The Beatings Will Continue Until Security Improves
Hey, if it works for morale...

Not many of us go to sleep at night thinking "I protected data today" or "my data wasn't compromised today" or "nobody is impersonating me to access my financial accounts today."
For most people, it is difficult to get excited about something negative that doesn't happen. After all, who goes to sleep comforting themselves with thoughts of "my house didn't burn down today" or "I didn't total the car today"? This is human nature for most of us: we just don't get excited about bad things not happening, certainly not the way we get excited about good things that do happen. (There are always exceptions, of course.)
So how do we motivate ourselves to prioritize good cybersecurity? In our current system we generally seem to focus on punishments:
- Civil fines for data loss, lawsuits, and similar financial penalties
- Criminal charges for some data loss, such as HIPAA data
- Complicated and costly recovery processes
Where has this gotten us? <gestures around at everything> Not where we want to be, I'd say.
Any good dog trainer can tell us what we're doing wrong here: we aren't rewarding good cybersecurity, we're merely punishing bad cybersecurity. We train dogs most effectively by rewarding them when they perform the behaviors we want them to. In this way people are not dissimilar from animals: we are reward-motivated. (For me, it's a good scratch behind the ears that motivates.)

Any behavioral psychologist will tell you the same thing: human beings respond to rewards with more vigor than we do to penalties. You need not look any further than whatever bonus plan you have at work - many of us have some sort of additional pay tied to meeting particular organizational goals. I, for one, have never been threatened with having my pay taken back away from me if the organization doesn't meet goals, only having additional pay provided if it does. Inherently, your organization understands this concept. Yet when it comes to rewarding people for good cybersecurity we tend to pick out one or two individuals and offer them rewards like $50 to spend at the company merchandise store. Perhaps rewarding people with company-branded golf shirts isn't the motivation some think it is.
So Why Aren't We Rewarding Good Cybersecurity?
One of the tenets of being able to provide a reward is being able to measure a result. If you get all the questions right on your math test, you can be rewarded. If your dog sits when you tell it to, it can be rewarded. In the world of cybersecurity we tend not to deal in such measurable outcomes. It is extremely difficult to prove that you haven't had any data loss in the past year - remembering that absence of evidence is not evidence of absence. The things we can prove in cybersecurity are so granular as to not be indicative of "good cybersecurity" by themselves: the percentage of company systems that are up to date on anti-malware software and definitions, or the number of employees who did and did not fall for the latest phishing exercise. Still other measures are at cross-purposes to their intended outcomes, such as rewarding a company that doesn't report any data breaches - this leads to companies covering up data breaches as if they were some other activity or issue.
So one of the hurdles to properly rewarding good cybersecurity is that we still don't have a way to reliably define good cybersecurity. At least, we don't have a way that enough of us agree on. After all, you can't throw a rock without hitting some sort of compliance or security standard or framework that is supposed to be the bee's knees.
So to reward organizations for good cybersecurity we'd have to develop a testable standard that could reasonably demonstrate a good cybersecurity program, and we'd have to develop an inexpensive means of performing that testing through an unbiased third party - which sounds a bit like what the credit card industry tried to do with PCI but didn't achieve. Hey, nobody said this would be an easy thing to resolve.
But What Kinds of Rewards Might Be Useful Anyway?
Off the top of my head, I think that tax incentives could be a useful reward for organizations. Incentives for things like 100% customer compliance with a quality MFA solution are one thought. Of course that leaves tax-exempt entities out in the cold, but certainly there's room for grants and other funding opportunities based on good cybersecurity to support those organizations. Why do I think government should be involved here? Well, government is already providing the largest "sticks" in the fight for good cybersecurity, so it seems that offering a carrot would go hand in hand with that. Besides, good cybersecurity is an issue that impacts everyone, and that seems like the time government should step in.
Employees can certainly be financially motivated for good cybersecurity as well, but it can't be a "contest." When the reward for something only goes to one or two "lucky" contestants, a great many employees will be unmotivated. Necessarily this means that rewards that could conceivably go to every employee need to be smaller, but then again I've seen companies reward every employee for completing their annual insurance registration with $100 per person. Seems to me there's room for similar rewards to employees for things like successfully completing their annual security training (with testing, even), or for other, more proactive cybersecurity actions. Coupling these "easy" rewards with a contest can help motivate everyone.
As for individuals, it seems to me there are plenty of small ways to reward good cybersecurity. Perks and freebies for things like enabling "good" MFA seem easy enough at a variety of businesses. (Good MFA being defined as anything besides "we'll send you an SMS" or "we'll send you an email" mechanisms.) Similarly, convincing users to switch to passkeys, or to long passwords/passphrases, via incentives seems reasonable as well. Cellular providers could encourage users to better protect their accounts against cloning intrusions through bonuses as well. If you think any of these seem silly, remember that most of these companies already offer you a discount for switching from paper statements to online statements, so there's a model in place we could use more of.
No, rewards for good cybersecurity aren't an overnight fix. They aren't a panacea. But if we're going to move on from the state of cybersecurity today, we're not going to do it using the same strategies that are failing us today. I think rewards need to be part of our societal, business, and personal cybersecurity improvement plans.
No humans or animals were punished or harmed in the making of this post. I did reward myself with some candy after completing it though.