"Research: Why Employees Violate Cybersecurity Policies"
Security researchers asked more than 330 remote employees from a wide range of industries to self-report on both their daily stress levels and their adherence to cybersecurity policies over the course of two weeks. The security researchers also conducted a series of in-depth interviews with 36 professionals who were forced to work remotely due to the Covid-19 pandemic to better understand how the transition to work-from-home has impacted cybersecurity.

The researchers found that adherence to security conventions was intermittent. During the 10 workdays they studied, 67% of the participants reported failing to fully adhere to cybersecurity policies at least once, with an average failure-to-comply rate of once out of every 20 job tasks.

When asked why they failed to follow security policies, the participants’ top three responses were, “to better accomplish tasks for my job,” “to get something I needed,” and “to help others get their work done.” These three responses accounted for 85% of the cases in which employees knowingly broke the rules. In contrast, employees reported a malicious desire to cause harm in only 3% of policy breaches, making non-malicious breaches 28 times more common than retaliatory ones.

The researchers also found that people were substantially more likely to knowingly break security protocols on days when they reported experiencing more stress, suggesting that being more stressed out reduced their tolerance for following rules that got in the way of doing their jobs.
Harvard Business Review reports: "Research: Why Employees Violate Cybersecurity Policies"