Most Orgs Don’t Know If Phishing Consequence Models Are Working

February 05, 2019
Gretel Egan

Consequence models — that is, official ramifications for end users who prove to be “repeat offenders” when it comes to phishing attacks (simulated and otherwise) — have been on our radar for a while, and it’s a topic we’ve heard more about from infosec professionals over the years. The “carrot vs. stick” debate has grown more recently as organizations consider multiple ways to incentivize end users to take more care with their cybersecurity behaviors.

As we did last year, we surveyed our security contacts — customers and non-customers — about their use of consequence models for our fifth-annual State of the Phish Report, released in January. This year, 42% of respondents said that they enforce consequences for users who repeatedly click on simulated phishing attacks, a 7% year-over-year decrease. We also saw a decrease in the number of infosec professionals who said their organization imposes financial penalties on repeat offenders — but there was a slight rise in those who said job termination is part of their escalation path.

[Figure: 2019_SOTP_Consequences1] Source: 2019 State of the Phish Report

A new question we asked for this year’s report focused on metrics related to escalation paths. Namely, we wanted to know if those who are using a consequence model are able to gauge its effectiveness. Interestingly, more than half said they haven’t evaluated the impact it’s having within their organization. Our Security Advisor, Alan Levine, said of this statistic, “If you can’t measure it, you may be doing the wrong thing.”

[Figure: 2019_SOTP_Consequences2] Source: 2019 State of the Phish Report


Carrot vs. Stick: Simply a Case of Perception?

Levine — a former Fortune 500 CISO and former non-believer in security awareness training — has strong opinions about the use of negative reinforcement techniques, which he shared in our recent State of the Phish SecureWorld web conference. “Failing tests is not the same thing as refusing to learn,” he said. “Any one of us in the right conditions — or as the case may be, the wrong conditions — could fall for a phishing scam.”

Levine is passionate about this topic, and his advocacy for “more carrot than stick” within organizations extends even to “kinder, gentler” ramifications like counseling and additional training (the latter of which he said is “always good” for users who are having difficulty grasping new skills). He advised that end users’ perceptions will be heavily influenced by policies and communications — and by the way organizations position user “failures.”

“Bad news travels much faster than good news; bad news will be discussed at the water cooler. And bad news for an individual can become bad news for an entire organization,” Levine cautioned. When users worry about being slapped on the wrist for making mistakes during the learning process, they could become nervous about all of their interactions with email, he warned, which could have a negative impact on the flow of business.

Levine says that infosec teams should focus on creating a program that “builds a bridge” to users, rather than expecting users to cross the bridge on their own. “We should reward users who do well, and we should help users who don’t do well along the way,” he said. “Reach out and communicate, with help, not hassle, to mobilize the workforce for the good fight.”


For more insights and advice, listen to the on-demand replay of the webinar, which highlights several key findings from our State of the Phish Report. CPE credits are available.