Human cyber risk management by security awareness professionals: Carrots or sticks to drive behaviour change?

Cyber crime is rising at an unprecedented rate, and organisations are spending more than ever on interventions aimed at the human element, such as security awareness training and simulated phishing. These campaigns rely on “carrots” (rewards) and “sticks” (sanctions) to reduce risky behaviour. Sanctions (such as locking an employee’s computer or informing their line manager) are problematic because they carry unintended consequences for employee trust and productivity. This study explored how organisations use rewards and sanctions, both in their campaigns generally and specifically following simulated phishing. We also assessed which factors (such as control over rewards, or a tendency to blame users) influence security awareness professionals’ use of rewards and sanctions. The findings revealed that organisations use a variety of rewards and sanctions within their campaigns, with sanctions in use at 90% of the organisations studied. None of the factors we assessed was found to influence security awareness professionals’ use of rewards or sanctions. Our findings point to the need for greater consideration of the human element of cyber security. In particular, campaigns should take a more informed approach to behaviour change strategies, one that accounts for the organisational structure in which they are implemented and for the role (and influence) of security awareness professionals within that structure.