"Kudos, Not Consequences, Are an Ideal Tactic for Security Training Engagement"

It is essential to continue finding strategies that could help companies ensure employee engagement in security awareness training programs. According to panelists who spoke at CyberRisk Alliance's 2021 InfoSec World conference, giving out punishments for bad security practices may be effective for reducing undesirable behavior in the short term, but it is not effective in the long run. They suggested instilling good cyber habits through positive reinforcement, rewards, gamification, and interactivity instead. However, some companies believe in giving employees a wake-up call in the form of negative consequences if they perform an unsafe action or fail a simulated phishing test. The panel moderator Cindy Liebes pointed out that many researchers and cybersecurity awareness experts will say fear tactics and cybersecurity training do not really change behavior. In some cases, punishments could stop employees from reporting incidents out of fear. Companies are encouraged to move away from consequence models to models in which employees are empowered and made to feel like they are part of the fight against cybercrime. This article continues to discuss the negative consequence models put in place by some companies to deter reckless security behavior and why they should adopt positive reinforcement models to improve security training engagement.

SC Magazine reports "Kudos, Not Consequences, Are an Ideal Tactic for Security Training Engagement"