Research: Why Employees Violate Cybersecurity Policies

Common sources of stress include family demands that conflicted with work, job security fears, and ironically, the demands of the cybersecurity policies themselves.

People are more likely to violate procedures when they worry that following them would hinder productivity, require extra time or energy, mean doing their jobs in a different way, or make them feel like they were constantly being monitored.

There are a lot of well-intentioned reasons that an employee might knowingly fail to fully follow the rules.

Rather than focusing on malicious attacks, security policies should acknowledge the fact that many employee-driven breaches stem from an attempt to balance security and productivity. This means educating employees and managers on the prevalence of non-malicious violations and providing clear guidance on what to do if adherence to security practices seems to conflict with getting work done.

As the myriad stresses of the pandemic make it harder to maintain productivity, that means that security tends to take a backseat to the critical tasks that drive performance reviews, promotions, and bonuses.

To address this, managers must recognize that job design and cybersecurity are fundamentally intertwined. The reality is that compliance with cybersecurity policies can add to employees’ workloads, and so it should be considered and incentivized alongside other performance metrics when workloads are determined.

in a study, around 18% of policy violations were motivated by a desire to help a coworker. The pandemic has only increased the challenges we all face every day, and thus has created even more opportunities for well-meaning employees to “help” their peers in ways that leave their organizations vulnerable.

Hackers know this, and they will often intentionally use social engineering tactics that take advantage of employees’ willingness to bend the rules if they think they’re helping someone out.