Should all users who fail phishing simulations, including C-Suite executives, face penalties?


Member Board of Directors in Finance (non-banking), 201 - 500 employees
Any consequential training should be equitable for all, including board members sometimes. Don’t enforce punitive measures, though: make it positive, and include everybody, so they all participate and learn at the same time.
Board Member, Advisor, Executive Coach in Software, Self-employed
A few years ago, I was at a CISO event, and there were 100 of us in the room when the discussion turned to phishing. One individual in the financial sector advocated for a “3 strikes and you're out” rule, saying the board, the CIO, and HR had approved it. And after he finished describing this, I said, “So does your CEO or CFO get fired when they fail?" He said, "Well, it's different." I told him, "I will be the plaintiff attorney’s expert witness when an administrative assistant gets terminated because they were constantly getting pummeled with problems from the executive they're supporting, making $55K a year, and then they’re fired for failing a phishing simulation. You wouldn’t fire your CEO, but I could own them in a minute." The whole room erupted into debate. Some were on my side, others said, "No, certain people are exempt from those rules." But I don’t agree.
CIO in Manufacturing, 1,001 - 5,000 employees

Mentally, I lean towards what you're saying, but in any company that I've ever worked for, the board wouldn't get behind that. It just wouldn't be practical.

Board Member, Advisor, Executive Coach in Software, Self-employed

Another individual from a different firm described a penalty system where people wouldn’t be terminated, but their quarterly bonus structure would be affected. I still didn't like that setup, but at least it has some implication to keep you sharp.

Director of Information Security in Energy and Utilities, 5,001 - 10,000 employees
No. Enforcing behavior through the stick isn't always the most effective way to increase compliance. It is far better to spend additional time educating those users, and, on the other hand, to know that a certain percentage of your users will always fail some test, and as a result you should have robust controls that prevent issues should users fail their due diligence.
