4 in 10 firms punish staff for cybersecurity errors

New study says punishing employees for cybersecurity errors is “unfair, unnecessary, and detrimental” to workers and the business

Posted 6 August 2020 by Christine Horton

Firms are putting themselves and workers at risk by punishing employees for making cybersecurity slip-ups, according to a new study.

Research by British cyber firm CybSafe has found that more than four in 10 organisations take disciplinary action against staff who make cybersecurity errors.

However, the company describes this as “only unnecessary, but detrimental”.

“People fall for phishing attacks and other cybersecurity mistakes because they’re human and because they have been trained to click links,” said Dr John Blythe, head of behavioural science at CybSafe. “Bad habits are difficult to shake, especially when today’s phishing attacks can be highly convincing.

“Formally punishing staff for making cybersecurity slips is, in the vast majority of instances, a problematic approach. It’s unfair and diminishes productivity. It can cause heightened levels of resentment, stress, and scepticism about cybersecurity. It may also trigger legal challenges. And people are much less likely to report quickly, if at all, when they are frightened of being punished for doing so.”

To examine the prevalence of punishment in businesses and the impact on staff, CybSafe conducted a survey of cybersecurity awareness pros as well as an experimental lab study, designed to mimic real-world outcomes when employees click simulated phishing emails.

In the research CybSafe researchers found that those who were punished for mistakes experienced decreased productivity and increased anxiety levels. In the long-term, the experiment suggests that punishments are likely to negatively affect people’s mental wellbeing and their cybersecurity resilience.

However, the survey found that punishment continues to be a popular tool among UK businesses. Punishments range in severity and are often directed at those who “fail” phishing simulations.


Punishments include naming and shaming employees (15 percent), decreasing access privileges (33 percent) and locking computers until appropriate training has been completed (17 percent). Additionally, 63 percent of organisations will inform the employees’ line manager when cyber-mistakes are made.

Dr Matthew Francis, executive director at CREST, said: “As the UK’s hub for behavioural and social science research into security threats, we are delighted to support CybSafe’s important research into phishing simulations and the effect of punishment.

“The findings have highlighted how some well-meaning organisations are negatively impacting their cyber resilience by ‘outing’ or reprimanding individuals and that cybersecurity errors can serve as positive opportunities to educate people, to trigger long-term and sustained changes in security awareness and behaviour.”