Assume that it's time for Bob's performance review.
Bob's boss says he's a great addition to the team. Easy to work with!
And the sales numbers? Hot mama, Bob's smokin'! Mr. Bob surely has worked himself toward a big, fat raise!
Or not. Bob would have gotten a raise, that is, but he got fooled by a phishing email and unwittingly invited the bad guys in through the front door, torpedoing Widget Industries Ltd's multimillion-dollar investment in security systems.
Fiction! But can you imagine if this were really the way employees were assessed? They answer a phishing scam email, they trigger a major security breach, and then they're held accountable?
via Should employees be punished for sloppy cyber security? [POLL] | Naked Security.
A thought experiment, sure, but one that leads in some interesting directions.