Punishment is evident in all aspects of our life to everything from getting drivers to stop speeding, to getting the dog to not bark at the mailman. Because of this, it is no wonder that several go to punishment when wanting to change user behavior. While punishment is a very powerful tool- that can produce almost immediate change in behavior- it is very hard to control and very hard to maintain. For these reasons, I rarely recommend using punishment when …

Read more »

Imagine that you are the head of security awareness at an organization (not a stretch for some) and have been charged with getting people to report issues to the help desk. You decide, in your infinite wisdom, to encourage them to report issues to the help desk by giving them $1 each time they report a valid problem. The week after implementing the new reward program the number of issues reported to the help desk has increased 100 fold. You …

Read more »

Many of the products out there would lead you to believe that anyone with Word can write a newsletter but this is not the case. Think about it, you are asking someone to voluntarily take time out of his or her day, or even potential free/personal time, to read a document about security. If done right, you can have a captive audience that happily takes the time to read your content. If done wrong, then all your hard work turns …

Read more »

Making good content is hard and easy to mess up. This is evident with the loads of boring training videos, out dated posters, and cheesy slogans slapped on a mouse pad. But don’t fret, just because it’s hard, doesn’t mean it’s impossible. Making good content is all about asking the right questions before hand. What content needs to be made? What are the different options? What should be used in tandem? What can be used in place of other things? …

Read more »

Now that we know how to effectively pair a problem behavior with a solution, what happens when the problem behavior is the product of more than one reason? For example, several organizations identify ‘falling for phishing attacks’ as one of the biggest problems they have with users in their organization. A cultural assessment reveals that not only do several users have a hard time identifying the ever changing phishing emails, but they also don’t see them as very dangerous, and …

Read more »