#Infosec20: Positive Reinforcement Key to Managing Human Element of Risk


Speaking at the Infosecurity Europe Virtual Conference Dr Jessica Barker, co-CEO of Cygenta, discussed the importance and effectiveness of positive reinforcement in managing the human element of risk.

Dr Barker said: “Using the ‘carrot’ or rewarding people is the most effective avenue to go down. In security, we have this tradition of always being very negative and first thinking how we can ‘scare’ people and how we can use authority to tell people off if they get things wrong. That has created such a negative culture around security.”

Dr Barker argued that, when managing human-related risk, it is much more effective to use positivity. “For example, with phishing simulations, there are a couple of things organizations could be doing better. The first is, if we are reporting on how many people have clicked or haven’t clicked on a phishing email, organizations will generally always focus on how many people clicked,” ignoring the positive message of how many people did not click, which is very often higher.

In that case, businesses should use “positive reinforcement and social proof to demonstrate that the majority of people are engaging with positive behavior and encourage the minority to join them next time.”

Beyond that, Dr Barker continued, the behavior we really want to see with regard to phishing simulation is reporting: how many people reported an incident, how long did it take, and do some emails get reported more than others? “These are the kind of metrics that are far more insightful and useful and focus on the behaviors we actually want to be seeing, rather than just trying to drive down the click rate.”
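The metrics described above (report rate, time to report, and per-template report rates, with a summary framed around the majority who did the right thing) worked through in Python, as an added example that is not part of the original article or of Cygenta's material; the simulation records are constructed sample data and the field names are assumptions:

```python
from datetime import datetime
from statistics import median

# Constructed sample of phishing-simulation results (not real data): one
# record per recipient with the lure template, send time, whether the link
# was clicked, and the report time if the user reported the email.
EVENTS = [
    {"user": "u1", "template": "invoice", "sent": "2020-06-01T09:00", "clicked": False, "reported": "2020-06-01T09:12"},
    {"user": "u2", "template": "invoice", "sent": "2020-06-01T09:00", "clicked": True, "reported": "2020-06-01T09:30"},
    {"user": "u3", "template": "invoice", "sent": "2020-06-01T09:00", "clicked": False, "reported": None},
    {"user": "u4", "template": "invoice", "sent": "2020-06-01T09:00", "clicked": False, "reported": "2020-06-01T09:05"},
    {"user": "u5", "template": "password-reset", "sent": "2020-06-01T10:00", "clicked": True, "reported": None},
    {"user": "u6", "template": "password-reset", "sent": "2020-06-01T10:00", "clicked": False, "reported": "2020-06-01T10:45"},
    {"user": "u7", "template": "password-reset", "sent": "2020-06-01T10:00", "clicked": False, "reported": None},
    {"user": "u8", "template": "password-reset", "sent": "2020-06-01T10:00", "clicked": False, "reported": None},
]


def minutes_between(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def summarize(events):
    """Return behaviour-focused metrics rather than a bare click rate."""
    total = len(events)
    reported = [e for e in events if e["reported"]]
    did_not_click = sum(1 for e in events if not e["clicked"])
    # Reporting after a click is still the behaviour we want, so count it separately.
    reported_after_click = sum(1 for e in reported if e["clicked"])
    delays = [minutes_between(e["sent"], e["reported"]) for e in reported]
    by_template = {}
    for e in events:
        t = by_template.setdefault(e["template"], {"sent": 0, "reported": 0})
        t["sent"] += 1
        t["reported"] += bool(e["reported"])
    return {
        "did_not_click_pct": round(100 * did_not_click / total, 1),
        "reported_pct": round(100 * len(reported) / total, 1),
        "reported_after_click": reported_after_click,
        "median_minutes_to_report": median(delays) if delays else None,
        "report_rate_by_template_pct": {k: round(100 * v["reported"] / v["sent"], 1) for k, v in by_template.items()},
    }


def positive_summary(events):
    """Frame the result around the majority who did the right thing (social proof)."""
    m = summarize(events)
    return (f"{m['did_not_click_pct']}% of colleagues did not click and "
            f"{m['reported_pct']}% reported the email (median {m['median_minutes_to_report']:.0f} min).")


if __name__ == "__main__":
    print(positive_summary(EVENTS), summarize(EVENTS), sep="\n")
```

The per-template rates show which lures go unreported most, which is where awareness effort is best spent; the click count is deliberately absent from the headline line.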

If we only focus on the negatives and punish people for clicking on phishing links or for reporting incidents, all we are doing is “driving a culture of fear – driving incidents underground and creating more distance between security and the rest of the business. That creates more risk.

“We know the culture of fear around security doesn’t work – what we need is a much more empowering, much more positive culture.”
