Using Reward Systems In Your Security Awareness Training Program
Posted by Mark Chapman—President & CEO of PhishLine • 5/16/2016
The effectiveness of reward systems in training greatly depends on the culture of the organization and the age, background, and job role of the various groups of employees.
The most interesting pattern for success we see is when organizations align their security awareness training reward system with the most effective incentive systems engrained in the business.
Is your organization metrics driven? We have seen great success where managers at every level of an organization include a security awareness scorecard every month, as part of their overall metrics scorecards. Of course, the managers need to see how this helps them be more effective rather than it being punitive. Work with the managers to find out what they are most afraid of happening in the business. If their fear is susceptible to happening because of a cyber or social attack, they are more likely to embrace your program as a solution to their problem rather than a distraction.
Is your organization audit-driven? We have seen great success where results of the awareness program were put in terms of formal observations or risk based audit findings with observation descriptions, potential business impact statements, recommendations and the whole audit-committee-style management response mechanisms.
Is your organization profit driven? Quality driven? Figure out how things actually get done and model the reward system for information security after the most effective reward system at the company.
Don’t reinvent the wheel! We have seen companies emulate very effective safety programs as the model for a security awareness program. This does not mean that they are merged. It simply means that if your organization values safety, talk to the safety director to see how success is measured, communicated, and rewarded.
Ultimately, the most consistent path to success is to tightly integrate the reward at all levels with the rest of the business reward structure to take advantage of the tone at the top, and to align the existing management structure to support the program because it provides real business value.
PhishLine’s in-depth reporting and Risk Based Surveys make it easy to test, report on, and then reward your employees in the way that mirrors successful programs at your organization. Contact us for ideas on how you can introduce a program to reduce risk and increase knowledge retention.