Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Aug 25, 2017

NBlog August 25 - awareness boosters



The Information Security 101 awareness module update is going well. We might even finish slightly ahead of the deadline, provided I can resist the temptation to keep polishing and adding to the content!

One of the deliverables is a 'menu' of rewards for workers who uphold the information risk and security practises, controls and behaviors we wish to encourage. The rewards are divided into bronze, silver and gold categories.

Bronze rewards are generally free or cheap, and yet welcome - a nice way to thank workers for simply participating in awareness seminars, case study/workshop session or quiz maybe. Here are just a few examples:
  • A phone call, personal thank-you note and/or email
  • Letter of participation or commendation to be placed in the employee’s personnel file (whatever that means!)
  • Relaxed dress code for the recipient – for a defined period such as a day or a week 
  • Generic certificate acknowledging a level of competence (e.g. on completion of security induction training - there's a template in the module)
  • Note and/or photo on hall-of-fame, newsletter and/or the Security Zone (Information Security's intranet website - again there's a generic website design specification in the module)
  • Plain (dull bronze) pin badge or sticker with awareness program logo
  • Plain (dull bronze) staff pass lanyard with awareness program logo and stock message (such as how to contact the Help Desk or Site Security)

Moving up a level, silver awards are more valuable and attractive, requiring a little more money and effort:
  • Polo/tee-shirt printed with corporate and/or awareness program logo and a relevant quotation or catch-phrase
  • Fancy pin badge with awareness program logo and catch-phrase (e.g. “I’m security aware!”)
  • Informal party and presentation for the recipient and team (refreshments provided)
  • Phone call, personal thank you note and/or email to the award winner plus one to their manager copied to HR, commending them and explaining why they deserve the award
  • Business cards with awareness program logo and message, showing the recipient’s name as a 'security ambassador'
  • Shiny silver staff pass lanyard with awareness program logo, recipient's name and personalized message

Gold-level awards are of course fancier still, some quite distinctive, special and valuable:
  • Fleece or coat embroidered with security awareness logo, quotation and the recipient’s name
  • Programmable LED/LCD message badge pre-loaded with suitable rotating messages
  • Personalized business card holder containing special business cards showing the awareness program logo and maybe an appropriate awareness message or personal endorsement on the reverse side
  • Special name plate, cubicle sign or pin badge engraved with the awareness program logo and the recipient’s name and date
  • Smart, high quality, collectable trinkets (e.g. desk clock, watch, laptop bag/carry-all/in-flight luggage bag etc.) engraved/printed with the security awareness logo and ideally the recipient’s name
  • Gold staff pass lanyard or carrier, identifying the recipient as a security guru (“Ask me about information security”)

There are more than 50 suggestions along those lines in the 101 module, some quite innovative, for instance the chance for a one-on-one chat with a senior/executive manager, over coffee, lunch or dinner. Some are designed to reward entire teams such as the leaders in a corporate league table based on departmental or business unit performance, measured using specific security metrics. An awards ceremony or gala dinner might work for some organizations, perhaps as part of an annual security awareness event.

As with all the NoticeBored materials, customers are free to adapt the menu to suit their situation, requirements and constraints (including budget!). The concept is at least as valuable as the menu itself. I must day it's an awareness approach I've personally found very successful in the past, although it may not suit every organization. 

What a contrast to conventional compliance enforcement through penalizing those who don't comply. That may still be needed but hopefully not nearly as often.