Best Practice Report

Best Practices: Successfully Influencing Employee Cybersecurity Behavior

A Practical Guide For Promoting Responsibility, Compliance, And Good Judgment Without Fear, Shame, Or Acrimony

September 21st, 2021
Jinan Budge, VP, Principal Analyst
Jinan Budge VP, Principal Analyst
With contributors:
Stephanie Balaouras , Joseph Blankenship , Katy Tynan , David Brodeur-Johnson , Seles Sebastin , Bill Nagel

Summary

Now that phishing simulations are common, security teams debate whether to punish employees who fail them, as well as those who fail cybersecurity quizzes or fall victim to scams such as business email compromise. This punishment ranges from extreme sanctions such as disciplining or terminating the offenders or victims to less severe forms including forcing employees to sit through more training. While the latter may sound OK, employees disagree, with one remarking: “Get a red-hot poker and open up my eyes, it’s so boring.” This report details why punishing employees is a decidedly bad idea and explains how to nurture the better behavior that fosters a lasting and positive security culture.

Want to read the full report?

Contact us to become a client

This report is available for individual purchase ($1495).

Forrester helps business and technology leaders use customer obsession to accelerate growth. That means empowering you to put the customer at the center of everything you do: your leadership strategy, and operations. Becoming a customer-obsessed organization requires change — it requires being bold. We give business and technology leaders the confidence to put bold into action, shaping and guiding how to navigate today's unprecedented change in order to succeed.