By SecureWorld News Team
Fri | Jun 8, 2018 | 8:42 AM PDT

"After three warnings, we will shut down their incoming and outgoing email," says Mitchell Sprinsky.

The Chief Information Officer at Spectrum Pharmaceuticals told a recent SecureWorld web conference the company's security awareness policy includes tough consequences for end-users who continue bad security behavior.

Security awareness policy includes consequences

"First is a discussion with their manager. If there are persistent problems, the employee is referred to HR for an improvement program. If there is no improvement, then there is possible termination, but we've never gotten to that point."

He says this method, along with awareness training and phishing exercises, has greatly increased employee vigilance.

But there is significant debate on this part of an organization's security awareness policy. How do you handle those who continue to click on suspicious links despite their awareness training?

Security awareness policy focuses on education

Donna Vieira, CRISC, is on the other side. She is the Security Risk and Compliance Analyst for Johnson County, Kansas, which serves a population of about 600,000 residents.

She says heavy-handed consequences can drive some employees to hide their cybersecurity mistakes.

"Encourage them to report, don't punish them for making a mistake. Encourage them to learn from past mistakes for the future, to do a better job. Everyone's going to make a mistake, and everyone at one point will get tricked into clicking that link," she told us at the SecureWorld Kansas City cybersecurity conference.

"What do you do after you click that link? Let's educate and focus on the solution."

Security awareness debate: consequences or not?

"People have strong opinions on this, on both sides of the fence," says Sam Masiello, Chief Information Security Officer at Gates Corporation. "Do you have the support of your management team when employees fail?"

Masiello moderated the SecureWorld web conference, Risky Business: When End-Users Continue Bad Security Behavior, which you can watch on-demand.

Security awareness policy survey

Masiello polled the several hundred cybersecurity practitioners attending the web conference live. He asked whether their organizations impose consequences for risky cyber behavior that gets employees into trouble.

Interestingly, only 11% report being strict, while another 16.5% "sort of" have consequences. Clearly, many businesses err on the side of education and awareness rather than punishment.

So what is your organization's security awareness policy for those who violate best practices?

No matter where you stand on the issue, chances are good you can find an information security peer who will agree with you!
