Wanna motivate staff to be more secure? Don't bother bribing 'em
It's frustrating getting users to keep information and systems secure on a daily basis. However, don't try any smart gimmicks – particularly offering wedges of cash or other prizes for good behavior. It doesn't work. Quite the opposite, it can make things worse.
Paying out a bonus to those who make few or zero security mistakes ultimately demotivates staff, Masha Sedova, cofounder of Elevate Security, told Usenix's Enigma 2018 security conference. This is, in part, because once an incentive – especially a financial one – is dangled as a carrot, it is rarely substantial enough to warrant the extra effort required to follow security best practices. Thus, most people don't bother at all to meet the standard, reducing overall security.
Another, er, motivational technique – naming and shaming of employees by the BOFH – doesn’t work either. Sedova said this massively demotivates staff. Instead, IT security teams need to be more positive with users. And by positive, she meant that workers should be praised for good behavior, and be given better tools to tackle threats to the network.
Sedova said that research, and her experience, shows that around 20 per cent of the workforce are very motivated to secure their systems. Around 70 per cent are ambivalent about it and will use security if it’s easy enough, but 10 per cent won’t touch security at all – and in the latter case, naming and shaming may be the only option.
Research also revealed that Facebook users are more concerned about the security of their friends and family than they are about their own accounts. This means it should be possible to make security awareness spread in a viral way. "Reminding family about security techniques can be very effective in changing behavior," Das said. "But it has limitations – warn people too often and you're seen as a nag."