In the modern cybersecurity landscape, every employee is a potential threat vector. To keep their organizations safe, technical and business leaders alike must understand the factors that can make anyone susceptible to flouting policy and opening the door to attackers.
While the idea of a resentful employee purposefully trying to harm their company may make for a compelling story, research points to the major role of employee stress in motivating non-malicious (yet potentially catastrophic) security breaches.

Digital Attacks On Organizations

A recent study suggests that the vast majority of intentional policy breaches stem not from some malicious desire to cause harm, but rather, from the perception that following the rules would impede employees’ ability to get their work done effectively.
Employees are more likely to violate policy on days when they are more stressed out, suggesting that high-stress levels can reduce people’s tolerance for following rules that seem to get in the way of doing their jobs.

The Startling Findings

Common sources of stress include family demands that conflicted with work, job security fears, and ironically, the demands of the cybersecurity policies themselves.
People are more likely to violate procedures when they worry that following them would hinder productivity, require extra time or energy, mean doing their jobs in a different way, or make them feel like they were constantly being monitored.

The Leading Cause: Stress

There are a lot of well-intentioned reasons that an employee might knowingly fail to fully follow the rules.
Rather than focusing on malicious attacks, security policies should acknowledge the fact that many employee-driven breaches stem from an attempt to balance security and productivity. This means educating employees and managers on the prevalence of non-malicious violations and providing clear guidance on what to do if adherence to security practices seems to conflict with getting work done.

Malice And Ignorance Can Mix

As the myriad stresses of the pandemic make it harder to maintain productivity, that means that security tends to take a backseat to the critical tasks that drive performance reviews, promotions, and bonuses.
To address this, managers must recognize that job design and cybersecurity are fundamentally intertwined. The reality is that compliance with cybersecurity policies can add to employees’ workloads, and so it should be considered and incentivized alongside other performance metrics when workloads are determined.

Job Design and Cybersecurity Are Intertwined

in a study, around 18% of policy violations were motivated by a desire to help a coworker. The pandemic has only increased the challenges we all face every day, and thus has created even more opportunities for well-meaning employees to “help” their peers in ways that leave their organizations vulnerable. 
Hackers know this, and they will often intentionally use social engineering tactics that take advantage of employees’ willingness to bend the rules if they think they’re helping someone out.

Hackers Take Advantage of Altruism (Helping Coworkers)

<img src="https://hbr.org/resources/images/article_assets/2022/01/Jan22_20_AndriusBanelis.jpg" width="630" height="354"><div class="caption" dir="ltr">
				Illustration by Andrius Banelis
		</div><div more-caption="more" close-caption="close" dir="ltr">
		Summary.&nbsp;&nbsp;&nbsp;
		In the face of increasingly common (and costly) cyberattacks, many organizations have focused their security investments largely on technological solutions. However, in many cases, attacks rely not on an outsider’s ability to crack an organization’s technical...<button dir="ltr">more</button>
	</div>Last summer, Colonial Pipeline paid a ransom of almost <a href="https://www.reuters.com/business/colonial-pipeline-ceo-tells-senate-cyber-defenses-were-compromised-ahead-hack-2021-06-08/" dir="ltr">$5 million</a> after a cyberattack created widespread panic over the availability of gasoline across the Southeastern U.S. Just a few weeks later, the world’s largest meat processing company agreed to pay an <a href="https://www.bbc.com/news/business-57423008" dir="ltr">$11 million</a> ransom in response to a cyberattack that suspended operations at plants across the U.S., Canada, and Australia. Attacks like these have been growing more common for years, and the Covid-19 pandemic has only made matters worse, with the FBI reporting a <a href="https://www.insurancebusinessmag.com/us/news/cyber/fbi-sees-a-400-increase-in-reports-of-cyberattacks-since-the-start-of-the-pandemic-231939.aspx" dir="ltr">400% increase</a> in cyberattacks in the first few months of the pandemic.In response, investment into cybersecurity <a href="https://cybersecurityventures.com/cybersecurity-spending-2021-2025/" dir="ltr">has skyrocketed</a> — but unfortunately, these efforts haven’t always addressed the underlying factors that create vulnerabilities. While IT specialists toil away to create better, smarter, and safer technical systems, there is one risk they can’t program away: humans. Especially as remote work becomes more prevalent and thus access to secure systems becomes more distributed, one wrong click by an employee can often be enough to threaten an entire digital ecosystem.Furthermore, while some organizations have begun to complement tech-focused efforts with cybersecurity initiatives targeting employees as potential attack vectors, these programs <a href="https://www.shrm.org/resourcesandtools/hr-topics/technology/pages/employees-commit-most-data-breaches.aspx" dir="ltr">generally assume</a> that employees break security protocols out of either ignorance or malicious intent. Our <a href="https://www.nsf.gov/awardsearch/showAward?AWD_ID=2030845&amp;HistoricalAwards=false" dir="ltr">recent research</a>, however, suggests that much of the time, failures to comply may actually be the result of intentional yet non-malicious violations, largely driven by employee stress.<h2>Many Policy Violations Are Driven by Stress, Not Desire to Harm</h2>We asked more than 330 remote employees from a wide range of industries to self-report on both their daily stress levels and their adherence to cybersecurity policies over the course of two weeks. In addition, we conducted a series of in-depth interviews with 36 professionals who were forced to work remotely due to the Covid-19 pandemic in order to get a better understanding for how the transition to work-from-home has impacted cybersecurity.We found that across our sample, adherence to security conventions was intermittent. During the 10 workdays we studied, 67% of the participants reported failing to fully adhere to cybersecurity policies at least once, with an average failure-to-comply rate of once out of every 20 job tasks.But what led to those breaches in protocol? When asked why they failed to follow security policies, our participants’ top three responses were, “to better accomplish tasks for my job,” “to get something I needed,” and “to help others get their work done.” These three responses accounted for 85% of the cases in which employees knowingly broke the rules. In contrast, employees reported a malicious desire to cause harm in only 3% of policy breaches — making non-malicious breaches (i.e., those motivated purely by the need to get work done) 28 times more common than retaliatory ones.We also found that people were substantially more likely to knowingly break security protocols on days when they reported experiencing more stress, suggesting that being more stressed out reduced their tolerance for following rules that got in the way of doing their jobs. Common sources of stress included family demands that conflicted with work, job security fears, and ironically, the demands of the cybersecurity policies themselves: People were more likely to violate procedures when they worried that following them would hinder productivity, require extra time or energy, mean doing their jobs in a different way, or make them feel like they were constantly being monitored.Of course, since our data was self-reported, we were unable to measure breaches that employees were unaware of committing. As such, our research is less conclusive when it comes to the prevalence of security issues borne of ignorance or human error. But our findings do suggest that despite considerable <a href="https://cybernews.com/news/mistreated-employees-can-become-insider-threats-lisa-forte/" dir="ltr">media focus</a> on the “<a href="https://www.dhs.gov/science-and-technology/cybersecurity-insider-threat" dir="ltr">insider threat</a>” posed by malicious employees, there are a lot of well-intentioned reasons that an employee might knowingly fail to fully follow the rules. Based on this, we’ve developed three key takeaways for managers:<h2>There’s a Middle Ground Between Ignorance and Malice</h2>Many leaders assume that employee security violations are either malicious or unintentional, and then design security policies based on that assumption. However, our research illustrates that there’s a sizable middle ground between ignorance and malice, and so managers would be wise to adapt their training programs and policies accordingly.Specifically, rather than focusing on malicious attacks, security policies should acknowledge the fact that many employee-driven breaches stem from an attempt to balance security and productivity. This means educating employees and managers on the prevalence of non-malicious violations, and providing clear guidance on what to do if adherence to security practices seems to conflict with getting work done.In addition, organizations should take steps to incorporate employees in the process of developing and user-testing security policies, and equip teams with the tools they’ll need to actually follow these policies. Too often, IT departments develop protocols in a vacuum, with limited understanding of how these rules might interfere with people’s workflows or create new sources of stress. Especially as the shift to remote work has transformed how many people work, IT leaders should be sure to involve the employees who will be affected by new security measures in their creation, evaluation, and implementation.<h2>Job Design and Cybersecurity Are Intertwined</h2>It’s common to think of security as secondary to productivity. In normal times, that’s not necessarily a problem, as employees are likely to have the resources to devote sufficient energy to both. But as the myriad stresses of the pandemic make it harder to maintain productivity, that means that security tends to take a backseat to the critical tasks that drive performance reviews, promotions, and bonuses.To address this, managers must recognize that job design and cybersecurity are fundamentally intertwined. The reality is that compliance with cybersecurity policies can add to employees’ workloads, and so it should be considered and incentivized alongside other performance metrics when workloads are determined.<div>
 Sign up for 
 </div><div>
 Technology &amp; Innovation 
 </div><div>
 Must-reads from our most recent articles on technology and innovation, delivered once a month. 
 </div>

Stress can reduce people’s tolerance for rules that seem to get in the way of doing their jobs.

Stashed ideas

Last summer, Colonial Pipeline paid a ransom of almost <a href="https://www.reuters.com/business/colonial-pipeline-ceo-tells-senate-cyber-defenses-were-compromised-ahead-hack-2021-06-08/">$5 million </a>after a cyberattack created widespread panic over the availability of gasoline across the Southeastern U.S. Just a few weeks later, the world’s largest meat processing company agreed to pay an <a href="https://www.bbc.com/news/business-57423008">$11 million </a>ransom in response to a cyberattack that suspended operations at plants across the U.S., Canada, and Australia. Attacks like these have been growing more common for years, and the Covid-19 pandemic has only made matters worse, with the FBI reporting a <a href="https://www.insurancebusinessmag.com/us/news/cyber/fbi-sees-a-400-increase-in-reports-of-cyberattacks-since-the-start-of-the-pandemic-231939.aspx">400% increase </a>in cyberattacks in the first few months of the pandemic.

In response, investment into cybersecurity <a href="https://cybersecurityventures.com/cybersecurity-spending-2021-2025/">has skyrocketed </a>— but unfortunately, these efforts haven’t always addressed the underlying factors that create vulnerabilities. While IT specialists toil away to create better, smarter, and safer technical systems, there is one risk they can’t program away: humans. Especially as remote work becomes more prevalent and thus access to secure systems becomes more distributed, one wrong click by an employee can often be enough to threaten an entire digital ecosystem.

Furthermore, while some organizations have begun to complement tech-focused efforts with cybersecurity initiatives targeting employees as potential attack vectors, these programs <a href="https://www.shrm.org/resourcesandtools/hr-topics/technology/pages/employees-commit-most-data-breaches.aspx">generally assume </a>that employees break security protocols out of either ignorance or malicious intent. Our <a href="https://www.nsf.gov/awardsearch/showAward?AWD_ID=2030845&HistoricalAwards=false">recent research </a>, however, suggests that much of the time, failures to comply may actually be the result of intentional yet non-malicious violations, largely driven by employee stress.

Many Policy Violations Are Driven by Stress, Not Desire to Harm

We asked more than 330 remote employees from a wide range of industries to self-report on both their daily stress levels and their adherence to cybersecurity policies over the course of two weeks. In addition, we conducted a series of in-depth interviews with 36 professionals who were forced to work remotely due to the Covid-19 pandemic in order to get a better understanding for how the transition to work-from-home has impacted cybersecurity.

We found that across our sample, adherence to security conventions was intermittent. During the 10 workdays we studied, 67% of the participants reported failing to fully adhere to cybersecurity policies at least once, with an average failure-to-comply rate of once out of every 20 job tasks.

But what led to those breaches in protocol? When asked why they failed to follow security policies, our participants’ top three responses were, “to better accomplish tasks for my job,” “to get something I needed,” and “to help others get their work done.” These three responses accounted for 85% of the cases in which employees knowingly broke the rules. In contrast, employees reported a malicious desire to cause harm in only 3% of policy breaches — making non-malicious breaches (i.e., those motivated purely by the need to get work done) 28 times more common than retaliatory ones.

We also found that people were substantially more likely to knowingly break security protocols on days when they reported experiencing more stress, suggesting that being more stressed out reduced their tolerance for following rules that got in the way of doing their jobs. Common sources of stress included family demands that conflicted with work, job security fears, and ironically, the demands of the cybersecurity policies themselves: People were more likely to violate procedures when they worried that following them would hinder productivity, require extra time or energy, mean doing their jobs in a different way, or make them feel like they were constantly being monitored.

Of course, since our data was self-reported, we were unable to measure breaches that employees were unaware of committing. As such, our research is less conclusive when it comes to the prevalence of security issues borne of ignorance or human error. But our findings do suggest that despite considerable <a href="https://cybernews.com/news/mistreated-employees-can-become-insider-threats-lisa-forte/">media focus </a>on the “<a href="https://www.dhs.gov/science-and-technology/cybersecurity-insider-threat">insider threat </a>” posed by malicious employees, there are a lot of well-intentioned reasons that an employee might knowingly fail to fully follow the rules. Based on this, we’ve developed three key takeaways for managers:

There’s a Middle Ground Between Ignorance and Malice

Many leaders assume that employee security violations are either malicious or unintentional, and then design security policies based on that assumption. However, our research illustrates that there’s a sizable middle ground between ignorance and malice, and so managers would be wise to adapt their training programs and policies accordingly.

Specifically, rather than focusing on malicious attacks, security policies should acknowledge the fact that many employee-driven breaches stem from an attempt to balance security and productivity. This means educating employees and managers on the prevalence of non-malicious violations, and providing clear guidance on what to do if adherence to security practices seems to conflict with getting work done.

In addition, organizations should take steps to incorporate employees in the process of developing and user-testing security policies, and equip teams with the tools they’ll need to actually follow these policies. Too often, IT departments develop protocols in a vacuum, with limited understanding of how these rules might interfere with people’s workflows or create new sources of stress. Especially as the shift to remote work has transformed how many people work, IT leaders should be sure to involve the employees who will be affected by new security measures in their creation, evaluation, and implementation.

It’s common to think of security as secondary to productivity. In normal times, that’s not necessarily a problem, as employees are likely to have the resources to devote sufficient energy to both. But as the myriad stresses of the pandemic make it harder to maintain productivity, that means that security tends to take a backseat to the critical tasks that drive performance reviews, promotions, and bonuses.

To address this, managers must recognize that job design and cybersecurity are fundamentally intertwined. The reality is that compliance with cybersecurity policies can add to employees’ workloads, and so it should be considered and incentivized alongside other performance metrics when workloads are determined.

Bite-sized knowledge
to upgrade
your career

Research: Why Employees Violate Cybersecurity Policies

Digital Attacks On Organizations

The Startling Findings

The Leading Cause: Stress

Malice And Ignorance Can Mix

Job Design and Cybersecurity Are Intertwined

Hackers Take Advantage of Altruism (Helping Coworkers)

IDEAS ABOUT

MORE LIKE THIS

Toxic Culture Is Driving the Great Resignation

Best Practices to Protect Your Business from Fraud – Business

6 Ways Companies Can Help Their Employees Overcome Burnout In A Distributed World

It's time to

READ

LIKE

A PRO!

Bite-sized knowledgeto upgradeyour career

Research: Why Employees Violate Cybersecurity Policies

Digital Attacks On Organizations

The Startling Findings

The Leading Cause: Stress

Malice And Ignorance Can Mix

Job Design and Cybersecurity Are Intertwined

Hackers Take Advantage of Altruism (Helping Coworkers)

IDEAS ABOUT

MORE LIKE THIS

Toxic Culture Is Driving the Great Resignation

Best Practices to Protect Your Business from Fraud – Business

6 Ways Companies Can Help Their Employees Overcome Burnout In A Distributed World

It's time to

READ

LIKE

A PRO!

Bite-sized knowledge
to upgrade
your career