With the rise in cyber threats, many IT and cybersecurity personnel are on edge. When an incident happens, managers can be quick to blame employees. Don’t let cognitive biases cloud your judgment. Experts say positive reinforcement is an effective tool for improving employee behavior when it comes to cybersecurity.
Sai Venkataraman, CEO of Security Advisor, in his Help Net Security article, says, “Through repetition and contextual learning, behaviors can change over time, with positive reinforcement serving as the overarching umbrella to an organization’s broader security-awareness strategy.”
Tips For Managers:
Set clear rules: The IT and HR departments must work together to clearly communicate the company’s cybersecurity policies to everyone they apply to. It’s also important for both departments to understand how to correctly approach those responsible for an incident.
“This is a crucial step in ensuring that employees recognize that the organization is not trying to catch them doing something wrong, but rather provide them with the tools and guidance to identify possible malicious attacks,” Venkataraman said. “Laying down these ground rules will gain buy-in from across the organization and ensure everyone is on the same page.”
Make it personal: Managers must let employees know that they will receive cybersecurity instruction tailored to them. “Everyone engages in unique actions and behaviors, and they’re more inclined to listen when they regard the information as directly relevant,” he said.
Don’t make employees feel stupid or shamed: Establishing the right tone makes the difference. “Frequently with phishing simulations, employees end up feeling stupid when they made a mistake,” Venkataraman said. “The learning experience should feel organic and authentic, while also being presented in a helpful tone—rather than bashing or pointing out mistakes.”
Moving Forward with Positive Reinforcement
Managers in IT should not blame Karen in accounting when she pays what looks like a past-due invoice but is actually a phishing email. Instead, managers should apply positive reinforcement to correct the behavior and prevent it from happening again.
“The probability of an employee changing a behavior strengthens when they are successful,” Venkataraman said. “By approaching security awareness in a way that genuinely encourages and informs employees, their motivation to eliminate a negative behavior increases.”