Cultivating Cyber Resilience Stewards

Research that my colleagues and I have conducted finds that nearly one-third of employees report multiple scam emails in phishing training campaigns, without falling prey to single one.[i] These “cyber resilience stewards” represent the human shield of an organization and may be the first to alert a security department of a real-world malicious email attack that evades automated detection.

While we in the security field often focus on the negative — that is, reducing risk by teaching people not to do bad things — we also stand to gain a significant benefit from boosting the positive by increasing the number of people doing good things. The challenge for security awareness staff is how to cultivate cyber stewards and increase their prevalence among employees.

Motivating Security Behaviors

Some researchers suggest that people engage in behaviors based on a tradeoff between the difficulty of an action and the motivation for performing that action.[ii] If a step is easy to take, people will be more likely to take it. Conversely, if it is difficult to accomplish a task, then an individual will need to be highly motivated to do it. Think of it this way: If buying something online were as difficult as completing forms on irs.gov, Amazon would have gone out of business decades ago. People file their taxes because the cost of not doing so is extremely high and therefore so is their motivation.

Prompting people to engage in behaviors that will help strengthen an organization’s cybersecurity then becomes a question of either making these actions easier to take, or motivating people to want to take them. This article focuses on the second option.

Psychologists consider motivation from two perspectives: extrinsic and intrinsic.[iii] Extrinsic motivation often refers to the motivation to perform certain actions because they hold the prospect of receiving a reward. Intrinsic motivation includes the motivation to engage in a behavior because of the enjoyment derived from pursuing that course of action.

Economists and security awareness professionals love extrinsic motivation because it is easy to cultivate and measure — if we want people to do X, we give them Y as a reward. However, extrinsically motivating someone to engage in an action has a downside: People do not typically continue to engage in the desired behavior after the external reward is no longer available. And why should they? Their reason for doing so no longer exists. While external motives are appealing because they are easy to implement and produce better short-term results, their longer-term impact can be detrimental.

Gamifying Secure Behaviors

So how do we increase intrinsic motivation in people? Unfortunately, there is not a one-size-fits-all answer to this problem, and we need to accept that we will never intrinsically motivate everyone. However, one solution with which my colleagues and I have found success is gamification.

By turning phishing detection into a game, it is framed more playfully. We did this by creating a “Phishing Derby” as a part of Cybersecurity Awareness Month.[iv] Employees competed in the derby to detect an unknown number of simulated phishing emails during the month-long exercise. They were awarded points not only for correctly identifying these emails, but also for reporting them in a timely manner.

There were two key differences between this competition and normal phishing training exercises. First, the Phishing Derby was completely voluntary, and participants had to actively opt-in to the competition. Opting-in leverages a psychological hack known as the principle of commitment and consistency, in which someone will justify their actions by convincing themselves that those actions are significant and important.[v] Second, the competition emails that participants were to report were significantly more difficult to detect than those sent during normal campaigns. In fact, our group went out of our way to build the most difficult phishing emails that we could possibly conceive of.

Gauging the Results of Gamification

The feedback that we received was overwhelmingly positive. And almost everyone commented that they are looking forward to the second annual Phishing Derby to be held this coming October.

How effective was this as training? We do not yet know. We are currently observing the performance of volunteers over the course of this year’s regular phishing training campaigns to see if participant performance improves compared to the rest of the organization.

Preliminary results suggest that they are performing better. Of course, this a classic correlation versus causation question. Are these individuals performing better because the competition motivated them to perform better or was it the case that only the high performers volunteered to compete in the Phishing Derby because they were already outstanding performers? This is a research question that we are currently looking at.

Meanwhile, there were two feedback trends that we received during the post-competition debrief session that incline me to believe that the competition did have a positive effect. First, many participants had not previously understood the significance of reporting potentially malicious emails. In the competition wrap-up, we discussed why reporting is helpful for keeping other employees within the organization secure. The competition and these insights appear to have inspired the participants to be more vigilant in reporting. Second, many participants reported that they received a sense of enjoyment from trying to spot exceedingly difficult-to-detect phishing emails. They said that the challenge this presented motivated them to look for more emails that might be malicious.

There are several research questions that need to be answered to better understand the effectiveness of our Phishing Derby on increasing employees’ phish detection performance. However, the preliminary results demonstrate that they enjoyed the experience and that they thought they benefited from the competition. From this trial run, I believe that gamification may be an effective way of expanding the upper boundaries of what employees are capable of.

The Bottom Line

Cyber stewards can improve your organization’s cybersecurity performance, as users who are most likely to report scam emails or other evidence of a cyberattack. Gamifying security awareness training can help cultivate more of them in your company. 

[i] “Phishing for Long Tails: Examining Organizational Repeat Clickers and Protective Stewards, SAGE Journals

[ii] “Fogg Behavior Model,” Stanford University

[iii] “Intrinsic and extrinsic motivations: Classic definitions and new directions,” Occidental College

[iv] “Gamifying Security Awareness with a Phishing Derby” (paper under review), Canham, M., Posey, C., Constantino, M., & Grimes, R.

[v] “The Power of Persuasion,” Stanford Social Innovation Review