The Akamai Blog

Punish Users for Security Mistakes?

In the world of information security, complaining about the user is a sport as old as the profession itself. Users falling for phishing attacks. Users failing to install patches. The list of complaints goes on.

Now, security vendor KnowBe4 -- whose product notifies management when employees click on potentially malicious links -- is suggesting users be punished for their missteps. CSOonline's Anton Gonsalves reports:

Security could be vastly improved by holding employees accountable for carelessly clicking on emailed links and attachments that lead to malware being downloaded to a corporate network, an awareness-training vendor says. Rather than simply re-training employees who are prone to fall for phishing attacks, KnowBe4 advocates reporting them to immediate supervisors and human resource departments that can pressure workers into becoming more careful. "With this program, they start to understand that there truly are repercussions for clicking on phishing links," Stu Sjouwerman, founder and chief executive of KnowBe4, said. "That will change the behavior."

It's easy to see the appeal in this approach. Even with security awareness programs, employees have been known to repeat mistakes, and those mistakes can be costly to the business. It's also standard procedure for a lot of companies to penalize employees who fail to follow the rules set down for them during security training.

But one could also argue that punishment takes it too far. Gonsalves' colleague, Steve Ragan, says as much in a blog post:

These employees, the ones "carelessly" clicking links, are victims. They're the victims. Clueless, careless, or any other degrading adjective you want to apply to them doesn't change the fact that they are the victims. They need support, not pressure, and certainly not punishment. I'm all for accountability, but there need to be limits, because IT (or the security team within IT) should never be feared by the people they exist to support.

That's a fair point. There's another point to be made as well: most security professionals, no matter how well trained and battle-hardened they are, make mistakes. It only takes a split second to fall for the very techniques you've spent years warning users about. I made an example of myself in this post.

After writing that, more than a couple of veteran security practitioners told me they've made plenty of their own mistakes. It's not an entirely bad thing. Sometimes you have to make mistakes to find better ways to get the job done.

I end this post with a request for feedback. Which is better, in your opinion: punishing users for their security mistakes, or finding a gentler way to show them the light?

Leave your thoughts in the comments section.