It’s defense in depth. Just because you have one line of defense doesn’t mean you shouldn’t have another. The way defense in depth typically works is assuming the previous lines of defense have been thwarted. Even if you can’t foresee that happening, assume it did.
And it sounds like these employees were trained on this.
The thing I don’t like is the XMas bonus aspect. But the general idea doesn’t seem unreasonable.
How much depth is it really adding, though? Harassing non-specialists seems to have relatively limited value – plenty of security staff get phished – and there is a risk of making people think of the security group as adversaries.
I would certainly agree that the exercise could have some value but I think it would be wise to weigh that against the costs and especially to think about how you can make it supportive rather than punitive. In particular, most people are not only not given good tools for making untrained security decisions, but many of them will be told to violate that advice regularly. For example, what percentage of vendors, outsourced HR, etc. will tell people to open unexpected attachments or click on links which are difficult to distinguish from phishing? SolarWinds was far from the only company training their customers to ignore security errors on installers, too.