4 in 10 organizations punish staff for cybersecurity errors
New research has found that 42% of organizations are taking disciplinary action against staff who make cybersecurity errors.
To examine the prevalence of punishment in businesses and the impact of this on staff, a team of researchers led by Dr John Blythe, Head of Behavioral Science at CybSafe, conducted a survey of cybersecurity awareness professionals as well as an experimental lab study, designed to mimic real-world outcomes when employees click simulated phishing emails.
The survey found that punishment continues to be a popular tool amongst UK businesses. Punishments range in severity and are often directed at those who “fail” phishing simulations:
- 15% of organizations name and shame employees
- 33% of organizations decrease access privileges
- 63% of organizations inform employees’ line managers
- 17% of organizations lock employees’ computers until appropriate training has been completed
Dr John Blythe said: “People fall for phishing attacks and other cybersecurity mistakes because they’re human and because they have been trained to click links. Bad habits are difficult to shake, especially when today’s phishing attacks can be highly convincing.”
“Formally punishing staff for making cybersecurity slips is, in the vast majority of instances, a problematic approach. It’s unfair and diminishes productivity. It can cause heightened levels of resentment, stress, and skepticism about cybersecurity. It may also trigger legal challenges. And people are much less likely to report quickly, if at all, when they are frightened of being punished for doing so.”
In the lab-based experiment, conducted as part of the same commissioned research, CybSafe researchers found that punishing staff for cybersecurity mistakes was not only unnecessary but detrimental. Those who were punished for mistakes experienced decreased productivity and increased anxiety levels. In the long term, the experiment suggests, punishments are likely to negatively affect people’s mental wellbeing and their cybersecurity resilience.
Dr Matthew Francis, Executive Director at CREST, said: “As the UK’s hub for behavioral and social science research into security threats, we are delighted to support CybSafe’s important research into phishing simulations and the effect of punishment. The findings have highlighted how some well-meaning organizations are negatively impacting their cyber resilience by ‘outing’ or reprimanding individuals and that cybersecurity errors can serve as positive opportunities to educate people, to trigger long-term and sustained changes in security awareness and behavior.”