Punishing users for undesired security behavior? We believe that punishing users is a misguided idea that will alienate them and make it difficult to ever improve user security behavior. Every so often, someone in the industry brings up the idea of punishing users as a way of motivating/improving behavior. We hadn’t heard much on this topic since we wrote a post on it back in September; however, it has flared up again.
While it’s frustrating to continue to rehash this debate, the industry response overall has been encouraging. Steve Ragan at CSO Online provided an excellent argument against punishment, noting that it creates a culture of fear that hinders the potential benefits users can provide to our security posture:
“Fear is the reason that a staffer in marketing knew they infected their system after opening a PDF document, but didn’t report it. Instead they sought help elsewhere, or worse, they let the problem exist.
Fear is why communication between IT and the rest of the company, as it pertains to active security incidents, is almost non-existent. People are afraid that if they admit to clicking a link, or opening an attachment, they’ll be fired or otherwise punished, and now a security vendor is encouraging this.”
“If, as a security administrator, you have scared your users from reporting incidents, then aren’t you part of the problem as well?”
Those familiar with PhishMe know how much we value the potential intelligence you can gather from user reports, and a user base that lives in fear of reprisal will weaken your security by being afraid to provide information about threats. If, as a security administrator, you have scared your users from reporting incidents, then aren’t you part of the problem as well?
Bill Brenner of Akamai also wrote an encouraging response, noting that even “battle-hardened” security pros make mistakes. Our users are humans, and humans do make mistakes, is punishing them the best response?
As security administrators, we should look at ourselves first when users make mistakes. Have you provided your users with the knowledge they need to avoid those mistakes? If you feel you have, did you provide training in an engaging manner?
When the human resources department of a Fortune 500 turned off escalators at peak lunch hour to foster healthy behavior (the punishing approach), people worked around the measure and had an early or late lunch. On the other hand, when the same HR department adopted a rewarding approach of placing piano keys on the stairs, people were engaged and behaviors changed positively. Let’s get out of the geeky mindset of admonishing the ‘stupid user’; instead, make them part of your organization’s security posture by cultivating relationships through open communications and positive criticism.