Cybersecurity has emerged as one of the most significant challenges of the digital workplace. Moreover, it is an issue over which organizations don’t always have full control, as it depends to such a great degree on employee behavior. New research from the University of Delaware’s John D’Arcy shows that employees’ moods can influence their cybersecurity habits, for better and for worse:
According to the survey, employees in better moods are more likely to have a positive attitude about security and are more likely to follow policy. “On the flip side, if they’re in a bad mood, what you get can change from day to day,” D’Arcy said. “That makes it more likely that they will violate policy.” …
The team also examined what might cause some of these mood changes in the workplace, and ironically, sometimes the cause of the employees’ bad moods was the security policy itself. The research team calls this a security policy “backfiring.”
“Sometimes if they’re dealing with security requirements that they think are too restrictive or are a hassle, that can have a negative impact,” D’Arcy said. “It’s like too much security puts employees in a negative mood, which then again makes them less likely to follow policy.”
This finding may seem ironic, but in fact it makes perfect sense, because there’s nothing employees find more frustrating than workplace policies that get in the way of them getting their work done.
It’s not uncommon to think of cybersecurity as primarily a technological challenge, but it’s really more of a human one, Alex Blau writes at the Harvard Business Review, in that cyberattacks so frequently take advantage of human error. Most of the large-scale cyberattacks that have made headlines in the past year at some point involved someone making a mistake or exercising bad judgment and accidentally giving cybercriminals access to sensitive data. Behavioral science, Blau observes, helps explain why people (including your employees) have a hard time adopting good cybersecurity habits:
One major insight from the fields of behavioral economics and psychology is that our behavioral biases are quite predictable. For instance, security professionals have said time and again that keeping software up-to-date, and installing security patches as soon as possible, is one of the best methods of protecting information security systems from attacks. However, even though installing updates is a relative no-brainer, many users and even IT administrators procrastinate on this critical step. Why? Part of the problem is that update prompts and patches often come at the wrong time — when the person responsible for installing the update is preoccupied with some other, presently pressing issue.
Blau’s insight here underscores something we discovered in our recent study of organizational culture at CEB, now Gartner. When culture change efforts fail, it is sometimes because employees are unable to manage the tension between the desired change and their day-to-day workflow. Getting employees to adopt a new habit at work means understanding the tradeoffs they need to make in order to do so, minimizing those tradeoffs as much as possible, and giving employees guidance on how to manage them. When best practices in cybersecurity (or any other area where you’re hoping to change employees’ habits) get in the way of an employee doing their work efficiently, the employee is more likely to sidestep them.
HR has a big role to play in facing the mounting cybersecurity challenges all organizations face today, because good cybersecurity practices depend so heavily on employees’ choices and behaviors, such as how they protect their passwords and respond to suspicious emails. To this point, Maarten Van Horenbeeck argues at the Harvard Business Review that employees fail to take on good cybersecurity habits because the rules their employers give them are unnecessarily complicated:
One of the big reasons security rules often don’t work is because they are so complex they drive people to take shortcuts that defeat their purpose. For example, password policies are so complicated and inconvenient that most employees just ignore them. Employees are told to change passwords frequently, but researchers have found that when people are required to come up with new passwords every three months they tend to do things like merely capitalizing the first letter or adding a number on the end to save time. This makes passwords increasingly easier to crack. Being creative gets exhausting when you have to do it repeatedly, yet most companies force this on employees for the sake of security.
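The pattern Van Horenbeeck describes (a capital letter here, a new digit on the end there) is something a password-change endpoint can detect and reject, so that forced rotation does not quietly degrade into a predictable sequence. The following is an added illustration, not code from the article or from any of the organizations it cites; the function names, the list of suffix characters treated as a "counter", and the edit-distance threshold of two are assumptions chosen for the example. It compares a proposed password against the user's previous ones and flags the superficial variants the quoted research observed (case changes, appended numbers or symbols, reversals, and one- or two-character tweaks).

```python
import re

# Characters users typically tack onto the end of an old password as a "counter"
# (assumed set for this example; extend to match what you see in your own audits).
_SUFFIX = re.compile(r"[0-9!@#$%^&*._-]+$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) via the standard DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is a superficial rework of `old` rather than a fresh secret."""
    o, n = old.lower(), new.lower()
    if o == n:
        return True                      # only capitalization changed
    core_old, core_new = _SUFFIX.sub("", o), _SUFFIX.sub("", n)
    if core_old and core_old == core_new:
        return True                      # same word, different number/symbol on the end
    if n == o[::-1]:
        return True                      # simply reversed
    return edit_distance(o, n) <= max_edits  # a character or two tweaked


def check_password_change(history: list[str], new: str) -> tuple[bool, str]:
    """Server-side policy check: reject a new password derived from any earlier one.

    `history` is the user's previous passwords. In a real system you would hold only
    hashes and compare candidate variants against them; plaintext is used here solely
    so the example runs offline.
    """
    for old in history:
        if is_trivial_variant(old, new):
            return False, "new password is a trivial variant of a previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample history for demonstration only.
    previous = ["Welcome1", "Spring2017"]
    for candidate in ["welcome1", "Welcome2", "Spring2018!", "1emocleW", "tall-river-lamp-42"]:
        ok, reason = check_password_change(previous, candidate)
        print(f"{candidate!r:24} -> {'accepted' if ok else 'rejected'}: {reason}")
```

Run as-is, the script rejects the first four candidates and accepts only the last. Because the comparison must see the candidate in clear text at change time anyway, the check costs nothing extra at the endpoint; what it buys is that a rotation policy stops rewarding the shortcut the article describes.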
In recent years, behavioral economists have become increasingly enthusiastic about the concept of “nudging”—prodding people toward more beneficial behaviors by making them the default option in some of the many choices individuals make about their health or finances. An example of nudging with which employers will be familiar is auto-enrollment in 401(k) plans, which past research has shown results in much higher participation rates than an opt-in system: When the default option is to participate, employees are more likely to do so because it takes more effort not to. Employers have also experimented with nudging strategies to encourage employees toward healthy choices like getting their yearly flu shot.
The latest research
The Association for Psychological Science highlights a new study published last week that “compared the effectiveness of nudge-type strategies with more standard policy interventions” and found that nudges are substantially more effective at encouraging both financial and physical wellness:
In the case of retirement savings, for example, a nudge that prompted new employees to indicate their preferred contribution rate to a workplace retirement-savings plan yielded a $100 increase in employee contributions per $1 spent on implementing the program; the next most cost-effective strategy, offering monetary incentives for employees who attended a benefits fair, yielded only a $14.58 increase in employee contributions per $1 spent on the program.
The “WannaCry” ransomware cyberattack that began spreading last Friday quickly affected over 300,000 machines in 150 countries, mostly in Europe and Asia, making it the largest such attack in history and putting in stark relief the threat cybercrime now poses to organizations around the world. WannaCry exploited a vulnerability in outdated versions of Microsoft Windows, and as Washington Post tech writer Brian Fung explained earlier this week, some businesses were hit particularly hard because of a simple lack of resources and attention. There’s no question that if the affected businesses had kept their Windows systems up to date, they would have been protected from this threat, but doing so is often a lot less straightforward than many would assume, especially if cybersecurity isn’t properly ingrained in a company’s culture, or when cybersecurity efforts or IT upgrade initiatives lack the resources they need.
While the WannaCry attack appears to have been more sophisticated than a typical phishing scam, the majority of ransomware attacks (in which the attacker encrypts certain files on a user’s computer, locks them out of vital programs, or freezes their desktop, then demands payment to undo the damage) are conducted through phishing—a confidence scam in which the user is tricked into giving personal information or loading malicious software via email.
Why HR Should Care
Ransomware is—and should be—a major concern for HR departments: HR professionals are particularly vulnerable to such attacks, as they are often accustomed to receiving and opening innocuous emails from outside the organization. Cybercriminals know this and target organizations through their HR departments with malicious software disguised as a job application, résumé, or invoice. A recent phishing attack that compromised thousands of current and former employees at the newspaper publisher Gannett, for example, exploited this vulnerability.
The other reason HR needs to pay attention to cybersecurity is that rank-and-file employees are one of an organization’s foremost lines of defense against hacking.
The headline finding of Dell’s End-User Security Survey, released last week, is that 72 percent of employees said they were willing to violate data security protocols and share confidential company information under certain circumstances, such as if a manager asked them to or if it would help them do their jobs more easily. Computerworld editor Matt Hamblen takes a closer look at the findings, which illustrate the fine line employees often walk between maximizing their productivity and safeguarding sensitive data:
Creating a security culture at a company can be complicated. The survey found that 65% of employees recognize their responsibility to protect confidential information, but many said security programs limit their productivity. Of those who received cybersecurity training at work, 24% admitted they went ahead and used unsafe behaviors anyway in order to complete a task. …
The survey found that unsafe behaviors for accessing, sharing and storing data are common in the workplace. Forty-six percent of employees admitted to connecting to public Wi-Fi to access confidential information, while 49% admitted to using a personal email account for work tasks. The survey found 35% said it was common to take corporate information with them when leaving a company.
One of the many interesting things we’ve found in our ongoing research into the development of organizational cultures is that employees often don’t engage in behaviors because there are underlying tradeoffs they must make in order to do so. In recognition of this, one company we’ve spoken to explicitly lays out the “dualities” associated with a desired behavior (in this case, efficiency vs. data security).
We’ve talked before about how workplace policies that require constant positivity on the part of employees tend to be counterproductive, attracting unwelcome scrutiny from regulators while stressing out employees and hindering constructive conflict. As technology makes it ever more possible to monitor employees’ emotional states, these new possibilities have opened up a new debate regarding how much sense it makes to try and manage employee happiness, with critics saying such efforts infringe on individual liberty to an unacceptable extent.
One employer that puts a premium on positivity is Trader Joe’s, the discount grocery chain, where a former employee has filed an unfair labor practices charge alleging that he was dismissed for his attitude not being “genuinely” positive. The New York Times’ Noam Scheiber discussed the case late last week:
According to an unfair labor practices charge filed on Thursday with a National Labor Relations Board regional office, Thomas Nagle, a longtime employee of the Trader Joe’s store on Manhattan’s Upper West Side, was repeatedly reprimanded because managers judged his smile and demeanor to be insufficiently “genuine.” He was fired in September for what the managers described as an overly negative attitude.
The morale issues appear concentrated at some of the company’s largest and busiest stores, including one where a union is trying to organize. Tensions have been heightened, according to several employees, by the pressure to remain upbeat and create a “Wow customer experience,” which is defined in the company handbook as “the feelings a customer gets about our delight that they are shopping with us.” …