Wearing SCARF in Security


When it comes to detecting and reacting to advanced cyber attacks, the best solution isn't the latest machine-learning algorithm powering your anti-virus, firewall or security analytics solutions. 

It's your people. 

There is not a product on the market today that is smarter than an educated and empowered human being when it comes to catching the latest e-mail scams. 

And your people want to be part of the solution. From the user awareness surveys built into our platform, over 60% of users say that they always report phishing attacks.

That's over half of your organization that wants to actively protect the company. Are you leveraging that desire and empowering that behaviour?

Importance of Reporting

We know from the COBIT framework that best practices for incident response include a way for users to report potential security incidents. 

Reporting is important from a security perspective because it enables your incident response team to have insight into the real attacks in real time. This allows the security team to classify and investigate any real threats if necessary, speeding up the incident response process dramatically.

Keeping track of these metrics over time can also quantify normal phishing rates. This provides crucial insight that there may be an organized attack on the company if the rate skyrockets over a short period of time. 

Another benefit of encouraging users to report phishes or other security concerns is empowering them to become active members of the defense. This also opens up an opportunity for security teams to recognize and reward good behaviour. 

Engaging your community goes beyond compliance-focused annual cybersecurity training. 


Empowering your community requires you to tap into some of the driving forces of human behaviour. 

First published by David Rock, the SCARF model explains how the neurological instinct to minimize danger and maximize reward can impact the workplace culture. It highlights five key factors that, when properly leveraged within your organization, can help engage folks in the security program. 


While companies often think of bonuses or promotions as the only way to increase an individual's status, from David's research we see that praise is often all that's required. Whether it's a quick e-mail to thank someone for reporting a phish, or just stopping by their office, it's a simple message to communicate, that can make a big difference. 


People function better when complex problems, or concepts and terminology in the security industry, are broken down into smaller projects and language that's easy to understand. While very little is certain in the security industry, it's possible to clearly communicate the steps that the organization is taking to reduce risk.  


While autonomy can be difficult, especially in a managed IT environment,  it's critical to educate users on basic cyber hygiene. This enables them to reduce their risk to the organization and helps folks better secure their personal devices. 


Don't be tempted into blaming different parts of the organization for security issues. This only increasingly isolates divisions, disengaging employees in the process. Instead, strive to include teams from across the organization in the security planning.


Employees increasingly want transparency from their employers. If changes or new security controls are being implemented, communicating why they are occurring and how the changes will help the organization can go a long way.

Automating the Process

Beauceron was created with this model in mind and automating it to reduce strain on stretched IT resources. If you'd like to learn more about how Beauceron can help transform the security culture within your organization please contact us.  

Contributed by Kathryn Chamberlain. Kathryn is a business development officer at Beauceron and a Venture for Canada fellow. Kathryn holds an honours Bachelor of Commerce with a minor in Mathematics from Mount Allison University ('17). Her research interests include organizational behaviour and culture. She can be found on Twitter @_kachamberlain.