I'd like to create a rubric by which our enterprise can judge (and then reward) those among our employees who are 'most secure,' i.e., those who most frequently follow security procedures. What sort of things would you suggest the rubric include?