Opinion: Punishing users for security mistakes is a bad idea

KnowBe4, a security vendor that deals with building user awareness and mitigating social engineering risks, says that users should be punished for security mistakes. Fellow writer on CSO, Antone Gonsalves, covered their most recent report.

From the story:

“Security could be vastly improved by holding employees accountable for carelessly clicking on emailed links and attachments that lead to malware being downloaded to a corporate network, an awareness-training vendor says. Rather than simply re-training employees who are prone to fall for phishing attacks, KnowBe4 advocates reporting them to immediate supervisors and human resource departments that can pressure workers into becoming more careful.”

I get the point, I do. But this isn’t the right path to take. These employees, the ones “carelessly” clicking links, are victims. They’re the victims. Clueless, careless, or any other degrading adjective you want to apply to them, doesn’t change the fact that they are the victims.

They need support, not pressure, and certainly not punishment. I’m all for accountability, but there needs to be limits, because IT (or the security team within IT), should never be feared by the people they exist to support.

KnowBe4 says that a new program focused on accountability, proves this is the right path. As the aforementioned story explains:

“To prove the effectiveness of accountability, KnowBe4 did a study on the employees of 372 companies over a 12-month period. Of the 291,000 people who underwent testing, the vendor found roughly 16 percent who were especially prone to click on links in bogus phishing email. KnowBe4 claims that once the test group was held accountable for how they handled email, the percentage still inclined to becoming victims of phishing attacks fell to just over 1 percent.”

So, what defines accountability? There’s a rather large surface to cover here, and given that most of the world operates on an at-will basis when it comes to employment, fear is a strong motivator.

But fear is also a massive hindrance. Fear is the reason that a staffer in marketing knew they infected their system after opening a PDF document, but didn’t report it. Instead they sought help elsewhere, or worse, they let the problem exist.

Fear is why communication between IT and the rest of the company, as it pertains to active security incidents, is almost non-existent. People are afraid that if they admit to clicking a link, or opening an attachment, they’ll be fired or otherwise punished, and now a security vendor is encouraging this.

KnowBe4 says their new program helps organizations keep employees accountable. To me, I see the use of “accountable” as a kinder, gentler term for punishment. When it comes to social engineering and Phishing, punishing the victims will solve nothing, and serves only to promote fear.

Asked to weigh-in Brian Honan, InfoSec consultant, and head of Ireland’s Computer Security Incident Response Team (CSIRT), offered his thoughts. I agree with them totally, and share them here unfiltered.

“Blaming a security breach on one element alone is failing to appreciate the complexity of enterprise information security. There are many elements that can fail which can cause a security breach. These can range from technical issues, to lack of policies, or to poorly trained personnel.

“When we look at phishing attacks we very often look at the end user as being the weakest link and the point of origin of the breach. However, this can be myopic and blind us to other elements we need to consider.  We should also look at other failures in the security systems that allowed the attack to reach into the user such as, why did the phishing email bypass the email filters, did the detection systems detect any subsequent unusual user activity, and was there adequate security awareness training given to the user?

“Falling for a phishing attack and violating policies are [two] separate issues and should not be confused. Good and effective security awareness can address the needs in both areas. However, we need to realise that a well-crafted phishing attack can fool even the most experienced user and if our reaction is to punish them for being a victim of such an attack we run the risk of users not wishing to engage with the security team in the future.

“If there is consistent violations of policies then this indicates either policies are not appropriate for the business needs of the organisation, hence users violate them to get their work done, or its an indication that users are not properly aware of why policies are in place.”