Do you penalize employees who fail phishing simulations at your organization?

Anonymous Author
They have to retrain, but we don’t necessarily position retraining as a penalty. It's framed as a continuous education process to make it more of a positive experience. We know that some people will fail, but using gamification makes it an opportunity for them to improve their answers and skill sets. That's what we're striving for, and because we do it every quarter, at some point people do learn and become much better.
1 upvotes
Anonymous Author
We do require retraining and they have to spend about 15 minutes in the simulation or training module. It's not that big of a time commitment, so the expectation is minimal. It's good for the organization and we've had good executive leader buy-in for it. We did tabletop exercises to simulate events with some of our executive and board members that ratcheted up their awareness and concern. After that it was easy for them to get on board. It's still a bit of a logistical challenge for our team to follow up with individuals that aren't completing the training but we still do it.
1 upvotes
Anonymous Author
At my previous company, I don't think retraining was a consequence. We did have badges and things to acknowledge that you passed and did not fall prey to the simulation. At my current organization, there is an opportunity to improve seamless integration of retraining because of the manual work needed. But simulations are an opportunity to educate rather than punish. Educating is one of the 1,500 things we do.
0 upvotes
Anonymous Author
No, but we are penalized enough being inflicted with mediocre software failing to catch real & obvious phishing attempts.
2 upvotes
Anonymous Author
Currently, after any egregious failure, they’re required to take remedial training. We do have serious penalties for not reporting a failure to me. With our system, I’m aware they’ve failed, and so is the employee. If they don’t report it (i.e., following our protocol of reporting clicking any link that turned out to be something other than what was represented), they are subject to an increasingly serious set of penalties. Not informing IT that a mistake was made, and that a nefarious process may have been initiated, may be grounds for termination in a serious event. Reporting the mistake means that there will be no serious consequences, even in a serious event. If we can’t prevent people from making mistakes, then helping IT get ahead of the process is our goal.
2 upvotes