Use this framework to help standardize the process for employees who progress beyond the highest level of your remedial accountability schedule.

Repeat Offender Handling Classifications

These guidelines help you evaluate employee behaviors and responses to phishing attacks, identify each employee's susceptibility to various levels of threat, and gauge their commitment to improving cybersecurity awareness through continuous learning.

Note: Classification types are based on MITRE Insider Threat Research: https://insiderthreat.mitre.org/insider-types/

Outsmarted

Evaluation

Employee likely causes infrequent harm by falling victim to targeted attacks that use sophisticated insider knowledge.

Observation

Employee demonstrates a humble attitude towards continuous learning and understands the importance of improving their awareness and handling of phishing and data exposure risks.

Suggested Disciplinary Approach

  1. Give the employee significant benefit of the doubt regarding commitment to improving their phishing and data exposure literacy.
  2. Require the employee to complete the highest level of documented remedial training promptly.
  3. Consider scheduling a 1-on-1 Q&A session with a social engineering expert to discuss best practices and reinforce training, if not already part of the current approach.
  4. Evaluate whether the employee has elevated or privileged access to data or network architecture, and determine if increased technical behavioral monitoring is warranted.

Mistaken

Evaluation

Employee likely causes occasional harm by falling victim to attacks of varying difficulty.

Observation

Employee demonstrates a humble attitude towards continuous learning and understands the importance of improving their awareness and handling of phishing and data exposure risks.

Suggested Disciplinary Approach

  1. Give the employee reasonable benefit of the doubt regarding their commitment to improving their phishing and data exposure literacy.
  2. Require the employee to complete the highest level of documented remedial training promptly.
  3. Consider scheduling a 1-on-1 Q&A session with a social engineering expert to discuss best practices and reinforce training, if not already part of the current approach.
  4. Evaluate whether the employee has elevated or privileged access to data or network architecture, and determine if increased technical behavioral monitoring is warranted.

Negligent

Evaluation

Employee likely causes frequent harm by falling victim to attacks of varying difficulty.

Observation

Employee demonstrates resistance to, or little desire for, improving their phishing and data exposure awareness.

Suggested Disciplinary Approach

  1. Give the employee clear, quantifiable OKR expectations, such as required success rates in identifying and reporting phishing tests, that define an acceptable risk level. If these expectations are not met, appropriate disciplinary action should follow, up to and including termination.
  2. Require the employee to complete the highest level of documented remedial training promptly.
  3. Consider scheduling a 1-on-1 Q&A session with a social engineering expert to discuss best practices and reinforce training, if not already part of the current approach.
  4. Evaluate whether the employee has elevated or privileged access to data or network architecture, and strongly consider technical behavioral monitoring.

Malicious

Evaluation

Employee purposely causes frequent harm by falling victim to attacks of varying difficulty.

Observation

Employee exhibits a defiant and intentional disregard for cybersecurity monitoring, governance, and security awareness expectations, actively challenging the necessity of these measures.

Employee suggests they have no intent of improving their security behavior understanding or literacy.

Suggested Disciplinary Approach

  1. Termination of employment.

Classification Calculation Assistance

These guidelines are designed to assess the probability that an employee might fall victim to phishing attacks, thereby potentially leading to data exposure and related security risks.

Outsmarted

Annual Phishing Test Data

Success Rate: 90%

Fail Rate: 10%

Employees in this category are generally proficient at recognizing phishing attempts but may occasionally fall victim to sophisticated attacks.

Attack Difficulty

The tests the employee fails are mostly highly sophisticated, targeted attacks that use insider knowledge.

Observation

Employee verbally expresses a strong commitment to continuous learning and frequently asks questions to improve their awareness capability. They exhibit a positive and proactive demeanor towards security training.

Mistaken

Annual Phishing Test Data

Success Rate: 75%

Fail Rate: 25%

Employees in this category make occasional mistakes but are largely capable of identifying phishing attempts.

Their success rate shows they are effective in most cases but may miss some less obvious attacks.

Attack Difficulty

Employee fails tests of varying difficulty, ranging from moderately sophisticated to highly targeted attacks with insider knowledge.

Observation

Employee verbally acknowledges the importance of continuous learning and shows a willingness to improve their awareness capability. They have a generally positive demeanor towards security training.

Negligent

Annual Phishing Test Data

Success Rate: 50%

Fail Rate: 50%

Employees in this category have a mixed record in recognizing phishing attempts. Their success rate reflects their inconsistency and lack of commitment to improving their security awareness.

Attack Difficulty

Employee fails tests ranging in difficulty from simple to sophisticated.

Observation

Employee verbally expresses indifference or skepticism about the need for continuous learning and shows little interest in improving their awareness capability. Their demeanor may be dismissive or resistant to security training efforts.

Malicious

Annual Phishing Test Data

Success Rate: Lower than 50%

Fail Rate: Higher than 50%

Employees in this category intentionally disregard security measures and challenge the need for them. Their low success rate reflects their lack of effort or desire to identify phishing attempts.

Attack Difficulty

Employee fails tests of any difficulty, from simple to complex.

Observation

Employee verbally challenges the necessity of security measures and openly resists efforts to improve their awareness capability. Their demeanor is defiant and confrontational, showing no commitment to continuous learning.

Guidance and Best Practices

This section provides practical tips to help ensure the successful implementation of this framework by improving employee attitudes towards security awareness and risk management.

  1. In this framework, observing an employee's intent and their perception of the value of security awareness is just as important as assessing their susceptibility to compromise. No one is a "lost cause" unless they explicitly state that they do not care about causing harm. The primary goal of these guidelines is to encourage continuous learning and improvement in risk management, rather than to impose discipline. Prioritizing this approach is essential to protecting your operational culture.
  2. A repeat offender will rarely fit a classification that perfectly matches the evaluation and observation guidelines. Determine which classification most closely resembles each offender's data and exhibited demeanor.
    1. For example, an employee may have fallen for 50% of test attacks, but all of those attacks were highly targeted and used insider knowledge, and the employee demonstrates a highly humble attitude towards continuous learning and a clear intent to improve their security behaviors. While the test data alone supports a classification of Negligent, the attack difficulty and behavior observations support Outsmarted, which may lead to a final decision of Mistaken.
  3. Clearly communicate these guidelines and the criteria for each classification. Transparency about the leniency afforded to those who demonstrate a genuine desire to lower their risk level often encourages exactly that behavior.
  4. Ensure all remedial training and improvement plans are well-documented and track employees' adherence to completion timelines.
  5. Preventing bias and discrimination in cybersecurity disciplinary actions is crucial. Establish clear and specific criteria for exceptions at the governance and implementation stages, detailing the risk versus operational success reasons for each exception. Ensure fairness by involving a separate, independent representative to review and approve classifications and exceptions.