We currently test 60,000+ employees at least once a year. Once an employee fails the test we direct them to educational material and re-test within 3 months. I want to continue developing our program beyond an unlimited number of re-tests. I’d like to know from this group a) How many failures would you allow until permanent action is taken? b) Do any of you have a policy and/or standard that you’ve developed to communicate the consequences for multiple failures? c) Would you share if you have one? Thanks and I look forward to anyone’s response!!
Hmm, this could be a complicated question. Currently I don’t have a policy. Well I do but it is vague. My policy just states that failure to comply could result in disciplinary action, and that pretty much is just regarding doing the mandatory training. I have to do some revising.
Anyway, I think there may be some additional factors involved that need to be analyzed. Will you have backing from the HR Department/CEO/user's supervisor? What type of messages are they failing on? Are they continually failing on obvious ones, or are they failing on complicated ones? Will you have to hold a meeting with the user and supervisor, and document? Those may be questions that arise.
For me, in a perfect world, I would have the backing from HR, CEO, and Supervisors. The user would be trained and tested, meeting held with the user and the supervisor. Probably involving additional training material. Of course this would all be documented. Re-testing would be with simple ones. If they can’t make it past the simple obvious ones, then after the 3rd time maybe some unpaid time off work, or released from their duties.
We seem to have trouble with repeat offenders as well. We have thought about taking internet access away for a certain period of time as a disciplinary act but haven’t started doing it yet due to lack of policy and support.
We experienced similar problems for a few months after implementing security training and phish testing. Our organization has not implemented policies regarding test failures. Instead, we have put the focus on consistent education and training. If a user fails three tests in a row, I personally sit down with that person and walk through the social engineering red flags. If they continue failing tests, I coordinate with their supervisor to have them re-take the training. This effort has paid off for our organization immensely. Our end users were initially reactive to the testing emails and would click without regard for the risks involved. Now, 99% of our end users are proactive and either question suspicious emails or delete them entirely.