Thanks to KnowBe4 for this great policy tip!

Firing employees for failing phishing tests can be extremely counterproductive and can damage an organization’s overall security posture. That, at any rate, is what two security experts told Brian Krebs recently, and we agree with them.

Companies sometimes think punitive policies will make employees take phishing more seriously, but these policies actually discourage cooperation and openness. It is much more productive to reward desired behavior.

John LaCour, founder and CTO of PhishLabs, told Krebs that punishment isn’t an effective response to failed phishing tests because it makes employees feel they’ve been manipulated.

“It really demotivates people, and it doesn’t really teach them anything about how to be more diligent about phishing attacks,” LaCour said. “Each phishing simulation program needs to be accompanied by a robust training program, where you teach employees what to do when they see something phishy. Otherwise, it just creates resentment among employees.”

Punishing Employees Has Negative Security Repercussions

In addition to creating an unhealthy work environment, punishing employees for failing phishing tests will have negative repercussions for your organization’s security. When an employee does fall for a phishing email, whether real or simulated, the most important thing they can do is report the incident so that the attack can be mitigated. Rohyt Belani, CEO of Cofense, said that organizations should have training programs that encourage employees to report failed phishing tests.

“So what happens a lot of times is a person may click on a link in a real phishing email, and three seconds later realize, ‘Oops, I shouldn’t have clicked, let me report it anyway’,” Belani told Krebs. “But if that person knew there was a punitive angle to doing so, they’re more likely not to report it and to say, ‘You know what, I didn’t do it. Where’s the proof I clicked on the link?’”

LaCour says that positive reinforcement and recognition are key elements in improving employees’ phishing resistance. He said that posting the scores for each department’s phishing tests can make employees take the tests seriously and improve cooperation. He added that small rewards and lighthearted penalties, like having the lowest-scoring department buy lunch for everyone, can also help by making it feel like a good-natured competition.

An organization’s employees are its most important assets, and they need to be treated fairly and with respect. However, employees that are chronically click-happy become an active liability for your network security. New-school security awareness training can build a culture of security within your organization by providing education programs that are effective and make your employees feel valued.

Part of that fair treatment is a published security policy—which hundreds of organizations use today—to create a clean, clear, level playing field with known consequences for repeated click behavior. Here is a “find/replace” Policy Template Doc that you can use for your own organization:
https://blog.knowbe4.com/policy-template-should-failing-phishing-tests-be-a-fireable-offense