Educause Security Discussion mailing list archives
Re: [EXTERNAL] Re: [SECURITY] Phishing Simulation - Punitive Escalation
From: "Hart, Michael" <mhart20 () MSUDENVER EDU>
Date: Mon, 18 May 2020 16:31:03 +0000
Can this be part of supervisory goals and evaluations? I know it would be for my staff, regardless of their role. The good part of having managers do this is that it's not IT being punitive. It's a supervisor setting expectations about behavior.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Scantlin, Aaron J.
Sent: Monday, May 18, 2020 10:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXTERNAL] Re: [SECURITY] Phishing Simulation - Punitive Escalation

I hear this a lot - and I understand where it comes from, but at what point do you not have to make a determination that a user presents more risk to organizational assets than value?

Aaron J. Scantlin
Security Analyst, Division of IT
GSEC, GCFA, GNFA
University of Missouri - Columbia
(573) 884 - 7555
scantlina () missouri edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ken Connelly
Sent: Monday, May 18, 2020 11:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing Simulation - Punitive Escalation

I sold phishing education to our administration with the caveat that it would *never* be punitive. I think that's an important piece of our program.

-ken

On 5/18/20 9:51 AM, Gomez, Joshua wrote:

Hello

I wanted to ask what people are doing for a "path to escalation" for staff who repeatedly fail simulations or cause incidents?

For Example
First Failure -> Remedial Training
Second Failure -> Remedial Training + Supervisor Notification
Third Failure -> Remedial Training + Sit down with person and department head
Etc.

I'm just trying to get some ideas to bring to our Governance committee. We have not been trying to be punitive and haven't needed to do much, but we are starting to see repeat offenders that need coaching for behavioral changes.

Thanks in Advance,
Josh

Joshua Gomez | Analyst, Information Security
Information Technology Solutions

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community

--
- Ken
=================================================================
Ken Connelly
Director, Information Security
Information Security Officer
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850 f: (319) 273-3010
Any request to divulge your UNI password via e-mail is fraudulent!