cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
dcontesti
Community Champion

Shaming amongst most effective technique to deter Phishing

I read this article in dis-belief.  I do not think shaming should be used as a technique in Security Awareness.  I worked for a boss that one time wanted to advertise bad actors when it came to security UNTIL that bad actor was the CEO of the company.  He changed his mind quickly.

 

I am not sure how the research was done.

 

https://www.scmagazine.com/home/security-news/phishing/you-clicked-on-what-shaming-among-the-most-ef...

 

What do others think?

 

d

 

12 Replies
cindelicato
Contributor I

Perhaps we need ground rules for, or a clear definition of, shaming.

 

At another organization where I worked, the InfoSec team had a spreadsheet on SharePoint - accessible to all Cleared personnel - listing the security infractions of anyone who was counseled or formally reprimanded. A description of the infraction - leaving a workstation unlocked and unattended, leakage of classified material, sharing of passwords, etc. - how the infraction was discovered, and what steps were taken (staff was counseled, reported to Supervisor, etc.).   The tabs broke down infractions by locations, and a running tally showed year over year.

 

This log included the infractions of rank-and-file team members and managers, including the VP of Security whose cell phone rang in a closed area (no personally owned devices are allowed in a closed area, ever). This shaming is not a step away from bullying, rather, it is showing that leadership is treated no different from the rest of the team.

 

rslade
Influencer II

> cindelicato (Newcomer III) posted a new reply in Tech Talk on 11-30-2020 02:37 PM in the (ISC)² Community :

 

> Perhaps we need ground rules for, or a clear definition of, shaming.   At
> another organization where I worked, the InfoSec team had a spreadsheet on
> SharePoint - accessible to all Cleared personnel - listing the security
> infractions of anyone who was counseled or formally reprimanded.

 

Well, that gets closer to "metrics" than shaming, but it's still questionable. It reminds me of the new Microsoft 365 "Productivity Score" (and that reminded me to post it: Thanks.)
https://community.isc2.org/t5/I/M/m-p/41165#M5090

 

In the dim and distant past, I put myself through much of university working in a hospital. (No, I was not personally acquainted with Florence Nightingale.) The best boss I ever had (in all my years of employment then and since) was one of the head nurses. The *worst* boss I ever had was also one of the head nurses.  Worst boss once marked up a shift schedule showing that people were extending their holidays and weekends by taking "sick days" at the beginning or end of shifts.  She completely demonstrated two things:
1) that people were cheating,
and
2) why.

 

Social engineering sometimes means letting things go.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Steve-Wilme
Advocate II

Reminds me a the Dilbert joke about HR have noticed the 40% of sick days are taken on Mondays and Fridays ....

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS