Punishing Cybersecurity Errors Found to be Counterproductive


Over four in 10 (42%) organizations take disciplinary action against employees who make cybersecurity errors, a practice that, according to a new study by CybSafe, leaves those organizations at greater risk of attack.

A survey of UK businesses found that mistakes such as falling for simulated phishing emails are regularly punished. Sanctions include naming and shaming employees (15%), reducing their access privileges (33%) and locking their computers until they have completed the required training (17%). In addition, 63% of organizations inform the employee's line manager when a cybersecurity mistake is made.

As part of the research, CybSafe conducted a lab-based experiment to test the impact of these kinds of punishments. It found that punishing staff has a "highly detrimental" effect, increasing anxiety levels and reducing productivity. The findings suggest that punishments may have a long-term impact on employees' mental health and actually reduce an organization's cyber-resilience.

Dr John Blythe, head of behavioural science at CybSafe, commented: “People fall for phishing attacks and other cybersecurity mistakes because they’re human and because they have been trained to click links. Bad habits are difficult to shake, especially when today’s phishing attacks can be highly convincing.”

“Formally punishing staff for making cybersecurity slips is, in the vast majority of instances, a problematic approach. It’s unfair and diminishes productivity. It can cause heightened levels of resentment, stress, and scepticism about cybersecurity.”

Blythe added that this kind of approach may make staff more reluctant to report cybersecurity errors quickly, putting organizations in more danger.

Dr Matthew Francis, executive director at CREST, said: “The findings have highlighted how some well-meaning organizations are negatively impacting their cyber-resilience by ‘outing’ or reprimanding individuals and that cybersecurity errors can serve as positive opportunities to educate people, to trigger long-term and sustained changes in security awareness and behavior.”
