The Carrot & The Stick: How to Incentivize Employee Cybersecurity Training

Sep 30, 2021 | Uncategorized

Cybersecurity standards in a post-Covid world are changing. Without the safety of having all of your employees under one roof and behind one firewall, it can be difficult to protect against threats. With employees working from their home wifi networks, coffee shops, and other locations outside the office, your data becomes increasingly vulnerable. We’ve already discussed how your biggest cybersecurity threat comes from your own employees and thus how important it is for standardized employee cybersecurity training, but how can you actually promote cybersafe actions from your employees in a way that lasts? By using psychology 101, of course! 

The Stick

When we talk about the stick, we’re not talking about punitive measures. As we’ve mentioned, most cybersecurity breaches aren’t intentional, they simply come from uninformed actions. Your employees could potentially feel that a data breach may impact the company, but not themselves personally, so cybersafe measures are more a nuisance than a necessity. One way to heighten the stakes is to remind your employees that data breaches affect the whole company. Leaked access to company accounts and information could have financial ramifications that affect company 401k programs, bonuses, and even the very stability of the business itself. 

The Carrot 

Positive conditioning works much better than aversive conditioning, so what better way to make cybersafe actions stick than by gamifying them? It can seem corny, but an office leaderboard can be a good motivator in changing habits and behaviors. By incentivizing cybersecurity among your employees with games and contests, you will be associating their cyber-awareness with a positive response. The best example of this is simulating phishing attacks so employees learn to identify and avoid techniques frequently used in phishing emails. Other games can include a last-man-standing elimination game to see who never leaves their computer unlocked when they get up from their desk. 

Turning Cybersafe Actions Into Habits

So, what are we using the carrot and the stick to encourage? Basic cybersafe tips you should encourage among your employees include: 



  • We’ve already discussed the dangers of phishing, but it’s still worth listing again here. 


  • Encourage your employees not to ignore new downloads of security patches and OS updates as these help protect against changing bugs and viruses.

Data Storage

  • Back up your work files to a reliable cloud provider; never store these files only on laptops and workstations.

Social Media

  • Ask employees to be careful of what they post! Selfies on the job can sometimes reveal more than they intend to if a computer screen or paperwork is in the background. 


  • Enable screen locks when employees are away from their computers. A password-protected desktop is useless when it’s left unattended!

The Limits to Internal Cybersecurity Training 

Know your limits, though. Over-securing your company data can backfire if the requirements are too high. Cybersafe measures that are too restrictive will lead to a kind of rationalization of noncompliance among your employees. For example, having your employees change passwords weekly will lead to passwords being written on post-its in plain sight. So, by having employees understand the reason for the security protocols, and enacting protocols that make sense, employee compliance and engagement in cybersecurity will increase. 

Many of the examples we gave are simple ways to “up your cybersecurity.” But you don’t want cybersecurity to become your full-time job. To ensure your business is protected against internal and external threats, your business needs a comprehensive cybersecurity plan. What does this look like? Well, that depends on the size of your business, your industry, and your specific needs. But don’t worry — we can figure all that out in just a phone call or two. 

For more tips on employee cybersecurity training, or to find out if you have the right cybersecurity plan in place, reach out to us at Sawyer Solutions!