Punishing users is the wrong approach to improving security behavior

Punishing users for undesired security behavior? We believe that punishing users is a misguided idea that will alienate them and make it difficult to ever improve user security behavior. Every so often, someone in the industry brings up the idea of punishing users as a way of motivating/improving behavior. We hadn’t heard much on this topic since we wrote a post on it back in September; however, it has flared up again.