a reward for the desired behavior, we teach the brain to elicit a go response when prompted with the same context.
For example, suppose we implement a reward system through which employees receive a token for completing a training module and a prize after accruing a certain number of tokens. Knowing this, when employees receive a notification to complete training, a go response is triggered: see notification, complete training, get reward.
Alternatively, our neural pathways are trained to send a no-go signal when we have learned that a given behavior, in a given context, leads to a negative result. For example, a user clicks a link in a simulated phishing campaign, receives a "Whoops! You clicked a suspicious link!" message on a point-of-failure page, and is automatically enrolled in remediation training.
This is unpleasant, and our brain wants to avoid unpleasant results. Over time, that user learns to PAUSE and think before clicking on a link (i.e., a no-go signal from the brain) to avoid the negative result.
Let's bring these two concepts together in the context of a simulated phish. We should discourage clicking while also encouraging the user to report suspicious emails. Consider implementing punishment in the form of point-of-failure training and a reward for reporting suspicious emails. This framework conditions the no-go signal to encourage users to PAUSE before clicking and the go signal to encourage users to report suspicious emails.
A successful motivational and behavior change strategy requires thoughtful intervention designed for the way humans learn. When you're designing your security training program, consider which behaviors you want to encourage and which you want to eliminate, and choose appropriate rewards and punishments accordingly.