Carrot or Stick: How Do You Get Your Users To Take Cybersecurity Seriously?

Posted by Denmark Francisco
September 27, 2021


Cybersecurity is serious business; companies that ignore it do so at their own risk. And that risk is pretty big these days, with the average cost of a data breach in 2021 clocking in at well over $4 million. 

But if you’re a CISO or a security awareness program owner, you know that trying to get senior management and users to take your organization’s physical and digital security as seriously as you do can feel like an uphill battle. Let’s face it: your people are busy. Trying to build awareness—let alone establish new habits—in your users requires bandwidth, something most people feel short on these days. 

That being the case, how do you get your users to give cybersecurity the attention it deserves? When it comes down to it, are you Team Carrot or Team Stick?

Does fear make organizations safer?

Team Stick says that leaning hard into scare tactics and discipline is the way to go. Penalizing users who fail to pass phishing tests or who score low on post-training assessments. Policing employee behavior with long lists of do’s and don’ts. Scaring users straight with dire warnings about the consequences of clicking the wrong link.

Be honest, though—do you really think that approach actually works? In our experience, attempting to police employees’ behavior with restrictive policies doesn’t inspire their best performance. Instead, it tells users loud and clear that you don’t trust them and that you’re waiting for them to screw up. Your role is constable, not coach. 

Does empowering your employees work?

If you’re at all familiar with our team and self-paced security awareness programs, you can probably guess that Living Security is firmly on Team Carrot. We’re a people-first organization, which means we see end users as assets instead of mistakes waiting to happen. We believe that respecting people’s intelligence, teaching them to recognize threats, and helping them cultivate safe habits are the keys to getting them to take ownership of your company’s cybersecurity.

What research says about fear-based approaches to cybersecurity

As it turns out, science backs up our approach. Research conducted by Karen Renaud and Marc DuPuis shows that when it comes to cybersecurity, fear-based motivators often backfire. Punitive, fear-based tactics may be successful in getting users to make safe decisions in the short term but often fail to instill any kind of long-term investment in cybersecurity. Even worse, chronic anxiety over cybersecurity can leave some employees unable to think clearly, which can lead to poor decision-making. Those who aren’t anxious may instead feel disgruntled by their employer’s heavy-handed approach and not take the risks as seriously as they should. 


How do you encourage employees to engage with security awareness training?

Clearly, empowering your employees around cybersecurity is the way to go. But how do you get them to actually engage with your security awareness training in the first place? Prizes and incentives are a good start—you can even tie them into existing programs that your company offers. That said, not everyone is motivated by external rewards and not every reward will be universally appealing to your users. 

We think a better, more reliable way to get your users to give their time and attention to learning about security is to get rid of the yawn factor. Make it fun! That’s exactly what we do at Living Security. With engaging plot lines, cheeky pop culture references, Netflix-quality production, hands-on puzzles, and gamification, our videos and assessments make for a training experience users actually look forward to taking. It’s a built-in carrot, one that’s way more effective at spurring lasting culture change than a branded koozie or a Visa gift card. Ready to experience our end-to-end, team-based training platform for yourself? Request a demo.


Living Security is the security awareness training that employees love:

  • 94% of employees preferred Living Security over their prior cybersecurity training.
  • 96% would recommend Living Security training to a friend or colleague.
  • 100% feel more confident in recognizing and reacting to cybersecurity threats after Living Security training.

Learn more about our enterprise training platform and our gamified, team-based training experience.
