Hi Matt, The KnowBe4 suggested template is very employee focused. The schedule goes up to 9+ subsequent failures and employee manager/management remedial processes. If you have the opportunity, please do download the KnowBe4 template from the blog. It’s freely downloadable: https://www.knowbe4.com/hubfs/SecurityAwarenessTrainingandTestingModelPolicyTemplate.docx
My own opinions. Some industries may have the need to be more stringent than others. A government military defense contractor or critical infrastructure provider may have much lower risk tolerance. These employee policies have to be tailored to the specific industry and company need. Many cyber insurance policies are now calling for employee awareness training as part of compliance. We’re still in the infant stages of these cyber policies. But these policies may have an influence on employer practices and tolerances. Cybersecurity culture is now starting to become more pervasive and moving up to C-Suites and Boards.
Employees - humans - are their most important company assets. So helping them grow and succeed is just good business and, generally speaking, taking a positive approach with employees who fail and working to help them succeed is certainly the desirable route.
But there are certain situations, on a case-by-case basis, where an employee may, for whatever reason, intentionally disregard the policy, putting the company at risk. But repeated intentional disregard of company policy would usually trigger an HR warning anyway. An employee who repeatedly fails training or is finally deemed “untrainable” is a security problem waiting to happen. So in some cases it may rise to a level of termination. Perhaps a company might have the option of removing that person from doing computer work to take that risk out of the equation. Each company will have to set its own policy according to their situation. That’s why a template can only suggest a roadmap. This is a great discussion, and I'd love to hear what others think and how they might handle this problem.