Taking a Carrot Approach to Cyber Training

Katie Whitt
IT Security Analyst
Automatic Summary

Taking the Carrot Approach to Cybersecurity Training in Your Organization

Cybersecurity awareness training is a staple of any organization's security program. The carrot approach, which relies on motivation rather than consequence, is presented here as the more durable way to improve your organization's security posture. In this article, we review the reasoning behind this approach, show how one organization has implemented it, and discuss ways to measure progress over time.

Carrot vs. Stick Approach

When teaching staff about cybersecurity, the carrot approach motivates them towards good behavior, while the stick approach uses consequences to deter bad behavior. A carrot moves people toward a goal and fosters a sense of achievement and recognition; a stick tends to work only while it is being applied, so its effect is short-lived. The carrot approach also builds community between the security team and the rest of the organization: staff who are afraid to admit they clicked on something, or to ask about an email that seems off, deprive the security team of exactly the dialogue it needs. The key to success in cybersecurity training is to create an environment of openness and availability and to motivate and educate rather than merely impose rules. One caveat from the talk: rewards are not appropriate in every situation, and the organization would not reward someone for knowingly causing it harm.

Implementing the Carrot Approach

Making cybersecurity training rewarding for your staff helps create positive engagement. Here are some ways we've implemented this in our organization:

  • Rewarding correct responses: We run three phishing simulations per quarter, one a month. At the end of the quarter, three staff who passed all three are chosen at random and, in a short meeting with their manager, presented with a "cybersecurity defender" certificate and a gift card. With their permission, their photo goes on the hospital's digital signage and the intranet. This turns the phishing program from a compliance-driven thorn in the side into a positive dialogue that reinforces the correct behavior.
  • Recognition of improvement: Staff who fail at least two of the three simulations in a quarter are assigned training (the mild "stick" in an otherwise carrot program). When they pass all three simulations the following quarter, we send them an appreciation e-card to applaud their progress.
  • Participation in Cybersecurity Month: Throughout October, we disseminated training documentation on the intranet front page, rotated quick cyber tips on digital signage, hosted a 30-minute vendor-led session, and ran an in-person tabling event with the privacy and compliance teams, with a raffle for staff who stopped by. Much of the material is available for free and only needs branding for your organization.
  • Custom newsletters: A vendor produces newsletters with topical videos, quizzes, phishing exercises and headlines, and will build content around issues we are seeing. We distribute them quarterly via email, the intranet and Yammer rather than twice a month, so staff are not bombarded, and the vendor supplies engagement metrics.

Note: While the strategies mentioned have been successful in our organization, they may not apply to every organization. The key is to adapt them to best fit your organization’s unique needs.

Measure Your Progress: Why Metrics Matter

To track the effectiveness of your training program and justify its continued investment, you need metrics, and the metrics should follow from the program's goals (reduce clicks, reduce interaction, increase reporting, or raise awareness). If you are just starting, pick one goal first. Some examples:

  • Click rates: The most common metric, the percentage of recipients who clicked on or otherwise responded to a simulated phishing email. Use a percentage rather than a raw count, because headcount changes between quarters, and categorize each simulation by lure type so you can see which kinds your staff find hardest.
  • Interactions: The share of recipients who open a phishing email. This can be harder to measure: a preview-pane view should not count as an interaction, while opening the message in its own window and examining it should. The goal is fewer curious opens, not just fewer clicks.
  • Reporting rates: Reporting is a "nice to have" behavior that goes a step beyond not clicking. A rising reporting rate for known phishing emails lets your security operations team respond more quickly to real threats that the email filters missed. Time to report, and time to report versus time to click, are useful companions to this metric, and healthcare organizations can benchmark against peer providers.
  • Readership metrics: Tracking engagement with distributed cybersecurity materials (newsletter opens, quiz completions, PDF downloads) shows how aware your staff are, and comparing distribution channels such as email, the intranet and Yammer shows which one actually reaches them.
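As an added example (not the author's tooling, and not tied to any particular simulation vendor), the script below computes the metrics discussed above from one record per recipient per simulation. It assumes each record carries the timestamps of when the lure was sent, opened in its own window (preview-pane views are not recorded, per the interaction caveat), clicked and reported; the simulation IDs, lure-category labels and all the sample results are constructed for illustration. Rates are expressed as percentages so they stay comparable as headcount grows, and the trend and per-category views mirror the two slides described in the talk.

```python
"""Phishing-simulation metrics: click, interaction and reporting rates as
percentages, click rate by lure category, click-rate trend over time, and
median time-to-click versus time-to-report.  Added example; the data below
is constructed and not from any real campaign."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass
class Result:
    """One recipient's outcome in one simulation; None means the event never happened."""
    simulation: str                   # assumed ID such as "2023-Q1-01"
    category: str                     # assumed lure label, e.g. "credential", "attachment"
    user: str
    sent: datetime
    opened: datetime | None = None    # opened in its own window; preview-pane views are not recorded
    clicked: datetime | None = None   # followed the link or opened the attachment ("responded")
    reported: datetime | None = None  # used the report-phish button


def pct(hits: int, total: int) -> float:
    """Percentage to one decimal; a rate, not a raw count, because headcount changes."""
    return round(100.0 * hits / total, 1) if total else 0.0


def median_minutes(rows: list[Result], field: str) -> float | None:
    """Median minutes from send to the named event, over recipients who had the event."""
    deltas = [(getattr(r, field) - r.sent) / timedelta(minutes=1)
              for r in rows if getattr(r, field) is not None]
    return median(deltas) if deltas else None


def simulation_metrics(results: list[Result]) -> dict[str, dict]:
    """Per-simulation rates and timings, keyed by simulation ID in sorted (chronological) order."""
    by_sim: dict[str, list[Result]] = defaultdict(list)
    for r in results:
        by_sim[r.simulation].append(r)
    metrics = {}
    for sim, rows in sorted(by_sim.items()):
        n = len(rows)
        metrics[sim] = {
            "category": rows[0].category,
            "delivered": n,
            "click_rate": pct(sum(r.clicked is not None for r in rows), n),
            "interaction_rate": pct(sum(r.opened is not None for r in rows), n),
            "report_rate": pct(sum(r.reported is not None for r in rows), n),
            "median_min_to_click": median_minutes(rows, "clicked"),
            "median_min_to_report": median_minutes(rows, "reported"),
        }
    return metrics


def category_click_rates(results: list[Result]) -> dict[str, float]:
    """Click rate pooled per lure category, to see which lure types staff find hardest."""
    sent: dict[str, int] = defaultdict(int)
    clicked: dict[str, int] = defaultdict(int)
    for r in results:
        sent[r.category] += 1
        clicked[r.category] += int(r.clicked is not None)
    return {c: pct(clicked[c], sent[c]) for c in sent}


def click_rate_trend(results: list[Result]) -> tuple[float, float, float]:
    """(earliest simulation's click rate, latest simulation's click rate, change in points)."""
    rates = [m["click_rate"] for m in simulation_metrics(results).values()]
    return rates[0], rates[-1], round(rates[-1] - rates[0], 1)


def sample_results() -> list[Result]:
    """Constructed sample: two simulations, with headcount growing between them."""
    t1, t2 = datetime(2023, 1, 10, 9, 0), datetime(2023, 4, 11, 9, 0)

    def rec(sim, cat, sent, user, **events):          # events are minutes after send
        stamps = {k: sent + timedelta(minutes=v) for k, v in events.items()}
        return Result(sim, cat, user, sent, **stamps)

    a = lambda u, **e: rec("2023-Q1-01", "credential", t1, u, **e)
    b = lambda u, **e: rec("2023-Q2-01", "attachment", t2, u, **e)
    return [
        a("u1", opened=5, clicked=7), a("u2", opened=10, reported=12), a("u3"),
        a("u4", opened=3, clicked=4, reported=30), a("u5", reported=2),
        b("u1", opened=2, clicked=3), b("u2", reported=1), b("u3", reported=4),
        b("u4", opened=6), b("u5"), b("u6", opened=8, reported=9),
    ]


if __name__ == "__main__":
    data = sample_results()
    for sim, m in simulation_metrics(data).items():
        print(sim, m)
    print("click rate by category:", category_click_rates(data))
    print("click-rate trend (first, latest, delta):", click_rate_trend(data))
```

Note that a recipient who clicked and later reported (u4 in the first simulation) counts toward both the click rate and the report rate; reporting after a click is still the behavior you want, since it is what gives the operations team a chance to contain the incident.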

Key Takeaways

Here are quick points to remember:

  1. Positive engagement with staff builds trust and opens the dialogue the security team depends on.
  2. Do not just throw training at staff: it has to be good, engaging, and coupled with a hands-on approach if it is going to stick.
  3. Decide on the program's goals before you revamp or start it (for example, fewer clicks, fewer interactions, more reports, or greater awareness), and choose the metric for each goal up front.
  4. Track those metrics over time; without them you cannot show the program's impact, or its lack of progress.

In conclusion, the "carrot" approach plays a pivotal role in the successful implementation of an effective cybersecurity training program. Rewarding good security behavior and tracking progress through metrics will encourage employees to adopt safe practices and keep them. Remember, the key to successful cybersecurity training is not just to impose rules but to motivate and educate.


Video Transcription

I want to thank everybody for joining. My name is Katie Whitt, and today, as suggested by the title, we're gonna talk about ways in which you can take the carrot approach to your cybersecurity training within your organization. All right. So here's a quick rundown of the agenda. First, of course, there has to be a small blurb about myself. And then we'll move on to the ideology behind the carrot versus the stick approach. We'll talk about the ways in which your organization and my organization use the carrot approach to train our staff on cybersecurity. We'll talk about metrics and how you can use those to show the progress of your program over time. We'll talk about some key takeaways, and I will leave time at the end for questions, about five minutes. You do wanna make sure you're using the Q&A portion and not the chat. They said that the chat is closed and we should use the Q&A. So if you have questions, go ahead and throw them in there and we'll go over them at the end. All right. So, like I stated already, my name is Katie Whitt. I am a ge certified security analyst and I work for Nationwide Children's Hospital. I've been in IT for a little over 10 years and I've been at Children's for almost eight now. At this point, September will be eight years. I started at Children's as a service desk analyst, actually.

And I worked my way up to the infosec team, and I've been on the team for about four years. Some of my previous roles at Children's have included knowledge manager; I was our process owner and knowledge manager for ServiceNow. I was also a service desk engineer and a trainer. And as I stated already, I started at the service desk as an analyst. I have a bit of a less traditional path than most you'd probably see. I have an undergraduate degree in fine art photography, and I also hold a master's in marketing. I will say, though, that I have been able to utilize those nontraditional paths, and my experience with design and customer service, which I have quite a bit of as well, to help shape our current program. So it's helped. So, enough about me; let's talk about the ideology behind the carrot and the stick approach. So when it comes to teaching staff about cybersecurity, the idea behind the carrot approach is that it's more of a pull approach to motivate, while the stick is more of a poke, push or prod, a consequential approach. With a carrot,

You're moving towards something while the stick, you move away from something while the stick is often short lived and only works when the stick is actually there. The carrot approach you'll witness much more longevity. Let's be honest when we think about times in our life, especially if maybe you have Children or something like that. Uh You often remember the good things about having a newborn as they get older and not so much the bad things like uh the endless diapers and the late nights and, and things like that. So you remember the good things though, right? You remember the first time they said their first words, they said mommy or daddy or maybe the first steps they took as they got older. It's similar in our work atmosphere that people have to remember the good things that they've done or the good times rather than those bad ones, right? We remember being rewarded for something and sometimes we even display those rewards, but no one wants to be remembered for the bad things, um or something they did wrong. We are achievers at heart and we enjoy getting recognition and praise.

Also, the carrot approach helps to build community between your security staff and the rest of your organization. Too often in my role, and I'm sure that you probably feel this way as well if you're in infosec, we feel like we're the bad guys. We're telling them what they can and cannot do, and while in some situations that can be true, we want to project an image of openness and availability. If your staff is too afraid to say something about something they clicked on, or too afraid to ask questions when something seems off, then we're losing out on the opportunity to have that open dialogue, to be teachers, not just bad guys. I do want to provide a disclaimer, though. I'm not saying the carrot approach will work for every single situation. I will not reward something, and our organization would not reward something or someone, for knowingly causing harm to the organization. So now that I've thoroughly convinced you that you should take more of a carrot approach when it comes to cybersecurity training, let's talk about ways that that can be achieved. Of course, I'm gonna present you with things that my organization has done, and while this may not work for every organization, I'm hoping that it can be a jumping-off platform to help elevate your cybersecurity program. So let's talk about ways in which we have elevated our program and what we've developed over the last few years.

So here's a small list and I'm gonna go through each of these. So I don't have to read them off. So when I started on my team, we did have a fishing program, but it was seen as more of a compliance driven thorn in the side. Uh One of the first things we started doing was rewarding our staff on a quarterly basis for passing all three simulations. So this is creating that positive open dialogue with a cared approach by reward. What we do is we run three simulations. So one for our corridor, we won one a month. And at the end of the month, once we've run a simulation, we pick three people that passed all three simulations. We pick them at random. We uh have a team meeting with them. So we have their manager myself and that employee and we present them with what you can see here is a certificate uh joining the ranks of our cybersecurity defenders. Of course, that's the best part, right? Not the $50 gift card we also present them with and they get a choice of about three or four different things that they can pick what they want. Uh We also ask if we uh can take a picture as you can see here and we post it on our digital signage throughout our hospital and we also put it on our internet site.

So yes, we do this every quarter, and we have three winners per quarter, which equates to 12 a year. Honestly, this is my favorite program that we've done so far. People are really engaged. Yes, they love the gift that we give them, but they're really excited to have done such a good job, and I enjoy it. So another program that we do is a bit more of a hybrid carrot-stick approach, but I wouldn't necessarily call it a stick per se. The program is built off our phishing simulations as well. If someone fails at least two of the three simulations, we do send them training, which is more of a stick approach. But I wouldn't necessarily call training a stick. But because you're assigning it based off a bad behavior, I guess you could call it a little more stick-like. However, we do recognize when they've improved since the last quarter. So perhaps you've had an employee that was assigned training because they didn't do so well in the last quarter, and then this quarter they passed all three simulations. We recognize their good work and improvement by sending them an e-card expressing appreciation for continued improvement.

Speaking of training, we also started participating in Cybersecurity Month, which takes place every October. We started off slow the first year by just creating some training documentation that we put out on our intranet site. We essentially took over the front page of the site for the whole week. We also created quick cyber tips that we could rotate through our digital signage as well, and we worked with marketing to achieve that. This last year, though, we did step up our game a little bit, which we'll continue to do, and we asked and invited a Proofpoint member to come talk to our organization about cybersecurity training. The nice part was it was free to us because we are a user of Proofpoint. So we got to utilize that, do online training with them, and it was a 30-minute session. We got some really good feedback on it. One other thing that we did this year is we worked with our privacy team, as well as compliance, and we did an in-person event where we had tables throughout our hospital and our research building, and we presented people with the option of entering a raffle if they came to our table to collect some printed material. This is part of that building-a-community piece. What's really great about Cybersecurity Month is that there's a ton of free documentation already created,

So you don't have to spend a time, a ton of time doing it. Maybe you could brand it for your or organization uh to make it a little more fancy. But uh at the bottom of my slide, here is the link to the website. And again, they do it once once a year in October. So the last thing it's a little new to us in the partnership we have with a company that creates custom cybersecurity newsletters. This company delivers some terrific cybersecurity newsletters and it's engaging, it provides topical cybersecurity videos and quizzes and fishing exercise and even cybersecurity headlines. If you have specific content that you would like to have them create as opposed to maybe what they sent you, they will do that for you as well. This takes the burden off your team and specifically me in my organization to create that invaluable content. They provide engagement and viewership metrics as well to see how engaged your staff really is. Uh We also have our co send an organization wide email every quarter with this content. That way we're not bombarding people with emails. Uh By by weekly, essentially the way that the program works is they put it in an format that you can send twice a month. But we've chosen to do our internet as well as yammer and, and an email update.

So we're not bombarding people with emails all the time and it's flexible in the way that you can do uh and distribute the way in which you want to as an organization, whatever works best for you. So while these programs really sound great, at least I hope they do. You need a way to quantify them in order to really do that, you really need to think about the goals of your program. So perhaps your goal is to reduce clicks on phishing emails really uh simple, uh very specific or even more simply you want to reduce the interaction with phishing emails or maybe your organization is pretty good at avoiding phishing emails, but they aren't really very good at reporting the phishing emails.

so you want to increase the reporting. Maybe your staff isn't even aware that you have these programs, and they have a lack of knowledge on how to stay cyber safe, and you want to increase the awareness. So these are all different goals. I'm not saying you have to just pick one; you can do multiple. But if you're starting with your program, I would suggest picking one and going from there first. So let's talk about click rates. Click rates are probably the most commonly used metric, and it can be a really good indicator of the effectiveness of your phishing program. Here's a look at some of our metrics from the past simulations. First, you'll notice that we categorize each simulation,

so if you want to, we can filter by type of simulation, and we can determine which simulations might be harder for our staff, or maybe which they excel in. Second, of course, we look at just raw numbers of responses, responses being staff that clicked on the simulation. Now, because our staff population is continually growing, because we work at a hospital and we have research as well, we focus on the percentage of people that have clicked or responded. So on the second image here, you'll see trends over time. You'll see the response rate has declined since 2018, which is great. So, click rates may be the most popular, but it may not be the best place to start for your organization. Perhaps you have several inquiries about phishing emails, and you feel your staff doesn't quite understand what it is to interact with or open an email, and they're not sure if it's a phish, and they just don't quite understand it. You could simply start with a metric that shows how many people are interacting with or opening an email, or a phishing email. This one can be a little harder to track, though, I will say, because the way that we typically have our email set up is there's a preview pane.

So when you click on the message, it just shows a preview; that's not considered an interaction. An interaction would be if they double-clicked on the email and it opened a new window and they're investigating and looking at it. So that would be considered an interaction.

So the goal of this metric is really simply to say that we want fewer people interacting with these types of email and fewer people being curious, and to just ignore them; it's as simple as that. So another goal would be to increase your reporting. This allows your SecOps teams to respond quicker in a real phishing situation. Sometimes the technology we have in place may not catch the real phish, and we need to rely on our staff to report these types of situations to us. So the goal of the other metrics is to do the right thing, right? To not click on a phish, and not do something that they shouldn't be. The goal of this metric takes that one step further. When we're looking at reporting, we want them to do it, but it's not necessarily something that they have to do. It's more of a nice-to-have. So an example would be speeding. We know that we shouldn't speed, and we know we shouldn't click on a phishing email, but we also have the option to report phishing, or report those who are speeding. It's not something we have to do, but it helps keep us and those around us safe. It's similar in the type of situation of reporting. It would be nice to have, and it would help keep our organization safe, and we want to encourage people to do so,

so that your staff feel empowered and feel like they're part of your organization, helping keep them safe and the staff around them safe. So the last metric I want to look at is changing gears a little bit. Remember when I talked about Cybersecurity Month and the cybersecurity newsletters? Well, we wanted a way to see if our staff was interacting with and learning from the documentation that we were distributing. The way you can do this is by simply looking at readership metrics. Since the cybersecurity company that we use is still a new program, we only have a few months of metrics. As you can see on my slide here, we decided to try a couple of different sources of distribution to see which one works best. So we use our intranet site, email and Yammer, as you can see on the bar graph. By using different platforms, we can just see what's doing well. And I think email tends to do pretty well, but as you can see from all of them, it really depends, honestly. So we need a few more months of metrics to really understand what is doing best. So overall, we look at readership metrics, and we look at how staff members are interacting with quizzes and downloading PDFs as well. I'm not showing that here, but that's something that's coming.

We're also gonna start looking at how well people are doing in quizzes and start rewarding them for those types of behaviors as well. But that's something again, that's still kind of new to us. So we also do things like uh track time to report, we also do time to report versus time to click. So these are metrics that I haven't shown, but these are o other things you could focus on if you want, uh you could benchmark with other organizations, other health care providers if your health care like we are. But the point here is that if you want to show progress and improvement of your program or, or even lack of progress, you have to metricize your program. So uh just a few key takeaways here. Um First, you have to understand just how important it is to positively engage with your staff. This helps build trust and allow for open dialogue uh to positively engage with your staff. It helps build trust and allows for open dialogue. Second, you need to make sure that you are not just throwing training at your staff. Um You need to make it stick, you need it to be good and it has to be engaging coupled with a little bit of a more hands on approach.

Third, before you even start going down the path of revamping or simply starting your training program, you have to figure out what your goals are first, and you have to metricize those goals, or it's kind of all for naught. The last thing is you have to track your progress to develop the best program out there. But as I stated already, you may not know what the impact is unless you metricize. So that is the last key takeaway. I really appreciate everybody. I know that I did it fairly quick here, but I wanna, of course, make sure I'm leaving a little bit of time at the end. I wanna make sure if anybody has questions. It looks like I might have one in the chat. Let's see. "Do you create your own simulations and training content, or do you use content from a cybersecurity training company?" So we do a little bit of everything. Sorry if I rambled through that; the question was, do you create your own simulations and training content, or do you use content from a cybersecurity training company? So we do have a company that we already use to create our training content for us. And we have two different programs. So we use one for our phishing simulations, and again, they create most of it for us. I may manipulate a little bit, and I manipulate a little bit of the training content.

So if it's a phishing simulation and somebody clicks an attachment, we create the attachment that's branded for us. So people understand when they click on the simulation of the attachment or something that it's our content, they're clicking on. Um Some people were confused that it was or was not a simulation. So we had to make sure we branded it. So a little bit of both the company that we're using for our cybersecurity newsletters that we just started a few months back. They create most of the content for us, but there have been occasions where things have come up in our organization where we wanted to specify certain problems that we're seeing. So we'll send them subjects or a little bit of content. Maybe like A I chat G BT have been some huge ones. Uh We also had some, a lot of fishing calls for some reason come in and we told them the problems that we were having in the next newsletters that they provided us with included that content. So it's a little bit of both. The first year we did cybersecurity month. I created all the content and then I started digging more into that website and pulling some of their content and kind of doing a hybrid approach. So, um let's see, I don't think I see any other questions. Um Does anybody else have anything? I wanna make sure I'm leaving enough time. So I ran through it pretty quick. Ok. Well, I appreciate everybody joining. I'm gonna cut it a little short unless anybody has questions.

Feel free to look me up on LinkedIn. Like I said, my name is Katie Whitt. I work at Nationwide Children's Hospital. I'm a security analyst there, and I appreciate everybody joining. Thank you.