On 1/20/22, Harvard Business Review published an article by Clay Posey and Mindy Shoss titled “Why Employees Violate Cybersecurity Policies.” The authors explored why employees break these rules, and the results were quite interesting. Contrary to popular belief, their recent study suggests that “the vast majority of intentional policy breaches stem not from some malicious desire to cause harm, but rather, from the perception that following the rules would impede employees’ ability to get their work done effectively. The study further found that employees were more likely to violate policy on days when they were more stressed out, suggesting that high stress levels can reduce people’s tolerance for following rules that seem to get in the way of doing their jobs.”
So, what does this mean for managers and executives? According to the article, “Managers must recognize that job design and cybersecurity are fundamentally intertwined. The reality is that compliance with cybersecurity policies can add to employees’ workloads, and so it should be considered and incentivized alongside other performance metrics when workloads are determined.”
The study concluded that around 18% of policy violations stemmed from a desire to help a coworker. Unfortunately, hackers also understand this and leverage empathy to launch attacks. The article recommends that managers and executives identify and work to reduce sources of stress in the workplace and include staff in cybersecurity policy creation. When staff are included in the development process, they are more likely to understand the rationale behind the measures and more likely to adhere to them.
In short, “while the idea of a resentful employee purposefully trying to harm their company may make for a compelling story, our research points to the major role of employee stress in motivating non-malicious (yet potentially catastrophic) security breaches. To address the mounting risk of cyberattacks — as well as the countless other risks associated with an increasingly stressed-out workforce — leaders must undertake targeted efforts to minimize the root causes of stress in the workplace and design healthier, more sustainable workloads for employees at every level.”
So, the message from EverChain's CTO to you today is that it is as important to monitor performance as it is to monitor stress. Pushing too hard may create gains on one side, but force losses on the other. Please monitor your employees’ stress levels, and remember that we are all in this war against cyberattacks together.
Research: “Why Employees Violate Cybersecurity Policies” by Clay Posey and Mindy Shoss
Harvard Business Review, published on www.HBR.org on 1/20/22