What do you think about a 3-strikes rule for clicking malicious links? Is that taking risk reduction too far?

Governance, Risk & Compliance Awareness & Training

3.4k views5 Comments

Sort by:

Director of Systems Operations in Healthcare and Biotech2 years ago

Others have already highlighted my exact thoughts, why would your security device let so many phishing attempts through and additional training should be recommended. Given the majority of phishing utilities and the amount of information being delivered now on a daily basis the 3 strike rule is too harsh.

Head of Information Security in Services (non-Government)2 years ago

We require additional phishing specific training for repeat offenders. We're also considering notifying HR.

CISO in Insurance (except health)2 years ago

Security awareness training should be positive and if you have habitual "clickers" they need focused attention to help them strengthen their security prowess. Also, habitual "clickers" can be added to further security control with sandboxing, RBI and other zero trust technologies.

Director in Manufacturing2 years ago

We did not have a three strike or nine strike or any other strike rule

However every single policy and rule we had for any topic, IT, HR, Financial, Travel had the phrase.

“Any employee violating this policy is subject to disciplinary action up to and including termination “

I don’t know of anyone being terminated for clicking on a malicious link, but they may have been encouraged to go work somewhere else

Senior Information Security Manager in Software2 years ago

3 strikes? Babe Ruth struck out 1,330 times in his career.

It may be unfair to penalize an end-user for that, as there are a lot of other factors.

One could also turn the tables and point at information security. Why do they have systems that allow malicious links to enter the system in the first place?

Overall, it is a bad idea.

Content you might like

Seeking insights for research universities regarding CMMC 2.0 adoption and compliance. I'm listing our full question set below, but we would welcome insights on any or all of these:

1. What is the anticipated timeline for CMMC 2.0 adoption by the Federal Government? Any insights on the expected rollout and implementation schedule?

2. From a Higher Ed CIO perspective, what are the key operational differences between each "level" in CMMC 2.0? Are there any specific challenges or considerations especially for research universities?

3. For a research university, which CMMC level would be the most suitable target? Are there any key dates or deadlines that Higher Eds and researchers should be aware of in their compliance journey?

4. What are the most crucial features or elements of CMMC that universities need to achieve compliance? Any recommendations or best practices?

5. Specifically, are there any requirements in CMMC for 7/24/365 "eyes on glass" network and/or endpoint monitoring? If there is an endpoint requirement, does it extend to all servers and laptops issued by the university, or is it limited to hosts involved in research grants? What is expected to demonstrate compliance in this regard?

6. Apart from CMMC compliance, are there other considerations or or strategies to consider when seeking to qualify for/reduce cyber risk insurance costs?

What do you think the CMMC (Cybersecurity Maturity Model Certification) will actually address?

SaaS compliance audits today are sufficiently thorough.

Strongly Agree5%

Agree63%

Neither Agree nor Disagree19%

Disagree10%

Strongly Disagree

View Results

Are you already moving to quantum safe cryptography or planning to allocate budget to do so in the next year?

New York City has become the first major city in the U.S. to open a Cyberattack defense center. Will we see a faster critical response time to major attacks with this new initiative?

Yes, response times will be faster.71%

No, response times will stay the same.22%

Unsure7%