Program Management
October 23, 2025
PhishFirewall Team

How to Handle Repeat Phishing Test Failures (High-Risk Employees)

What do you do when an employee keeps clicking? Learn a compassionate but effective strategy for managing high-risk users without toxic punishment.

In every organization, there is a small percentage of users (often 3-5%) who repeatedly fail phishing simulations. These "repeat offenders" require a strategic, compassionate approach.

Why They Fail

Impulsiveness: Clicking before thinking (Behavioral)
Overworked: High stress/multitasking (Contextual)
Tech Gap: Fundamental lack of understanding (Knowledge)

The Escalation Framework

1. Automated

Failures 1-2. The user sees the landing page and receives a micro-learning video. No human contact.

2. Coaching

Failures 3+. The security team reaches out: "Is the training confusing? How can we help?"

3. Restrict

Chronic risk. Revoke admin rights, block attachments, or isolate the user on a separate VLAN.

4. Manage

Willful negligence. Only now does it become an HR performance issue.

The Golden Rule

Care, Not Punishment

Punitive measures (public shaming, firing threats) drive threats underground. Frame your response as a safety measure for them and the company.

Key Takeaway

"The goal is behavior change, not termination. Treat high-risk users as patients who need care, not criminals who need punishment."
