Why Employees Knowingly Violate Cybersecurity Policy

Employee - Security Policy A study sponsored by the National Science Foundation and reported in the Harvard Business Review, Research: Why Employees Violate Cybersecurity Policies, identified a wide disconnect between the demands of cybersecurity and the reality of day-to-day work for employees – one of the key gaps that the new FAIR Controls Analytics Model™ (FAIR-CAM™) is intended to help close.

Researchers from Brigham Young University and University of Central Florida studied remote workers over 10 workdays and found “67% of the participants reported failing to fully adhere to cybersecurity policies at least once, with an average failure-to-comply rate of once out of every 20 job tasks.”

Jack Jones is the creator of FAIR™, the international standard for quantitative analysis of information and technology risk. He recently introduced FAIR-CAM, a formal description of how risk management controls operate individually and within a system of other controls to affect risk.

Employees said they violated compliance with security policies “to better accomplish tasks for my job,” “to get something I needed,” and “to help others get their work done.”

“These three responses accounted for 85% of the cases in which employees knowingly broke the rules,” the researchers write. “In contrast, employees reported a malicious desire to cause harm in only 3% of policy breaches.” Employees also reported they were more likely to skirt the rules at times of high pressure in their work.

The findings cast doubt on the typical perceptions in cybersecurity of malicious vs. non-malicious insiders— with non-malicious insiders perceived as a problem of awareness training. The researchers call for a more nuanced approach that accounts for the underlying causes of these behaviors.

FAIR-CAM Gets to Root Causes to Align Security Policies and Practices with Work Realities

FAIR-CAM - Decision Support Controls Domain Partial View

FAIR-CAM Decision Support Controls Functional Domain - Partial View from Introduction to the FAIR Controls Analytics Model

FAIR-CAM categorizes controls by high-level functional domains to distinguish between control functions that affect risk directly versus those that affect the operational performance of controls, versus those that affect decision-making.

The Decision Support Controls (DSC) functional domain decomposes the key factors that contribute to poor decision-making. In doing so, it can help organizations identify and implement policies, processes, and technologies that increase the odds that personnel will make appropriate decisions.

For example, the study presented in the Harvard Business Review called out the need to ensure that productivity and security compliance incentives are balanced. This is, in fact, explicitly called out in FAIR-CAM’s DSC domain. FAIR-CAM also describes other contributing factors, as well as how weaknesses in these conditions flows downstream to create security deficiencies (referred to as variances in FAIR-CAM) and ultimately, higher risk.

Implications for Cybersecurity Policy and Compliance

To keep their organizations safe, technical and business leaders alike must understand and resolve the factors that contribute to insiders failing to fulfill their security responsibilities, which can open the door for attackers. FAIR-CAM can be an excellent diagnostic and strategy development aid for doing this well.