Is it OK to Reward Those Who Flag the Phish and Highlight Those Who Failed?

Testing your employees is a vital practice that should take place within a robust and mature security awareness program. It is imperative when testing employees to do so in a constructive, hands-on lesson in order for the exercise to be impactful and effective for both the receiver and for the security program. There is no shortage of different ways this can be executed.

When the decision is made to test employees, it should be a priority throughout the process that those on the receiving end do not feel tricked or duped. Testing employees to better prepare them for real life events should not make them feel as though they are being punished for having taken certain actions.

For instance, when it comes to phishing tests, clicking on the links, opening any attachments or replying to the sender should not land the employee in hot water, though there may be some exceptions such as for repeat offenders. Instead, use their click or response as an educational opportunity for them to learn and for you to communicate and market your program.

If the receiver clicks on the link it should be setup in a way so that the link directs them to a site with immediate education. Do not call out those who fail or post their information in a public forum so as to shame them: this could backfire and people may then be afraid to do anything for fear of security retaliating.

Additionally, tying a user’s response to a social engineering test to their performance reviews could also leave a bitter taste in their mouth for security which should not be the intent.

Try instead to offer advice, encouragement, training and direction. One option would be to redirect the user to additional training with a note at the beginning regarding why they are being assigned the training. The training could be optional, or the training could only be assigned if the user reaches a certain threshold such as failing so many tests.

If assigning training is not an option, or maybe not something that would be effective with associates at a specific organization, another approach could be to provide additional educational materials such as articles and other resources, either internally written, or from a secondary external source.

These articles could cover the risks of real life social engineering attacks including how it could affect employees both at work and in their personal life. Real life “war stories” about how social engineering has had a negative impact on a real company can be an effective way to drive home just how risky engaging with social engineers can be.

On the other hand, rewarding employees could also be effective if done right and the rewards can be presented in a variety of ways. They can be tangible such as prizes, giveaways, or even tokens, tickets or chips they can earn and accrue over time.

They could be as simple as recognition for a group or individuals in a newsletter or on a leaderboard. Rewards can also help to encourage participation. One example is rewarding people for reporting incidents instead of just simply ignoring or deleting them. Let people know when they did the right thing and offer words of encouragement to make it a positive and memorable experience.

There are many ways to turn a social engineering test into a constructive educational opportunity and what works for one program or company may not be as effective for another. Turning an educational opportunity into a chance to point out employees’ short comings could be catastrophic and could ultimately be a failure for your program.

Additional education for employees should not be viewed as punishment but as a way to expand their security knowledge and give them the tools they need to be active participants in helping to secure themselves and the organization.

Lauren Zink is the Manager of Security Awareness at AmTrust Financial, a global fortune 500 company in Northeast Ohio. She is an information security professional that has spent nearly a decade developing, expanding and maintaining security awareness, communications and education programs for large, global corporations.  Lauren enjoys focusing on the human aspect of security and has a strong background in teaching and training various age groups.  She thoroughly enjoys all aspects of both logical and physical security as well as educating employees on their importance

What’s Hot on Infosecurity Magazine?