The old carrot vs. the stick question...

We setup initial security awareness training for new hires before we allow full access to network resources. If they don't pass they don't get access, easy enough. They can take it as many times as they would like, it's not a fail once and done scenario. Current staff are enrolled into two KnowBe4 interactive video training that take part in the first half and second half of the year. On top of that we send out phishing test emails two times a week. The first time they click on a link or open an email attachment on a test email it gives them a warning and lets them know what they did wrong. The second time they do it, we have them enrolled into remedial smaller 15 minute courses, typically around four extra courses. We've never had anyone get to this point btw. If it did we would cut off access to our client records platform because they are a risk to the company we can't allow.

Security has been built into our culture and that's why we don't typically have any issues. I even tell staff to email us suspicious emails if they have any questions of legitimacy at all. I know it's not advised but I want staff to feel comfortable communicating with us when they have any questions at all. If it's a legitimate email, I tell them so and thank them for being proactive.

Long story short, we use the data from when they first start and until they leave. If we re-hire them, I just pull them out of the archive and keep building on the data we already have of them. Their supervisors are notified upon first enrollment into the program, training they need to take/finish, and any outstanding training needed. I hope this helps, whatever you decide to do make sure this gets into a written policy and approved. Then just always fall back to policy.

---

@JK1 wrote:

...

I was wondering how others approach internal phishing tests and consequences? Do you consider tests over a year old? If not how many tests do you run and what is the escalation process?

---

Joseph,

Dr. M. Eric Johnson, Vanderbilt U.,  along with one of my former colleagues Dr. Deanna Caputo, MITRE,  have been researching this very issue for years. (I  was an unwitting participant in one of their research tests Deanna conducted internally in our company some years ago.) Much of their work looks at using the failures as points to introduce the training, rather than punishment. I recommend you search out their publications for more  detail on what they find works and what doesn't.

You can watch Dr. Johnson's 2011 keynote address to the ISSA International Conference in Baltimore, Human Behavior – The Weakest Link? at

https://www.members.issa.org/page/2011ConferenceRecord?PrivacyNotice

where I first learned of his research (and figured out that Deanna had used me in one of their experiments)

 

To get you started on their recent work, look at

Spear phishing in a barrel: Insights from a targeted phishing campaign
Article (PDF Available) in Journal of Organizational Computing and Electronic Commerce 29(1):24-39 · January 2019 

The actual journal source is here, but tat that site you have to pay $51 USD for the paper. the Researchgate link above has it for free.

 

Here are a few more potentially informative links:

Point-Of-Failure Phishing Training Does Not Work

Going Spear Phishing: Exploring Embedded Training and Awareness Jan.-Feb. 2014, pp. 28-38, vol. 12

 

I recommend a web search on ["m. eric johnson" "deanna caputo" phishing] to find more journal articles and interviews with them on the subject. 

 

For those who run into horrid paywalls for individual papers in professional journals, be sure to search researchgate.net and academia.edu, where authors often post their works for free. Also, write the authors directly to request copies. Most are happy to send out PDFs for free, to get the exposure.

 

Next, a suggestion of my own:

Do not even think about using the punishment route you have outlined until you have in writing a statement from the President, CEO, or Board Chair, approved for broad dissemination in the organization,  stating that the policy and consequences applies to all employees, including senior managers, vice presidents, and all direct reports to that top official.

 

Good luck . You have taken on a tough problem.

 

Craig

 

So it seems (MHOO) that HR has not bought into Security or the risks.  Each organization is different and depending where HR resides you might have different routes to take.

 

I agree with you that there should be a history kept (and HR records are the best place to keep them).  I disagree with the HR department that only keeping the information for a year is wrong.  I am a firm believe that these types of infractions should become part of the employees permanent file.

 

HR is probably of the mindset that the tests are not real so no damage was done.

 

Do you have a specific awareness program for senior management?  If not, this is a good place to start.  I would use real world stats on things like phishing, virus, ransomware.  Once you have buy in at the most senior levels then your plan will work....otherwise its your dept vs their dept.

 

my two cents

 

d

 

Thank you all for the responses and for the resources, there is lots of food for thought to take away. I feel one thing that I didn't get across is that the thinking behind this is really that disciplinary is a last resort and we would much rather focus on awareness and training.

 

We are attempting to foster a culture of security that encompasses everyone from the top down and C-suite focused awareness is something I think would definitely be of benefit.

 

Joe