Over on CISSPforum lately, we've been discussing the use of motivational approaches to encourage desired information security behaviors, complementing the use of penalties to discourage undesireable behaviors - in other words, carrot-and-stick.
Walt Williams said:
"If I owned a antivirus company, I'd want all my employees to have my product freely available to them as a "benefit" ... An example that worked nicely at a past employer was use of the company's insurance (auto) at an employee discounted rate for life (even post employment). Other items to add to consider adding to the list: Better than standard benefits; Better pay than industry averages; Extra pay for on call time; Time off to match on call time to restore work/life balance; Ownership of service improvements (if you see a problem, with management approval, you're allowed to own fixing it). Amazing the job satisfaction this gives."
I've used the free antivirus approach myself back in the 90's: although I didn't work for an antivirus company, I cut a deal with our corporate antivirus supplier to offer free home licenses for employees. It's a win-win situation, of course, since as well as being a welcome information security-related benefit for employees, it reduces the risk of their own IT systems being infected and hence compromising corporate information. These days, I'd suggest extending the deal to mobile devices, especially BYOD of course.
Jason Burzenski said:
"[A] practice to keep in mind for maximizing the effectiveness of your security controls is managing the perception of the controls in your organization. We may ask users to sign an acceptable use policy once a year but most of them won't care until they hear how Bob in Accounting got written up for plugging in his personal laptop at work. In my experience, occasionally shining a little bit of light on the users to let them know you're watching is as effective as security training (but in no way replaces training) because you're changing the way they think."
I’ve been ‘shining a little bit of light on the users’ for decades, ever since the times I occasionally rang up workers whose usernames popped up on the VAX console when they repeatedly failed to enter the correct password at login time … partly to find out what was going on, partly to discover who was so forgetful, partly to offer assistance, but mostly to spread the word that the security log was being monitored.
Extending the idea, I like to ‘shine the warm light of recognition’ on people who Do The Right Thing – in other words, rewarding people for acting securely in some way, perhaps reporting incidents and near misses, or actively participating in information risk and security activities of all kinds (note: there's more to this than just compliance). As a profession, I feel we have a long way to go on that score.
Rewards are much more motivational than penalties, on the whole. Think about it, which would you be more likely to tell others about: receiving a reward of some kind from Information Security, or a penalty? Enforcement through penalties and disincentives is appropriate, sometimes, but so is reinforcement through rewards and incentives.
Walt suggested another cool idea:
"I have a thing at the company where I work called the Information Security Hero. I publically laud anyone who doea something to advance security, even if it is just providing me a tip about a problem. While I find it ironic that no one in IT ever won, it is presitgious, and the CEO always publically praises the winner. I'm working on getting a real prize. I've also never outed anyone's mistakes, except with their direct manager."
Building further on all of that, here's an extensive menu of rewards or prizes. It started out as a rough note scribbled on a Post-It, and gradually evolved into a 2+ page appendix to the ‘train-the-trainer’ guide in Information Security 101, our basic security awareness module.
We suggest offering appropriate rewards/prizes from the menu to winners of your security awareness quizzes, crosswords, challenges etc., for outstanding participation in security seminars, workshops etc. … and to other security heroes too.
By the way, I'm idly thinking about adding a further tongue-in-cheek category of booby prizes to the menu.
If you are willing to share creative ideas for prizes, especially prizes that are in some way relevant to information security, please comment on this blog.
PS I'm intrigued by the concept of a corporate employee rewards scheme, similar to loyalty cards, giving recipients the incentive to accrue points for Doing Good Things across the board (not just in information security) in order to earn their choice of higher-value prizes (i.e. not just the much-maligned rice-steamer!). Do you know of such a scheme actually operating anywhere? How does it work? Is it just for employees or does it extend to pseudo-employees such as temps, interns, contractors and consultants, perhaps even suppliers, business partners and customers?