What do you think about a 3-strikes rule for clicking malicious links? Is that taking risk reduction too far?

2k views, 3 comments

Senior Information Security Manager in Software, 501 - 1,000 employees
3 strikes? Babe Ruth struck out 1,330 times in his career.

It may be unfair to penalize an end-user for that, as there are a lot of other factors.

One could also turn the tables and point at information security. Why do they have systems that allow malicious links to enter the system in the first place?

Overall, it is a bad idea.
Director in Manufacturing, 1,001 - 5,000 employees
We did not have a three-strike or nine-strike or any other strike rule.

However every single policy and rule we had for any topic, IT, HR, Financial, Travel had the phrase.

“Any employee violating this policy is subject to disciplinary action up to and including termination “

I don’t know of anyone being terminated for clicking on a malicious link, but they may have been encouraged to go work somewhere else.
CISO in Insurance (except health), 5,001 - 10,000 employees
Security awareness training should be positive, and if you have habitual "clickers" they need focused attention to help them strengthen their security prowess. Also, habitual "clickers" can be added to further security controls with sandboxing, RBI and other zero trust technologies.
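The control-tiering approach in the comment above, as an added example that is not part of the original thread or any vendor's product: phishing-simulation click records are scanned over a rolling window, and users whose unreported clicks reach a threshold are mapped to an extra control tier (isolation, sandboxing, focused training) instead of a strike count. The sample records, the 180-day window, the threshold and the tier names are all constructed assumptions.

```python
"""
Added example (not from the original thread): identify habitual clickers
from phishing-simulation results and assign them extra controls rather than
disciplinary strikes.  All sample data, window sizes, thresholds and tier
names below are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: one record per simulated phish delivered.
# (user, ISO timestamp, clicked the link?, reported the message?)
SAMPLE_EVENTS = [
    ("alice", "2024-01-10T09:00:00", True,  False),
    ("alice", "2024-02-14T11:30:00", True,  False),
    ("alice", "2024-03-20T08:15:00", True,  False),
    ("bob",   "2024-01-10T09:05:00", True,  True),   # clicked, but reported it
    ("bob",   "2024-02-14T11:35:00", False, True),
    ("carol", "2023-06-01T10:00:00", True,  False),  # old: outside a 180-day window
    ("carol", "2024-03-20T08:20:00", True,  False),
    ("dave",  "2024-03-20T08:25:00", False, False),
]


def _as_datetime(value):
    """Accept either a datetime or an ISO-8601 string for `now`."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def habitual_clickers(events, now, window_days=180, threshold=3):
    """Return {user: unreported_click_count} for users whose unreported
    clicks within the trailing `window_days` reach `threshold`.

    A click the user also reported is treated as a successful detection,
    not a failure, so it does not count against them.
    """
    cutoff = _as_datetime(now) - timedelta(days=window_days)
    counts = defaultdict(int)
    for user, ts, clicked, reported in events:
        when = datetime.fromisoformat(ts)
        if clicked and not reported and when >= cutoff:
            counts[user] += 1
    return {u: c for u, c in counts.items() if c >= threshold}


def control_assignments(events, now, **kw):
    """Map each habitual clicker to an extra-control tier.

    The tier contents (focused training, remote browser isolation for web
    links, sandbox detonation for attachments) are assumed names, chosen to
    mirror the "sandboxing, RBI and other zero trust technologies" idea; a
    real deployment would map them to group memberships in its own tooling.
    """
    plan = {}
    for user, count in habitual_clickers(events, now, **kw).items():
        plan[user] = {
            "training": "focused-awareness-session",
            "browser_policy": "remote-browser-isolation",
            "attachment_policy": "sandbox-detonate",
            "evidence_clicks": count,
        }
    return plan


if __name__ == "__main__":
    for user, tier in control_assignments(SAMPLE_EVENTS, "2024-04-01T00:00:00").items():
        print(user, tier)
```

Because the window and threshold are parameters, the same function can be re-run with a longer look-back to catch slow repeat offenders, and the reported-click exemption keeps the process from punishing the exact behaviour (clicking, then reporting) that awareness training tries to encourage.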
