
Our Research on Security's Human Element

Repeat clickers, Phishing

Phishing for Long Tails: Examining Organizational Repeat Clickers and Protective Stewards

Highlights:

  • Employees' behaviors in handling phishing attempts, including clicking links, entering data, and reporting suspicious incidents to organizational representatives, are explored.
  • Both repeat clicker and repeat reporter phenomena are identified and analyzed.
  • Four distinct behavioral response clusters among employees when facing phishing attacks are identified: "Gaffes," "Beacons," "Spectators," and "Gushers."
  • Takeaway: Offers insights into effective security awareness strategies for industry professionals responsible for managing employee security behaviors.

Phishing, Employee Engagement, Gamification

Phish Derby: Shoring the Human Shield Through Gamified Phishing Attacks

Highlights:

  • Employees' reporting behaviors related to phishing emails through a gamified approach called the "Phish Derby" competition are explored.
  • The impact of education level on Phish Derby performance is highlighted: more educated participants performed worse in the competition.
  • The influence of the work platform on employee performance is explored, where individuals using a single platform outperformed those using a mix of PCs and Macs.
  • Notably, self-reported computer skill level and perceived ability to detect phishing messages did not significantly affect Phish Derby performance.
  • Takeaway: Recognize the importance of motivating positive cyber behaviors among employees, go beyond the traditional focus on click rates, and incorporate gamification elements into security awareness training programs for better outcomes in organizations.

Insider Threat, Computer Abuse, Motives, Controls

Going Beyond Deterrence: A Middle-Range Theory of Motives and Controls for Insider Computer Abuse

Highlights:

  • The ongoing issue of insider computer abuse (ICA), the unauthorized and deliberate misuse of organizational information resources by insiders, is explored.
  • The shortcomings of traditional organizational security efforts, which primarily focus on deterrence and sanctions, in effectively combating ICA are highlighted.
  • The significant and direct role that intrinsic self-control plays in influencing ICA behaviors is demonstrated.
  • Takeaway: Offers security professionals valuable insights, suggesting a shift toward strengthening intrinsic self-control mechanisms to mitigate insider computer abuse effectively.

Policy Violations, Motives, Workload

Research: Why Employees Violate Cybersecurity Policies

Highlights:

  • The need to understand employees' motivations for intentional policy breaches, which are primarily driven by the perception that following rules hinders their ability to be productive, is emphasized.
  • The finding that the vast majority of intentional policy breaches are not fueled by malicious intent but by employees' desire to work effectively is underscored.
  • A more nuanced, employee-centric cybersecurity strategy is advocated to mitigate vulnerabilities effectively.
  • Policies that address the real underlying factors behind policy breaches rather than solely relying on technical defenses are recommended.
  • Takeaway: Offers security professionals valuable insights, urging them to develop policies that balance security requirements with employees' productivity needs, leading to a stronger overall security posture.
