The Psychology of Enterprise Security

Change management is risk management — cultivating a culture of security

Psychology of Cybersecurity

Security insiders like to bandy about the expression “the culture of security.” But treating it as a distant goal rather than an immediate need is the equivalent of ignoring a gaping hole in your security posture.

After a breach comes the deluge: lawsuits, regulatory fines, lost business, stock devaluation. Research indicates, however, that we are failing to factor human reactions into that fallout. An Israeli study found that cyberattacks raise cortisol levels, a marker of psychological stress. It also suggests, EurekAlert writes, that affected people are more inclined to express feelings of fear and insecurity.

The study measured the reactions of humans directly affected by a breach. But as security incidents get more intrusive—compromising not just a company’s output, but also its legal, financial, and HR information—they’re causing C-suite pressure and employee anxiety alike.

In Sony’s case, this prompted distressed workers to hit the entertainment giant with a class-action suit for failing to adequately protect their personal information. From an executive perspective, separating a security incident from the everyday office experience is no longer so cut-and-dried.

Stress erodes workers’ day-to-day output and, with it, the growth of the business. Mitigating it should be central to any risk plan. Among the technologies that bear on employee performance, security analytics stands out because it has the visibility to observe behaviors and actions across the enterprise. By detecting threats sooner, analytics limits the incidents that trigger this stress, and so protects the work culture as well.

Risk Management Office

Still, a breach may feel inconsequential to an employee until it affects them personally, triggering that stress response. Until then, the blithely unaware worker will often behave negligently, disregarding security protocols and resisting changes to their daily routine, because best practices seem to get in the way of their work. What is missing in these circumstances is change management: the nurturing of behavioral change in the workplace.

A 2015 poll found that 92% of employees say security precautions negatively affect their ability to complete daily work. These safeguards include cumbersome authentication steps, such as VPN logins and an array of passwords. “Like remote access, multiple passwords are a symptom of security implemented in silos,” eSecurity Planet writes. “In many cases, IT organizations simply add a new password requirement for every new asset they need to secure, creating a fragmented approach to security.”

This has not shifted much in the two years since. A recent survey by Ovum, the research and consulting firm, found that 36% of companies run a staggering 51 to 100 security tools. Tool sprawl is the same silo problem at enterprise scale, which is why centralizing security, by integrating existing tools into an analytics solution, matters.

It’s also why cultivating a culture of security is so essential. When employees have a rich understanding of how their behavior contributes to the enterprise’s security posture, instead of just being handed a set of rules to follow, they are more likely to participate, aware that their actions have impact.

This is established through change management. Executive, security, and HR leadership must work together to map out a strategy that includes education, training, and a series of check-ins, so that security-savvy behavior becomes a daily routine for each employee. As with the most formidable technical solution an enterprise can deploy, observing and reacting to behavior is what makes security effective, and people are what make that technology work.