Do NOT punish employees for being victims

 Joseph Granneman believes victims should be held accountable for the actions of criminals


Phishing is an attempt to convince you to click a link and enter information on a website that impersonates a legitimate one, in order to obtain confidential information about you for some unknown, and probably illegitimate, purpose.

Punish the Victims?

An article published on TechTarget proposes punishing the people who click on these phishing links. Punishing victims is wrong, even if the intent is to help people learn how to identify these threats.
In fact, the analogy used by the author is flawed, too. He writes: “Employees would be held accountable if they let a criminal into the office and they caused physical damage.” If we apply this analogy critically to an email phishing attack, the employee who actually let the “criminal” into the office is the one who allowed the email to reach an inbox, not the one who clicked it. Punishing the clicker would be like punishing an administrative assistant for working with a criminal who was vetted and hired by someone in Human Resources, or waved through by the security guard.

Dissecting the Opinion

Here are some of the flaws in the arguments and analogies used in the article:

Users are either not understanding the message or they have developed an apathetic attitude toward the training because there are no personal repercussions for not following through on it.

Actually, users are busy people who sometimes rush through their day and click something before they realize it, or who are using mobile devices that sometimes do things the user did not intend. Furthermore, most phishing scams target personal information, so people who fall victim already suffer very real personal repercussions: their personal and financial data is often stolen.

Phishing is still successful because organizations do not hold employees accountable. Speed limits would not be followed either if there were no enforcement.

The driver who speeds is the one causing the problem, not the passengers or the drivers of the surrounding cars. The author also assumes that people only follow rules if they agree with them, which is not at all true. There are many reasons people DO follow rules, most of which start with understanding the rules and their intent. Criminals are those who knowingly break the rules with the intent of doing harm. In this analogy, enforcement should be applied to those creating the phishing scams, not to those stuck in the traffic jam caused by the speeders.

It is time for a new approach to information security because we are not winning this war.

Based on what metric? Most data, like this report from APWG, counts the number of attacks, not the number of victims.

A Better Way

Phishing is a technological problem, and the solution should come from technology, too. A far better way of handling phishing attacks would be for security software vendors to improve the way email links are examined: analyze where each link really leads, compare that with what the link appears to be, and pop up a message telling you there is a mismatch, giving you the choice to proceed or not.
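A minimal version of that link check, written here as an added example (it is not code from the original post or from any vendor's product): it parses the anchors out of an HTML message body, compares the domain shown in the link text with the domain the href actually points at, and also flags a few classic tricks (user-info placed before the real host, bare IP addresses, punycode hosts). The message body, hosts and domains below are constructed for the example, and the "last two labels" domain comparison in registrable_part is a deliberate simplification; a real filter would use the Public Suffix List.

```python
"""Flag e-mail links whose visible text and real destination disagree.

Added example; assumptions: .example/.test hosts are made up, and
registrable_part() is a stand-in for a Public Suffix List lookup.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that "looks like" a domain or URL: optional scheme, a host
# with at least one dot, optional path.
DOMAIN_RE = re.compile(
    r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.IGNORECASE
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_part(host):
    """Crude brand extraction: last two labels (simplification, see lead-in)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_link(href, text):
    """Return the reasons a link looks deceptive; an empty list means it passes."""
    reasons = []
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return reasons  # mailto:, tel: and friends are out of scope here
    host = parts.hostname or ""
    # https://bank.example@evil.test/ -> the real host is evil.test
    if parts.username is not None:
        reasons.append("user-info before host: %r" % parts.username)
    if IPV4_RE.fullmatch(host):
        reasons.append("destination is a bare IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) host")
    shown = DOMAIN_RE.match(text)
    if shown:
        shown_dom = registrable_part(shown.group(1))
        actual_dom = registrable_part(host)
        if shown_dom != actual_dom:
            reasons.append("text shows %s but destination is %s"
                           % (shown_dom, actual_dom))
    return reasons


def scan_email(html_body):
    """Return [(href, text, reasons)] for every link with at least one reason."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        reasons = analyze_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample message: one honest link, one mailto, three deceptive links.
SAMPLE_EMAIL = """<html><body>
<p>Your account needs attention.</p>
<p><a href="https://bank-example.evil.test/login">https://www.bank.example/login</a></p>
<p><a href="https://bank.example/help">https://bank.example/help</a></p>
<p><a href="http://198.51.100.7/reset">Reset password</a></p>
<p><a href="https://bank.example@evil.test/x">bank.example</a></p>
<p><a href="mailto:support@bank.example">Contact support</a></p>
</body></html>"""

if __name__ == "__main__":
    # This is the point where a mail client would show its warning prompt.
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print("WARNING: %r -> %s" % (text, href))
        for reason in reasons:
            print("   -", reason)
```

Run stand-alone it prints a warning for the three deceptive links and stays silent for the honest one and the mailto: link. The check is deliberately conservative: link text that does not look like a domain or URL ("Reset password") is only flagged when the destination itself is suspicious, because a mismatch can only be claimed when the text actually makes a claim about where the link goes.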

Regardless, at the end of the day, it is important to remember that criminals will keep refining their methods of attack, and that, while we can educate people to help them avoid a bad outcome, it is never the victims’ fault.