Study: Bad Moods Lead to Bad Passwords

Cybersecurity has emerged as one of the most significant challenges of the digital workplace. Moreover, it is an issue over which organizations don’t always have full control, as it depends to such a great degree on employee behavior. New research from the University of Delaware’s John D’Arcy shows that employees’ moods can influence their cybersecurity habits, for better and for worse:

According to the survey, employees in better moods are more likely to have a positive attitude about security and are more likely to follow policy. “On the flip side, if they’re in a bad mood, what you get can change from day to day,” D’Arcy said. “That makes it more likely that they will violate policy.” …

The team also examined what might cause some of these mood changes in the workplace, and ironically, sometimes the cause of the employees’ bad moods was the security policy itself. The research team calls this a security policy “backfiring.”

“Sometimes if they’re dealing with security requirements that they think are too restrictive or are a hassle, that can have a negative impact,” D’Arcy said. “It’s like too much security puts employees in a negative mood, which then again makes them less likely to follow policy.”

This finding may seem ironic, but in fact it makes perfect sense, because there’s nothing employees find more frustrating than workplace policies that get in the way of getting their work done.

When good cybersecurity “hygiene” conflicts with the efficient completion of work tasks, employees will tend to opt for efficiency over security. Employees are reluctant to adopt these habits when the tradeoffs they must make are too great or they don’t know how to manage them, so organizations should consider giving employees specific guidance or devising process-based methods to actively manage these tradeoffs.

One way to overcome this challenge is to nudge employees into better habits, such as by requiring them to opt out of extra security protocols on their devices rather than opt in. Other experts have recommended simplifying cybersecurity policies and encouraging a more open and cooperative relationship between line employees and the IT department, so that the latter is not seen as an adversary enforcing rules and taking too long to respond to help desk tickets. That may require an adjustment in the culture of the organization and the role of IT within it.

Whichever strategy an organization employs, to be successful it must do two things: ensure that employees can engage in good cybersecurity behaviors without disrupting their workflow, and get employees engaged in cybersecurity as something they want to practice, rather than a burden imposed on them by IT. Businesses are increasingly realizing that cybersecurity is a human problem as much as a technological one, and as such HR has a huge role to play in solving it.