Every company has a unique work culture. You may have heard various cultures described as a “family,” or as more “corporate.” Whatever category your workplace fits into, there is one aspect every business needs: a non-punitive one when it comes to testing your employees. You may have heard this term before, and if you work in cybersecurity you are likely familiar with how it fits into the testing and training space. But what exactly does it mean to have a non-punitive culture, and how can you implement it?
Why Non-Punitive Cultures Strengthen Your Security Program

What a Non-Punitive Security Culture Means for Your Employees

A non-punitive work culture encourages employees to report mistakes such as clicking a phishing link or sharing information during a vishing call, as well as near-misses and concerns, without fear of negative consequences.

Why Non-Punitive Cultures Improve Cybersecurity Reporting

This kind of culture not only works, it is key to a company’s success, because it creates an environment where employees feel safe reporting mistakes without fear of blame. In that kind of space, employees should feel safe asking for help when they need it. It encourages open communication and lets employees learn from one another without fear of judgment. Leaders should recognize employees for their efforts and hard work, and address mistakes without punishment.

Common Misconceptions About Non-Punitive Work Cultures

Even though it may sound nice, some misconceptions exist about this type of culture, such as:

  • Isn’t a non-punitive culture too soft?
  • Won’t people slack off if they are not punished?
  • How do we maintain accountability?

The short answer is that these concerns can become true if an organization does not also implement other, positive practices. Encouraging open and honest discussion of mistakes, and having leaders demonstrate the appropriate actions and responses to mistakes, can help you balance kindness with clarity and accountability.

When leaders remove fear around mistakes and consequences, employees experience greater psychological safety. It fosters an environment in which everyone can learn from each other, and where mental health is prioritized.

Dr. Abbie, the Director of Education at Social-Engineer, LLC (SECOM), states: “When a workplace adopts a truly non-punitive culture, it stops treating mistakes as moral failures and starts treating them as data. Empirical research on psychological safety shows that when people are not afraid of being shamed or punished for errors, stress hormones decrease, cognitive resources free up, and teams become more willing to speak up, learn, and take healthy risks. Over time, that reduces burnout, protects against anxiety and depression, and creates a culture where people’s nervous systems can settle enough for them to think clearly, connect with others, and actually perform at their best.”

How to Assess Your Company’s Security Culture

Now that we know why this kind of security culture works, how do we get a baseline for our company’s current culture? You can start with the following checklist. Answer these questions honestly; they should help you gauge where you fall on the non-punitive spectrum:

Do employees hesitate to report mistakes?

  • If they do not, this could indicate you’re on the right track. Openness in communication signals a healthy work culture.
  • If you notice a common hesitancy, this may be a sign to examine your current culture.

Do leaders talk openly about their own learning moments?

  • Here at SECOM, we follow our own advice and do internal phishing testing. When our CEO (Chris) falls for one of the phishes, he openly admits it. This helps the rest of us see that we are only human, and it really impresses upon us the importance of reporting suspicious messages even when we have fallen for them.

Are simulation results used for learning or for discipline?

  • This learning may look different depending on how many times someone has fallen for a phishing email, SMiShing text, or vishing call. If someone fails repeatedly, even after being trained, a clearer and more direct approach may be required. Even then, simulation results should never be used as an excuse for discipline.

Do employees know exactly how to report?

  • This matters because if we tell employees how necessary it is to report suspicious messages but never show them how, we put them in an impossible situation. Your reporting method should be simple, take only a moment, and be communicated clearly.

Implementing a Non-Punitive Security Culture in Your Organization

To implement a secure yet non-punitive culture, it has to come from the top down. Leaders have to find a balance between open communication and accountability. Clear communication of goals and expectations can aid in ensuring that the culture is non-punitive, yet not too lenient towards underperformance.

Organizational policies should focus on learning over blame, and leaders need to model supportive behavior. Open communication should be encouraged, with emphasis placed on reporting regardless of any mistake made. For example, if someone clicks a link in a phishing email and only later realizes it, they can still protect other employees and the company by reporting the message: a prompt report gives the security team the chance to block the link, reset any exposed credentials, and warn others before the damage spreads. This type of reporting should be required and encouraged, with no fear of a negative outcome for the employee.

A basic framework for implementing this type of culture may look something like the following simple steps:

  1. Set clear expectations for employees
  2. Leaders model appropriate behavior
  3. Implement positive reinforcements

Strengthening Your Human Layer Through a Supportive Culture

With the right balance, employees should feel empowered to report their mistakes and motivated to learn. That balance can take time to strike, but keep moving forward with the following points in mind: it must come from the top down; leaders need to demonstrate and model the expected behavior; open communication is vital; and reporting methods for mistakes need to be simple, clear, and non-punitive. Implementing this type of culture at your workplace will only strengthen your human element.

Written by
Shelby Dacko
Human Risk Analyst, Social-Engineer, LLC

