Security teams debate whether to punish employees who fail phishing simulations or cybersecurity quizzes, or who fall victim to scams such as business email compromise. Punishments for offenders range from severe sanctions such as discipline or termination to milder ones like forcing them to sit through additional training. Security leaders find it difficult to strike a balance among taking punitive action, showing empathy to employees, and getting the right level of engagement. This report helps security leaders determine the appropriate consequences to apply when employees err, depending on the frequency and severity of the mistake.