Funnily enough, humans aren’t too different from dogs when it comes to changing a behavior for the better. One of the most powerful leadership tools is positive reinforcement, a proven and effective method for shaping and changing behavior. While dog owners might use treats or toys to reward desired behaviors, CISOs can leverage technology to reinforce certain employee behaviors, guiding employees in their role in protecting the broader organization.
As part of this endeavor, it’s important to recognize that cognitive bias is part of how the human brain is built and how it functions. While these subconscious mental shortcuts make it difficult to change behaviors, it’s not impossible. Through repetition and contextual learning, behaviors can change over time, with positive reinforcement serving as the overarching umbrella for an organization’s broader security awareness strategy. The following guidelines will help CISOs ensure meaningful behavior changes among their workforces.
Set clear rules. CISOs and HR leaders should clearly communicate company policies regarding cybersecurity incidents and coaching. This is a crucial step in ensuring that employees recognize that the organization is not trying to catch them doing something wrong, but rather to provide them with the tools and guidance to identify possible malicious attacks. Laying down these ground rules will help to gain buy-in from across the organization and ensure everyone is on the same page.
Make it personal. CISOs should communicate to employees that they will receive education that is specific to each individual. Everyone engages in unique actions and behaviors, and they’re more inclined to listen when they regard the information as directly relevant.
Don’t make employees feel stupid or shamed. The only way to enact meaningful change is to establish the right tone. Oftentimes with phishing simulations, employees end up feeling stupid when they make a mistake. The learning experience should feel organic and authentic, while also being presented in a helpful tone, rather than bashing or pointing out mistakes.
Just as puppies are encouraged with a treat after obeying a command, a person’s likelihood of changing a behavior increases when they are successful. By approaching security awareness in a way that genuinely encourages and informs employees, their motivation to change behavior increases.
Instead of undoing behaviors, we must reinforce new, positive ones. This will be key in properly securing organizations from today’s highly sophisticated and relentless cybercriminals.