I'm a strong advocate for customized remedial and accountability schedules for each organization, rather than a one-size-fits-all solution. These schedules should be tailored to the risk culture that your organization is ethically willing to tolerate. For instance, companies like Netflix and Twitter can likely accept a higher level of risk and implement a more liberal accountability schedule without HR intervention to protect their operational culture. In contrast, organizations like NASA, JP Morgan, and The White House cannot ethically adopt the same policy. For them, an account takeover or other social engineering attack could have drastic implications for the public and their clients.

Liberal Schedule: (Within a 12-month period)

Strike 1: Additional remedial learning plan enrollment (will have limited effect if not made mandatory)

Strike 2: Re-enrollment into the remedial learning plan, with prior completion status erased. (will have limited effect if not made mandatory)

Strike 3: One-on-one conversation and attack scenario walk-through with a security awareness practitioner.

Strike 4: One-on-one conversation and attack scenario walk-through with a security awareness practitioner and the victim user's direct report.

Conservative Schedule: (Within a 12-month period)

Strike 1: Additional remedial learning plan enrollment (will have limited effect if not made mandatory)

Strike 2: Enrollment into an internal organizational Teams/Zoom live-instructor event where users will be directly coached on the campaign they engaged with and have an opportunity to ask questions directly to the instructor and discuss as a group.

Strike 3: One-on-one conversation and attack scenario walk-through with a security awareness practitioner and the user's direct report, and a formal, performance-affecting HR disciplinary warning is issued.

Business information security officer (BISO) integration.

This is a great program to leverage and get your BISOs involved with your department. Teach them to run the level 3, one-on-one sessions. They are the individual business unit faces of security. Strengthen the security culture by allowing them to educate the people they see more often than you do and have a better connection with. This will also reduce friction in how your disciplinary process is perceived.