I am a new Security Lead/Analyst for a medium-sized company that does not have a great security posture. One of the many things I have been tasked with is creating, and aiding in enforcing, policies that define what the standard procedure should be should a user violate some security policy (i.e. fail a phishing test) so many times. The company runs some internal security analysis/tests but does nothing with the info/results of any of it.
So, my question is: what is a typical or industry-standard way of handling these incidents? Is it just that on the first violation they get an email/written warning, the second is additional training, and so on? Or what do you guys recommend?
Thanks in advance for any advice or point in the right direction!