Culture and Org. -> Education and Guidance: Reward of good communication
Risk and Opportunity
Risk: Employees are not getting excited about security.
Opportunity: Good communication and transparency encourage cross-organisational support. Gamification of security is also known to help; examples include T-shirts, mugs, cups, gift cards and 'High-Fives'.
Required knowledge: Medium (two disciplines)
Required time: Low
Required resources (systems): Very Low
- Motivation can be enhanced by distributing pins as a reward; see the OWASP Security Pins Project
ISO27001:2017 Controls Mapping:
- not required by ISO 27001
- interestingly enough, A7.2.3 requires a process to handle misconduct, but nothing to promote good behavior.