Title: Research: Why Employees Violate Cybersecurity Policies
In the face of increasingly common (and costly) cyberattacks, many organizations have focused their security investments largely on technological solutions. However, in many cases, attacks rely not on an outsider’s ability to crack an organization’s technical defenses, but rather on an internal employee knowingly or unknowingly letting a bad actor in. But what motivates these employees’ actions? A recent study suggests that the vast majority of intentional policy breaches stem not from some malicious desire to cause harm, but rather from the perception that following the rules would impede employees’ ability to get their work done effectively. The study further found that employees were more likely to violate policy on days when they were more stressed out, suggesting that high stress levels can reduce people’s tolerance for following rules that seem to get in the way of doing their jobs. In light of these findings, the authors suggest several ways in which organizations should rethink their approach to cybersecurity and implement policies that address the real, underlying factors creating vulnerabilities.
Award ID(s):
2030845
PAR ID:
10490055
Author(s) / Creator(s):
Publisher / Repository:
Harvard Business Publishing
Date Published:
Journal Name:
Harvard Business Review
ISSN:
0017-8012
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. This research project examines the relationship between teleworking cybersecurity protocols during the COVID-19 era and employees’ perception of their efficiency and performance predictability. COVID-19 is the infectious disease caused by the most recently discovered coronavirus, and it has been declared a pandemic by the World Health Organization. Since March 2020, many employees in the United States who used to work onsite have been working from their homes (teleworking) to mitigate the spread of the virus through social distancing. The premise of this research project is that teleworking can transform these employees into unintentional insider threats, or UITs. Interviews were conducted through video conferencing with nine employees in Virginia, USA, to examine the problem. This is an interdisciplinary research project which brings together the disciplines of sociology and computer science. Narrative Analysis was used to unpack the interviews. The major findings from the research efforts demonstrate that employees are trusting of the cybersecurity protocols that their organizations implemented, but they also believe they are vulnerable and that the protocols are not as reliable as in-person working arrangements. While the respondents perceived that the cybersecurity protocols lend themselves to performance predictability, they seem to think the protocols disrupt their efficiency.
  2. Time spent on the job is a fundamental aspect of working conditions that influences many facets of individuals’ lives. Here we study how an organization-wide 4-day workweek intervention—with no reduction in pay—affects workers’ well-being. Organizations undergo pre-trial work reorganization to improve efficiency and collaboration, followed by a 6-month trial. Analysis of pre- and post-trial data from 2,896 employees across 141 organizations in Australia, Canada, Ireland, New Zealand, the UK and the USA shows improvements in burnout, job satisfaction, mental health and physical health—a pattern not observed in 12 control companies. Both company-level and individual-level reductions in hours are correlated with well-being gains, with larger individual-level (but not company-level) reductions associated with greater improvements in well-being. Three key factors mediate the relationship: improved self-reported work ability, reduced sleep problems and decreased fatigue. The results indicate that income-preserving 4-day workweeks are an effective organizational intervention for enhancing workers’ well-being. 
  3. Two-Factor Authentication (2FA) hardens an organization against user account compromise, but adds an extra step to organizations’ mission-critical tasks. We investigate to what extent quantitative analysis of operational logs of 2FA systems both supports and challenges recent results from user studies and surveys identifying usability challenges in 2FA systems. Using tens of millions of logs and records kept at two public universities, we quantify the at-scale impact on organizations and their employees during a mandatory 2FA implementation. We show the multiplicative effects of device remembrance, fragmented login services, and authentication timeouts on user burden. We find that user burden does not deviate far from other compliance and risk management time requirements already common to large organizations. We investigate the cause of more than one in twenty 2FA ceremonies being aborted or failing, and the variance in user experience across users. We hope our analysis will empower more organizations to protect themselves with 2FA. 
  4. With the rapid adoption of web services, the need to protect against various threats has become imperative for organizations operating in cyberspace. Organizations are increasingly opting to get financial cover in the event of losses due to a security incident. This helps them safeguard against the threat posed to third-party services that the organization uses. It is in the organization’s interest to understand the insurance requirements and procure all necessary direct and liability coverages. This helps transfer some risks to the insurance providers. However, cyber insurance policies often list details about coverages and exclusions using legalese that can be difficult to comprehend. Currently, it takes significant manual effort to parse and extract knowledgeable rules from these lengthy and complicated policy documents. We have developed a semantically rich, machine-processable framework to automatically analyze cyber insurance policies and populate a knowledge graph that efficiently captures the various inclusion and exclusion terms and rules embedded in a policy. In this paper, we describe this framework, which has been built using technologies from AI, including the Semantic Web, Modal/Deontic Logic, and Natural Language Processing. We have validated our approach using industry standards proposed by the United States Federal Trade Commission (FTC) and applying it against publicly available policies of 7 cyber insurance vendors. Our system will enable cyber insurance seekers to automatically analyze various policy documents and make a well-informed decision by identifying their inclusions and exclusions.
  5. The construction industry has been a predominantly White/Caucasian men’s community with very low representation of women and people from traditionally marginalized backgrounds. Even though companies have been implementing Diversity, Equity, and Inclusion (DEI) statements for many years, we still believe it is neither a diverse nor an equitable field. To better understand how DEI statements declared by companies have been understood and recognized by employees, a survey was deployed nationwide to understand how professionals in the construction industry perceive their organization's DEI statements or policies. A complete data set was built from 249 participants. 75% identified themselves as men and 25% as women, and nobody identified with other gender identities. More than 80% of participants were White/Caucasian, 4% Black or African American, 4% Hispanic or Latinx, and 6% Asian. Participants are currently working in small (24%), medium (30%), and large (46%) construction and design companies located across the United States. Regarding the number of employees, small companies have fewer than 99 employees; medium, between 100 and 499 employees; and large, more than 500 employees. Also, companies were grouped into four main types: building construction companies (67%), transportation construction companies (6%), special trade contractor companies (17%), and design companies (10%). For more than 65% of professionals in the construction industry who participated in this study, DEI was mainly related to proper representation of women and minoritized populations in the workforce; merit-based transparent recruitment and promotion; equality, social justice, and nondiscrimination policy statements; and equitable payment and compensation. Other factors such as proper representation of women and minoritized populations at the top management level and payment structure transparency did not emerge from the results.
We also found that 70% of professionals identified DEI statements in their companies and 30% of professionals did not identify or did not know about DEI statements. Looking at company size, 85% of professionals in large companies identified DEI statements in their companies, but only 71% and 42% of professionals in medium and small companies, respectively, did so. According to company type, more than 80% of professionals working in design companies recognized DEI statements in their companies, but only around 60% in construction and special trade companies. We can highlight that large companies have established policies and practices that result in better socialization and recognition of their DEI statements than medium and small companies. Also, construction and special trade companies need to strengthen their DEI statements and increase the representation of women and people from traditionally marginalized backgrounds. Results from this research give an idea of the current state of DEI in the construction industry and would contribute to the current effort to increase the diversity of the nation's construction workforce.