Mystery shopping as unethical testing of employees

During a mystery shopping test (to see whether employees open a document that arrived by e-mail), 4 representatives of the finance department ended up in the top 10 worst users (those not following security policies).

Within an hour of the results being presented to top management, the director of the finance department personally appeared at the cybersecurity department and angrily protested against such tests ("it's unethical").

Please note

The test itself, the scenario, the goal, the random selection of testees were approved in advance by the CEO (who, in his own words, wanted to "know what kind of employees we have here and whether we can trust them").

No employee's name was published; only some employees were interviewed after the fact, before the results were shared with management.

How would you respond to the finance director?


This is a high-stakes moment — not because of the test, but because of what it reveals about ownership, accountability, and emotional pressure. How you respond will either turn this into a governance win or a political loss.

Below is how I would handle it, step by step, as a security leader who wants to stay credible.


Do not debate ethics emotionally

An angry director is not looking for reasoning — he’s reacting to threatened status.

Your job is to:

  • de-escalate,
  • reframe,
  • anchor yourself in governance, not opinion.

Start with acknowledgement

“I understand why this might feel uncomfortable.”

This validates emotion, not position.

Then clearly state why the test exists — and what it is not.

“This test was not about judging individuals or departments. It was about measuring organizational risk under realistic conditions.”

It is not a punishment, a trap or a moral judgment; it is simply a measurement of how effective our security awareness is.

Address the “unethical” accusation head-on

“This is not personal: the test was approved by the CEO, reviewed in advance, and designed to assess behavior — not intent, loyalty, or competence.”

If simulating a realistic threat were unethical, then fire drills and financial audits would be unethical too.

Discuss the implicit subtext: reputation damage

What the finance director is really saying is:

“I look bad...you have humiliated me...”

The explanation, like the test itself, should always be impersonal:

“It's not about you, it's about people who must not think they are above the rules. Attackers don’t avoid departments because they’re sensitive or prestigious.”

Hiding or ignoring results would create a much bigger risk than acknowledging them, so a reality check from time to time is a good thing.

Finance department users are high-value targets precisely because of their role. That’s why this result is important, not embarrassing.

Now we know that we need to target awareness and provide support for the Finance department — not disciplinary action, not naming individuals.

The ethics question explained

“The ethical question we need to answer is not whether testing is uncomfortable — it’s whether we knowingly allow avoidable risk in a department that handles critical financial assets.”

The deeper truth

We knew from the start that this wasn’t about ethics but about personal prestige: the finance department is considered more important than some security guy trying to do his job.

And whether the director knows it or not, his reaction is another risk signal (for the company).