How will we motivate the participants to perform the Ideal Actions? This is where the rubber meets the road! It’s time to take everything you now know about the target Participants, the current Setting, and the Ideal Future State and engage your creativity to brainstorm and finalize methods to encourage and incentivize your Champion’s behavior.
Define Champion Types
We previously identified the different Participant Groups who will be involved in our program. We can follow this structure to come up with different types of Security Champions as in the following example. It’s also good to list the topics that would be most interesting to the different types so you can be sure to design your program around delivering relevant training and content.
Example Champion Types
- Software Security Champions
- Technical Software Security Champions: Technical people who design and develop software
- Positions: Software Engineers, Application Architects, Enterprise Architects, Quality Engineers
- Topics: Secure Coding Practices, Threat Modeling, Application Security Testing (AST) Tools, Attacker Tactics
- Business Software Security Champions: Non-technical people which are involved in the software delivery pipeline
- Positions: Product Managers, Engineering Leaders, Product Managers, Scrum Masters, Program Managers
- Topics: Secure Software Development Lifecycle (SSDLC), Attacker Strategies
- Technical Software Security Champions: Technical people who design and develop software
- Security Awareness Champions
- Technical Security Awareness Champions: Non-software-focused technical or security people.
- Positions: Sales Engineers, Solution Architects, Analytics, Non-Software Security Positions, Legal, Customer Support, Site Reliability Engineers
- Topics: Product security features, Customer security concerns, Infrastructure security, Privacy, Compliance,
- Business Security Awareness Champions: Non-technical people who can help with general security awareness best practices.
- Positions: Marketing, Design, Sales, HR, Finance
- Topics: Social Engineering, Phishing, Passwords, Secure File Sharing, Protection of Sensitive Information
- Technical Security Awareness Champions: Non-software-focused technical or security people.
Program Structure
Decide on how you want to structure the program. I’ve added a few questions for consideration, along with recommendations based on my experience, but feel free to make the program your own and take a different direction.
- How will you build trust and provide value to the Champions?
- At its core, interactions with the Champions must be genuine and sincere. You must strive to help them grow and learn in their cybersecurity knowledge. Ensure all interactions with them express this.
- How will you train your champions?
- Brown Bags: I recommend having a monthly meeting or “brown bag” as this is a great opportunity to get all your Champions together and present training topics tailored for the audience and culture. This gets everyone on the same page as far as best practices and recommended habits. Due to the different Champion Types you may consider having multiple options for meetings every month for the Champions can choose from, like this:
- One meeting per month focused on Software Security Champion topics, alternating between technical and business topics month-to-month.
- One meeting per month focused on Security Awareness Champions, alternating between technical and business topics month-to-month.
- Brown Bags: I recommend having a monthly meeting or “brown bag” as this is a great opportunity to get all your Champions together and present training topics tailored for the audience and culture. This gets everyone on the same page as far as best practices and recommended habits. Due to the different Champion Types you may consider having multiple options for meetings every month for the Champions can choose from, like this:
- Volunteer or Voluntold?
- You want people who are excited and desire to join because of their own intrinsic motivation. It is not recommended to remove this choice by assigning them the role without vetting their willingness and excitement to engage.
- Unless you’re prepared to make this an official position with additional pay, people won’t appreciate being assigned additional responsibilities. Note that if you do desire to make being a Champion an official position, most of the methods explained in this guide are not necessary as it was built to help encourage voluntary behavior. An official Security Champion role will be subject to the same rules and policies as with other official positions (job description, performance reviews, etc.).
- Require leadership / manager approval?
- It’s important for the Champion’s supervisor to be on board with the program and okay with their report spending time on it. Without this, the supervisor may be concerned and even interfere with their report’s ability to participate. It’s also a great idea to have the supervisor reach out to those who they think would be good for the program and invite them to participate. This can be a motivating factor for the report to feel they were “chosen”, their manager believes in them, and supports their involvement. This is not an assignment as the nominee can still choose whether to sign up.
- Who is eligible to be a Champion?
- Do they have to earn their way in somehow or is it open to anyone who volunteers? In my experience, it’s best to remove initial barriers of entry and let in anyone who volunteers. You can always restrict some things (invitations to events, usage of tools like Burp, etc.) to only those Champions who have earned their way to have certain privileges. Example: anyone can be a champion, but only those who have earned it will be invited to the capture the flag event.
- How many Champions in an area?
- Ideally you should strive to have one Champion among every group of people who work closely together. This could be defined as an organizational team (everyone who reports to the same supervisor), a scrum team, or some other informal team or larger collection of people. Ultimately it’s best to work with the leadership of the org where you’re trying to recruit to determine the best way to structure Champion support in their org.
- No limit: If there’s already a champion on the team, but someone else wants to volunteer, why would you turn them away?? As long as their supervisor supports it, they should be welcome. An advantage to having more than one is to cover for each other in case one cannot make a Champion meeting, etc.
- How will you keep in touch with your Champions?
- Having a dedicated Slack or Teams channel is a great way to create a community where Champions can interact with each other as well as the security team. It’s also very useful for announcements about meetings as well as recognizing the efforts and achievements of the Champions among the larger group.
- What will be their responsibilities and estimated time commitment?
- Initial phase time commitment should be low to not cause concerns about time or the ability to perform normal job duties. The actions and activities performed by the Champions should always be optional and not required.
Example Program Structure (Initial Phase)
- Volunteer Based, with Manager Approval
- At least one champion per “team”
- 2 Professionally Hosted Monthly Meetings: one focused on Software Security Champions, one focused on Security Awareness Champions
- Dedicated Slack Channel
- Time Expectations: ~1-3 hours a month
- Capture the Flag event 2x a year: Hands-on exercises to hack a fake websites as a fun and effective way to demonstrate knowledge and apply what’s been learned.
- Steering Team meetings: Meet as a Steering Team every other week to engage in Tuning: discuss the program, metrics and make adjustments.
Motivational Methods
How do you motivate your champions? What are some specific techniques to engage the participants and prompt them to perform the Ideal Actions you’ve defined? This is a great chance for you to be creative. The more fun you have in designing the experience of your champs, the more fun they are likely to have as well. So gather around a (virtual) whiteboard with your Steering Team and come up with ideas! At this stage, don’t worry about finalizing anything, just throw your thoughts out there. It’s recommended to use human-focused motivational design (aka “gamification”) techniques, such as those I mention in my RSA 2023 talk on Building an Engaging Security Champion Program.
The motivational techniques you ultimately use should be specific to what you believe will work for your culture, keeping in mind how your Participants will react given their current motivations as captured in the Setting step. Below is an example that has been tailored over years of experience in building Security Champion programs and I’ve explained the reasoning behind the methods described.
Example Motivational Methods (Initial Phase)
- Champions earn stars for Ideal Actions
- These are the basic units of achievement. I’d highly suggest you tailor the name of this for your own organization and program theme. Midi-chlorians for a Star Wars them, rings, and so on. Use your creativity and base it on something associated with your company culture or brand.
- These basic units allow the Champions to choose their preferred way to earn. Some will prefer social aspects like speaking up, and asking questions during meetings, while others will prefer independent activities such as taking non-required training and reading.
- Stars determine Security Belt Level (orange through black belts like karate): Earning a “level” is a great way to recognize a Champion’s efforts. These milestones can be communicated to their manager and during all-hands meetings to make them feel a sense of accomplishment and to show others how they too can progress.
- Action stars count for one year, so Belt Level may drop: If a Champion reaches the highest level, “black belt” in this case, there is less incentive to continue their hard work as they’ve already reached the top. To counter this and ensure Champions continue to remain active, stars expire, which may cause the Champion to drop in level.
- If below highest Belt Level earned, all actions are worth double stars: It may be frustrating to drop in level, and may cause the Champion to give up on the program. It’s also understandable that other job responsibilities may have temporarily prevented them from spending time on Champion actions. To encourage Champions to continue, provide a “catch up” booster where all their actions are worth double until they again reach the highest level they’ve earned previously.
- Higher-Level Mentors receive half the stars their Mentees earn: Once a certain level is reached, mentor/mentee pairs can be selected by the Champions. Having a mentor can be a powerful incentive for the mentee as it makes them feel that their actions matter and they’re accountable to another for their own success. Mentors are also incentivized socially to see their mentee succeed and by the additional stars they can earn through their mentee’s actions.
- Meeting attendees randomly win a prize at the next meeting… if present: To encourage attendance in the monthly meetings, a “wheel of fortune” spin will occur at a random time during the meeting, populated with the names of the people who attended the last meeting, and a random name will be chosen. That person will win a prize, but only if they’re present. This creates a cycle of motivation for the Champions to attend the next meeting if they were present in the current one. Having this happen at a random time prevents people from just showing up for the wheel of fortune prize.
- Annual awards ceremony: Special prizes and recognition will be given to specific Champions for their unique performance throughout the year. Be creative here and go beyond just “highest total # of stars” as this could cause the same Champions to win year over year. Think of things like “greatest level jump”, “most stars in a month”, and even the top Champions in each action category (“most books read” or “most training taken”). Try to come up with unique and creative names for the awards: “Bookworm”, “Ninja Master”, “Star Collector”, and so on.
Note that the above methods are just for an initial phase of a Champion program, align with Example Goals 5, 4, and part of 3, and are tailored to encourage the initial phase Example Ideal Actions. I’ll share an example of a later stage design in the future.
Try not to think about how you will implement these methods at this stage as it may stifle your creativity. Focus on what an ideal experience for your Champions looks like. You’ll work out the implementation details in the Delivery phase. These ideas have been proven to work in my experience, but there may be better motivational methods to incentivize your Champions based on your company’s unique culture and norms. I’d be curious to know what methods you come up with, if you’d like to share!
Rewards
What specific rewards and incentives could be used in the program? Define the details of rewards and how they align with the Motivational Methods.
To help brainstorm, think of different types of rewards using the acronym SAPS:
As you can see, these are beyond just material rewards. The beauty of SAPS is that the categories are in the order of effectiveness, but in reverse-order of cost. This means, in general, the most effective rewards are typically the cheapest to implement!
This reward model won’t apply to all Champions. Some may consider certain rewards to be more important to them than others.
Example Rewards
Belt Level-up Rewards: Awarding increasingly desirable items helps solidify the feeling of accomplishment to instill a sense of pride in the Champions. It also helps spread the word about the program and piques the interest of others.
- Orange Belt: Orange Belt Logo Digital Image, Champion Program Logo Digital Images, Zoom Digital Image Background, Orange Belt Sticker, 2 Security Champion Program Stickers
- Green Belt: Green Belt Logo Digital Image, Green Belt Sticker, Green Belt Challenge Coin
- Blue Belt: Blue Belt Logo Digital Image, Blue Belt Sticker, Blue Belt Challenge Coin, Security Champion Mug, Ability to Mentor (An Access Reward)
- Purple Belt: Purple Belt Logo Digital Image, Purple Belt Sticker, Purple Belt Challenge Coin, Security Champion T-Shirt
- Brown Belt: Brown Belt Logo Digital Image, Brown Belt Sticker, Brown Belt Challenge Coin, Security Champion Sweatshirt
- Black Belt: Black Belt Logo Digital Image, Black Belt Sticker, Black Belt Challenge Coin, Challenge Coin Holder, An Actual Karate Black Belt Embroidered with the Security Champion Logo, Invitation to join the Steering Team (An Access and Power SAPS reward)
Wheel of Fortune Prize: The winner of the wheel of fortune will receive a $50 gift card to a store of their choice.
Use your creativity here and follow SAPS to come up with new unique ideas. I’d love to hear what you come up with.
Finalize Design
Take the ideas you’ve generated and refine the design. Put yourself in the Champions’ shoes and really think about their experience, taking into account how the Champions will react to the different rewards. You’ll also want to ensure you’ve aligned your Motivational Methods and rewards with what you came up with in the Concept phase, and also that they’re a step toward accomplishing the Goals you set in the Vision phase. You also should consider your Participants, and the current Setting of your program.
Once you have a design you are excited about, it’s time to settle on the details of how the different Motivational Methods work together. For instance, collecting Stars leads to attaining a Belt Level, but just how many Stars does one need to increase in level? I’d suggest adding to the Design Spreadsheet you started in the Concept phase and expanding it to include the finer details about stars or whatever gamification elements are used in your program.
Finalizing Leveling Systems
When implementing a leveling system, it is wise to graph the level progression to ensure it’s easy at first, becomes more challenging, then flattens off to ensure the higher levels feel attainable. Calculating stars earned by below-average, average, and above-average achievers can help determine the right amount of stars required for each level. The majority of your Champions should be in the middle levels to respect a normal distribution “bell curve” of stars likely to be gained by the Champions.
Example Finalized Motivational Methods
Star Value Calculations (Suggest using a spreadsheet so you can use formulas and make these calculations easier)
| Behavior | Star Value | Below Avg Earnings | Average Earnings | Above Avg Earnings * |
|---|---|---|---|---|
| Attend Champion Meeting | 20 | 40 | 120 | 260 |
| Speak up or Chat During Meeting | 10 | 0 | 30 | 95 |
| Fill out End Of Meeting Survey | 10 | 10 | 30 | 95 |
| Post a Question or Article in Slack Channel | 20 | 0 | 80 | 280 |
| Comment, Answer, or React in Slack Channel | 10 | 0 | 120 | 300 |
| Complete Non-Required Training (Secure Code, Awareness) | 50 | 0 | 300 | 750 |
| Invite Guest To Champion Meeting | 20 | 0 | 40 | 100 |
| Watch Non-Required Security Video (Internal or External) | 15 | 0 | 90 | 225 |
| Read Security Related Blog Post or Article | 10 | 0 | 120 | 300 |
| Read Security Related Book | 200 | 0 | 0 | 200 |
| Refer Someone To Become a Champion | 100 | 0 | 100 | 450 |
| Showcase Champion Logo in Slack Profile Image | 100 | 0 | 100 | 150 |
| Showcase Champion Logo in Zoom Background | 100 | 0 | 100 | 150 |
| Complete Required Training within 5 Days | 20 | 0 | 20 | 50 |
| Mentor Another Champion | 200 | 0 | 0 | 200 |
| Provide Feedback or Suggestion About Program | 50 | 0 | 50 | 175 |
| Share What You Learned With Your Team | 30 | 0 | 90 | 285 |
| Report Potential Security or Privacy Concern | 100 | 0 | 100 | 450 |
| Report Phishing Email | 20 | 0 | 40 | 180 |
| Predicted Star Earnings over 1 Year | 50 | 1530 | 4695 |
The calculations shown above were assisted with formulas and captured in this example Google Sheet to get you started.
Belt Level Calculations
20 Points = Orange Belt
220 Points = Green Belt
1050 Points = Blue Belt
2580 Points = Purple Belt
4000 Points = Brown Belt
4830 Points = Black Belt
As you can see, based on this design, the Orange Belt is attainable for even the below average participants. But that first quick win can be motivating enough to continue to try and achieve Green, which only takes a little extra bit of effort. From there it will take a significant amount of additional effort to get to Blue (our average performer in terms of points as we determined in the spreadsheet above), but at that level, you can now become a Mentor, receiving half the points of your Mentees, allowing you to skyrocket up to the Purple level. The Blue and Purple levels are the expected levels for the majority of the Champions, as shown in the bell curve above. For those above average achievers, Brown Belt is attainable by our calculations, and then as the curve flattens, it’s only a little more effort to get to Black.
The calculation of point values to produce the curve above was assisted with a formula captured in this Google Sheet to help you get started.
