BreachExchange mailing list archives

Termination: When Is It Appropriate? Assessing When Firing Someone After a Breach Makes Sense


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 20 Sep 2013 00:42:29 -0600

http://www.databreachtoday.com/blogs/termination-when-appropriate-p-1551

When is enforcement of security policies effective? When it serves as an
enabler of the right behavior.

For that to happen, generally three conditions need to be met. First,
enforcement has to be visible, meaning the workforce has to be aware of it.
Second, it needs to be meaningful, meaning there has to be a real
consequence. Lastly, it needs to be persistent, meaning it has to be
visible long enough to shape new behavior. It also helps if the action
taken is considered fair.

So how does employee termination as an enforcement action stack up against
these criteria? The reason I ask this question is twofold.

In recent months, when talking with folks about security incidents and
breaches, a common theme that has repeated itself over and over again is
that termination of an employee was often the action taken in response to a
breach. But when I asked if that had stemmed the number of incidents, the
answer generally was, "only temporarily" if at all. And in my experience
over the last 20 years managing security, I've seen that terminations have
not been as effective as one might expect in long-term behavior
modification.

Meaningful Consequence

Termination has personal, professional and financial consequences. It alone
may actually modify behavior for those aware of what happened. If the goal
is to remove the person involved, then it is effective. If the goal,
however, is long-term change, then termination alone is not likely to
achieve that result and might actually be counterproductive. This is only
accentuated by our short attention spans.

Visibility

For an action to change behavior it must be visible, meaning others must be
aware of it - not only that it happened, but the circumstances that led to
it. This is problematic because many organizations are hesitant to discuss,
let alone publicize, punitive actions. As a result, only a few employees
may be aware, and depending on their perception, the story told to others
may be skewed.

Also, termination eliminates any opportunity for the person punished to
become a learning vehicle for others - someone who can say from experience:
"That's not something you want to be doing." The finality of termination
can also work as a negative, as we lose a valuable resource without the
benefit hoped for, while placing additional burden on those left behind.

Behavioral change is helped by learned retention, and termination has a
short shelf-life when it comes to retention.

Persistence

Termination, as we said earlier, eliminates certain awareness opportunities
for long-term learning because the person punished is gone and the people
involved don't discuss it. Individuals who have been punished, but remain
in the workforce, can testify to others firsthand that certain behaviors
are destructive. In fact, individuals that are given a second chance can
become positive influences with peers - particularly if they perceive the
consequences they're handed were fair.

Don't get me wrong, termination is still an appropriate consequence
depending upon the circumstances. It should be reserved, though, for the
repeat offender, the individual who shows a total disregard for the rules,
the person who seeks to harm another, or the most egregious incidents. But
it should not be a standard response for every privacy breach in which an
employee had some responsibility.

Privacy and security are everyone's responsibility. You hear this over and
over again, yet organizations are reluctant to set privacy and security
performance criteria for their workforce. Why?

In government, employees who handle sensitive or classified information
routinely have security identified in their job description and included as
part of their performance evaluations. A first-time violation might result
in counseling, training and a letter in their file. A second violation
within a certain timeframe might result in a formal letter and loss of
eligibility for a bonus or promotion. Repeated violations or a serious
incident with willful negligence or intent might result in termination.
Taking these steps makes everyone in the organization personally aware of
their individual and collective responsibility to protect valuable
information.

To go one step further, often government contractors (business associates
in healthcare) are held responsible for the actions of their employees
through award fees. Security violations during a specified period can
result in reduced award fees for that contractor. Organizations and
agencies need to remind their vendor partners that they need to pay
attention to workforce training and that their employees' actions have
consequences.

The point is that even good workers sometimes make mistakes or have lapses
of judgment - some that will no doubt even leave you scratching your head.
That does not necessarily mean they are not good employees or capable of
doing better.

A security incident or even a lapse of judgment, depending on circumstance,
should not be grounds for automatic dismissal. Sometimes the person who
makes the mistake and suffers the consequences, but is not terminated, is
far more effective at shaping others' behavior than the one who disappears
and is soon forgotten.

Tying privacy and security to individual performance plans and then
enforcing it fairly can have a profound effect on behavior, and therefore,
culture. It has consequences, it's visible and persistent, and if applied
consistently, will be perceived as fair. More important, it will contribute
to awareness and learning and assist in reducing the number of future
incidents.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 