Industry insights

Managing a security awareness program: Carrots, sticks, and repeat offenders

Susan Morrow
May 2, 2022 by
Susan Morrow

Effective security awareness programs must be designed to motivate employees and change poor security behavior. But how easy is it to achieve this in reality? Cybersecurity awareness training is repeatedly shown to be a crucial part of preventing cybersecurity incidents. 

The reason why is simple: cybercriminals target humans because tactics like phishing work. The statistics stack up: research from IBM shows that people click phishing links, with at least one person in 86% of organizations finding the urge to click the malicious link just too hard to resist. The result is that 90% of data breaches start with phishing emails.

With this level of phishing success, ensuring that a security awareness training program is effective is paramount. One of the debates raging in the security industry is how to make sure that education in security awareness works: do you use carrots, or do you use sticks? And those repeat offenders, how do you turn them into your best learners?

ChatGPT training built for everyone

ChatGPT training built for everyone

We've created a training video and supplemental resources to educate every employee on how to use AI tools securely. Meet with a member of our team to get started.

Here is a look at the raging debate, including insights from some of the best minds in the business.


Carrots, sticks and repeat offenders


Security awareness training programs must appeal to a very broad demographic of learners. Trying to reach all roles and types of employees and non-employees means that you must understand how people learn. This is highlighted in a recent Infosec report, “Cybersecurity Culture — Quantified,” which found that 31% of an organization’s cybersecurity training was seen by employees as “only a little engaging or not engaging at all.”

The fact that almost a third of employees are switched off by security awareness training maps neatly to the neverending cycle of human-centric attacks based on phishing and social engineering. If a single inattentive employee can potentially lead to a major data breach, lack of engagement needs to be resolved.

Creating awareness programs that keep staff focused on security requires the keen mind of experienced cybersecurity folks who deliver compelling and engaging security awareness programs. Fix the folks that need carrots and those that need sticks, and you have an all-around, optimized security awareness program that develops that all-important culture of security.


The carrots and sticks behind a successful security awareness program


The security industry has taken a while to recognize that people are both our greatest asset and our weakest link. But this recognition has resulted in some exceptional security practices in co-opting employees and non-employees into the protection of the enterprise. As Shannon McPherson of IEE puts it, “We know that the human element is the most important because they are our greatest asset and potentially our greatest threat.” 

This duality of vision extends to learning motivation regarding security awareness training — give trainees a carrot or use a stick?


Sticks or carrot lovers?


Like anything in life and work, keeping people motivated requires a reason and a goal, i.e., a carrot. The carrot approach to awareness training can empower staff by handing control back to them, so they no longer live with the fear of being the person behind a security mishap.

The “carrot of engagement” is acknowledged as an important part of security awareness programs by many experts in the security industry. McPherson believes successful awareness training requires a balanced mix of carrots and sticks. But above all, accountability is key, according to McPherson, who explains, “The goal of any security program is to understand when, where and why the probability and risk of a business lies, and to reduce that risk. 

“We can’t minimize security risks without implementing various forms of accountability.” Carrots create increased morale amongst security learners; the IEE example perfectly demonstrates this.

IEE’s baseline for phishing awareness in 2019 was about 75%, which is above the industry average for nonprofit organizations. However, IEE performed a year of regular phishing test simulations, and by changing from presenting a failure rate to a pass rate, IEE celebrated its employees’ success. The result was increased morale, which led to a culture shift. McPherson described this as a “gentle, compassionate approach that worked well at IEE”.

Another carrot lover is Dr. Erik Huffman of BombBombIT, who described his approach to security awareness engagement as being “100% carrots, all of the way.” Huffman described to Infosec his view of engagement as often being dictated by the “Pygmalion effect.” This describes a self-fulfilling prophecy of not if but when and how often the company is hacked. This has led to employees feeling, “Well, you said we’re going to get hacked anyway, so why is it a big deal?”  


Reactive to proactive awareness training engagement


Robust policies and governance should inform the development and implementation of security training programs. McPherson from IEE suggests modifying employee behavior by moving the dial from “reactive to proactive security behavior” is an important success factor. McPherson told Infosec: “IIE has intuitively taken a strategy to customize our program. We had the chance to pioneer, build from the ground up. Using this process, we were able to address the business mission, but also look at the impressive archetype of our people.


Dealing with those pesky repeat offenders – what makes them click?


Repeat offenders are those who seem to never learn. They repeat poor security behavior even after security awareness training sessions. Dealing with this edge case of users challenges even the most experienced awareness training practitioner. Infosec asked Huffman how he deals with repeat offenders. “Train then retrain,” he said, but use tried and tested psychological techniques. Huffman stresses to “focus on a person’s personality type and see what’s literally making them click.”

Behavioral psychology is part of a human-centric approach to security awareness training. The place of "human factors" in cybersecurity risk is well-established. One recent study found that a security breach's second most likely cause is “careless or uninformed staff.” Huffman uses an informed human-centric approach to retraining, focusing on an individual’s personality type and adjusting the training to fit this archetype. Semi-structured interviews after training sessions are a strategy used by companies like BombBombIT to help change repeat offenders into successful cyber security trainees.

To back up his claim of tailoring delivery of security awareness programs to the individual, Huffman told Infosec that “we have people that have failed multiple times; but if you understand what makes the person click and you understand their personality type, then you can cater training within that realm, to help that individual succeed.”


The retraining stick for repeat offenders


Retraining may be a last resort but a useful stick for certain individual learners.

IEE has established a retraining protocol that holds team members accountable. This translates to re-testing after a specific evaluation window. If an employee does not pass one test within that evaluation window, they receive "spot training." If they fail two tests during that window, they must then take interactive remedial training. If an employee fails three or more tests, they are then sent to HR. As McPherson from IEE puts it, “HR is involved as this supports a holistic, ‘it takes a village approach’, to be able to hold people accountable.”


How to measure the overall effectiveness of security awareness training


Whether you use a carrot or stick, measuring security awareness training effectiveness is an important way to see if the tactic is working. IEE uses the reports function within the Infosec IQ PhishSim tool to identify repeat offenders. They then customize this report to make it accessible for the executive team, specific repeat offenders and their managers. McPherson told Infosec that they prefer to use this “top-down approach, holding everyone accountable. IEE then uses these reported metrics to schedule remedial training or meetings between repeat offenders and HR. IEE does not believe in publicly shaming people, but as IEE works within an academic culture, a report can be a compelling way to demonstrate and improve success rates. 

BombBombIT applies this 100% carrot approach to shore up a systematic three-tier system to measure success rates. The tiers go from an obvious phishing message to a more subtle phish. The response is then tailored to these three tiers. If a person repeatedly misses an obvious phishing message, the training needs to reflect this additional requirement.

ChatGPT training built for everyone

ChatGPT training built for everyone

We've created a training video and supplemental resources to educate every employee on how to use AI tools securely. Meet with a member of our team to get started.


The carrot and stick of relationship building


When running successful security awareness training programs, adaptability to different learners is key to success. But this adaptation must also reflect the current phishing campaign focus; the Covid-19 pandemic is a case in point, where phishing campaigns during the pandemic reflected the branding of the World Health Organization, along with fear and doubt about the pandemic, to make the campaigns a success. In the same vein, the pandemic has led IEE to expand the classification of what they consider a successful win in terms of employee engagement. Rather than just focusing on the quantitative metrics, IEE looks at measurement of success that relates to relationship building, communication, connections, and trust.

“IEE considers during this period of remote work, all of the inquiries, the random questions that security professionals are receiving from employees or team members, people reaching out to verify or validate something that looks off, that is a cultural win. It’s not just about quantitative stats on the scoreboard or reporting, dashboarding to send to executives.” Top-down engagement and support for home working is part of our overall success determination.

The folks working in security awareness training can offer important insight and advice from a practical view. A carrot approach to security awareness training, augmented with security know-how and focused training, can turn repeat offenders into sterling learners.




Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.