Cranky employees more likely to violate cybersecurity policies

January 25, 2018, University of Delaware
Cranky employees more likely to violate cybersecurity policies
University of Delaware’s John D’Arcy (above) worked with City University of Hong Kong’s Paul Benjamin Lowry to survey professionals in organizations throughout the United States. Credit: University of Delaware

As professionals return to work after holidays, their moods are undoubtedly affected by the emotional impact of their holiday experiences, but these moods may be more critical to workplace cybersecurity than previously realized.

New research from the University of Delaware's John D'Arcy, forthcoming in the Information Systems Journal, suggests that people's positive or negative moods can affect the likelihood that they will engage in insecure computing behavior in the .

Insecure workplace computing behavior includes things like using weak passwords, accessing unapproved software or not using two-factor authentication, explained D'Arcy, an associate professor at UD's Alfred Lerner College of Business and Economics.

Most organizations have formal policies that prohibit such behavior. To try and predict why people violate these policies, D'Arcy worked with City University of Hong Kong's Paul Benjamin Lowry to survey professionals in organizations throughout the United States about their workplace computing behavior.

The longitudinal survey found that "moods and emotions influence people's -related behavior," D'Arcy said. "And these things vary from day to day, which can make people's behavior vary from day to day."

According to the survey, employees in better moods are more likely to have a positive attitude about security and are more likely to follow policy.

"On the flip side, if they're in a bad mood, what you get can change from day to day," D'Arcy said. "That makes it more likely that they will violate policy."

This makes sense for any employee who has felt especially inconvenienced by workplace security measures during a bad day: On a day that you were feeling more positive emotions, the extra effort likely wouldn't seem as annoying.

The team focused on insider because such threats are "a big deal," D'Arcy said, with industry research suggesting that as much as 80-90 percent of all security breaches are caused by noncompliant employee behaviors.

"That's how malware gets on the system," he said. "That's how companies get data breaches."

This study was especially unique, D'Arcy explained, because most previous studies on this topic have examined characteristics of employees that remain stable, like personality traits, instead of something that changes each day.

"It's transient," he said. "You can't just say 'Well, this person's more likely to follow policies all the time.' There's always been this assumption that some people are predisposed toward this behavior or some people aren't, whereas we can see now that based on these mood changes it's hard to predict."

The team also examined what might cause some of these mood changes in the workplace, and ironically, sometimes the cause of the employees' bad moods was the security policy itself. The research team calls this a security policy "backfiring."

"Sometimes if they're dealing with security requirements that they think are too restrictive or are a hassle, that can have a negative impact," D'Arcy said. "It's like too much security puts employees in a negative , which then again makes them less likely to follow ."

This research suggests that moods and emotions could be critical new factors for IT and security professionals to consider when pinpointing the causes of security breaches and preventing insecure computing .

In addition to considering the technical aspects of security, D'Arcy said, "You also have to think some more about these people issues, to begin understanding your employees and creating an environment where the security policies are not so restrictive where they're putting people in bad moods."

"The technical stuff still matters," he said, "but so does this."

Explore further: ND Expert: WikiLeaks points out danger of insider threats to information security

More information: John D'Arcy et al. Cognitive-affective drivers of employees' daily compliance with information security policies: A multilevel, longitudinal study, Information Systems Journal (2017). DOI: 10.1111/isj.12173

Related Stories

Hackers cause Sony major financial, reputational damage

June 8, 2011

Information security expert John D’Arcy, assistant professor of information technology management at the University of Notre Dame, says this week’s hacking attack on Sony Corp. is yet another example of the significant ...

Relax or learn? Coping with stress at work

September 28, 2017

Work stress can lead to a whole host of problems for employees and organizations. While our own intuition and some studies suggest the value of relaxation techniques such as meditation or exercise, there's another alternative ...

Recommended for you

Why war is a man's game

August 15, 2018

No sex differences in attitudes or abilities are needed to explain the near absence of women from the battlefield in ancient societies and throughout history, it could ultimately all be down to chance, say researchers at ...

0 comments

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.