For cybersecurity training, positive reinforcement is best
Traditional cybersecurity training methods often focus on negative reinforcement techniques, but experts say positive reinforcement is the best way to get results.
When an employee exhibits risky behavior, the traditional reaction from IT is first to reprimand and then have the employee go through a cybersecurity training session. This isn't the best way to change a user's risky behavior, experts say, and the better option is through positive reinforcement.
Traditional cybersecurity training methods amount to negative reinforcement, according to Masha Sedova, co-founder of Elevate Security, a security management firm focused on human risk, based in Berkeley, Calif. Negative reinforcement may make employees want to avoid future training, but it won't lead to meaningful risk reduction because it focuses on giving knowledge rather than changing behavior, she said.
"The idea is, if we just give them more knowledge and they know more, they are going to be less risky in our organizations, and we will have solved for a human risk," Sedova said. "But, as we have learned over several decades, it's not what employees know, but what they do that matters."
As new and constantly evolving risks threaten companies' data, employees remain the first line of cybersecurity defense. But, as an increasingly remote workforce faces these unforeseen threats, cybersecurity training methods must evolve as well.
Using anti-phishing software and relying on technical controls are also not enough and won't help build better habits, according to April C. Wright, cybersecurity consultant and author, though she agreed positive reinforcement is lacking in most security awareness efforts.
Negative reinforcement or punishment can lead to bad judgement, an inability to focus, reduced quality of life, or even create a disgruntled insider threat.
April C. WrightCybersecurity consultant and author
"Negative reinforcement or punishment can lead to bad judgement, an inability to focus, reduced quality of life, or even create a disgruntled insider threat," Wright said. "If people are not incentivized to act, they will not."
Identifying risky employees
Before implementing better cybersecurity training programs, organizations must be able to identify employees likely to exhibit risky behavior. Studies like the 2018 Verizon Data Breach Investigations Report have shown that, if employees click a phishing link once, they are more likely to repeat that mistake.
Sedova's research also revealed that how someone performed on an initial phishing test was particularly indicative of future performance and these higher-risk individuals may need specialized training.
"Cybersecurity training [traditionally] treats everybody as a one size fits all," Sedova said. "If we know that some people are more likely to click and other people are just less likely to, those require two very different [training] programs."
Roles matter, too. Those in the C-suite and in finance will often be targeted more due to their access to sensitive data, for example, but new hires are a group of high-risk employees that might get overlooked, Wright said. Employees new to the company are often eager to prove themselves but are also bombarded with paperwork, account setup emails, training links and other information as part of the onboarding process, making them good "starter targets."
"They may not have the access or authority yet, but they can be the beginning of infiltration of an organization through which a foothold can be gained," Wright said.
Better cybersecurity training through positive reinforcement
Negative reinforcement in cybersecurity training is not only ineffective in changing user behavior, but it can lead to users not reporting risks they encounter, Wright said. The better option is to create cybersecurity training focused on positive reinforcement.
One effective technique is called social proof, which compares a user's performance with a peer group to motivate users to care about the actions needed to avoid risks, according to Sedova. Employees might know phishing is a risk, but they need to know how it affects them personally, she added.
"The trick here is getting people to care about not clicking on links," Sedova said. "The best follow-up action is explaining the impact of their decisions, using encouraging and positive language that motivates them toward action."
Another popular option for positive reinforcement is through gamification, which provides virtual or tangible rewards that recognize the positive security actions taken by employees.
Wright said gamification can help to make security fun and even competitive.
Budgeting for a small quarterly prize that employees compete for through a points system by reporting phishing emails or other cybersecurity threats is one possibility, she suggested.
"Reward-based training works for people. If there is something we want, we will work for it," Wright said. "The same security concepts taught at work can be taught as personally relevant, and employees will retain and use the concepts and knowledge because it is directly important to them."
While the reward for good security could be money or a prize, simple recognition is also a powerful tool.
Wright suggested making special announcements about employees' cybersecurity behavior via email or a company newsletter or sending them a thank you note from the CEO. For her part, Sedova suggested managers should also consider looking beyond token recognition and rewarding good security professionally.
"Meeting with a manager when an employee does well over a period of time has been incredibly effective at giving them visibility," Sedova said. "They can see that doing security well can help them with potential career promotion as well."
Adapting remote security training
While gamification and positive reinforcement can help engage employees in cybersecurity training, the increasing numbers of remote workers will also force organizations to consider new ways of training and new topics to cover.
"Everyone is now juggling home lives and kids and work-from-home environments, where those distractions might not have been there in the office," Sedova said. "It's the responsibility of the security teams to think about a different way of engaging their employees."
These distractions might make employees more apt to put off an online cybersecurity training session, but companies can offer rewards to entice people to attend training programs in person, Wright said.
"Lunch-and-learn sessions remain a good training method, and I've even seen companies provide prepaid codes for a food delivery service to encourage people to attend," Wright said. "Programs should focus on providing resources and information specifically related to remote work threats and risks."
Email should be a last resort for remote cybersecurity training, said Brooke Pearson, program manager for the Chrome security and privacy team at Google, because there are better ways to engage attention.
"Now is the time to invest in instructional design and marketing tools and videos if you can afford it," Pearson said. "If your company is using Slack, I've seen employees engage with fun content more readily there than their already overflowing inbox."
Beyond adapting the usual training sessions regarding phishing and other risks, employees need to be made aware of their roles in protecting against the new risks that arise from working remotely, including mobile device data safety, confidential information protection and network security best practices.
With more people at home, training also needs to cover basic topics, such as not letting others use your work laptop, Wright said.
"Providing intranet guidance about things like what a guest network is and how and when to use one, setting auto-updates on all devices on the home network, and what to do if anything on the home network gets compromised are good ways to help protect remote workers," Wright said. "One small thing organizations can do is provide headphones free to employees for use in meetings to protect confidentiality of conversations."
