Should all users who fail phishing simulations, including C-Suite executives, face penalties?

Anonymous Author
Any consequential training should be equitable for all, including board members sometimes. Don’t enforce punitive measures, though: make it positive, and include everybody, so they all participate and learn at the same time.
0 upvotes
Anonymous Author
A few years ago, I was at a CISO event, and there were 100 of us in the room when the discussion turned to phishing. One individual in the financial sector advocated for a "3 strikes and you're out" rule, saying the board, the CIO, and HR had approved it. And after he finished describing this, I said, "So does your CEO or CFO get fired when they fail?" He said, "Well, it's different." I told him, "I will be the plaintiff attorney's expert witness when an administrative assistant gets terminated because they were constantly getting pummeled with problems from the executive they're supporting, making $55K a year, and then they're fired for failing a phishing simulation. You wouldn't fire your CEO, but I could own them in a minute." The whole room erupted into debate. Some were on my side, others said, "No, certain people are exempt from those rules." But I don't agree.
1 upvote
Anonymous Author
No. Enforcing behavior through the stick isn't always the most effective way to increase compliance. Far better is to spend additional time educating said users, and, on the other hand, to know that a certain % of your users will always fail some test; as a result, you should have robust controls that prevent issues should users fail their due diligence.
1 upvote