If a single click on a phishing email can ruin the entire company, the blame doesn’t lie with that individual.
That individual ABSOLUTELY has a piece of the blame.
In my time as a cybersecurity professional, my approach is always to blame the system, not the person.
If they clicked on a phishing link: 1) that email should never have reached their inbox, 2) that link should never have loaded, and 3) our awareness training is not up to snuff.
We have test-phishing mails sent by our IT-Sec team on a regular basis. There’s usually an obvious one and a better made one. First round 10% clicked the obv. one, 99% the good one.
We had a lot of trainings after that.
Last year the numbers went down to 5% and 80%.
If your security concept relies on both of these numbers being zero, you’re an incompetent hack trying to shift the blame on end users instead of doing your job.
Clicking a link isn’t supposed to have side effects, if it does someone else fucked up.