Image: iStock/jauhari1

With all the negativity in the world, it feels like a good time to remind everyone that positive reinforcement is an effective tool for improving employee behavior when it comes to cybersecurity.

SEE: Security incident response policy (TechRepublic Premium)

To keep everyone on the same page, let’s use the definition championed in Courtney E. Ackerman’s article Positive Reinforcement in Psychology: “A desirable or pleasant stimulus after a behavior. The desirable stimulus reinforces the behavior, making it more likely that the behavior will reoccur.”

Ackerman cited famous psychologist B.F. Skinner’s Operant Conditioning Model as a way to clarify positive reinforcement. “Skinner’s model of operant conditioning is based on the assumption that studying a behavior’s cause and its consequences is the best way to understand and regulate it,” Ackerman said.

Skinner’s operant model uses the following methods of conditioning:

  • Positive reinforcement: A desirable stimulus is introduced to encourage a specific behavior.
  • Positive punishment: An undesirable stimulus is presented to discourage an existing behavior.
  • Negative reinforcement: An undesirable stimulus is removed to promote an appropriate behavior.
  • Negative punishment: A desirable stimulus is removed to discourage an existing behavior.

“Each of these four methods of conditioning can be implemented to teach, train and manage behavior,” Ackerman said.

Why is psychology important in cybersecurity?

According to the FBI, phishing was the most common type of cybercrime in 2020, and phishing only works if the intended victim is coerced into doing what the cybercriminal wants. Hence, users get blamed for their willing participation and receive a lot of what Skinner considered punishment.

SEE: DDoS attacks largely target the US and the computers and internet sectors (TechRepublic)

Sai Venkataraman, CEO of SecurityAdvisor, in his Help Net Security article, The power of positive reinforcement in combating cybercriminals, said he wants management to rethink its approach and use positive reinforcement instead.

“It’s important to recognize that cognitive bias is part of the human brain’s makeup and functionality,” Venkataraman said in his introduction. “While these subconscious mental shortcuts make it difficult to change behaviors, it’s not impossible.”

Cognitive bias is hands down the culprit. Charlotte Ruhl, in her Simple Psychology article What Is Cognitive Bias? defined cognitive bias as:

“A subconscious error in thinking that leads you to misinterpret information from the world around you and affects the rationality and accuracy of decisions and judgments.

“Biases are unconscious and automatic processes designed to make decision-making quicker and more efficient. Cognitive biases can be caused by a number of different things, such as heuristics (mental shortcuts), social pressures and emotions.”

SEE: Behind the scenes: A day in the life of a cybersecurity expert (TechRepublic)

Venkataraman said he feels strongly that positive reinforcement is the way to go. “Through repetition and contextual learning, behaviors can change over time, with positive reinforcement serving as the overarching umbrella to an organization’s broader security-awareness strategy,” he said.

To that end, Venkataraman offered the following guidelines to help those responsible affect meaningful behavioral changes:

Set clear rules: Managers in charge of cybersecurity and human resources need to clearly communicate company policies regarding cybersecurity incidents to all concerned. Also important is understanding how to correctly confront those responsible for an incident.

“This is a crucial step in ensuring that employees recognize that the organization is not trying to catch them doing something wrong, but rather provide them with the tools and guidance to identify possible malicious attacks,” Venkataraman said. “Laying down these ground rules will gain buy-in from across the organization and ensure everyone is on the same page.”

Make it personal: Managers need to communicate to each employee that they will receive personalized instruction regarding cybersecurity. “Everyone engages in unique actions and behaviors, and they’re more inclined to listen when they regard the information as directly relevant,” he said.

SEE: How to ensure your vendors are cybersecure to protect you from supply chain attacks (TechRepublic)

Don’t make employees feel stupid or shamed: This is where positive reinforcement comes into play. The only way to enact meaningful change is to establish the right tone.

“Frequently with phishing simulations, employees end up feeling stupid when they made a mistake,” Venkataraman said. “The learning experience should feel organic and authentic, while also being presented in a helpful tone—rather than bashing or pointing out mistakes.”

Dog lovers know

Dog owners will especially understand the example of puppies being encouraged with a treat after obeying a command. “The probability of an employee changing a behavior strengthens when they are successful,” Venkataraman said. “By approaching security awareness in a way that genuinely encourages and informs employees, their motivation to eliminate a negative behavior increases.”

Moving forward with positive reinforcement

This is not rocket science, but we all have been in difficult situations where any thought of positive reinforcement was nonexistent. “Instead of undoing behaviors (positive and negative punishment), we must reinforce new, positive ones,” Venkataraman said. “This will be key in properly securing organizations from today’s highly sophisticated and relentless cybercriminals.”

To quote retired U.S. Army general Stanley McChrystal: “Leaders can let you fail and yet not let you be a failure.”