I read this article in disbelief. I do not think shaming should be used as a technique in Security Awareness. I worked for a boss who at one time wanted to advertise bad actors when it came to security UNTIL that bad actor was the CEO of the company. He changed his mind quickly.
I am not sure how the research was done.
What do others think?
Perhaps we need ground rules for, or a clear definition of, shaming.
At another organization where I worked, the InfoSec team had a spreadsheet on SharePoint - accessible to all Cleared personnel - listing the security infractions of anyone who was counseled or formally reprimanded. It gave a description of the infraction - leaving a workstation unlocked and unattended, leakage of classified material, sharing of passwords, etc. - how the infraction was discovered, and what steps were taken (staff was counseled, reported to Supervisor, etc.). The tabs broke down infractions by location, and a running tally showed year over year.
This log included the infractions of rank-and-file team members and managers, including the VP of Security whose cell phone rang in a closed area (no personally owned devices are allowed in a closed area, ever). This shaming is not a step away from bullying; rather, it is showing that leadership is treated no differently from the rest of the team.
> cindelicato (Newcomer III) posted a new reply in Tech Talk on 11-30-2020 02:37 PM in the (ISC)² Community :
> Perhaps we need ground rules for, or a clear definition of, shaming. At
> another organization where I worked, the InfoSec team had a spreadsheet on
> SharePoint - accessible to all Cleared personnel - listing the security
> infractions of anyone who was counseled or formally reprimanded.
Well, that gets closer to "metrics" than shaming, but it's still questionable. It reminds me of the new Microsoft 365 "Productivity Score" (and that reminded me to post it: Thanks.)
In the dim and distant past, I put myself through much of university working in a hospital. (No, I was not personally acquainted with Florence Nightingale.) The best boss I ever had (in all my years of employment then and since) was one of the head nurses. The *worst* boss I ever had was also one of the head nurses. Worst boss once marked up a shift schedule showing that people were extending their holidays and weekends by taking "sick days" at the beginning or end of shifts. She completely demonstrated two things:
1) that people were cheating,
Social engineering sometimes means letting things go.
Reminds me of the Dilbert joke about HR having noticed that 40% of sick days are taken on Mondays and Fridays ....