Re: [EXTERNAL] Re: [SECURITY] Phishing Simulation - Punitive Escalation

["Hart, Michael" <mhart20 () MSUDENVER EDU>]

Can this be part of supervisory goals and evaluations?  I know it would be for my staff, regardless of their role.  The 
good part of having managers do this is that it's not IT being punitive.  It's a supervisor setting expectations about 
behavior.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Scantlin, Aaron J.
Sent: Monday, May 18, 2020 10:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXTERNAL] Re: [SECURITY] Phishing Simulation - Punitive Escalation

NOTICE: This email originated from outside the University. Please exercise caution when replying or opening links and 
attachments.

I hear this a lot - and I understand where it comes from, but at what point do you not have to make a determination 
that a user presents more risk to organizational assets than value?

Aaron J. Scantlin
Security Analyst, Division of IT
GSEC, GCFA, GNFA
University of Missouri - Columbia
(573) 884 - 7555
scantlina () missouri edu<mailto:scantlina () missouri edu>

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Ken Connelly
Sent: Monday, May 18, 2020 11:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Phishing Simulation - Punitive Escalation

I sold phishing education to our administration with the caveat that it would *never* be punitive. I think that's an 
important piece of our program.

-ken
On 5/18/20 9:51 AM, Gomez, Joshua wrote:
Hello
I wanted to ask what people are doing for a "path to escalation" for staff who repeatedly fail simulations or cause 
incidents?

For Example
First Failure -> Remedial Training
Second Failure -> Remedial Training + Supervisor Notification
Third Failure -> Remedial Training + Sit down with person and department head
Etc.

I'm just trying to get some ideas to bring to our Governance committee.  We have not been trying to be punitive and 
haven't needed to do much, but we are starting to see repeat offenders that need coaching for behavioral changes.

Thanks in Advance,

Josh

Joshua Gomez| Analyst, Information Security
Information Technology Solutions






**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmhart20%40MSUDENVER.EDU%7C936d6ab5d9bd4a93f5d808d7fb480570%7C03309ca417334af9a73cf18cc841325c%7C1%7C0%7C637254159062693104&sdata=%2FrWu0V9tD46NWSQvfgU5WyUHt7zgJes%2FfQkoE8c3%2FEk%3D&reserved=0>


--

- Ken

=================================================================

Ken Connelly                       Director, Information Security

Information Security Officer          University of Northern Iowa

email: Ken.Connelly () uni edu<mailto:Ken.Connelly () uni edu>   p: (319) 273-5850 f: (319) 273-3010



Any request to divulge your UNI password via e-mail is fraudulent!

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmhart20%40MSUDENVER.EDU%7C936d6ab5d9bd4a93f5d808d7fb480570%7C03309ca417334af9a73cf18cc841325c%7C1%7C0%7C637254159062693104&sdata=%2FrWu0V9tD46NWSQvfgU5WyUHt7zgJes%2FfQkoE8c3%2FEk%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmhart20%40MSUDENVER.EDU%7C936d6ab5d9bd4a93f5d808d7fb480570%7C03309ca417334af9a73cf18cc841325c%7C1%7C0%7C637254159062703097&sdata=r8ggRUbPar8xrULlvtBXXxWEu9KhrJHFYEPC4RxICSw%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community