ScienceDaily reports: "The old adage that a chain is only as strong as its weakest link certainly applies to the risk organizations face in defending against cybersecurity threats. Employees pose a danger that can be just as damaging as a hacker."
Iowa State researchers measured brain activity to better understand cybersecurity threats and identify what motivates employees to violate company policy.
Iowa State University researchers are working to better understand these internal threats by getting inside the minds of employees who put their company at risk. To do that, they measured brain activity to identify what might motivate an employee to violate company policy and sell or trade sensitive information. The study found that self-control is a significant factor.
Researchers defined a security violation as any unauthorized access to confidential data, which could include copying, transferring or selling that information to a third party for personal gains. In the study, published in the Journal of Management Information Systems, Qing Hu, Union Pacific Professor in Information Systems, and his colleagues found that people with low self-control spent less time considering the consequences of major security violations.
"What we can tell from this current study is that there are differences. The low self-control people and the high self-control people have different brain reactions when they are looking at security scenarios," Hu said. "If employees have low self-control to start with, they might be more tempted to commit a security violation, if the situation presents itself."
The study, a first of its kind, used EEG to measure brain activity and examined how people would react in a series of security scenarios. Researchers found people with high self-control took longer to contemplate high-risk situations. Instead of seeing opportunity, or instant reward, it's possible they thought about how their actions might damage their career or lead to possible criminal charges, Hu said.
For the study, researchers surveyed 350 undergraduate students to identify those with high and low self-control. A total of 40 students -- from both the high and low ends of the spectrum -- were then asked to do further testing in the Neuroscience Research Lab at ISU's College of Business. They were given a series of security scenarios, ranging from minor to major violations, and had to decide how to respond while researchers measured their brain activity. Robert West, a professor of psychology, analyzed the results.
- Hu, Qing, West, Robert, and Smarandescu, Laura. The Role of Self-Control in Information Security Violations: Insights from a Cognitive Neuroscience Perspective. Journal of Management Information Systems, Volume 31, Number 4, Spring 2014, pp. 6-48.