There have been stories of organisations imposing sanctions, including suspension, on employees who persistently fail security tests. The question is whether it’s really the people who are at fault.

“I would ask a question here about the training their users are receiving,” says James Griffiths, technical director at Cyber Security Associates. “Why is the user failing? This would seem to be more of a problem relating to the company-led training and the staff not understanding it.”

What’s more, seeing your staff as the problem does not promote a healthy environment.

“Organisations need to appreciate that, in security, an ‘us’ vs ‘them’ mentality isn’t effective,” explains Dr Jason Nurse, CybSafe’s director of science & research and senior lecturer at the University of Kent.

“Both employers and employees are on the same journey; employees rarely actively seek out to harm their organisation. If employees are failing tests repeatedly, the best way to consider this is to understand why, so their engagement and related security behaviours can be addressed,” adds Nurse.

Dishing out blame rarely works

There’s a real danger that, in handing out blame, you could actually weaken your organisation’s security.

“If staff are aware that punishment is the result of reporting or having an incident then this will potentially have the opposite effect and stop staff feeling comfortable about reporting potential security issues,” explains Griffiths. “This could result in a much larger issue moving forward.”

It can also have an impact on productivity.

“For example, take the case of a security team targeting the sales department with a phishing simulation including malicious invoice PDFs, and then they single out sales employees who open them,” says Nurse. “There is a real possibility that those individuals, in fear of being reprimanded, may avoid opening all PDFs going forward, even the legitimate ones!”

Naming and shaming is last resort

If a serious security situation arises, some blame may be appropriate. “There should be a consequence for gross negligence or wilful failure to follow policy but these should be in extremis, not routine,” says Alan Jenkins, managing partner, advisory services, Decipher Cyber Consulting. “Naming and shaming should be a last resort, though naming to praise a good example can be a good thing, provided the individual is okay with that.”

It's crucial that all of this is handled within a positive security culture. And that may mean the security function making a concerted effort to reach out to staff.

“In many cases when a member of staff reports something, they never get feedback,” explains Griffiths. “If organisations started giving feedback and showed the member of staff what they found, and how this protected both the company and other members of staff, this would encourage more good reporting.”

Security exercises and genuine security incidents are both likely to hone in on one person or a small group as the root of the issue. So how do you handle this in a positive way?

“By having a good company security culture and operating a ‘no blame’ model,” says Griffiths. “Encouraging employees to report things they think are suspicious, as well as having a dedicated process and team to look into things, can really improve the engagement from the staff. People want to help but just need to be given the tools and processes to do so.”

Aim for incentives rather than punishment

Security staff also need to examine how they handle the results of any tests or exercises.

“Oftentimes, companies treat phishing simulations like a compliance, or tick-box exercise, where catching people out will scare people into acting safely,” says Nurse. “However, if little is done to look into why that malicious link was clicked, you have learned nothing. The question should be, why did they click the link or fall for the attack? And next, what mechanisms can we put in place to help them and target the right security behaviour?”

This carrot approach is predicated on finding the positive benefits in any exercise or incident. Conversely, punishment creates a culture of fear, which is likely to drive people out of your organisation altogether.

“People will not be as efficient, and will focus on self-preservation,” says Nurse. “We should be aiming for incentivisation more than punishment. In many ways, incentivising people to do the right thing makes them happy, and it works well for the organisation.

“People who are doing well can be spotlighted and can be champions for others, ultimately helping security across the organisation. This is more likely to actually change behaviour across the organisation.”

Text by Steve Mansfield-Devine