Cybersecurity awareness: carrots, sticks, and some carrot cake

A slice of carrot cake with crushed hazelnuts sprinkled on top

Security awareness education sometimes consists of a mandatory boring lecture and an even more boring multiple-answer questionnaire. Having to take the training feels like a punishment. How can we make security training a carrot instead of a stick? Rewarding is one piece of the puzzle. Maybe you can even reward training participants with this lovely carrot cake?

Fear and punishment do not create awareness

The results of poor employee security awareness can be scary. Phished credentials, stolen accounts, compromised devices, leaked data and lost money. But making people afraid of clicking links because they might lose points in a phishing test does not motivate them to learn more about information security. Instead, they will learn to hate security practices. According to Living Security’s blog, anxiety over security may lead to poor decision-making. People might also get so annoyed about the lack of trust the fear-based methods show that they become reckless and don’t take security risks as seriously as they should. 

It’s a bad thing if employees are scared about security. Then they might also be too afraid to report security incidents because they fear they will be punished or someone will get angry. 

Goals, rewards, and having fun while learning

Would you rather listen to a lecture for one hour or play a game? If the speaker is very charismatic, I might listen to the talk. However, repetition makes the essential security knowledge stick (pun intended). And if you can make the repeating learning activity a game where learners can score points, it works even better. 

Different types of content, such as videos, cartoons, and memes make learning about security more appealing, easier to remember, and fun. That’s because not everyone learns by reading and because working life is filled with too many slides and documents you need to read anyway.

While some people are motivated simply by learning more, it helps if the learners can feel a connection to the content. How does this help me with my work? How is this related to the things I do daily? And as KnowBe4 reminds us, being able to apply the training to your personal life, such as being able to advise your children about online security, also makes the security awareness training more relatable.

Ideas for rewards and recognition

So, if rewarding motivates employees to learn more about security, what is a good reward? 

According to an article by Hoxhunt, the reward should match your organization’s culture and how you reward other accomplishments. 

The reward should also be something that the employees are excited about. SecurityJourney’s blog has a good reminder that some cultures and organizations value certificates, stickers, and t-shirts (as long as they are cool), whereas others don’t care.

Security training rewards can range from certificates to cool stickers, branded t-shirts, coffee shop gift cards and vouchers for movies or the gym.

SecurityJourney also mentions monetary rewards, and similarly, Hoxhunt names vouchers and gift cards. They can absolutely be more appealing than stickers, but there might be an extra hassle with the taxation of the benefits.

According to Living Security, you can also reward the whole team or department: by promising a free lunch or a pizza if the entire team completes the training by a set date, you can create some peer pressure and nudge the slackers to take the training.

Last but not least, public recognition works! Lance Spitzner writes in the SANS blog about companies that mention employees who have done the right thing, such as reporting phishing, in their security awareness newsletters. Slack, Teams, and other internal channels also work nicely for this purpose.

A lovely carrot cake 

The topic of carrots and sticks inspired me to bake a carrot cake. The full-flavored but not-too-sweet carrot cake is suitable for many occasions – maybe even as a reward for good security practices! 😊 My carrot cake recipe originally had a Halloween theme, but I left out the festive decoration.

A large carrot cake on a plate. The carrot cake has a cream-colored icing and there are crushed hazelnuts sprinkled on top.
Carrot cake is a classic treat and suitable for several occasions.

Ingredients:

  • 3 eggs
  • 3 dl soft brown sugar (a mixture of sugar and sugar cane syrup)
  • 5 dl wheat flour
  • 2 tsp baking powder
  • 2 tsp cinnamon
  • 2 tsp vanilla sugar
  • 250 g grated carrots
  • 1 small tin of crushed pineapple
  • 0,5 dl crushed hazelnuts
  • 150 g pastry margarine

Line a springform pan (diameter around 24-28 cm) with baking paper. Butter the edges of the pan. 

Mix the eggs and sugar into a foam. Mix the flour, baking powder, cinnamon, and vanilla sugar together.

Pour off the excess juice from the tin of crushed pineapple. Tip! You can save the juice and moisten the cake later with it. Melt the pastry margarine. Mix the grated carrots, crushed pineapple, pastry margarine, and hazelnuts.

Mix the dry ingredients and the carrot-pineapple mix into the sugar and egg foam in turns. 

Preheat the oven to 175 degrees Celsius. Pour the dough evenly into the springform pan. Bake for 45-50 minutes or until a toothpick comes out clean. Let the cake cool for a couple of minutes, and then remove the edges of the pan. Cool the cake thoroughly. 

Filling and icing:

  • 200 g natural flavor cream cheese 
  • 200 g vanilla flavor cream cheese 
  • 1,5 dl powdered sugar
  • 100 g pastry margarine or butter

Melt the pastry margarine. Mix all ingredients for the icing together. 

Cut the cake into two layers. Moisten the bottom layer with a few spoonfuls of juice. Spread a bit less than half of the icing between the cake layers and the rest on top. You can decorate the cake by sprinkling some crushed hazelnuts on top.

Enjoy!