SANS

One of the levers we have for changing behaviors is reward and punishment: reward behaviors we want to encourage, punish behaviors we want to stop.  But which one is more effective, and which should we use?  To be honest, this is a complex question and in part depends on your environment.  However, this is the approach I prefer.

Rewards: I always like to start by rewarding good behavior.  By taking this initial approach you create a positive environment, and people associate security with something good rather than something bad.  Rewards can be as simple as public recognition or a chocolate candy left on someone's desk, or more substantial, such as a free lunch or an entry in a raffle for an iPad.  The advantage of a reward is that you are positively reinforcing the behaviors you want people to continue.  However, make sure you are rewarding the behavior you actually want.  Telling people you will give a gift certificate to anyone who identifies an infected system may sound good at first, but the reward is for finding infections rather than for avoiding them, so you may end up encouraging people to infect their own computers.

Punishment: Sometimes people refuse to change their behavior.  Before you move to punishment, make sure they understand the message being communicated and have the resources to change their behavior effectively.  For example, if you are telling everyone they must encrypt all data at rest, make sure they understand what encryption is and which data has to be encrypted.  Then ensure they have the tools and knowledge to encrypt that data.  If, even after all of this, they still refuse to change, you are going to have to take action.  This can be something as simple as additional training or a report sent to their manager, or something more serious such as having the person moved to another position or potentially even fired.  Mike Murr (@socialexploits) said it well: the advantage of rewarding is that you are encouraging specific behaviors.  The problem with punishment is that you are discouraging only one specific behavior.  While people may stop that specific unwanted behavior, they may simply migrate to another unwanted behavior.