Viewpoint: Shaming employees who fall for hacking attempts creates 'lose-lose outcome' 

Many organizations have fallen victim to phishing attacks preying on their employees, but it is important for managers not to shame individuals who have taken the bait in email phishing campaigns, Karen Renaud, PhD, said in a Dec. 6 Wall Street Journal op-ed. 

Dr. Renaud, a chancellor's fellow at the University of Strathclyde in Glasgow, Scotland, highlighted research she has done with colleagues on the aftermath of cybersecurity incidents. The research examined responses of employees who caused a cybersecurity incident at their workplace. 

Five things to know: 

1. The researchers surveyed workers and asked whether they had caused a cybersecurity incident at work. If they had, the respondents said they immediately felt bad. Whether they felt shame or guilt came down to how their employer responded. 

2. Respondents fell into two groups. The first included employees whose managers yelled at them, embarrassed them in front of peers and no longer trusted them after the incident. 

"One woman said that the phishing email she fell for was sent to the entire company, with her name in the 'To' field, warning everyone not to fall for it as she had," Dr. Renaud wrote. "Another person reported having computer access removed for a period, and still another said that it became obvious that his manager no longer trusted him and would check his work continuously." 

3. Respondents from the second group reported that their mistake was met with understanding and support and that they were not shamed in front of their peers. These employees said they were instructed on how to repair the situation, and some felt very grateful after fearing they would be fired.

4. The group of employees that received a more supportive response went on to have a much stronger relationship with their employer after the incident, Dr. Renaud said. 

5. Dr. Renaud and her team concluded that using shame as a behavior modification tool limits employees' likelihood of helping combat cyberthreats; shame can lead to the employee feeling less loyal to the organization, which may decrease their willingness to behave securely. 

"The implications of our survey were clear: Shame is similar to a boomerang that will come back to hurt the organization, as well as harming the employee," Dr. Renaud wrote. "Managers should deal with the mistake, but not reject the employee. If employees feel that their personhood is being attacked, they will respond defensively. Shaming results in a lose-lose outcome."

Copyright © 2022 Becker's Healthcare. All Rights Reserved.