Positive reinforcement to build a healthy security culture

Travis Good
November 21, 2022

We need more positive connections between security and employees. And who doesn’t smile when they hear or see an ice cream truck?

Every negative connection - message, training, nudge, alert, etc. - between employees and infosec is not just a missed opportunity; it pushes employees further from security. And, given the state and scale of direct user threats today, every employee should be more closely aligned with security.

Below are some of the examples that risk being perceived by employees as negative.

👉 Phishing training when employees fall for phishing campaigns.

👉 Failure to pass or complete security awareness training.

👉 Flagging people for reusing passwords exposed in data breaches.

👉 Assigning and forcing employees to complete security awareness training that feels irrelevant and like a waste of time.

👉 Telling employees they have a high “human risk” or that they are higher risk than their co-workers.

Employees need positive interactions with security so they don’t come to dread seeing messages from security teams and security apps. Security needs to build (back) goodwill with employees while at the same time increasing the number of touchpoints.

Building Goodwill Between Employees and Security

How does security build back goodwill with employees? And how do you do it with workforces that are remote and being asked to do more with less?

It takes time. But it does not have to be hard. The most important thing is to be consistent. To do that, some of the below (or some other approaches) need to be baked into your human risk and infosec programs.

Below are techniques that can help build positive perceptions of security.

Make Security Messages and Content Personal

Getting generic messages - security alerts or nudges, notifications, reminders, and even training - is a fast way to get an eye roll and push employees towards simply checking a box on whatever is being asked of them. They will also come away feeling that it was not important. Make connections between security and employees personal, based on user actions or user questions, or even on things that are relevant to the job a person does or the apps they use. Most vendors make it easy to tailor security awareness training to individuals and groups.

Don’t Just Gamify Human Risk

Gamification of security training, and especially of human risk, has become a common technique with vendors. This is fine. But it does not go far enough. Using negative human psychology against your employees is a fast way to turn them off to security. Some companies market showing users benchmarks against other employees; in at least half the cases this shows a user not doing some proper security technique that most of their colleagues are doing. Use positive gaming mechanics for security awareness to engage and motivate your employees.

Encouraging Good Security Hygiene

Instead of shaming people into doing things because other people do them, simply encourage positive security hygiene by sending kudos when they do it. If you run a periodic check on a specific setting, send a positive note to the users who have that setting configured correctly. It is really that simple. You’d be surprised how this very small action builds goodwill.
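Here is what that periodic check can look like in practice. This is an added example, not code from the original post or from Haekka: it assumes a directory export with one JSON record per user carrying a boolean setting (the name `mfa_enabled` and the sample users are constructed), plus a small set of who has already been thanked, so each person gets kudos once, right after they fix the setting, and nobody is sent a comparison against their peers.

```python
"""Periodic setting check that produces kudos for compliant users only.

Added example (not the post's or Haekka's code). Assumptions: a
newline-delimited JSON export of users with a boolean SETTING field, and
a persisted set of e-mails already thanked so the job is idempotent.
"""
from dataclasses import dataclass
import json

SETTING = "mfa_enabled"  # assumption: the boolean setting being checked

# Constructed sample export; in a real job this would come from the IdP.
SAMPLE_EXPORT = """
{"email": "ana@example.com", "name": "Ana", "mfa_enabled": true}
{"email": "ben@example.com", "name": "Ben", "mfa_enabled": false}
{"email": "cy@example.com",  "name": "Cy",  "mfa_enabled": true}
"""


@dataclass(frozen=True)
class Message:
    to: str
    text: str


def load_users(export: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in export.splitlines() if line.strip()]


def plan_messages(users: list[dict], already_thanked: set[str]) -> tuple[list[Message], set[str]]:
    """Return kudos for newly compliant users and the updated thanked set.

    Users without the setting get no message from this job at all: the
    check exists to reward the good state, not to flag or rank the rest.
    A user who turns the setting off is dropped from the thanked set, so
    they are thanked again if they turn it back on.
    """
    messages: list[Message] = []
    thanked = set(already_thanked)
    pretty = SETTING.replace("_", " ")
    for user in users:
        email = user["email"]
        if user.get(SETTING) is True:
            if email not in thanked:
                messages.append(Message(
                    to=email,
                    text=f"Thanks for keeping {pretty} on, {user['name']}. "
                         "It protects your account and everyone else's.",
                ))
                thanked.add(email)
        else:
            thanked.discard(email)
    return messages, thanked


def run_once(export: str, thanked_state: set[str]) -> tuple[list[Message], set[str]]:
    """One scheduled run: load, plan, and hand back the new state to persist."""
    return plan_messages(load_users(export), thanked_state)


if __name__ == "__main__":
    msgs, state = run_once(SAMPLE_EXPORT, {"cy@example.com"})
    for m in msgs:
        print(f"-> {m.to}: {m.text}")
    print("thanked:", sorted(state))
```

The job returns the messages and the new state rather than sending anything itself, so the same planning logic can feed Slack, e-mail, or a dry run, and a second run against unchanged data produces no messages at all.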

Workflows - Positive User Behavior in SaaS

At Haekka, we have found that users appreciate positive feedback more than negative and sometimes punitive feedback. With Workflows, we encourage managers and admins to send just as many positive sentiment messages for good security decision making as negative or instructive feedback. This is particularly effective with Workflows as it compresses the feedback loop so that users are getting positive feedback the instant they take the associated action.

Phishing - Keep Kudos Coming

Phishing campaigns often have a negative connotation. That’s because users are often shamed for clicking on links in phishing campaigns and forced to do extra training when they do. It’s just more work. Haekka’s phishing simulator instantly sends positive reinforcement to users, and optionally to their managers, when users either simply take no action on a phishing email or report it as phishing. And, because all messages from our phishing simulator are delivered instantly in Slack, users attach that warm fuzzy feeling to the positive action.

Goodwill Increases Reporting of Security Incidents

One of the offshoots of building goodwill between security and employees is that employees will be less resistant to approaching security with questions or when security incidents happen. This alone is a reason to consider implementing more positivity into your security awareness and phishing programs.