Carrot vs. Stick: Determining the Best Path for Your Program
We know it and you know it: dealing with end-user mistakes is costly. From employee downtime and remediation costs to the spread of malware or ransomware and IP or confidential data walking out the door, there are real dollars tied to cybersecurity errors. Employees who make those mistakes genuinely impact your business's bottom line, and if they do it more than once, the problem compounds.
As such, you may have concluded that it's fair to expect employees to avoid "repeat offender" status when it comes to cybersecurity mistakes, particularly costly ones. You would almost certainly face consequences if your own actions cost your organization time and money. So there should be consequences for employees who continue to click on phishing emails and make cybersecurity errors…right?
Perhaps you’ve also looked at other policies within your organization and deduced that it would be appropriate to align cybersecurity missteps to escalations for other bad behaviors. Some actions certainly should not go unchecked…but should poor cyber hygiene fall in that category?
Alan Levine, a former Fortune 500 CISO and current Security Advisor for Wombat, recently explored the “carrot vs. stick” conundrum in the SecureWorld web conference, Risky Business: When End Users Continue Bad Security Behavior. He joined other industry experts — Spectrum Pharmaceuticals CIO Mitchell Sprinsky and Snyder’s-Lance Information Security Manager Mike Muscatel — in debating the pros and cons of implementing an escalation path based on end-user actions. The panel offered advice for incorporating one-on-one employee counseling sessions, and determining how and when to impose penalties — including limitations on access privileges, bonus restrictions, and even job termination. They also discussed the potential ramifications of implementing a more punitive escalation path.
Levine in particular stressed the need for careful consideration on a “stick” approach, cautioning that the ripple effects can put a strain on employee morale and ultimately breed a sense of distrust, anxiety, and resentment throughout an organization. He will examine this topic again next week at our Wombat Wisdom Conference in Pittsburgh. If you are joining us, plan to attend the Carrot or Stick? Consequences for Repeat Clickers panel discussion on Wednesday, September 13.
Industry experts discuss cybersecurity awareness and training initiatives and how to handle end users who repeat bad behaviors.
To Escalate or Not to Escalate? More Food for Thought.
Regardless of your stance on employee security awareness training, establishing an escalation path for end users who are “repeat offenders” is not something to enter into lightly. We certainly recommend doing your research and listening to what experienced infosec professionals like Levine, Sprinsky, Muscatel, and others have to say on the subject. We also suggest the following:
- Abandon an "IT vs. end users" mentality and consider whether your organization's employees have truly been prepared to make the right decisions. Too often, users are filed under "S" for Stupid and are never given the opportunity to learn new behaviors. Mistakes happen hands-on, with a real message in a real inbox; security awareness training should be delivered the same way, through practice rather than passive presentation.
- Acknowledge the clear distinction between malicious intent and human error. A user who makes an honest mistake is different from a user who is too careless to bother, and both are very different from a malicious insider who intentionally harms your organization. An escalation path should treat these cases differently: an honest mistake calls for training, persistent carelessness for counseling and closer attention, and malice for investigation with HR and legal involved.
- Talk to your HR department and management teams to learn their thoughts about end-user penalties and the potential consequences of an escalation path. There could be labor laws or other legal concerns that prohibit punitive actions. It’s likely you would need Board approval before implementing a plan of this nature, so you’ll need to do your homework.
- Be prepared to draw a definitive line in the sand. If, in your mind, you are already letting certain people off the hook, such as C-level staff, key business roles, or even yourself and your team, you should scrap the idea of proposing an escalation plan. If you are going to do it, it needs to be applied consistently, regardless of who makes the mistake.