Organizations are continually exposed to a variety of online threats that put their information and systems in danger. The risks are even more significant as they face more advanced and persistent threats, as well as insider threat. The insider threat is employees introducing risks to the organization due to non-compliance with the information system security policy.
According to the Canadian Survey of Cyber Security and Cybercrime conducted in 2017, 21% of Canadian businesses have been impacted by a cybersecurity incident that affected their operations. Those businesses reported that the incidents were perpetrated through phishing and malware. In 2015, the Ponemon Institute indicated that 25% of breaches were caused by employee’s unsafe behaviours. In 2017, the British Department for Digital, Culture, Media & Sport found that 72% of breaches were the result of staff receiving and acting on phishing emails. These figures demonstrate the importance of understanding and reducing the threat that arises from insecure employee behaviour.
This study focused on behavioural approaches to reducing malware as employees do not always act in ways that help to prevent this threat. The authors focused on the three following behaviours: use of anti-malware software to scan USB sticks (‘anti-malware software’), avoiding links in suspicious emails (’email security’) and installing software updates when prompted (‘software updates’).
These behaviours were chosen as they are important to prevent malware and require different levels of input from users. They may also provide potential variation in the reasons why employees do not engage in anti-malware behaviours.
The authors analyzed the relationship between employees’ prior experience, their threat and coping appraisal and their intention to perform the three behaviours mentioned.
The results of the study showed that:
- Experience of security issues at work was found to influence email security behaviour significantly. Experiencing negative consequences of security issues may promote awareness and greater detection surrounding email phishing.
- Employees who perceive that anti-malware behaviours have high costs (loss of productivity, effort and time) are less likely to perform such behaviours.
- Employees perceive that all three behaviours are important in reducing malware threats. Of those three, email security behaviour was perceived to be the most effective in preventing malware, followed by anti-malware software behaviour and software update behaviour.
- Employees’ beliefs in their capabilities are not crucial for installing software updates when prompted. This highlights that perceptions of capability are not important for all security behaviours; installing software updates may be perceived as an easy behaviour to perform. On the other hand, anti-malware software and email security behaviours require a level of skills. The first requires knowledge in how to access and run the anti-malware software while the other requires the ability to detect suspicious links.
- Responsibility was a strong predictor of anti-malware software use and software security updates. Individuals with higher perceptions of personal responsibility for security had greater motivation to undertake anti-malware actions.
Empowering users with a sense of responsibility is therefore important to promote uptake of behaviours. Also, as response costs were identified as a critical deterrent to behaviour, organizations should seek to reduce the time and productivity burden associated with anti-malware behaviours.
Cite: Blythe, J. M. & Coventry, L. (2018). Costly but effective: Comparing the factors that influence employee anti- T malware behaviours. Computers in Human Behavior, 87, 87-97.