Do you penalize employees who fail phishing simulations at your organization?
Member Board of Directors in Finance (non-banking), 201 - 500 employees
They have to retrain, but we don’t necessarily position retraining as a penalty. It's framed as a continuous education process to make it more of a positive experience. We know that some people will fail, but using gamification makes it an opportunity for them to improve their answers and skill sets. That's what we're striving for, and because we do it every quarter, at some point people do learn and become much better.
CIO in Manufacturing, 1,001 - 5,000 employees
We do require retraining and they have to spend about 15 minutes in the simulation or training module. It's not that big of a time commitment, so the expectation is minimal. It's good for the organization and we've had good executive leader buy-in for it. We did tabletop exercises to simulate events with some of our executive and board members that ratcheted up their awareness and concern. After that it was easy for them to get on board. It's still a bit of a logistical challenge for our team to follow up with individuals that aren't completing the training, but we still do it.
CIO in Software, 5,001 - 10,000 employees
At my previous company, I don't think retraining was a consequence. We did have badges and things to acknowledge that you passed and did not fall prey to the simulation. At my current organization, there is opportunity for improving seamless integration of retraining because of the manual work needed. But simulations are an opportunity to educate rather than punish. Educating is one of the 1,500 things we do.
Senior Director, Defense Programs in Software, 5,001 - 10,000 employees
No, but we are penalized enough being inflicted with mediocre software failing to catch real & obvious phishing attempts.
IT Director and Software Producer in Software, 11 - 50 employees
Currently, after any egregious failure, they’re required to take remedial training. We do have serious penalties for not reporting a failure to me. With our system, I’m aware they’ve failed, and so is the employee. If they don’t report it (i.e. following our protocol of reporting clicking any link that turned out to be something other than what was represented), they are subject to an increasingly serious set of penalties. Not informing IT that a mistake was made, and that a nefarious process may have been initiated, may be grounds for termination in a serious event.
Reporting the mistake means that there will be no serious consequences, even in a serious event.
If we can’t prevent people from making mistakes, then helping IT get ahead of the process is our goal.