How doughnuts can make or break your cyber security culture

Company context is a critical consideration when implementing and approving quirky initiatives to improve cyber security culture

I came across a LinkedIn post a few weeks ago that provided a peek into what I considered to be a fun and tasty way of promoting better cyber security habits within a company.

The company: Yonder, a London-based financial start-up founded in 2020. Yonder appears to have around two-dozen employees (sources: LinkedIn; Crunchbase).

The initiative: If someone leaves a laptop unlocked and unattended – a common, potentially risky occurrence in many settings – and someone else jumps onto it and posts a message to Slack from the offender’s account, the offender has to buy a round of doughnuts for the team as “punishment”.

Anya Jackson’s post on LinkedIn

I took a quick look through some of the comments. Not unexpectedly, opinions on the approach were divided. On one side, some users saw a humorous, playful approach to learning. On the other side, some users – more typically those with security-related job titles – felt the approach uses shame as a teacher, or potentially increases risk to the organisation by advertising which brand of doughnuts employees are familiar with and under what circumstances a box of them turns up at the office. Doughnuts have been used to bypass security and gain access to premises in the past.

Genuinely shaming users into complying with security policies as a form of punishment is a surefire way to dent morale and should not be done. Shaming can have unintended consequences when trying to promote a positive, healthy security culture.

Company context is important when implementing initiatives designed to improve security culture

What I took away from the comments was the importance of company context when it comes to cyber security culture.

Inspired by the situation, below are five contextual factors that I think should be considered, separately and collectively, when designing and approving quirky initiatives to improve an organisation’s cyber security culture and knowledge.

Severity of the violation

First and foremost, violations and associated corrective actions must be assessed from a severity perspective. Buying a round of doughnuts for publicly distributing a register of personally identifiable customer information isn’t an appropriate consequence.

However, leaving a laptop momentarily unlocked in a restricted access office of friendly colleagues, all of whom have stock options and a vested interest in the company’s success, whilst not good practice, is likely to be a fairly low-risk misdemeanour.

Other policies and positions

Avoid creating confusion with conflicting policies and positions. If you’re introducing an initiative like the doughnuts example, weigh up how it might conflict with an existing policy; in this case, the “punishment” requires a colleague to post from the offender’s account, which most acceptable-use policies prohibit. The outcome could cause confusion or, worse, conflict.

Number of employees

As cohorts grow and people are less personally connected or familiar with each other, the risk of someone feeling humiliated or embarrassed grows if they are made to do something fairly public, like treating a group to doughnuts. In this case there’s also the scale of the financial impact on individuals to consider: a round for six people is not a round for sixty.

Perception and message management is also harder amongst larger cohorts. A quirky, fun initiative like buying doughnuts within a small group can be quickly and easily rolled out, or wrapped up; it doesn’t take much more than an impromptu stand-up either way.

The number of employees in an organisation is also a factor when considering severity of violations (discussed above). What may be a low-risk misdemeanour in a small company may be more significant in a larger one, where the chances of users with more sinister dispositions existing are higher.

Ability to get buy-in

Unanimous buy-in to an initiative like buying a round of doughnuts is imperative as there’s a personal financial implication. Remain cognisant of factors like physical, mental and psychological ability too; five push-ups instead of buying five doughnuts might not be possible for everyone.

Be mindful of peer-pressure and people opting in because they feel they have to as well.

The ability to get buy-in is closely related to the number of employees. Amongst a small group with whom you sit closely, it will be easier to tell whether the initiative is a no-go or has eventually run its course. This will not be the case in larger settings.

Overall company culture

Overall company culture should be considered when devising initiatives. Cultures where there’s an underlying suspicion of management, where personnel are generally fairly conservative, or where there’s a diverse mix of backgrounds may pose too much risk for quirky initiatives to be successful and easily managed.

Don’t forget to reward

A quirky approach won’t always be an option, or appropriate, for every initiative deployed as part of a cyber security culture uplift programme. Most security lessons should be treated with the utmost seriousness so as not to trivialise matters. But, with care and consideration, the odd initiative like buying a round of doughnuts or having to tell the group a joke as a consequence for a misdemeanour can be a fun way to convey and reinforce messages that can sometimes be a bit dry.

Implementing a reward programme is a recommended approach to promoting compliance, as well as recognising users who go the extra mile. Rewarding staff for helping others improve their cyber security knowledge or for reporting suspicious e-mails is always a positive step. Simple, visible rewards like mugs, badges and t-shirts not only identify those who’ve done well, but keep the messaging visible.

And don’t forget the doughnuts – they can be used as rewards too!
