In this latest edition of our Thought Leadership series, Ben Brabyn from GenieShares discusses how a few surprises can help you improve security and trust within your organisation.
Scared to care
I was recently asked to provide a course to help international bankers improve their cyber security awareness. The brief was simple and clear; I was to shock and scare people into taking more care of their own and their employers’ security.
I turned down the invitation. It’s increasingly rare to find managers who believe that fear is the best route to compliance, and I was curious that some should think that cyber security was an exception to this general trend. When I questioned the brief, I was told that the banks wanted their people to be scared as they feared that complacency was taking hold and threatening security. Perhaps telling some shocking stories of cyber security disasters would terrify people into safer behaviour.
A collective action problem
Security is often a collective action problem, and in global corporates this is clearly the case. Since attackers can choose from many different potential vulnerabilities - and people - when they plan an attack, security measures impose costs on all employees. Meanwhile the benefits of maintaining security may be concentrated among relatively few employees.
This asymmetry between the costs and benefits paves the way for exploitation of those whose incentives are not guiding them to secure behaviour. Scaring employees is a way of addressing this by raising the costs of non-compliance with security policies - not changing the distribution of benefits.
This, of course, embeds resentment more than trust, and there is a better way.
Surprise and delight
Rather than focusing on the high impact / low probability horror stories, consider giving every employee more of a stake in the upside of good security policy and behaviour. Rather than threatening dire consequences to all, reward good behaviour stochastically. You probably won’t be able to share equally all the benefits that the organisation accrues through good behaviour, but from praise to prizes you can recognise and highlight good behaviour.
Motivating behaviour change by coercion or threat is hard, but since you’re trying to enlist the help of colleagues in warding off low probability but high impact threats, it’s sensible to offer them a low probability but high impact stake in the results - a kind of premium bond for good secure behaviour.
So why not consider creating a security bounty: a prize fund committed to rewarding colleagues provided that no major security breaches occur? The bounty could be set in proportion to the findings of audits or weighted according to internal measures of collective compliance - and then allocated like premium bond prizes, with a small number of large jackpots and a larger number of smaller rewards for colleagues.
Research at Harvard Business School in 2008 illustrates how premium bonds both increase savings rates and broaden participation - persuading people to save who previously did not. Cyber security is comparable to saving in that it involves short-term forbearance to provide long-term security. But we are almost all susceptible to the jackpot effect - so why not use this to motivate engagement with security in your organisation? People who know that there is a low but non-zero chance of a major reward for good collective security will be keen to practise, and to encourage others to practise, good security hygiene.
Exploiting jeopardy beyond the boundaries of the firm
Of course, this exercise in sharing the upside of collective security can extend beyond your firm, and beyond security to broader concepts of trust and social cohesion. At GenieShares – a campaign I run – we’ve seen that entrepreneurs who surprise and delight people beyond their payroll see an increase in sales, valuations and employee retention. The benefits of exploiting jeopardy can extend well beyond the boundaries of the firm, and if you can tap into jeopardy as a constructive force you will have a motivational tool that can solve many collective action problems in security and beyond.
This kind of incentive design has great potential to effect change, as the HBS research demonstrates. Carrots are more effective than sticks, and you can choose to make cyber security an engaging rather than a terrifying experience.
Meanwhile I’m still trying to figure out what it says about me that someone would ask me to terrify all their employees!
About the author:
Ben Brabyn is an innovation ecosystem specialist working for corporates, governments, and startups. He is the founder of the GenieShares campaign which brings equity ownership to a wider share of society.