Negative reinforcement: How NOT to improve user behavior
One of the interesting aspects of security awareness training is the intersection of information security with human resources. We know from experience that security practitioners are not always experts in the latter, but what we recently saw from Dave Clemente was a real doozy.
Clemente suggested that employees who engage in unsafe IT security behavior (such as clicking on phishing links) be reprimanded and that unsafe behavior should even negatively affect their performance review. To the security part of your mind, it might feel good to punish people for their security sins. We need to remember, however, that the ultimate goal of security is to protect a network, not give users a reason to DDoS it.
“Do we really want to set the precedent that clicking on a link in an email will negatively affect how the organization views your value to the business?”
Employees will understandably feel attacked if you threaten to impact their performance reviews (and potentially their income). Do we really want to set the precedent that clicking on a link in an email will negatively affect how the organization views your value to the business? Considering that even security pros themselves slip up (as Bill Brenner attested in his blog), punishing employees for clicking on emails is a sure way to poison the relationship between the IT department and the organization at-large.
Once employees have a negative view of the IT department, it will be extremely hard to get them to do anything we want them to do. The pragmatic side of me has to believe that most managers would not go along with this anyway. Is a sales manager going to negatively evaluate the best salesperson because he/she clicked on a phishing email?
To take a negative stance, you have to believe that they are deliberately behaving this way. In my experience, most employees want to help and do the right thing, but haven’t been given the proper tools and/or training. If phishing is a problem at your organization, you should evaluate your current program to ensure that you are doing everything you can to empower your employees to avoid phishing emails.
We’ve discussed on this blog previously how we have to sell security awareness to employees. While the ways you incentivize participation in security awareness may differ, one thing is certain: punishing people is not the way to go.
Have any of you tried this approach at your organization? What kind of reaction did you get?