Do you think rewarding or recognizing individuals for secure behavior is an effective strategy? How is this tactic applied at your organization?
At our office, we focus more on intrinsic motivation. While extrinsic rewards can be effective, we aim to build a sense of ownership and understanding of the importance of security among our staff. We continuously monitor the environment and look for certain behaviors and patterns in network usage. Our focus is on fostering pride in working for the organization and building a team mindset.
Our organization has a tradition of recognizing individuals for their contributions, not just in cybersecurity. We have a program called Apple Way where we share stories about individuals or groups who have done something remarkable to help our members or the credit union stay safe. We vote on these nominees and the winners are formally recognized. They also receive points which can be redeemed for various items.
While we don't currently reward or recognize individuals for secure behavior in my organization, I do see the value in this approach. The challenge lies in determining how to effectively reward people without disincentivizing others. For example, how would we reward people for not clicking on phishing emails? It's a great idea in theory, but operationalizing it can be tricky.
I believe that rewarding or recognizing individuals for secure behavior is an effective strategy. At the college, we allocate a significant portion of our budget for Cybersecurity Awareness Month in October. We offer educational opportunities, awareness events, and even campus tours to raise awareness about cybersecurity. We also have a recognition program called the CC coins program, which is a digital currency that we award to staff for various achievements, including excellence in cybersecurity. These coins can be redeemed for physical prizes or school swag.
I'd like to add that rewards don't necessarily have to be monetary. For example, we run phishing campaigns and there's a sense of competition among our Vice Presidents to identify phishing emails. We even made a custom shirt for the person who identified the most phishing emails. Recognition can be just as effective as a reward.
Acknowledging and rewarding good performance is a normal people-development best practice in the workplace. As such, doing so for compliance with security (and other corporate) policies and behaviors should not be any different. I don’t believe the strategy to incentivize a security mindset should be questioned; however, I agree it is difficult to execute. Prescriptive policies are useful, but the mindset needs to be embedded as corporate culture.
At our organization, it’s done through events and celebrations (e.g., gamification and contests with prizes and corporate recognition), especially during the month of October (National Cybersecurity Awareness Month). These regular activities keep the importance of cybersecurity top of mind for all staff, reinforced with gifts and cash prizes as well as public recognition among peers.
Note that we also have other tactics, including phishing campaigns. Although the offenders are not named publicly, they are made aware that they’ve fallen for the test. So, we employ a combination of different tactics in addition to reward and recognition.