
How to effectively use incentives in your security awareness training


Robert Scanlon of SecureClick interviews Uri Gneezy, author of Mixed Signals.

First of all, thank you very much for taking part in this interview today. What was your motivation for writing a book on incentives?

I've been studying incentives for the last almost 30 years now, and I thought about it as a kid also. And I thought it was time to put it all in a book, and basically to tell the story that I really care about, which is the signal aspect of incentives. I thought that I had something new to say.

So in your experience amongst managers, is there a good understanding about how incentives work in, for example, the US and Europe?

So it's a very complicated question. I think that too often, companies, and individuals think about incentives in a simplistic way. They don't understand what they do. They think that, "Oh, we understand incentives. We'll just give people more money, or we'll just do something and it will work." And it happens that incentives don't always work that well. And in particular, people ignore the fact that they send a message when they give incentives. And this message is going to go through some kind of interpretation, and tells a story about what they care about. And it's that part, I think, that many people, many companies, organisations, individuals, and governments, don't understand. And that's what I try to talk about.

Okay. So when you say "send a message", can you give an example?

Yes. So, let's talk about the Coca-Cola example. So the CEO of Coca-Cola had a great idea. They had a vending machine, which they could put a thermometer inside. This would tell them how hot or cold it was outside. And this idea was, on cold days, let's charge say the regular price of a dollar. But on hot days, we can charge more. Let's charge $1.50 because people want the soda more. And because of that, they'll be willing to pay more for it. It makes sense. It's called price discrimination economics. It makes a lot of sense to do that. Of course, this surcharge made people really upset with Coca-Cola, with the CEO, because they thought that he was trying to take advantage of them when they really needed the soda. What he should have done is the opposite. He should have said, "Look, the regular price is $1.50. But on cold days, we're going to give you a discount of 50 cents." Right? So exactly the same prices on the same occasions, but a very different story around it. The message that he sends with the alternative pricing is, "Look, whenever I can, I'm trying to help you and give you a discount." No one is going to object. No one is going to think poorly about the company if they give a discount. So that's an example of how, without really changing the incentives, you have the same prices with the same situation but you’re telling a very different story.

So, the framing of incentives is, obviously, very important?

Yes, because the incentive tells you a story. People look at the incentives, and they build a story. Why did the CEO of Coca-Cola do what he did? So, in the first example, the way he did it, the story is, "Well, he's greedy. He wants to take advantage of us." And the story that they're telling in the second case is, "Oh, they are just trying to maximise profits. It's fine. And when they can, they give us a discount because that's better for them." Something like that. But it's not creating some kind of negative feeling.

What would you say to the managers out there who say, "Well, actually, we don't do incentives in this organisation because they're not sustainable in the long term"?

They don't understand what incentives are. It's not just about money, right? So an incentive could be— I can tell you, "Look, Robert, you did a great job with this." Right? So this interview, whatever it is, wherever you work, I can tell you, "Great job with sales." Or, "Great job with writing this paper." Whatever it is. That's an incentive, right? I can give you— I can make it more official with awards. I can call it awards. That's an incentive, right? Employee of the week, or whatever it is. I can give you a better office. I can give you more vacations. All of these are incentives. There is no organisation, there is no family, without incentives, right? You have kids, you know that they use incentives on you. So, a baby is going to scream if they're not happy. And that's an incentive for us to go and find out what it is that they need. So they might be hungry, for example. What they'll do is scream. And the screaming is something negative for parents, for most parents. And that's why they'll go and try to make the baby stop screaming. Everything is an incentive. That's what motivates us.



So what about the parent who's going to say to one of their kids, "Well, actually, you're not going to go to the playground on Saturday if you don't stop screaming"? Is punishment an incentive?

Yeah, of course. Punishment is an incentive. That's an example of a very strong explicit incentive. Yes. And I'm not saying that it's going to work necessarily. I'm not saying that it's a good idea. Not all incentives are a good idea. Many of them are bad ideas, but it is an incentive.

Okay so in the workplace of 2023, would you say that managers, and I know this is a very general question, would you say that managers should use punishment as an incentive?

They shouldn't let the employees go to the playground on Saturday? [laughter] Yes. I think that punishment definitely works in some cases. So for example, let's say that I don't want you to do unethical things. I don't want to promise the customer stuff that is not true. I'm going to audit and see that you don't do it because I want to signal to you that ethics is really important for me. So if you promise the customer something, and then the customer doesn't get it, that's an unethical behaviour to me. And if I would have been your manager, I would have tried to convince you that you shouldn't do something like that. And convincing you could be telling Robert, "What you did is bad. Don't do it again." Or it could be, "If you do it again, I'll fire you." Or it could be anything in between, right? So punishment is useful in some extreme cases. It's not going to create a very— if I tell you— if I try to punish you too often, it will be, again, a negative signal about, "Look, we are trying to work over here. Instead of trust, we are trying to do something else, right? We're trying to create some kind of place where you're afraid of me." But I should say, "Look, there are some extreme cases in which I'm going to punish you." Because you want to signal there are things that you don't do, that you don't like, to customers.

So, you gave a very interesting example in your book about how sometimes incentives are able to override culture. From an organisational context, what’s the interplay between culture and incentives?

So in many cases, culture is really important for organisations. Right? That's not new. In some cases, the culture, it's just like norms that we have. In some cases, norms are created for one environment. And they keep using that. We keep using them even when the reason that we started it is not relevant anymore, right? So we created some environment in which the norms were important. Now the environment has changed and we still use them. And the same could be said about culture. Culture could have been, say, pre-pandemic coming to work every day was really important because that's the way everything was structured. And now it's not. That's a huge shift in culture. Maybe the biggest we'll see in our lifetime, right? So they're working remotely. That was done in such a short period. That really brings the change in the culture of the organisation. Incentives could really help, right? We'd get people used to it. So for example, you can say, "Even for people that work remotely, on Thursday it will be good if everyone will show up at the office so we can have meetings, and we can get to know each other in some social aspects." And that part, you can incentivise. So that would be an example in which you want to change a culture, and you adopt a new situation, and you use incentives.



Do you think that the nature of incentives since the pandemic has changed? So for example, before the pandemic, many organisations were saying to their employees, "Well hey, we’ll give you free pizza and beer on a Friday." And now the sentiment among many employees is, "Well actually, I don't want free pizza and beer. I'd rather work from home on Friday, or have Friday off."

So, it depends on how to make it happen. I would make these Fridays much more pleasurable. I would make it more enjoyable to come to the office, right? So again, one way to do it is just to say, "Look, on Friday, you need to come to the office." But then, many people will leave this organisation. They will not be happy. That's not what you want. But you can try and make it nicer. So you can make a nicer space. And make it such that you actually have some useful meetings during this time, right? Something that people really appreciate, right? So try to make the experience itself much more pleasurable. That would be an incentive to show. And it could go all the way to direct incentives. I can give you some extra bonus if you show up this Friday. That could be risky because if the bonus is not large enough, it could backfire. They could say, "Wow, you're giving me $50. I would rather not come. That gives me legitimacy not to play ball." If you incentivise it in the right way, people will show up.

In your book, you have many examples about how you have to use the social aspect of incentives, as well. Using, for example, peer pressure.

Peer pressure is important, yes. So, if you want to change the culture around working in the office on a Friday, let’s say, if I'm going to be the only one coming to the office, that's not going to be useful. There's no reason for me to comply. But if I'll be the only one not coming to the office, I'll feel really bad about it because my peers will not be happy that I didn't show up, right? So in this example, moving enough people from not coming to coming on Friday would make a difference, and could make the peer pressure that we're talking about work, right? So if I tell you, "Robert, why didn't you show up on Friday? We were all there having fun and missed you," that's a type of peer pressure. So sometimes you don't have to influence everyone. You can influence some people in the hope that these people will influence their peers.



And some employees have more influence on their peers than others, right?

Right. So whenever you talk about networks like this, you always have more important nodes than others, right? So more important people that are more connected, say. So it could be, if the boss is going to be there, it's going to be much more important for me to show up so the boss will see me. But if they don't show up, I care about it less. So incentivising the boss, in a way, would be a very useful way of incentivizing people, right? Or it could be any other function that you think is important for the people, right? So clearly like in any social media, there are people with more and less influence, and you need to look for the influencer and try to bring them in. That will increase the effectiveness.


On a more granular level now, I work in the area of IT security awareness. And at the moment in a lot of organisations, you've got a big chasm between the IT support teams, or the IT security teams, and the end users. This presents a problem because the end user is going to be less likely to report suspicious activity to their IT support or security teams. Could incentives work in a situation like that, to make reporting more frequent? Or to make reporting more commonplace?

What did you have in mind? What did you think might work? You know this area much better than I do.




So, for example, many IT security awareness managers will say, "Oh, well, actually we'll give gift cards out to people who report the most phishing emails". So do you think something like that is a good incentive?

Right. So, you need to be careful that they will not start creating phishing emails, right, and then start reporting them. So, one thing that, for example, helped me with this is that I once received such an email. I usually delete them. I delete many of my emails. But this one, I clicked the link. The link said, "This is from your IT security team. You shouldn't have pressed this", right? And that was a very strong incentive for me not to do it again. So, I saw that I was lucky in this case, but that could have ended up really poorly. So that's a kind of incentive, right? So that if you bring an issue to the top of their mind by doing this— I felt really bad that I pressed it. And I understood that that could have ended up very badly for me. So that's one example, right? But also following up on that, for example, if they send users a simulated phishing email, you can follow up with them later on, and specify exactly what you did, right. "Steve, thank you. Thank you for reporting this. This ended up to be A, B, C, and we did X, Y, Z. And we really appreciated what you did." That would make me feel good about reporting, right? Because if I just forward something to you and you just say, "Thank you," I'm not sure if it's important or I'm just annoying you. But if you take the time to reply, "Thank you for this. It turns out that email was harmless", or "it turns out that the email was malicious," giving them a detailed reply could be a type of incentive. That would make me feel good about what I'm doing, and I'll be more likely to report something new in the future.


Right. So managers should look beyond financial or material rewards when it comes to incentives, right?

Absolutely. Going back to the example that I just gave, if you write back a detailed email to me, I see that you invested some effort to me, which signals to me that it was important for you. If it wasn't, why would you do that? If you send me just "Thank you", if you don't reply to me, I am not sure that you even received it. If you write "Thank you", I'll think, "Okay, he gets 500 of these a day. It cannot be important." If you send a detailed reply, I see that you really took it seriously, and that I really contributed something, and I should keep doing this because this is important. So that's the signal that I get out of it and that could be really important.

You mentioned there about over-reporting. How would you help prevent a situation whereby, if they're incentivised by reporting phishing emails, all of a sudden, you're going to get loads of employees reporting any email that remotely looks suspicious? This could lead to other threats becoming sidelined.

You can start creating some kind of grid, according to which you are compensating them. But I think that that's— I think that in general, the example that you give is something that I already care about. I don't want to open a phishing email. That's why when my IT department sent one to me and I clicked on it, I felt bad. I have strong incentives not to do it. So, I'm not sure that money would be the right way. But if you want to go the route of money, you need to have different tiers. This one was just, "Oh, come on. This email was a sales pitch from Amazon. That was not a phishing email. You should have known." At the other end of the scale, you might have a very sophisticated phishing email that I might forward to you. And then you can incentivise differently based on this. But that's not simple, right? I'm not recommending this kind of path because it's kind of complicated to do.

I was recently speaking to an IT security awareness manager who told me his most effective incentive ever was actually issuing promotional stainless steel coffee mugs to his employees. Can you explain why highly visible incentives like this can be so powerful?

This coffee mug, I just wanted to show you [lifts up stainless steel coffee mug to camera], that that's my NPR coffee mug, right? Those are useful, I think. Each time I drink from it, I say, "Well, my wife is a nice person. She donated. She gave money to NPR." And the same is true for IT security, right? If you give me a mug and tell me, "Oh, thank you. The phishing email that you reported was really helpful," that's definitely a good incentive.

Do you think with remote working becoming more prevalent that using these social signalling incentives is becoming more difficult?

No. I think that we are still all the same as we were also from the day we lived in caves. The environment changes very much. And it could be that now social media is more important, and I want to signal to you how terrific my life is by sending you pictures of my food on Instagram. Which I don't understand because I'm old, but it doesn't mean that, fundamentally, they are different from the incentives that worked on me when I was a kid, right? So, I want to impress people with something. So, I take actions to enable this. That's the essence of what the caveman did, and what we do today, right? And the world is changing, which means that the way we signal is going to be different, but the importance of social signalling is not less important than it was before.

Okay. Very interesting. I was recently speaking to a manager and he had just launched a new cyber security awareness program using an e-learning platform. I asked him how he was going to get his employees to engage with the platform. And he basically said, "Well, if they don’t engage with it, it's going to result in punitive action." Do you think the manager was on the right path there?

If the manager says, "Look, this is really important for me. So I don't punish you regularly. I don't threaten punishment. But this one I am going to punish," that's very useful. And that's a signal that the manager is really serious about that. So again, apart from the punishment itself, I get there are millions of things. You work. I work in the university. I signed a contract I don't know maybe 500 pages long. I didn't read it. I don't know what's really important. But if you tell me, "Look, Uri, if you do this, you're going to be punished," then I understand that this one is really important, right? So it's not just the punishment. The punishment could be small. But the fact that you told me this is a punishable action, you signal to me that, "Look, I really don't want you to do that. I don't punish you for everything but I’ll punish you for this." And that's why if we go back to the kids example, if you want punishment to be effective, you cannot punish all the time. If your three-year-old runs out onto the road, that's where you want to punish them. Because it's not, "You didn't finish your homework", or "You didn't do this". This behaviour is life and death. You want them to understand, "Look, this is important." And you can achieve this by punishing them. And punishing them could be raising your voice, or it could be not going to the playground on Saturday. I don't know what it is. But you want to make sure that they understand and remember, "This is an important event." But if you punish them five times a day, that's going to lose its effectiveness. And the same is true in your example. If the manager punishes them a few times a day, when they are faced with punishment, it's going to be less effective. If it's one thing— and it could be like the example with the parents. It could be just raising my voice. I don't regularly raise my voice, but then when you do something like this, I do, and you get the idea that this is something extreme and you shouldn't do it.



Going back to people who game the system. This has been a well publicised problem for companies like General Electric during the Jack Welch era. It's been a problem for companies all over the world where employees are so interested in meeting their metrics, they start to game the system. What's your view on this?

That's always true. Again, cave people did it, and we are doing it, right? And it's never going to change. So whenever you design incentives, you should know that on the other side, you have people that are going to be really creative in finding ways to game your incentives. So try to think about it in advance. That's the first thing. And then after that, make sure that you keep testing what you're doing. So you keep doing something like A/B testing and you see whether, first of all, your initial incentives are right, and then see, occasionally, whether they made things worse because people learned how to game the incentive system. So don't just say, "Oh, I introduced this incentive. It works great." Because it could be that it will take people a week to find a way to game the system, but they will, right? So keep on using A/B testing, just be aware of what's happening; try to figure out how people can be creative.

A lot of organisations now will use models like the BJ Fogg model of behaviour change. How do incentives tie into a model like BJ Fogg?

So, behaviour change is a whole different issue. It's really, really hard. So many of us try to eat better, exercise more, stop smoking, stop playing computer games, whatever your bad habit is. And if you don't have a bad habit, you're a really boring person. And we know that it's really hard. So let me give you one example of a way in which I can change your preferences. It could be discovery. I remember the first time that I was taken to a sushi restaurant. As a kid, you know growing up in Tel Aviv, I didn't know what sushi was. And then when I was in my 20s, I went. And the idea of eating raw fish was not very appealing. Why would I want to eat raw fish? But then you eat it, and you discover that you like it. So, in many cases, I can give you incentives to try something, and then hopefully you'll discover that you like that kind of behaviour, right? You'll discover your preferences. So that would be one example where incentives can work, but it's a whole different topic that I find extremely interesting.

So just to wrap up, for managers reading this blog, what would be the top three tips that you would give when they're going to roll out an incentive program?

That's very easy. Buy my book and read it! The first thing is to use common sense when you're looking at incentives. Try to figure out what's the signal that you're sending. The second one is to use A/B testing to actually see that what you intended happens. And maybe the third one would be keep doing the A/B testing. Developing and maintaining incentives is a dynamic process because people will learn how to game it.

Great Uri, thank you so much for taking part in this interview and sharing those very interesting insights.

Uri Gneezy is professor of economics and strategic management at the University of California, San Diego. His book Mixed Signals: How Incentives Really Work (2023) is published by Yale University Press.



 

 

 


 

 

 

 
 
 
 

 

