Imagine that one of your employees clicks on a malicious link in an email. Fearing the consequences, they delete the email and keep quiet, hoping the incident will go unnoticed. Two weeks later, the company discovers that hackers have infiltrated internal systems and compromised sensitive information. By then, it’s too late to mitigate the damage. Now, consider another situation where the employee makes the same mistake but, feeling safe and supported, immediately reports it to the security team. The team acts quickly to restrict access and remediate the risk, preventing serious consequences.
There’s no doubt that any security team would rather be in the second situation. And yet, some business leaders and security professionals still rely on fear-based, punitive approaches in their cyber security training programs. In the survey we conducted for our Human Risk Review 2024, 81% of security professionals said they still believe that disciplining or reprimanding users is an effective way to get them to change their behavior – although only 56% of these 81% end up implementing these corrective measures.
Punitive approaches still seem to be a popular strategy among security experts for correcting unsafe behavior, despite being controversial. They remain popular because they are easy to apply and initially effective, as people often react to fear. However, many researchers in different areas, such as Brock University professor Rebecca Raby in her work on discipline at schools, have shown that these methods fail to consider the complex factors that contribute to an individual’s behavior. For employees to make informed decisions and trust their security teams with their mistakes, they need to be motivated and empowered, not blamed. Positive reinforcement is a proven behavioral science technique that can help you do just that.
The root of the problem: Victim blaming and learned helplessness
Before we talk about how to motivate employees to learn secure behaviors through positive reinforcement, it’s important to understand the root of the problem. Employees have long – and unfairly – been viewed as the weakest link in an organization. For a long time, this perspective has placed a burden of guilt and fear on their shoulders. And while it’s clear that they bear responsibility for their actions, the reality is that we can fall into the human error fallacy by blaming them for all their mistakes.
Not only is the blame approach far removed from the reality of human complexity, but it has several consequences for the psychology of employees and, therefore, their behavior. One of these consequences is that employees are pushed into a state of “learned helplessness,” where they feel deprived of their ability to protect themselves and their organization.
In the context of cyber security within the workforce, this can leave employees feeling isolated, without the support or knowledge they need to make the right decisions, or afraid of retribution if they admit their mistakes. This fear of retribution leads CISOs, security teams, and IT managers to be seen as the “bad guys,” whose goal is to go after the employees instead of being there to help.
To solve this, we need to tackle the problem by taking two complementary approaches. The first one is to motivate employees to learn what secure behavior is and how to act in each situation with the help of positive reinforcement practices. The second one is to entice our employees to take ownership – but to do this, they must understand the consequences of the threats they face. Let’s start with the first one.
The first step: Motivating employees to learn secure behaviors
The way you train your employees on secure behaviors matters – a lot. Learning science tells us that the information retention level differs depending on how the learning is delivered. If learners enjoy the learning experience, information retention is multiplied. This may seem obvious, but it has not always been taken into consideration when it comes to cyber security awareness programs. Traditional programs used to sporadically deliver a “firehose” of information to employees to ensure that organizations achieved compliance with regulations. This type of training failed to consider the complexities of human beings – their emotions, attitudes, and motivations – and, therefore, failed to engage with employees on all those levels, making it impossible to achieve meaningful and lasting behavioral change.
One way to improve these programs and to achieve enjoyable, memorable cyber security training is to include gamified elements, such as allowing employees to earn points, badges, or levels for completing security-related tasks or learning modules. This not only makes the learning process more engaging but also taps into the natural human desire for competition and achievement.
If we also add storytelling to the mix, with characters that stick and learning experiences that follow a narrative sequence instead of isolated videos with no connection to each other, cyber security training becomes a dynamic and impactful learning experience that equips employees with the skills they need to protect themselves and their organization from cyber threats.
Another way of applying positive reinforcement is experiential learning or “learning by doing,” specifically in the context of personalized attack simulations. Experiential learning transforms abstract concepts into concrete, relatable situations, allowing employees to see the direct consequences of their actions in a controlled, risk-free environment. In this learning experience, it’s crucial to offer the necessary tools to facilitate learning, such as phishing reporting tools, that can become an opportunity to reinforce positive behaviors with positive feedback.
Boosting confidence with positive feedback
Everyone likes a little reassurance when they’re on the right track. When employees receive positive feedback, it feels like a warm pat on their back acknowledging their efforts and achievements. This not only reinforces the right behavior but also significantly boosts their confidence and their trust in you, which is key to being willing to report a mistake without fear of retribution. This constant support is important for keeping people excited and motivated, especially in a demanding field like cyber security, where staying alert and adapting to emergent threats is part of the daily routine. This is why using tools like SoSafe’s Report Button, which offers the opportunity to give feedback to employees about the phishing attempts they report – both phishing simulations sent by their security teams and real phishing attempts – is a great way of cultivating a supportive and collaborative work environment.
Step 2: How to replace blame with ownership
Blame sets humans in a “defensive mode” that allows them to see only the most serious consequences they face. As a result, when someone makes a mistake, they are likely to fear the consequences to themselves as an employee and as a person, rather than prioritizing reporting the mistake to protect their organization from the threat.
This means that for employees to move beyond fear, they must first know that their jobs are not on the line and that they will not be blamed or publicly shamed for their mistakes. This is only possible within the context of a “just culture” where, beyond using positive reinforcement as a training tool, the company is the one taking responsibility first and making sure to improve their processes and provide the employee with the right tools, processes, and controls to avoid a similar mistake in the future.
In a just culture, empowering your employees means not only eliminating the fear of instant punishment and blame but also educating them about the consequences that their actions can have at all levels. They first need to understand how a potential breach or attack would affect their company and how that would affect them as employees. For example, a substantial financial loss caused by a cyberattack could make the company lose its reputation, which could, in turn, make it lose clients and revenue. This would impact all employees, who could see their bonuses stopped or promotions suspended due to a low company budget.
But applying a just culture does not mean avoiding retribution when it is really needed. Employees need to feel confident that they will not be blamed instantly or held accountable if they make an honest mistake, but they also need to understand the consequences that a deliberate or negligent mistake could have. For example, in extreme cases of substance abuse or intentional damaging behavior, severe measures would be applied, such as legal consequences or ending their professional relationship.
The following table shows the different consequence types that need to be communicated to the team:
| Corporate consequences | Personal consequences | Negative personal consequences |
|---|---|---|
| Company will lose reputation | Promotions may be suspended | Legal consequences |
| Projects may be canceled | Bonuses may be stopped | Firing an employee |
| Company will lose clients | Family photos may be lost | |
These consequences need to be communicated from a non-fear-based perspective and in a way that doesn’t lead to powerlessness and fear. We need to inspire them to recognize that they are the primary attack surface of an organization and that they have both a personal and collective power and responsibility for maintaining security. In cases where you find employees who only focus on the negative consequences without seeing the bigger picture, the following culpability matrix might be useful to clear things up:
Ultimately, employees should feel that they are the first line of defense against cyberattacks, not the weakest link in the organization. Reframing security as a collective responsibility can foster a culture of ownership at every organizational level.
Practical tips to implement positive reinforcement and create a “just culture” in your organization
You have already seen how positive reinforcement is all about choosing the right way to communicate with your employees and empowering them to feel in control of their decisions. If you want more tangible advice on how to do this, here are some tips:
- Offer training that shows the real effects of cyber threats, while also sharing stories of successful interventions and solutions by relatable individuals.
- Design learning modules that integrate cyber security principles into captivating narratives or scenarios that employees find engaging and relevant.
- Consistently discuss cyber security matters with honesty and transparency, while underlining your organization’s controls and preparedness.
- Develop a communication strategy where employees from across the organization act as spokespersons. This way, everyone will see that security is everyone’s responsibility and everyone, from their peers to their local managers, is involved.
- Develop and disseminate clear policies that differentiate between honest mistakes and negligent or intentional misconduct.
- Avoid using complex technical language that could confuse or alienate employees.
- Equip employees with user-friendly tools and clear guidelines for responding to a cyberattack.
- Acknowledge and reward proactive security measures, from simple thank-you emails and awards at company meetings to monetary rewards or gamified incentives like points, badges, and leaderboards to encourage engagement.
- Cultivate an environment where employees can report mistakes and security issues without fear of retribution or blame. If necessary, set up anonymous reporting channels.
How SoSafe supports your security culture through training and positive reinforcement
Positive reinforcement plays a crucial role in building a strong security culture within an organization. Creating an environment where employees feel supported and confident to report incidents can prevent severe consequences.
The first step – as we previously mentioned – is to empower and train them to make better decisions. SoSafe’s gamified, interactive learning platform makes learning engaging and relatable, enhancing information retention and application in real scenarios and with personalized training for each employee’s risks and needs.
We also showed how our Phishing Report Button allows users to report phishing emails directly. Furthermore, our PhishFeedback feature integrates positive feedback to keep employees motivated and eager to learn. This tool sends users feedback on whether the reported email was malicious, along with recommendations and specific training if it wasn’t.
Our chatbot, Sofie, further enhances the learning experience by delivering bite-sized, instantaneous alerts to employees, making learning quick, easy, and attractive. She can also act as your organization’s level zero support, answering security doubts and helping your employees solve security issues or escalate them to the security team when needed.
If you want to learn more about how our product can help you create a positive security culture within your organization, request a demo, and one of our experts will contact you soon.