November 2020
The Buzz

Better Cybersecurity Training Through Positive Reinforcement

Monday, October 26, 2020

The traditional approach to cybersecurity training is to use it as a punishment for employees who exhibit risky digital behavior. However, experts say this is not an effective approach to building better habits. This type of negative reinforcement makes employees want to avoid training and won't lead to any sort of risk reduction because it focuses on forcing information onto the learner rather than providing ways for them to change their behaviors. “The idea is, if we just give them more knowledge and they know more, they are going to be less risky in our organizations, and we will have solved for a human risk,” Masha Sedova, co-founder of Elevate Security, said. “But, as we have learned over several decades, it’s not what employees know, but what they do that matters.” Rather than taking the traditional approach, risky employees should be identified and provided better cybersecurity training through positive reinforcement. One such method is called “social proof,” which compares a user’s performance with that of a peer group to motivate them to buy into the behaviors needed to reduce risk. Employees might understand phishing is a risk, but they need to understand how it affects them on a personal level. “The trick here is getting people to care about not clicking on links,” Sedova said. “The best follow-up action is explaining the impact of their decisions, using encouraging and positive language that motivates them toward action.”
