Just finished up SANS MGT433 class this week at SANS 2014 in Orlando. One of the things I love most about teaching is I always learn something new. One of the students had a great idea for rewarding. In general you want to avoid providing purely monetary awards for good behavior, you quickly run out of budget. Instead, recognition is not only cheaper, but often more effective. For example, if someone receives a "Microsoft Tech Support" phone call and stops the attack cold, an organization's first response is to often to reward the person with a gift card. Instead of providing just money make a hero out of the person, post a story about what she did, how she figured out the attack and where she reported it. Not only are you publicly recognizing the individual for their great work, but promoting and reinforcing the good behaviors that secure your organization. One of our students took the idea one step further. Instead of just posting the story, they also put a bowl of Hershey kisses on the individual's desk. Not only was the individual publicly recognized for their good deed, but now other employees would stop by the desk to grab a candy, giving the individual even more recognition. I love the idea, and as usual simplicity has a way of making the biggest impact.