The first challenge facing security professionals who want to implement security awareness training is that the training is usually perceived as a punishment or a chore. How strongly it is perceived that way depends on how the training is contextualized, how it is delivered, and the organizational culture into which it is introduced.
As the renowned psychologist and behaviorist B.F. Skinner put it, “The behavior of the individual has been shaped according to revelations of 'good conduct' never as the result of experimental study.”
Skinner's theory of operant conditioning suggests that learning and behavior change result from both reinforcement and punishment.
Positive reinforcement strengthens a response and makes it more likely that users will repeat the behavior in the future. Punishment, not to be confused with negative reinforcement (which also strengthens a behavior, by removing something unpleasant), weakens a response and makes users less likely to repeat the punished action.
For example, you might implement a reward system through which employees receive a token for completing a training module or a reward for reporting a phishing email. These rewards create a positive experience and encourage repetition of the desired behavior.
However, if an employee falls for a phishing simulation and is then told, "Because you clicked on a phishing link, you must attend additional training," the message is a punishment: it signals the employee not to repeat the action, or to be more careful next time. But it also teaches employees to associate training with the consequence of a mistake, that is, with punishment.
The challenge lies in crafting security awareness communications and training that embed healthy cybersecurity habits in an engaging and effective manner. Terranova Security's CISO, Theo Zafirakos, offers practical advice on achieving this, emphasizing the importance of framing messages about training in a way that encourages positive behavior change.
What can organizations do?
Organizations can shape the effectiveness of cybersecurity training with their approach to presentation. Highlighting the positive outcomes of engaging with the training, such as using tokens of appreciation and gamification, can reinforce secure online habits and present the training as a beneficial reward.
Conversely, implementing remedial training as a consequence of actions like clicking on phishing links can serve as a deterrent, reducing the likelihood that such behaviors are repeated.
However, it is crucial to ensure that this approach does not leave employees feeling isolated or embarrassed, particularly if they are the only ones undergoing the training.
Offering comprehensive training to all employees, regardless of their performance in phishing simulations or other assessments, promotes a more inclusive learning environment.
This fosters a culture of continuous improvement and helps reframe mistakes as opportunities for growth rather than reasons for shame.
“The overall culture and approach of an organization towards ‘mistakes’ can influence perceptions. In a learning and growth-focused environment where continuous improvement is encouraged, additional training might be seen in a positive light. The organization is investing in its staff’s development. Conversely, in a disciplinary culture where mistakes are not tolerated, it could be seen as a form of punishment.”
Theo Zafirakos, CISO, Terranova Security
Cybersecurity Positive Reinforcement Tools
Despite its importance, cybersecurity training rarely excites employees. Making it engaging requires creative incentives, turning a necessary task into a source of pride and enjoyment for employees.
Here are the most effective reward categories:
Show your recognition and appreciation
Display and publish the best performers in your cybersecurity training program. This can be a simple email or a status update on your intranet, or an elaborate affair with posters and a ceremony to celebrate the employees with the highest scores.
Gamification modules can also achieve this with leaderboards that all employees can consult. Here, employees can compare their scores with their colleagues, driving friendly competition and encouraging them to do better every time.
Provide tangible rewards
You may also consider offering fun rewards that promote the importance of cybersecurity, such as webcam covers, privacy screens, or screen-cleaning cloths with best practices printed on them. These items reward training attendance while serving as helpful reminders of cyber-threats.
Implement a cybersecurity ambassador program
Once your cybersecurity training reaches maturity, adding a security awareness ambassador program can be a good idea. Such a program raises awareness of information security by empowering employees themselves to promote it among their peers.
Cybersecurity ambassadors are a great way to break up how content is presented and to provide a more relatable approach to cybersecurity in the workplace.
Monetary Incentives
You can offer rewards to teams or departments that achieve or surpass security awareness objectives, such as cash bonuses, company merchandise, gift cards, or team lunches.
Enacting Behavioral Changes Through Emotions
Most modern cyber-threats don’t rely on software vulnerabilities. Instead, they aim to catch users when they are inattentive or stressed. For this reason, cybersecurity awareness programs should focus on bringing about lasting behavior change. One of the most powerful ways to achieve this is by focusing on the positive emotions your users experience when they practice correct cybersecurity habits.
Once users start applying what they learn, their positive emotions become an additional reward. Here are the emotions you should target in your training:
Pride
A sense of approval of oneself and pleasure on detecting a phish. Employees feel proud of not falling victim and of outsmarting the attacker, whether real or simulated.
Confidence
Confidence is a strong sense that one is able to detect a phish. Users stop worrying about being caught out because they are confident they have the knowledge to recognize a phishing attempt.
Relief
Relief is the sense of joy or comfort when a situation you're unsure about ends positively or when you successfully avoid a negative result. This can happen after you click on a link but realize you have landed on a phishing website and do not submit any data. Even then, the click should still be reported: a landing page can attempt to deliver malware without any form being submitted, and the security team needs to know the link was opened.
Admiration
The feeling of approval, respect, and appreciation for the security awareness program occurs when the users can apply what they learned in the real world.
Motivation
This is the desire to do the right thing to achieve a specific goal. For example, users take the time to report detected phishing attempts instead of simply deleting them. Reporting allows the security operations center to identify other recipients of the same message, check whether any of them clicked, and block the sender or the malicious URL before more users are affected.
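To make that triage step concrete, here is an added example (not part of the original article, and not code from any Terranova Security product) of the lookup a SOC runs on a user-reported phish. It assumes a hypothetical mail-gateway log schema, constructed inline below: each record carries the sender, the recipient, the first URL found in the body, and whether the recipient clicked it, as a URL-rewriting proxy would record. The reported message is matched to the rest of the campaign by sender domain or by URL host, and the result is the list of other recipients, the ones who clicked, and the senders and hosts to block.

```python
"""Triage a user-reported phishing email against a mail-gateway log.

Added example with a hypothetical log schema and constructed sample data;
it is not the article's or any vendor's code.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class MailRecord:
    """One delivery record as a mail gateway might log it (hypothetical schema)."""
    msg_id: str
    sender: str
    recipient: str
    subject: str
    url: Optional[str]   # first URL extracted from the body, if any
    clicked: bool        # whether the URL-rewriting proxy saw this recipient click


# Constructed sample log: one campaign from a lookalike domain (examp1e-corp.com,
# digit one instead of the letter l), plus legitimate mail that must not be swept up.
MAIL_LOG: List[MailRecord] = [
    MailRecord("m1", "payroll@examp1e-corp.com", "alice@example.com",
               "Action required: update your direct deposit",
               "https://examp1e-corp.com/payroll/login", clicked=False),
    MailRecord("m2", "payroll@examp1e-corp.com", "bob@example.com",
               "Action required: update your direct deposit",
               "https://examp1e-corp.com/payroll/login", clicked=True),
    MailRecord("m3", "hr-noreply@examp1e-corp.com", "carol@example.com",
               "Direct deposit confirmation",
               "https://examp1e-corp.com/payroll/confirm?u=carol", clicked=True),
    MailRecord("m4", "payroll@example.com", "dave@example.com",
               "Payslip for March", "https://hr.example.com/payslips", clicked=True),
    MailRecord("m5", "newsletter@vendor.example", "alice@example.com",
               "April newsletter", "https://vendor.example/news", clicked=False),
]


def url_host(url: Optional[str]) -> Optional[str]:
    """Lower-cased host part of a URL, or None when there is no usable URL."""
    if not url:
        return None
    return urlparse(url).hostname or None   # urlparse already lower-cases the host


def sender_domain(address: str) -> str:
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def find_campaign(reported: MailRecord, log: List[MailRecord]) -> List[MailRecord]:
    """Every record that shares the reported message's sender domain or URL host."""
    domain = sender_domain(reported.sender)
    host = url_host(reported.url)
    return [
        r for r in log
        if sender_domain(r.sender) == domain
        or (host is not None and url_host(r.url) == host)
    ]


def triage(reported_msg_id: str, log: List[MailRecord]) -> dict:
    """Expand one reported message into the affected users and the indicators to block."""
    try:
        reported = next(r for r in log if r.msg_id == reported_msg_id)
    except StopIteration:
        raise ValueError(f"reported message {reported_msg_id!r} not in log") from None
    campaign = find_campaign(reported, log)
    return {
        "recipients": sorted({r.recipient for r in campaign}),
        "clicked": sorted({r.recipient for r in campaign if r.clicked}),
        "block_senders": sorted({r.sender for r in campaign}),
        "block_hosts": sorted({h for h in (url_host(r.url) for r in campaign) if h}),
    }


if __name__ == "__main__":
    # Alice reports m1; the SOC learns that Bob and Carol also got the campaign
    # and both clicked, while Dave's genuine payslip mail is left alone.
    for key, value in triage("m1", MAIL_LOG).items():
        print(f"{key}: {value}")
```

Matching on the whole sender domain is a deliberate simplification that suits lookalike domains. If a campaign comes from a compromised account at a legitimate partner domain, blocking that domain wholesale would cut off real mail; in that case block the specific sender and URL host instead, which is why the result separates the two lists.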
The Importance of Gamification in Cybersecurity Awareness Training
Gamification refers to training that borrows elements of video games, such as player scores and leaderboards, to reinforce crucial concepts.
Another common element of gamification is the type of content. Video games are popular because they offer immersive experiences that encourage users to keep playing. Creating rudimentary point-and-click games can be a great way to make cybersecurity training more engaging, which improves retention.
In addition to these methods, scenario-based microlearning modules allow learners to navigate through different situations, receiving feedback on their decisions in a controlled environment. This method supports the reinforcement of key concepts through practical application.
Cyber Game modules help reinforce crucial information security knowledge, add an engaging element to your existing training program, and build threat resilience by educating end users on tactics used in phishing, social engineering, ransomware, and other cyber-attacks.
Better Habits for Better Cybersecurity
Cultivating a culture where cybersecurity habits are second nature starts with positive reinforcement, making the learning process both rewarding and engaging.
Coupled with gamification, which adds an element of friendly competition through leaderboards and interactive content, these strategies ensure that cybersecurity education is practical and enjoyable.
Organizations can encourage active participation in cybersecurity training by focusing on these positive reinforcement techniques and integrating gamification.
This enhances the learning experience and reinforces the importance of cybersecurity in a way that sticks, laying the foundation for a resilient and aware workforce equipped to tackle the challenges of the digital age. Ready to see the difference for yourself?
Try our gamified content for free and experience firsthand how engaging cybersecurity training can be.