Do you penalize employees who fail phishing simulations at your organization?

2.3k views, 5 Comments

Member Board of Directors in Finance (non-banking), 201 - 500 employees
They have to retrain, but we don’t necessarily position retraining as a penalty. It's framed as a continuous education process to make it more of a positive experience. We know that some people will fail, but using gamification makes it an opportunity for them to improve their answers and skill sets. That's what we're striving for, and because we do it every quarter, at some point people do learn and become much better.
CIO in Manufacturing, 1,001 - 5,000 employees
We do require retraining and they have to spend about 15 minutes in the simulation or training module. It's not that big of a time commitment, so the expectation is minimal. It's good for the organization and we've had good executive leader buy-in for it. We did tabletop exercises to simulate events with some of our executive and board members that ratcheted up their awareness and concern. After that it was easy for them to get on board. It's still a bit of a logistical challenge for our team to follow up with individuals that aren't completing the training but we still do it.
CIO in Software, 5,001 - 10,000 employees
At my previous company, I don't think retraining was a consequence. We did have badges and things to acknowledge that you passed and did not fall prey to the simulation. At my current organization, there is opportunity for improving seamless integration of retraining because of the manual work needed. But simulations are an opportunity to educate rather than punish. Educating is one of the 1,500 things we do.
Senior Director, Defense Programs in Software, 5,001 - 10,000 employees
No, but we are penalized enough being inflicted with mediocre software failing to catch real & obvious phishing attempts.
IT Director and Software Producer in Software, 11 - 50 employees
Currently, after any egregious failure, they’re required to take remedial training. We do have serious penalties for not reporting a failure to me. With our system, I’m aware they’ve failed, and so is the employee. If they don’t report it (i.e. following our protocol of reporting clicking any link that turned out to be something other than what was represented), they are subject to an increasingly serious set of penalties.

Not informing IT that a mistake was made, and that a nefarious process may have been initiated, may be grounds for termination in a serious event.

Reporting the mistake means that there will be no serious consequences, even in a serious event.

If we can’t prevent people from making mistakes, then helping IT get ahead of the process is our goal.
