Information security teams can spend all the money in their budget on fancy technology but it’s for naught if employees don’t use it. Unsurprisingly then, given the amount of money currently being spent by firms in keeping their data and their systems secure, information security teams have almost doubled their spending on employee awareness in the past three years, from $1,597 per 1000 IT users in 2013 to $3,086 per 1000 IT users in 2016, according to CEB data.
With all this money in the budget for awareness, however, information security teams are under an even bigger obligation to use it wisely and not be labelled as spendthrift. They should base their campaigns on the six root causes that are most likely to motivate employees to behave securely or not. These root causes have been determined by an analysis of survey data from over 350,000 employees globally across a wide range of industries and company sizes.
- Perception of the burden of compliance: Employees who perceive the action required to guard corporate information as time-consuming or hard to do (with extra steps to make), don’t perform the action or do so only occasionally.
- Policy knowledge: Some employees don’t know or understand what is wrong with a certain behavior or what to do to be secure, so they act insecurely without realizing it.
- Judgment: Often times, employees face work situations that have ambiguous security implications. These tend to be situations where policies do not (and cannot) exist, requiring them to make a judgment call on whether something is risky. The most obvious example is links or attachments in email. Most of these are benign and need to be opened; it takes judgment to spot the suspicious ones that might be a phishing email.
- Risk perception: If employees don’t believe an action is risky, they are more likely to perform it even if they know it’s against policy.
- Emotional commitment: This is the belief that behaving securely is just “the right thing to do”, regardless of policy or consequences to the actor for doing the wrong thing.
- Self-interest in security: Fear of sanctions from non-adherence or the promise of reward from adherence affect employees’ secure behavior.