Educause Security Discussion mailing list archives

Re: Phishing Simulation - Punitive Escalation


From: Oliver Betts-Richards <00000199152951de-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Tue, 19 May 2020 07:47:14 +0000

I don't know how many UK-based higher education institutions use this group so there may be a cultural barrier here 
(please, forgive me), but termination of employment seems like a harsh step. (I wonder how far up the chain that might 
stop!?)

I also wouldn't like to be the member of the cybersecurity team involved in disciplining a colleague for being tricked 
by something that can happen to any of us.

Cheers,

Oliver Betts-Richards
Cybersecurity Analyst
IT Services

M: 07920 541225
T: 01332 592394
E: o.betts-richards () derby ac uk

University of Derby,
Kedleston Road,
Derby
DE22 1GB



Sensitivity: Internal
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Czarapata, Paul 
(KCTCS)
Sent: 18 May 2020 23:04
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing Simulation - Punitive Escalation


While I have not heard of this in Higher Education, I know of at least two hospitals in Cincinnati where the third 
violation is termination of employment.  The first is a warning and online video, second is a face-to-face session with 
a member of the Cybersecurity team.


______________________________________________________________________

Paul Czarapata, Ed.D.

Vice President/Chief Information Officer

Kentucky Community & Technical College System

300 North Main Street

Versailles, KY 40383

O: 859/256-3248



Your success equals our success.

Training and Learning Center<http://kctcs.edu/tlc> | Technology Solutions Help Desk<http://ithelpdesk.kctcs.edu/> | 
Technology Communications Center<http://kctcs.edu/tcc>


________________________________
From: Gomez, Joshua <J.Gomez () SNHU EDU>
Sent: Monday, May 18, 2020 10:51 AM
Subject: Phishing Simulation - Punitive Escalation


Hello

I wanted to ask what people are doing for a "path to escalation" for staff who repeatedly fail simulations or cause 
incidents?



For Example

First Failure -> Remedial Training

Second Failure -> Remedial Training + Supervisor Notification

Third Failure -> Remedial Training + Sit down with person and department head

Etc.



I'm just trying to get some ideas to bring to our Governance committee.  We have not been trying to be punitive and 
haven't needed to do much, but we are starting to see repeat offenders that need coaching for behavioral changes.



Thanks in Advance,



Josh



Joshua Gomez | Analyst, Information Security

Information Technology Solutions











**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community



The University of Derby has a published policy regarding email and reserves the right to monitor email traffic.
If you believe this was sent to you in error, please reply to the sender and let them know.

Key University contacts: http://www.derby.ac.uk/its/contacts/


