Research: Why Cybersecurity Policies Are Violated by Workers
Colonial Pipeline paid a nearly $5 million ransom last summer after a hack caused widespread alarm over the supply of fuel in the Southeastern United States. Only a few weeks later, the world’s largest meat processor agreed to pay an $11 million ransom in response to a cyberattack that halted operations at factories in the United States, Canada, and Australia. Attacks like this have been increasing in frequency for years, and the Covid-19 epidemic has further exacerbated the situation, with the FBI claiming a 400% spike in cyberattacks in the first two months of the pandemic.
In response, investment into cybersecurity has skyrocketed — but unfortunately, these efforts haven’t always addressed the underlying factors that create vulnerabilities. While IT specialists toil away to create better, smarter, and safer technical systems, there is one risk they can’t program away: humans. Especially as remote work becomes more prevalent and thus access to secure systems becomes more distributed, one wrong click by an employee can often be enough to threaten an entire digital ecosystem.
Furthermore, while some firms have begun to supplement technology-focused efforts with cybersecurity initiatives that target workers as possible attack vectors, these programs often presume that employees violate security standards out of ignorance or malevolent intent. This study, however, reveals that many failures to comply are the consequence of purposeful but non-malicious infractions, which are mostly motivated by employee stress.
Many Policy Violations Are Driven by Stress, Not Desire to Harm
The study asked more than 330 remote employees from a wide range of industries to self-report their daily stress levels and adherence to cybersecurity policies over two weeks. It also included in-depth interviews with 36 professionals who were forced to work remotely due to the Covid-19 pandemic, to better understand how the transition to work-from-home has affected cybersecurity.
Across this sample, adherence to security conventions was intermittent. During the 10 workdays that were studied, 67% of the participants reported failing to fully adhere to cybersecurity policies at least once, with an average failure-to-comply rate of once out of every 20 job tasks.
But what led to those breaches in the protocol? When asked why they failed to follow security policies, the participants’ top three responses were, “to better accomplish tasks for my job,” “to get something I needed,” and “to help others get their work done.” These three responses accounted for 85% of the cases in which employees knowingly broke the rules. In contrast, employees reported a malicious desire to cause harm in only 3% of policy breaches — making non-malicious breaches (i.e., those motivated purely by the need to get work done) 28 times more common than retaliatory ones.
People were substantially more likely to knowingly break security protocols on days when they reported experiencing more stress, suggesting that being more stressed out reduced their tolerance for following rules that got in the way of doing their jobs. Common sources of stress included family demands that conflicted with work, job security fears, and, ironically, the demands of the cybersecurity policies themselves: people were more likely to violate procedures when they worried that following them would hinder productivity, require extra time or energy, mean doing their jobs in a different way, or make them feel like they were constantly being monitored.
There’s a Middle Ground Between Ignorance and Malice
Many leaders assume that employee security violations are either malicious or unintentional, and then design security policies based on that assumption. However, this research illustrates that there’s a sizable middle ground between ignorance and malice, so managers would be wise to adapt their training programs and policies accordingly.
Specifically, rather than focusing on malicious attacks, security policies should acknowledge the fact that many employee-driven breaches stem from an attempt to balance security and productivity. This means educating employees and managers on the prevalence of non-malicious violations and providing clear guidance on what to do if adherence to security practices seems to conflict with getting work done.
Job Design and Cybersecurity Are Intertwined
It’s common to think of security as secondary to productivity. In normal times, that’s not necessarily a problem, as employees are likely to have the resources to devote sufficient energy to both. But as the myriad stresses of the pandemic make it harder to maintain productivity, security tends to take a backseat to the critical tasks that drive performance reviews, promotions, and bonuses.
To address this, managers must recognize that job design and cybersecurity are fundamentally intertwined. The reality is that compliance with cybersecurity policies can add to employees’ workloads, so it should be considered and incentivized alongside other performance metrics when workloads are determined.
In addition, managers should work to identify and reduce sources of stress for their teams, since working under more-stressful conditions can impact employees’ consistency in following security protocols (not to mention their well-being and effectiveness across a slew of other metrics). In particular, especially as remote work becomes more common, managers should be cognizant of the psychological burden to employees of working under systems that monitor them. Surveillance systems that seemed reasonable in the office might feel intrusive at home — and even if there’s no obvious, direct fallout, our research suggests that the added stress could indirectly make people more likely to break security protocols.