Punishing users for undesired security behaviour? Every so often, someone in the industry brings up the idea of punishing users as a way of motivating or improving their behaviour. We believe that punishing users is a misguided idea that will alienate them and make it difficult ever to improve user security behaviour.
Those familiar with PhishMe know how much we value the potential intelligence you can gather from user reports, and a user base that lives in fear of reprisal will weaken your security by being afraid to provide information about threats. If, as a security administrator, you have scared your users from reporting incidents, then aren’t you part of the problem as well?
As security administrators, we should look at ourselves first when users make mistakes. Have you provided your users with the knowledge they need to avoid those mistakes? If you feel you have, did you provide training in an engaging manner?
When the human resources department of a Fortune 500 company turned off escalators at peak lunch hour to foster healthy behaviour (the punishing approach), people worked around the measure and took an early or late lunch. On the other hand, when the same HR department adopted a rewarding approach of placing piano keys on the stairs, people were engaged and their behaviour changed for the better. Let’s get out of the geeky mindset of admonishing the ‘stupid user’; instead, make users part of your organization’s security posture by cultivating relationships through open communication and constructive criticism.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.