Chapter 16 digs into a range of helpful and interesting anti-phishing suggestions and topics.

First-Time Firing Offense

I occasionally run into bosses who tell me their organization's anti-phishing policy is to fire anyone who inappropriately responds (i.e., fails) to a real-world or simulated phishing test. At the first offense, the person is fired. This policy is used to communicate the seriousness with which that organization takes phishing and to significantly reduce the number of phishing failures they experience. Although we don't have data to back what I'm about to say, I'm going to say it anyway: I think this policy is likely to reduce phishing failures below what the average organization faces. Some would say it's a successful policy.

Most anti-phishing experts and companies do not agree with this strategy, although perhaps some scenarios (e.g., stock trading floor, national security computer, etc.) may justify it better than others. But two facts make supporting this policy difficult (beyond the sheer human cruelty and the fact that the constant fear of impending termination doesn't create the most productive and loyal workforce).

First, anyone can be successfully phished. Anyone! The person who wrote that policy of firing someone for a first-time offense can be successfully phished. I've had dozens of people through the years tell me they could not be phished and ask me to do a simulated phishing test on them. In every case ...