Security Culture: Stick vs Carrot

We all know that cyber security is crucial for any business operating in the digital world. But how do we ensure that everyone in the company knows the potential risks and actively works towards keeping the organisation safe? One way to do that is by building a strong company culture around cyber security awareness.

So, what’s this stick and carrot method you speak of? I’m not a donkey.

“Stick” methodology, in the context of building company cultures, refers to using negative consequences or punishments to deter bad behaviour. "Carrot" methods, on the other hand, involve offering rewards or incentives for good behaviour.

So, which method is better for building a company culture around security awareness? Well, it's a bit of a tricky one, because both methods have their pros and cons.


Stick Methods

The stick approach to building a secure culture involves using negative consequences to deter employees from engaging in risky behaviour. Examples include:

Reprimanding or disciplining employees who violate company security policies.

Threatening to terminate employees who repeatedly violate security policies.

Running simulated phishing attacks to test employee susceptibility and penalising those who fall for them.



The main advantage of stick methods is that they can be very effective at deterring bad behaviour from employees who don't care or are repeat offenders. Fear of punishment can be a strong motivator, and the threat of disciplinary action can encourage employees to take cyber security seriously.

There are certainly downsides to using stick methods as well. For one thing, they can create a negative work environment that's focused on punishment rather than positive reinforcement. Additionally, employees may become resentful or defensive if they feel they're being unfairly targeted or punished. Stick methods can be demotivating and may not encourage employees to be proactive about improving their cyber security practices.

Carrot Methods

The carrot approach to building a cyber secure culture involves offering rewards or incentives for good behaviour and actively demonstrating the advantages of adopting good cyber hygiene (both at home and in the workplace). Examples of carrot methods include:

Creating a rewards program that recognises and rewards employees for following security protocols, reporting incidents, or completing security training. Rewards can be anything from gift cards to extra time off.

Simple recognition of those employees who have successfully completed training, or an automated "thank you" message from the IT team when an employee reports something suspicious.

Providing training and resources to help employees improve their personal cyber security knowledge and skills, and those of their loved ones.

Creating a positive and supportive work environment that encourages open communication and collaboration around cyber security issues.

Providing fun, engaging training content that makes cyber best practices simple and understandable, as opposed to trying to scare compliance into them. Make cyber security personal!



The main advantage of carrot methods is that they can be very motivating and encouraging for employees. By offering rewards and resources, companies can create a culture that values cyber security and encourages employees to actively protect company assets. Additionally, a positive work environment can help build a sense of community and encourage employees to work together to improve their cyber security practices.

However, there are also some downsides to using carrot methods. For one thing, they may not be as effective at deterring bad behaviour as stick methods. Additionally, rewards and incentives can be expensive, and companies may not have the resources to offer significant bonuses or perks to all employees. Finally, if not implemented properly, carrot methods can create a sense of entitlement or complacency among employees, leading to a lax attitude toward cyber security.


At the end of the day, both stick and carrot methods can be effective in building a culture around security awareness. The stick can be useful for enforcing important policies and deterring repeated bad behaviour, while dangling the carrot can be motivating and encouraging for employees. The trick is finding a balanced approach that combines both methods and avoids the downsides of each. It's ultimately about creating a culture where cyber security is seen as a shared responsibility, not just a set of rules to be followed begrudgingly.

By creating a positive and supportive work environment, providing fun, engaging resources and training, and enforcing policies fairly and consistently, companies can build a strong security culture that protects their assets and encourages employee engagement.

Remember, building a company culture around cyber security awareness isn't a one-time event or a box to be checked. It's an ongoing process that requires constant attention and effort. But with the right mix of stick and carrot methods, you can create a culture that values cyber security, builds an army of cyber-savvy ninjas🥷🏼 and protects your company from potential threats.


GoldPhish educates end-users on the cyber threat and helps build more secure organisations with awareness training and simulated phishing
