A forthcoming article by University of Delaware assistant professor John D'Arcy explores the effects of "security-related overload" on employee noncompliance in the workplace.

Cybersecurity and stress

Can too much security be a bad thing?


10:37 a.m., April 24, 2014--From background checks and airport scanners to alarm systems and network firewalls, our lives are frequently touched by security mechanisms put in place to protect us. But can too much security actually cause us stress?

It’s a possibility, says new research by John D’Arcy, an assistant professor in the University of Delaware’s Department of Accounting and MIS.


In a forthcoming Journal of Management Information Systems article, D’Arcy, with coauthors Tejaswini Herath of Brock University in Canada and Mindy K. Shoss of St. Louis University in Missouri, explores “security-related overload” and suggests possible ways to counter its stressful effects.

UDaily sat down with D’Arcy to discuss his research findings and ask about the implications for future information security initiatives.

Q. How can cybersecurity measures cause employees stress?

A. Employees are often given a variety of cybersecurity requirements in the form of policies, procedures and technical controls, and in particular, stress can result from overload, complexity and uncertainty. The result is that employees may engage in information security policy (ISP) violations. In this way, security requirements can actually backfire due to the demands they place on employees.

Q. What are some of the ways employees engage in ISP violations?

A. Some examples of ISP violations include:

  • Failure to log off when leaving a PC or workstation;
  • Writing down a password;
  • Sharing a password; or
  • Copying confidential or sensitive data to a non-secure USB device. 

Data leakage (e.g., a human resources employee divulging salary information to someone outside the organization) is another major security compliance problem.

Q. In many organizations, there are consequences for ISP violations. Can you explain why, when there are clear policies or procedures in place, employees will engage in such activity?

A. We found from the survey we conducted of over 500 employees who use computers on a regular basis that when security requirements are perceived as an overload, complex or uncertain, individuals can rationalize ISP violations and become more susceptible to negative behavior. This rationalization process is called moral disengagement. 

Q. What are some examples of moral disengagement?

A. There are three general categories that such disengagement can fall into: reconstructing the conduct; obscuring or distorting consequences; and devaluing the target.

An employee may fall into the category of reconstructing the conduct if they employ “palliative comparison,” or considering a harmful act as acceptable by contrasting it with a more reprehensible behavior. Something like password sharing can fall into this category; an employee might argue that this ISP violation isn’t as bad as stealing company information. “Euphemistic labeling” also falls into this category; employees might see certain ISP violations as “no big deal” or an “inevitable reality” in the workplace. 

In the distorting consequences category can fall the displacement of responsibility, in which an employee might deny responsibility for a violation due to perceived work overload. Finally, in devaluing the target, an employee might blame others by attributing the violation to a strict or unreasonable policy.

Q. So what’s the solution?

A. It’s important to note that it is the requirements of the policies, and not the security threats themselves, that can lead employees to engage in this behavior. If stressed employees are more likely to engage in these types of rationalizations that lead to noncompliance, then organizations need to rethink how they create information security policies. 

Precise and clearly written policies devoid of jargon and technical terms can make security less complex, while periodic security training and education can eliminate uncertainty. Involving employees in the design and implementation of policies can also make efforts feel less intrusive and reduce negative behavior.

Article by Kathryn Meier

Photo by Ambre Alexander Payne
