One of the main tenants of behavior science is something called “operant conditioning.” It’s a fancy phrase for a concept that’s actually pretty simple: a behavior followed by a reward is more likely to be repeated than a behavior followed by a punishment. While this is a pretty common sense idea, when it comes to our own goals, we don’t often think this way. Instead, we’ve grown up with a myth that true success comes only with struggle and that our biggest opponent is ourselves. Instead of focusing on our wins, we focus on our loses and think that to get anything accomplished we have to be hard on ourselves. And how well does that usually work out?
In order to create new behaviors that you can actually sustain, you need to have positive reinforcement. In other words, if you set yourself a goal that is too difficult or takes too long to achieve, your focus will be on what you’re doing wrong and lead you to give up. Instead, it’s important build on goals that you can actually achieve and feel positive about. This isn’t to say you shouldn’t set big goals for yourself, but that in, order to get there, you first have to focus on the wins: the small, achievable goals that you can then build upon to make the changes you want for yourself.
This is a lesson that most cybersecurity training programs have yet to understand. Phish simulation programs often will often focus on the loses: when you click on a phish or don’t report it to your IT department. Instead, accountability with compassion is far more effective for driving long term behavior change, and training programs that reward positive behaviors rather than punish bad ones are more likely to help users achieve their goals.
Using positive reinforcement and focusing on the wins helps us build the skills and abilities that enable us to do great things. And, perhaps after we have accomplished the large goal we were after, we’ll realize that the actual goal was to just feel better about ourselves.