Wall Street Journal article: "Shaming Employees For Phishing is Counterproductive"

Stu Sjouwerman | Dec 15, 2021

Shaming employees for falling for phishing attacks is the wrong approach, according to Dr. Karen Renaud, a chancellor’s fellow at the University of Strathclyde. In an article for the Wall Street Journal, Renaud described a study she conducted alongside fellow researchers Rosalind Searle and Marc Dupuis in which the researchers asked people if they had ever been responsible for a cybersecurity incident at work, and how their management responded.

“Respondents fell into two distinct groups,” Renaud writes. “In the first group, people talked about managers yelling at them, embarrassing them in front of their peers and not trusting them after the incident. One woman said that the phishing email she fell for was sent to the entire company, with her name in the ‘To’ field, warning everyone not to fall for it as she had. Another person reported having computer access removed for a period, and still another said that it became obvious that his manager no longer trusted him and would check his work continuously.”

Employees who were not shamed, on the other hand, were eager to help remediate the situation and prevent it from happening again.

“Those in the second group said that their mistake had been met with understanding and support,” Renaud says. “There was no attempt to shame them in front of their peers. They were told how to repair the situation. These employees seized upon the opportunity to make up for their mistake. Some had feared being fired and were very grateful that this didn’t happen. The consequence, in contrast to the other group, was a much stronger relationship between the employer and employee after the incident, and a desire to do better in the future.”

Renaud concludes that organizations should address the phishing attack without blaming or shaming the employee.

“Anyone can fall for a deceptive phishing message,” Renaud says. “When they do, they already feel bad about it, and shaming them will only make things worse. The implications of our survey were clear: Shame is similar to a boomerang that will come back to hurt the organization, as well as harming the employee. Managers should deal with the mistake, but not reject the employee. If employees feel that their personhood is being attacked, they will respond defensively. Shaming results in a lose-lose outcome.”

New-school security awareness training can create a culture of security within your organization by teaching your employees to follow security best practices.

The Wall Street Journal has the story.

Topics: Phishing
