What is the problem with so-called “repeat offenders”? We can answer that question in two ways: the easy way, and the right way. Let’s start with the simple answer. Many people would say that the problem with “repeat offenders” is repeat incidents, or at least repeat near misses. I know that’s the topic of discussion that was in mind when I was approached to give this talk. More precisely, I often find that the term repeat offender is actually used – in cyber security – to refer to people who repeatedly click links in phishing simulations.
So, what do we do about that? That is, of course, a long answer and something I’ve spoken about many times over the years. What we’re essentially talking about is influencing security behaviours, no doubt as part of developing a positive and proactive security culture. There’s lots to talk about here and it will, ultimately, come down to the specifics of the organisation. Perhaps there is a culture of massively prioritising productivity over security, or of sending masses of email at the drop of a hat, in which case, your so-called “repeat offenders” might be overwhelmed with email and tasks. Perhaps people just don’t get the issue with phishing emails, in which case you really need to take a critical look at your awareness-raising initiatives because they’re not doing what you need – perhaps they’re not tailored enough, not often enough or not explaining the why of security well enough. That’s a really common issue I see with awareness-raising – campaigns that tell people what to do – or, rather, what not to do – but which miss the most crucial point: why. If you want people to change their behaviour, you need to show them why it matters.