How to create security awareness with incentives

Gamification is an alternative to pushing employees to improve security awareness.

One of the reasons many security awareness programs fail is that they rely on a "push" mentality: they force employees to take awareness training and then expect, or more likely hope, that employees will seek out additional training because it is the right thing to do. While some programs that work this way are successful, they are relatively rare.


Recently, we began experimenting with helping our clients implement gamification techniques, which switch the whole awareness paradigm. Instead of employees being forced to take training or risk potential punishment, employees do the right things by default and seek out additional training because they want to.

Too many people take the term gamification to mean creating a game to deliver awareness training, and there are many companies developing such games. They can be useful, but much like a poster, newsletter, or phishing campaign, they are just a single component in what should be a well-rounded security awareness program.

Gamification is actually a scientific term that roughly means applying game principles to a situation. The simplest definition of those principles is: 1) Goal establishment, 2) Rules, 3) Feedback, and 4) Voluntary participation. Every game has to incorporate those principles. Goal establishment is the desired outcome for the people participating in the game. Rules are limitations that players adhere to and that make the game a challenge. Feedback means that participants are made aware of how they are doing relative to their goal. Voluntary participation means that nobody is forced to play the game.

Using golf as an example (which, we should point out, is in no way a computer-based game), the goal is to complete 18 holes with the fewest strokes. The rules provide limitations on how the player can get the ball in the hole. After all, the easiest way to get the ball in the hole would be to carry it there and drop it in, but people seek out the challenge of accomplishing the goal through skill. The running stroke count is the feedback mechanism. And, short of peer or work pressure, almost everyone plays golf on a voluntary basis. All games generally exhibit the same principles. This includes all sports, card games, playground games, chess, checkers, etc. Games do not need to involve computers.


Because the term is confusing, we began to call our process "Incentivized Awareness Programs". That better represents what we are talking about, as a comprehensive awareness program does not limit itself to a single tool. With incentivized awareness, you create a reward structure that incentivizes people to exercise the desired behaviors, which could include seeking out additional training. Ideally, the incentives make demonstrating or learning about awareness behaviors fun.

Depending on the program and the job functions, people earn points by finding bugs in software, taking a training course, reporting a phishing message, reading a security-related publication, stopping a tailgater attempting to enter the facilities, etc. Different activities are worth different numbers of points, and people accumulate points over time.

The points go towards earning rewards. Some organizations recognize people with the equivalent of martial-arts belts, as Six Sigma training does. Some organizations provide recognition and certificates. Others provide cash awards when certain point thresholds are met. Whatever the reward system is, it should be appropriate to the organization's culture. Depending on the size of the organization, you might want different reward structures for different subcultures, which might be defined by role, division, or geography. For example, Japanese workers tend to be much more impressed by being personally recognized by a senior manager, and the rewards should reflect this preference.

Clearly, some points would lead to the professional equivalent of the "participation" trophies that many children's sports leagues now give out, which basically reward people for just showing up. There is actually nothing wrong with that. Security departments tend to get a bad reputation as organizations that punish people for bad behavior. Rewarding people for the right behaviors makes them more security conscious, while creating a better reputation for the security department as a whole.


There must, of course, be an appropriate balance between points awarded for meeting base expectations and points awarded for going beyond them. Give a low-value reward for meeting base expectations. A second level should be created that is within reasonable reach of most employees by demonstrating some additional, relatively simple behaviors. Further levels should be increasingly difficult to achieve, but the rewards should be on par with the required level of effort.

Some people might say that many of their employees will not participate in this type of reward system, and that is a reasonable concern. However, they might be surprised at the number of people who are interested in some type of reward system. Nevertheless, even if the program is not accepted by the entire employee base, the measure of success is not participation but the metrics that matter to the organization. Our past article discusses this in more detail: fundamentally, any security measure is judged not by participation or perfection, but by the amount of loss it mitigates compared to the cost of implementing it.

Creating an Incentivized Awareness Program does take some effort, but the companies that have successfully implemented one are reaping the benefits through reduced losses and a better relationship between the security team and the general user base. Gamification has proven itself to be an effective way to further a wide variety of business interests. It is time to start applying it to security awareness and take the education of your employees to the next level.

Ira Winkler, CISSP and Samantha Manke can be contacted at
