Social Engineering Awareness Training Part 3: Reinforcement and Incentivization

Reinforcement and Incentivization

At this point in the awareness life cycle, the culture has been set, and training has been designed and conducted. The goal now is to reinforce that training and to provide incentives for those who thwart attacks, report “interesting” attempts, or report a high volume of attempts.


Now that the training is complete and people have returned to their normal tasking, it is time to keep security, in this case social engineering, at the forefront of people’s minds. This is critical for long-term retention.

In reinforcing the training, a program that I have used is called the “Security Thought of the Month,” which I abbreviate as STOM. Under this program, each concept runs for two months at a time: the first month is a training month, and the second is a testing month. During the first month, an initial email is sent to lay the foundation for the concept. Each week thereafter, a short email (a paragraph or less) is sent to reinforce the previous email(s) for that month.

The second month is when testing occurs. For some concepts, like social engineering, this testing should occur more frequently than once per year. I recommend an ongoing testing campaign that rotates through various user groups each month. Services from different commercial vendors allow companies to test their people’s ability to identify phishing messages and to resist clicking on them.

Include Social Engineering in penetration testing.

I recommend ensuring that social engineering is included in any penetration testing the organization is subject to. If none is required or desired, some organizations, such as the vendors mentioned above, also perform social engineering penetration testing on its own. This gives the company an accurate picture of how prone its employees are to falling victim to a variety of social engineering attacks.


In conjunction with reinforcement, incentivizing can help. When people do things right or save the organization from catastrophe, they should be rewarded. I like the concepts of challenge coins or free time off. For time off, I recommend awarding it in 10-minute increments, with a minimum of 60 minutes accrued before it can be taken. Giving shirts, parking spots, or gift certificates is another method that I have observed to work.


In conclusion, training alone is not enough. Reinforcement should remain an ongoing process. Keeping the concepts fresh in the minds of the people of the organization is a critical step in preventing catastrophe from the outside in. People must be equipped with the tools to determine what is legitimate and what is not. Subjecting them to a real-world scenario is an effective method of accomplishing this.

About the Author

Joe Gray joined the U.S. Navy directly out of high school and served for 7 years as a Submarine Navigation Electronics Technician. Joe is an Enterprise Security Consultant at Sword and Shield Enterprise Security in Knoxville, TN. Joe also maintains his own blog and podcast called Advanced Persistent Security. He is also in the SANS Instructor Development pipeline, teaching SANS Security 504: Hacker Tools, Techniques, Exploits, and Incident Handling. In his spare time, Joe enjoys reading news relevant to information security, attending information security conferences, contributing blogs to various outlets, bass fishing, and flying his drone.

Twitter: @advpersistsec/@C_3PJoe

LinkedIn: linkedin.com/in/billyjgrayjr

Email: jgray@Advancedpersistentsecurity.net