The impact of corporate culture on security awareness is often misunderstood. Many companies are training employees with carrots, not sticks. Changing from a “fear “ to a “reward” based culture. Some companies are using games, contests and prizes to train employees on safe practices for cyber security and having great results.

Companies are starting to take a new approach to getting employees to be more vigilant about cyber security. Instead of punishing employees when they make mistakes, they’re rewarding them when they do something good.

The problem is that the usual security training is a big turnoff for employees. Most of the time, all it does is try to instill fear of clicking on suspicious links or using weak passwords. But research shows that approach doesn’t work. Even with training, employees are still prone to making simple security mistakes that leave a company vulnerable to damaging hacks.

Now some companies are abandoning the stick for the carrot. In some cases, they’re using rewards, games, contests and prizes to teach employees lessons about staying safe, and research suggests the new approaches are working.

The current training sends the wrong message. Ask a young colleague to do word association, when you say dog, they say cat. But when you say cybersecurity, they will say, ‘I’m sorry I clicked that email, please don’t send me to cybersecurity training.’ They’re terrified.”

Prizes for safety

Success is crucial since many security experts say that the biggest threat companies face is from within, from careless employees. Despite years of employee training, an estimated 91% of cyberattacks begin with a “phishing” email, in which an employee clicks on an unsafe link.

One of the biggest efforts to rethink training comes from Facebook Inc., which holds a “Hacktober” event every October to coincide with National Cybersecurity Awareness Month. In this monthlong program, Facebook tests employees by simulating a variety of phishing attacks, spam campaigns and other threats. Staffers who fend off the attacks are rewarded with memorabilia and other prizes. Betsy Bevilacqua, head of security programs and operations at Facebook, says the program has experienced “high engagement rates” and has been met with “a lot of positive feedback.”

At Layer 8 Security, we take traditional training methods and make them more personal. Some, for instance, use a system where security teams identify executives who present especially valuable targets for hackers, then train the executives and their families at home. The personal setting helps to get the lessons across.

Some major companies have adopted a method where security experts don’t do the knowledge training yet their regular employees do. In this setup, employees without a security background are trained in best practices. Then they get incentives to help their co-workers by conducting training sessions, organizing contests and approaching security in a way non-technical employees can understand.

It’s one thing to hear from the corporate security team, but another to hear about these things from your mate.

The employees who led training would get points “which could be turned in for airline tickets, a parking spot, free clothing or something fun like a lock-picking class.

Slow to catch on

Positive-reinforcement campaigns are often one of the best ways to modify risky behaviour, but they’re “definitely an outlier” in the corporate world. Companies typically rely on awareness tests and off-the-shelf tutorials, which are often useless because employees see them as a chore.

Other simple security measures are often ignored as well. In 2016, researchers at the Computing Technology Industry Association, dropped 200 USB sticks in airports and coffee shops around the country, only to find that a significant number of passers-by, including several IT industry workers, cybersecurity experts and people who said they were aware the device may have been infected with malware, picked up the devices and plugged them into a computer.

Evidence is piling up that games and other exercises using positive incentives do get the job done. It is also been found that staff changed their cybersecurity behaviour after a phishing exercise that sent encouraging emails for correct behaviour and reprimanding emails for incorrect behaviour. Feedback and behavioural reinforcement messaging in our experiments led to improvements in risky behaviour on both phishing email and password use.