Wall Street Journal article: "Shaming Employees For Phishing is Counterproductive"



Shaming employees for falling for phishing attacks is the wrong approach, according to Dr. Karen Renaud, a chancellor's fellow at the University of Strathclyde. In an article for the Wall Street Journal, Renaud described a study she conducted alongside fellow researchers Rosalind Searle and Marc Dupuis in which the researchers asked people if they had ever been responsible for a cybersecurity incident at work, and how their management responded.

“Respondents fell into two distinct groups,” Renaud writes. “In the first group, people talked about managers yelling at them, embarrassing them in front of their peers and not trusting them after the incident. One woman said that the phishing email she fell for was sent to the entire company, with her name in the ‘To’ field, warning everyone not to fall for it as she had. Another person reported having computer access removed for a period, and still another said that it became obvious that his manager no longer trusted him and would check his work continuously.”

Employees who were not shamed, on the other hand, were eager to help remediate the situation and prevent it from happening again.

“Those in the second group said that their mistake had been met with understanding and support,” Renaud says. “There was no attempt to shame them in front of their peers. They were told how to repair the situation. These employees seized upon the opportunity to make up for their mistake. Some had feared being fired and were very grateful that this didn’t happen. The consequence, in contrast to the other group, was a much stronger relationship between the employer and employee after the incident, and a desire to do better in the future.”

Renaud concludes that organizations should address the phishing attack without blaming or shaming the employee.

“Anyone can fall for a deceptive phishing message,” Renaud says. “When they do, they already feel bad about it, and shaming them will only make things worse. The implications of our survey were clear: Shame is similar to a boomerang that will come back to hurt the organization, as well as harming the employee. Managers should deal with the mistake, but not reject the employee. If employees feel that their personhood is being attacked, they will respond defensively. Shaming results in a lose-lose outcome.”

New-school security awareness training can create a culture of security within your organization by teaching your employees to follow security best practices.

The Wall Street Journal has the story.


Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/phishing-security-test-offer
