As a security leader, you understand the need for cybersecurity awareness training. When it comes to security, the best defense is a strong offense, made with individuals in your organization. 

But from the employee point of view, traditional security training can be seen as boring, irrelevant, tedious, overwhelming, patronizing, and the list goes on. 

To make matters worse, some organizations—mostly unintentionally—use shame, fear, or punishments to motivate behavioral change. Examples of threats or punishments include reprimands, public shaming, disciplinary action, and even dismissal. 

Why fear is used as a motivation tool

Illustration of a police car on a light beige background. (Whitney Matterfiis for BrainStorm, Inc., 10-25-2021)

So why do organizations choose shock value—specifically, fear—as a motivator? Easy. Fear is effective. 

Governments, parents, leaders, teachers, marketers—anyone—may use fear to get people to act (e.g., buy, comply, obey, or learn). Most often, this happens by appealing to a sense of loss, hardship, pain, suffering, restrictions, and not fitting in. 

Imagine that you’re hurrying home, not paying attention to your speed until you see flashing lights behind your vehicle. 

We’ve all been there, sitting on the side of the road waiting for the verdict. In the case of a speeding ticket, the choice is to remit payment or appear in court. Choosing not to comply could mean the state will revoke your license.  

No surprise, most of us are completely motivated to comply. We want to keep our driver’s license and the independence that comes with it. And whenever we drive in that area, we pay attention to our speed to avoid a potential ticket.

In this scenario, fear pays. The city uses it to encourage slower and safer driving—then there's the extra money in its treasury.

But in business, a fear-based approach to cybersecurity can backfire.

Cybersecurity training and the employee experience

When employers look to improve their cybersecurity stance, they sometimes ignore the employee experience. 

According to a Forrester report, Best Practices: Successfully Influencing Employee Cybersecurity Behavior (available to Forrester subscribers or for purchase), punishing users can damage not only the employee experience, but the organization as well.  
 
In fact, Forrester finds that a punitive approach: 

  • Reinforces employees’ negative perceptions and resentment of the security team 
  • Fosters destructive behavior, which puts the organization at more risk 
  • Humiliates employees and causes psychological damage 
  • Lands organizations in a legal or brand minefield 
  • Encourages employees to hide failures and mistakes, leading to security blind spots 

Back to the speeding scenario. For most of us, getting a ticket can cause ripple effects.  

For instance, it’d be great never to see that particular officer again. Then there’s the lingering embarrassment from knowing better (but still having a heavy foot).  

Of course, an employer-employee relationship is more complex than a one-time event with an anonymous officer. Employees are motivated by paying the bills, but also by self-esteem and the pride that comes from a personal contribution to the workforce. 

At the end of the day, employers who care about the human side of cybersecurity will offer an engaging, empathetic, shame-free approach to cybersecurity training. 

Examples of ineffective training

Too many cybersecurity training events feel dry and technical to employees. And most threat awareness training doesn’t account for different learning styles. 

Phishing simulation is just one example of a cyber-awareness exercise that can go wrong. 

The concept is solid: thinking like a scammer and sending your own email to see if employees take the bait. The trouble is, many organizations create simulated phishing emails without thinking of the employee experience. 

Several simulated phishing tests have been in the news following employee backlash; namely, 

  • The global banking organization ABN Amro sent a simulated spear phishing test in December 2017 that promised a Christmas gift as a reward for excellent performance. Instead, it was the ultimate bait and switch experience to disappointed employees. 
  • The Tribune Publishing Company sent simulated phishing emails to its employees in September 2020, promising bonuses of $5,000 to $10,000 to staff members who had survived recent layoffs and pay cuts. Users were prompted to log in for more details, only to be informed that they had just failed a simulated phishing test. |

  • In December 2020, the web hosting company GoDaddy sent an email promising $650 as an appreciation bonus to hundreds of employees. Recipients shared their location and provided a few more details. Two days later, the recipients got another email explaining that they failed the company’s recent phishing test and would be required to retake security training. 

  • The West Midlands Railway in the UK created a phishing simulation test in May 2021 that promised a financial reward from the managing director for employees’ hard work during the COVID-19 pandemic. Employees who clicked the link were sent a second email letting them know it was only an exercise. 

Each of these simulated phishing attempts missed their mark. Instead of learning how to recognize a phishing attempt, employees were left with disappointment and mistrust for their organizations. 

What successful cybersecurity awareness training looks like

Illustration of a mobile phone with a drawbridge attached to its face, symbolizing cybersecurity awareness. (Whitney Matterfiis for BrainStorm, Inc.) - 10-25-2021

By contrast, a good employee cybersecurity awareness training program will lead to lower phishing click-through rates and higher reporting rates. An outstanding program will also help users become more security savvy by treating them as partners, not as liabilities. 

Follow these tips to strengthen your own cybersecurity training, including simulated phishing campaigns: 

Include the whole organization. Although some groups are more vulnerable than others, if you only send cybersecurity training to half the company, it communicates that you view only certain people as a risk. It also can make employees wonder why they were targeted, instead of helping them focus on building cyber-savvy habits. 

Keep it simple. Start small at first. Remember, even though you’re a security and IT expert, your users are not. If you make a training program that even your IT peers might fail, then it’s probably too hard. 

Create engaging content. Building a comprehensive program around every possible type of scam or threat is impossible, and a one-size-fits-all approach can alienate users. Instead, focus your content on the most pressing needs of your users.

Make context as important as content. To make a simulation realistic, include a good hook, call the recipient to action, provide a deadline, and give clear instructions. A word of caution: Your hook should avoid subjects that are sore points for employees. If your organization experienced recent layoffs or if the holidays are around the corner, don’t promise a monetary bonus. That disappointment will only reinforce a negative experience for your employees. 

Use a separate domain for phishing simulation emails. Let your security team and gateways—not your employees—monitor actual hacking attempts. If you send a phishing email from your own domain, employees might mistrust or question future internal communications. 

Stagger training or simulations. If you send all your employees a phishing simulation email on the same day, it may overwhelm your support team. Employees might also talk to co-workers and warn each other, instead of learning independently from the campaign. 

Focus on results, not failures. Track results and build data to show your progress. You can use quizzes, click metrics, simulated phishing tests, and more to chart your progress.  

Solicit feedback. How do your employees respond to security training? Be open to their ideas to improve future efforts. Publicly thank employees and let everyone in the org know about any updates or improvements that will come their way. 

Use data to strengthen your stance. After rolling out phishing simulations, polls, or assessments, gather data that can help you tailor additional training. Because some groups are more vulnerable to certain types of risks, they may benefit from a more frequent cadence.  BrainStorm can help automate your comms and pinpoint useful data.

Share positive messages, too. Focus on employee successes instead of going negative with a constant barrage of warnings about security hacks, fraud, and phishing. Celebrate and broadly communicate training completion stats, positive data points, and so on. 

Reward desirable behavior. As soon as positive behaviors occur, recognize them. Celebrate victories with posters, leaderboards, incentives, or even a wall of fame. Basically, give your employees recognition and spotlight them for displaying desirable outcomes and behavior. 

Involve security champions. Break down silos by using change champions to augment your cybersecurity efforts. Include top leadership in your incentives to stir interest and get employees excited about building their security skills.

Give immediate feedback. An effective training program includes prompt feedback. When you correct or praise behavior immediately, you reinforce positive outcomes. But if you wait hours or days, you risk resentment and negative PR. Clear and encouraging feedback boosts employee morale, not to mention performance around cybersecurity. 

Keep employee experience in mind. Understand what your employees are going through, what would disappoint them, and what would motivate them. If you’re not sure, ask. And remember, even a little empathy goes a long way in terms of culture and the bottom line. 

Sources:CybereadyCloudSecurityAllianceForrester 

Implementing a security awareness training program

Given the wealth of ideas explored here, you may wonder where to start. 

If there’s a key takeaway around security training, it’s to show empathy and respect to end users. Just as nobody appreciates a traffic ticket, employees don’t appreciate heavy-handed reprimands on security. 

If your company doesn’t have the personnel or budget for large-scale cybersecurity training (with or without simulated phishing tests) start small with one or two of the ideas shared above.  

Need more hands-on help? BrainStorm Threat Defense takes a human-focused approach to security awareness. No shame, no guilt. Just a cutting-edge platform to make your users more security savvy. 

See Threat Defense in action