How your staff make security decisions: The psychology of information security

Your employees encounter potential cyber security threats on a daily basis. Perhaps there’s a new face in the office that they don’t recognise, or a new password they need to remember, or a database of sensitive information that they need to upload onto the Cloud.

In The Psychology of Information Security, Leron Zinatullin explains how employees respond to those challenges and explains why they make the decisions they do.

For example, he found that employees usually don’t have a solid understanding of information security or their obligations to protect information.

In the rare cases where employees are aware of and follow a security policy, they don’t appreciate why those rules are in place.


The cost of compliance is too high

The majority of employees within an organisation are hired to execute specific jobs, such as marketing, managing projects, and manufacturing goods.

Therefore, an employee’s main priority is often to ensure efficient completion of their core business activity, and information security will usually only be a secondary activity.

Zinatullin found that, when security mechanisms cause additional workload, employees will favour non-compliant behaviour in order to complete their primary tasks quickly.

The means of compliance are obstructive

Sometimes, employees are unable to comply even if they are willing because the security mechanisms of the organisation do not match their basic requirements.

Examples include an organisation giving employees encrypted USB drives with too little storage space, forcing them to share files via email or non-encrypted drives.

Another problem is having to use multiple passwords to access multiple systems. Users normally resolve this problem by writing down their passwords.

Want to know more?

The information in this blog was taken from Leron Zinatullin’s The Psychology of Information Security.

Use this book to understand your employee’s behaviour and resolve security-related conflicts.

It contains insights gained from academic research, as well as interviews with UK-based security professionals from various sectors, and will help you develop a security programme that accounts for human weaknesses and your wider business objectives.


A version of this blog was originally published on 6 February 2017.