Handling a cybersecurity policy violator is often one of the more difficult decisions in security. Go too easy and it sends a message of lax security. Go too hard and it can create resentment and an environment of fear.
The best response is a layered approach of increasingly restrictive security implementation until the employee improves their habits or leaves the organization. This response should factor in the employee’s training history and the intent behind the policy violation.
Much of how a company can respond will depend on the technology available; however, the layered approach is still achievable with a little strategy and foresight.
Dealing with a Cybersecurity Policy Violator
Violations of cybersecurity policy, and of the technical controls and related processes that are part of those policies, pose a significant threat to the confidentiality, integrity, and availability of the business’s data assets.
Security violations are often the result of carelessness or purposeful circumventions to “get work done”. Of course, there are occasions where the subversion of security policies is an active attempt to damage or steal critical elements of the business. Regardless of the reason, when things are left unchecked, the damage is the same.
Taking a layered approach that implements stricter security controls (such as the removal of a certain level of access) is a strategic way to achieve additional security where it is needed without impacting the remaining employees.
This approach is improved by the understanding that cybersecurity is a competitive edge for the business and that violations of cybersecurity reduce that advantage. Not all violations are equivalent, because the policies and controls they violate do not all address the same level of risk.
The list below describes each layer in step, from a mild response to the response of last resort:
- Additional Training: Remedial training covering the policy or topic related to the violation. For example: click a link in a phishing email, then get more training about phishing emails.
- Increased Scrutiny: Additional levels of monitoring or activity restriction on the employee’s system. For example: install unapproved software, then get application whitelisting on the system.
- Access Limitations: Removal or reduction of access to networks, applications, and/or data. For example: bypass the internet proxy, then get reduced access to the internet.
- Termination: When things aren’t working out and the employee continues to put the company at risk.
The first three layers, though obstructive in some sense, should not be regarded as punitive. The goal of these responses is two-fold: increase the employee’s awareness of security, and reduce the risk that a careless (or rogue) employee exposes valuable IT assets to threats.
A simple version of this approach takes only the number of violations into consideration:
- Violation #1: Additional Training
- Violation #2: Increased Scrutiny
- Violation #3: Reduced Access
- Violation #4: Termination
Enhanced Response
A more progressive approach to dealing with policy violators is to develop a point system (much like a driver’s license point system) and as points are accumulated various actions and responses take place.
Gather too many points and accesses and privileges get revoked, ultimately leading to termination of any employee unwavering in their carelessness or attempts to subvert security.
After an extended and defined period of “secure behavior”, the employee gets points removed and privileges returned.
Here is an example point system approach using the same responses from above:
- Violation Category: The points should reflect that some activities are more dangerous than others.
- Impact Modifier: The violation is significantly worse dependent on the potential impact to business operations and assets. Impact categories are similar in nature to “outage” categories in a response plan.
- Layered Response: Use the same responses from above. Moving up the response stack incurs the corresponding response. Moving down returns things to normal activity.
Violation Categories
For the sake of simplicity here are four categories of violation.
| Violation Category | Description | Points |
|---|---|---|
| Phishing Engagement | Clicking a link, opening an attachment, etc. | 10 |
| Bypassing Perimeter Defense | Opening SSH in the firewall, VPNing out, bypassing the internet proxy, exposing a dev system to the internet, etc. | 20 |
| Installing Unauthorized Software | Any program not approved by appropriate staff or process | 15 |
| Shadow IT | Any device put on the network without approval through normal processes, e.g. an internal game server | 10 |
Violation Impact Modifier
In addition to the violation points, there are modifiers representing an increase of attack surface or level of access to critical systems or information. Some violations are just worse than others.
For example, consider setting up an internal game server [which, as it turns out in this scenario, has a severe vulnerability] on the server LAN segment available only to network administrators, versus making that same server available to everyone on the network. Both situations are violations, but the second increases the attack surface to a greater degree than the first.
| Impact Level | Description | Modifier |
|---|---|---|
| Critical | Attack surface increase or access to a critical system | x 10 |
| Medium | Attack surface increase or access to a system “proximate” to a critical system | x 5 |
| Low | Violation of policy that does not rise to Medium or Critical | x 1 |
Response Layer Point Ranges
These numbers can be calibrated to reduce the risk that someone who just made a couple of honest mistakes gets fired, but these ranges are a decent start.
| Response | Point Range |
|---|---|
| Additional Training | 1-30 |
| Increased Scrutiny | 31-70 |
| Access Limitations | 71-100 |
| Termination | 100+ |
The numbers are only as tyrannical as you allow them to be. They are more of a guide than a strict set of rules. Keep in mind that the ranges used within the organization will shape its security culture one way or another.
Example Employee Policy Violation Score Card
This is a hypothetical miscreant: a network admin who sees no real need for security to prevent him from doing whatever he wants on the company network. Hopefully such a person is not in your employ.
| Violation | Type | Points | Impact | Multiplier | Total | Running Total | Response |
|---|---|---|---|---|---|---|---|
| Installed game on company laptop | Unauth Program | 15 | Low | 1 | 15 | 15 | Training |
| Installs random “efficiency program” on server | Unauth Program | 15 | Medium | 5 | 75 | 90 | Access Limitations |
| No issues for 6 months | | | | | -50 | 40 | Access restored |
| Exposes same server to internet to log in from home | Perimeter Bypass | 20 | Medium | 5 | 100 | 140 | Termination |
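The point system and the score card above can be encoded directly, which makes the arithmetic and the layer boundaries explicit and lets the ranges be recalibrated in one place. The following Python is an added illustration, not code from the post: it holds the three tables, applies the impact multiplier, keeps a running total with point removal after a clean period, and maps the total to a response layer, then replays the hypothetical network admin. The category names, modifier values, point ranges and the 50-point credit for six clean months are the post’s; the handling of exactly 100 points (kept in Access Limitations, since the post’s ranges overlap at 100), the zero floor on the running total and the “None” layer for a clean score are assumptions made here.

```python
"""Point-based response model for cybersecurity policy violations (illustration code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Violation categories and base points (values from the post's table).
VIOLATION_POINTS = {
    "Phishing Engagement": 10,
    "Bypassing Perimeter Defense": 20,
    "Installing Unauthorized Software": 15,
    "Shadow IT": 10,
}

# Impact modifiers (values from the post's table).
IMPACT_MODIFIER = {"Low": 1, "Medium": 5, "Critical": 10}

# Response layers, mildest first, as (name, low, high). The post's ranges overlap
# at exactly 100; assumption: 100 still counts as Access Limitations and
# Termination starts at 101. The "None" layer for a zero score is also an assumption.
RESPONSE_LAYERS: List[Tuple[str, int, Optional[int]]] = [
    ("None", 0, 0),
    ("Additional Training", 1, 30),
    ("Increased Scrutiny", 31, 70),
    ("Access Limitations", 71, 100),
    ("Termination", 101, None),
]


def layer_index(total: int) -> int:
    """Index into RESPONSE_LAYERS for a running total (raises if out of range)."""
    for i, (_, low, high) in enumerate(RESPONSE_LAYERS):
        if total >= low and (high is None or total <= high):
            return i
    raise ValueError(f"total {total} matches no response layer")


def response_for(total: int) -> str:
    """Name of the response layer a running total triggers."""
    return RESPONSE_LAYERS[layer_index(total)][0]


@dataclass
class Entry:
    """One row of the score card."""
    description: str
    category: str
    points: int
    impact: str
    multiplier: int
    total: int
    running_total: int
    response: str


@dataclass
class ScoreCard:
    """Running point total for one employee plus the row history."""
    running_total: int = 0
    history: List[Entry] = field(default_factory=list)

    def record_violation(self, description: str, category: str, impact: str) -> Entry:
        """Score a violation: base points x impact modifier, added to the running total."""
        points = VIOLATION_POINTS[category]
        multiplier = IMPACT_MODIFIER[impact]
        total = points * multiplier
        self.running_total += total
        entry = Entry(description, category, points, impact, multiplier, total,
                      self.running_total, response_for(self.running_total))
        self.history.append(entry)
        return entry

    def record_clean_period(self, description: str, credit: int) -> Entry:
        """Remove points after a defined period of secure behaviour.
        Assumption: the running total never drops below zero."""
        before = layer_index(self.running_total)
        self.running_total = max(0, self.running_total - credit)
        after = layer_index(self.running_total)
        # Moving down the stack lifts the restriction of the layer just left.
        response = f"{RESPONSE_LAYERS[before][0]} lifted" if after < before else "No change"
        entry = Entry(description, "Clean period", -credit, "n/a", 1, -credit,
                      self.running_total, response)
        self.history.append(entry)
        return entry


def post_score_card() -> ScoreCard:
    """Replay the post's hypothetical network admin (descriptions from the post)."""
    card = ScoreCard()
    card.record_violation("Installed game on company laptop", "Installing Unauthorized Software", "Low")
    card.record_violation('Installs random "efficiency program" on server', "Installing Unauthorized Software", "Medium")
    card.record_clean_period("No issues for 6 months", 50)  # -50 credit from the post
    card.record_violation("Exposes same server to internet to log in from home", "Bypassing Perimeter Defense", "Medium")
    return card


if __name__ == "__main__":
    for e in post_score_card().history:
        print(f"{e.description:55} {e.total:>5} {e.running_total:>5}  {e.response}")
```

Running it reproduces the table: running totals 15, 90, 40 and 140, with the 6-month clean period lifting Access Limitations and the final perimeter bypass landing in Termination. Changing a range or a modifier in the tables at the top is all it takes to recalibrate, which is where the post suggests the tuning should happen.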