Now that phishing simulations are common, security teams debate whether to punish employees who fail them, as well as those who fail cybersecurity quizzes or fall victim to scams such as business email compromise. This punishment ranges from extreme sanctions such as disciplining or terminating the offenders or victims to less severe forms including forcing employees to sit through more training. While the latter may sound OK, employees disagree, with one remarking: “Get a red-hot poker and open up my eyes, it’s so boring.” This report details why punishing employees is a decidedly bad idea and explains how to nurture the better behavior that fosters a lasting and positive security culture.