Clay Posey, an associate professor of information systems in the Marriott School of Business at Brigham Young University and chief research scientist at Beyond Layer 7, and Mindy Shoss, an associate professor of psychology at the University of Central Florida, explain why employees violate cyber security policies to Harvard Business Review.
Why Do Employees Break Cyber Security Rules?
In May 2021, Colonial Pipeline, the largest fuel pipeline in the U.S., paid a ransom of nearly $5 million one day after Russian-based cybercriminals hacked its IT networks. The company was forced to shut down the entire pipeline, causing major disruptions to gas delivery up and down the East Coast. A few weeks later, the world’s largest meat company, JBS, paid an $11 million ransom in response to a cyber attack that halted operations at plants across the U.S., Canada, and Australia. These types of attacks have been happening for years, and the Covid-19 pandemic has only made matters worse. In the first few months of 2020 alone, the FBI reported a 400% increase in cyber attacks.
As a result, organizations’ investment into cyber security has skyrocketed, according to Posey and Shoss. But unfortunately, these efforts don’t always address the underlying factors that create vulnerabilities. The prevalence of remote work, in particular, has made access to secure systems more widely distributed. While IT specialists focus on developing better, smarter, and safer technical systems, the biggest risk remains human error. Cyber security programs generally assume that employees break security protocols either out of ignorance or malicious intent. However, Posey and Shoss’ recent research suggests that “failures to comply may be intentional yet non-malicious violations, largely driven by employee stress.”
1. Many violations are driven by stress
For their research, Posey and Shoss surveyed more than 300 remote employees across a wide range of industries. They asked participants to self-report their daily stress levels and adherence to cyber security policies over two weeks. They also conducted a series of in-depth interviews with 36 professionals who worked remotely during the Covid-19 pandemic to see how the transition to working from home impacted cyber security.
During the ten workdays, Posey and Shoss found that 67% of the participants failed to fully adhere to cyber security policies at least once, with an average failure-to-comply rate of one out of every 20 job tasks. When asked why they did not follow security guidelines, participants’ top three responses were “to better accomplish tasks for my job,” “to get something I needed,” and “to help others get their work done.” Respondents reported a malicious desire to cause harm in only 3% of policy breaches.
Additionally, they found that respondents were significantly more inclined to knowingly breach security protocols on days when they experienced higher stress levels, suggesting that an increase in stress reduced tolerance for following rules. Common sources of stress included family conflicts, job security fears, and the cyber security policies themselves.
2. Managers need to adapt training programs
Many business leaders tend to assume that employee security violations are either malicious or unintentional – this is not the case. Posey and Shoss’ research illustrates that there’s a “sizable middle ground between ignorance and malice,” so managers should adapt their training programs and policies accordingly.
Rather than emphasizing malicious attacks, security policies should acknowledge that many employee-driven breaches stem from an attempt to balance security with productivity. Posey and Shoss suggest training employees and managers on the prevalence of non-malicious violations, then outlining clear guidelines on what to do when adherence to security policies seems to hinder productivity. IT leaders need to involve any employees affected by new security measures in the design, evaluation, and implementation stages.
3. Security and productivity are intertwined
Employees typically have enough time and energy to focus on both security and productivity. However, the pandemic has made it difficult for many to sustain productivity, causing security to “take a backseat to the critical tasks that drive performance reviews, promotions, and bonuses,” Posey and Shoss write.
Managers must recognize that job design and cyber security are fundamentally intertwined. The reality is that compliance with cyber security policies can add to an employee’s workload, and so “it should be considered and incentivized alongside other performance metrics when workloads are determined.” Also, managers should identify and reduce sources of stress for their teams since working in high-pressure situations can impact employees’ consistency in following security protocols.
4. Hackers take advantage of altruism
In the study, roughly 18% of policy violations were motivated by a desire to help a coworker. The pandemic has created even more opportunities for well-intentioned employees to put their organizations at risk. Hackers often use social engineering tactics to take advantage of employees’ willingness to bend the rules if they think they’re helping someone out.
To prevent this, Posey and Shoss state that “managers must not only implement security policies specifically designed to protect against these sorts of attacks” — they also need to reduce the impact of these measures on employees’ workflows, and clearly explain their rationale, to increase compliance.
Leading Cyber Security Solutions in NJ & FL
Every employee is a potential threat vector. Mindcore provides New Jersey and Florida companies with personalized cyber security services, including ongoing training and support. For more information or to schedule a consultation, contact us today.