Phishing continues to be the number one risk to organizational security, and companies are taking matters into their own hands, using security awareness training (SAT) and simulated phishing campaigns to educate their users to avoid malicious emails. Alongside those efforts comes another element: incentives. Many companies are using methods such as negative consequences for clicking on phishing emails, or positive rewards for reporting them. In a recent article for InfoSecurity Magazine, Arun Vishwanath discussed and weighed these methods, from threatening employees who click on phishing emails with more extreme punitive measures to financially rewarding those who report them. He found a rewards system is likely the most effective approach, although perhaps not one that doles out monetary rewards.
According to Vishwanath, “monetary incentives appeal to employees’ base needs, which are already met through their jobs, while social recognition appeals to higher order needs—what the famous motivational psychologist, Abraham Maslow, termed ‘esteem needs’: the human need for achievement, for respect, for prestige, and for a sense of accomplishment.” Vishwanath argues that, over and against any other form of incentive or disincentive, social recognition promotes the correct behavior, for the right reasons.
In an organization’s ongoing quest to create a widespread security-minded culture, this is extremely important. The goal is a system that not only gets potential threats reported quickly and effectively, but also fosters positive habits in employees.
How can these incentives be established? And if we already have anti-phishing programs in place, such as training or simulations, how can we tie them all together to create the most effective possible program? Well, if you’re using Global Learning Systems’ preferred method of anti-phishing education, then start by rolling out internal marketing campaigns that raise awareness of the gravity of the phishing threat, followed by courses that show users what to look for and avoid. Then, test their recognition with phishing simulation tests that provide just-in-time remediation for anyone “hooked” by the phish. And, ensure you make it easy to report a phish, using a tool like our PhishFinder.
We also recommend including security-based competencies in employee performance reviews and establishing a “CyberSec Stars” type of program that publicly recognizes individuals and teams with exceptional performance. As Vishwanath suggests: don’t worry too much about what you give them. Instead, focus on praising employees (publicly!) for prioritizing your organization’s best security interests.
Because phishing is so common, and so destructive, it’s easy to develop a purely reactive mentality toward phishing prevention. But it’s important to remember that, first and foremost, our goal is not to instruct employees simply not to do something dangerous or potentially harmful to company security, but instead to train them to take positive actions toward a more secure organization. The more we cement strong, diverse training programs that give users the tools to spot these threats, and, as Vishwanath argues, the more we incentivize their progress and continued education, the more we create a proactive mentality that encourages growth and awareness organization-wide.