Punishing Users Is The Wrong Approach To Improving Security

By   ISBuzz Team
Writer , Information Security Buzz | Feb 05, 2014 03:12 am PST

Punishing users for undesired security behaviour? We believe that punishing users is a misguided idea that will alienate them and make it difficult to ever improve user security behaviour. Every so often, someone in the industry brings up the idea of punishing users as a way of motivating/improving behaviour.

Those familiar with PhishMe know how much we value the potential intelligence you can gather from user reports, and a user base that lives in fear of reprisal will weaken your security by being afraid to provide information about threats. If, as a security administrator, you have scared your users from reporting incidents, then aren’t you part of the problem as well?

As security administrators, we should look at ourselves first when users make mistakes. Have you provided your users with the knowledge they need to avoid those mistakes? If you feel you have, did you provide training in an engaging manner?

When the human resources department of a Fortune 500 turned off escalators at peak lunch hour to foster healthy behavior (the punishing approach), people worked around the measure and had an early or late lunch. On the other hand, when the same HR department adopted a rewarding approach of placing piano keys on the stairs, people were engaged and behaviors changed positively. Let’s get out of the geeky mindset of admonishing the ‘stupid user’; instead, make them part of your organization’s security posture by cultivating relationships through open communications and positive criticism.

The full blog post can be found here

About PhishMe

PhishMePhishMe® provides organizations the ability to improve their employees’ resilience towards spear phishing, malware, and drive-by attacks. Our approach entails immersive training to effectively change employee behavior, empower users to detect and report targeted phishing attacks, and augment an organization’s existing security operations and incident response processes. With over 4 million individuals trained in 160 countries, PhishMe has been proven to reduce the threat of employees falling victim to advanced cyber-attacks by up to 80 percent. PhishMe works with Fortune 1,000 companies across many industries, including defense industrial base, energy, financial services, government, healthcare, and retail. For additional information, please visit: www.phishme.com.