Daily Briefing

Why do employees break cybersecurity rules? There's a 'middle ground between ignorance and malice.'

Writing for the Harvard Business Review, Clay Posey, an associate professor of information systems in the Marriott School of Business at Brigham Young University and chief research scientist at Beyond Layer 7, and Mindy Shoss, an associate professor of psychology at the University of Central Florida, explain how businesses can rethink their approach to cybersecurity.

Access our cybersecurity resource library

What makes organizations vulnerable to cyberattacks?

Within the first few months of the Covid-19 pandemic, the FBI reported a 400% increase in cyberattacks.

As a result, organizations' investment into cybersecurity has skyrocketed, Posey and Shoss write. But unfortunately, these investments don't always address the underlying issues that make organizations vulnerable to cyberattacks.

"While IT specialists toil away to create better, smarter, and safer technical systems, there is one risk they can't program away: humans," they write.

In particular, the prevalence of remote work has made access to secure systems more widely distributed. "One wrong click by an employee can often be enough to threaten an entire digital ecosystem," they write.

Some organizations have acknowledged the potential cybersecurity risks posed by their own employees by implementing cybersecurity initiatives to complement their tech-focused efforts. However, these programs generally assume that employees break security protocols either with malicious intent or because they don't know the rules.

Instead, Posey and Shoss' recent research suggests that most employees fail to comply because of "intentional yet non-malicious violations, largely driven by employee stress." In other words, employees were less likely to follow their organization's internal cybersecurity policies when they felt the policies interfered with their ability to effectively do their job.

4 ways organizations can rethink their approaches to cybersecurity

1. Recognize that many violations are driven by stress

For their research, Posey and Shoss surveyed over 330 remote employees across a wide range of industries. They asked them to self-report on both their daily stress levels and how well they adhered to cybersecurity policies over a two-week period. They also conducted a series of in-depth interviews with 36 professionals who had to work remotely because of the Covid-19 pandemic to gain a better understanding of how the transition to work-from-home impacted cybersecurity.

"We found that across our sample, adherence to security conventions was intermittent. During the 10 workdays we studied, 67% of the participants reported failing to fully adhere to cybersecurity policies at least once, with an average failure-to-comply rate of once out of every 20 job tasks," they write.

Notably, when asked why they did not follow security policies, their participants' top three responses were, "to better accomplish tasks for my job," "to get something I needed," and "to help others get their work done." The top three responses made up 85% of the cases in which employees knowingly broke the rules.

In comparison, they found that only 3% of respondents reported a malicious desire to cause harm—making a non-malicious breach 28 times more likely than a malicious one.

In addition, they found respondents were significantly more likely to purposely break security protocols on days when they experienced higher levels of stress, suggesting that an increase in stress reduced tolerance for following rules that made it harder for employees to do their jobs. 

2. Adapt training programs

According to Posey and Shoss, many leaders base their organization's security policies on the assumptions that security violations are always either malicious or unintentional. However, their research suggests that there is "a sizable middle ground between ignorance and malice"—indicating that "managers would be wise to adapt their training programs and policies accordingly."

Accordingly, instead of placing an emphasis on malicious attacks, "security policies should acknowledge the fact that many employee-driven breaches stem from an attempt to balance security and productivity," Posey and Shoss write.

Posey and Shoss suggest training employees and managers to better understand the prevalence of non-malicious violations and outlining clear guidelines regarding what to do if adherence to security policies seems to hinder productivity. Organizations also need to "take steps to incorporate employees in the process of developing and user-testing security policies, and equip teams with the tools they'll need to actually follow these policies," they write.

3. Remember that security and productivity are intertwined

Although employees typically have enough time and energy to focus on both productivity and security, the pandemic has made it harder for many to sustain productivity, which has caused security "to take a backseat to the critical tasks that drive performance reviews, promotions, and bonuses," Posey and Shoss write.

To mitigate this, employees' security compliance should be "incentivized alongside other performance metrics when workloads are determined," and sources of stress should be identified and mitigated.

4. Implement security policies that stop hackers from taking advantage of altruism

In Posey and Shoss' study, roughly 18% of employee policy violations were driven by a desire to help a coworker. Hackers often intentionally use social engineering tactics that take advantage of employees' willingness to sidestep certain rules if they think they're helping someone.

To prevent this, "managers must not only implement security policies specifically designed to protect against these sorts of attacks—they must also work to reduce the impact of these measures on employees' workflows, and clearly explain their rationale, in order to increase employee compliance," Posey and Shoss write.

Ultimately, Posey and Shoss say leaders must recognize that, "[i]n the modern cybersecurity landscape, every employee is a potential threat vector." And to address the increasing risk of cyberattacks, "leaders must undertake targeted efforts to minimize the root causes of stress in the workplace and design healthier, more sustainable workloads for employees at every level." (Posey/Shoss, Harvard Business Review, 1/20)

Learn more

Access our cybersecurity resource library


To get started, use this resource page to guide you through the following 3 steps for becoming a cyber resilient organization:

1. Engage senior leaders in security efforts to advance the organization’s security maturity

2. Optimize the effectiveness of your Chief Information Security Officer (CISO)

3. Prepare in advance







Don't miss out on the latest Advisory Board insights

Create your free account to access 2 resources each month, including the latest research and webinars.

Want access without creating an account?


You have 2 free members-only resources remaining this month remaining this month.

1 free members-only resources remaining this month

1 free members-only resources remaining this month

You've reached your limit of free monthly insights

Become a member to access all of Advisory Board's resources, events, and experts

Never miss out on the latest innovative health care content tailored to you.

Benefits include:

Unlimited access to research and resources
Member-only access to events and trainings
Expert-led consultation and facilitation
The latest content delivered to your inbox

You've reached your limit of free monthly insights

Become a member to access all of Advisory Board's resources, events, and experts

Never miss out on the latest innovative health care content tailored to you.

Benefits include:

Unlimited access to research and resources
Member-only access to events and trainings
Expert-led consultation and facilitation
The latest content delivered to your inbox
Thank you! Your updates have been made successfully.
Oh no! There was a problem with your request.
Error in form submission. Please try again.