Everyday Cyber Security in Organizations

Everyday cybersecurity involves both technological and human security. Technological security focuses on maintaining the integrity of the technology, ensuring the usability of technological security, and controlling access. Human security encompasses interactions between people mediated through technology.

This report is a review of academic and policy literature in the context of everyday cybersecurity in organizations. The authors identified four behavioural sets that influence how people practice cybersecurity: compliance with security policy, intergroup coordination and communication; phishing/email behaviour; and password behaviour. This review aims at providing a summary of the existing literature in the area of ‘everyday cybersecurity’ within the social sciences, with a particular focus on organizational contexts.

Compliance’ with security policy

Employees fail to comply with information security policies for several reasons. The research draws on a combination of rational choice and decision-making theories, deterrence theory, and other principles from criminology, psychology to explain behaviours and attitudes to compliance.

Improvements to an organization’s security culture could benefit security management programmes and the behaviour of employees, which in turn should improve compliance with security policies. Several aspects within a security culture affect the intentions and motivations of employees: communications within the organization, effective monitoring and management commitment to the security culture.

When it comes to sanctions and rewards, studies offer no conclusive results regarding their effectiveness. Neither certainty of sanctions nor application of rewards appears to have any significant impact on compliance.

The employee relationship can also lead to positive behavioural change. Studies highlighted that employees’ attitudes, normative beliefs and habits are all influential in the intention of employees to comply with security policy.

Intergroup coordination and communication

Research highlights that a significant problem in this area is that security managers and other managers or employees have different points of view regarding information security practices. Differing skills between those with technological expertise and those without, have also been shown to polarise groups further.

It is widely accepted that disagreements between groups may lead to inter-group tensions and may foster poor work relations.

As such, to reduce intergroup conflict, organizations can implement superordinate goals. Superordinate goals are a set of goals that required participation from all groups to achieve these goals. The idea postulates that, if the goals are met, the relationship between the two groups becomes more harmonious. Intergroup leadership also relates to the idea of superordinate goals, as it refers to the idea of leadership across organizational group boundaries.

Phishing/email behaviour

Studies focused on several areas of email behaviour to understand why some employees might be more susceptible to phishing attacks. Users may lack the awareness and skills needed to detect phishing attempts.

By examining, factors such as personality traits, user awareness, education, motivation and perception of risk, researchers have been able to form theories of user behaviour when it comes to processing and dismissing or falling victim to phishing attempts.

Demographic characteristics, especially gender and age, are one area of focus. Results on gender show mixed results, while results on age show that differences in behaviour with age. This lack of consensus suggests that further research in these areas is needed.

An individual’s threat perception, effectiveness, self-efficacy, perceived severity of threats and perceived susceptibility can positively impact threat avoidance behaviour.

As such, security awareness methods that target user motivation can enhance a user’s avoidance behaviour. By motivating to protect against threats, game-based education delivery has been shown to engage users and lead to an improvement in security behaviour.

Research has shown that awareness of phishing threats is often not sufficient to change employee behaviour. IT management must know and identify precisely where to direct and focus these awareness training efforts.

Password behaviour

Generally, password policies are a set of rules established to enhance technological security by ensuring, or at least encouraging individuals to use what is determined to be strong passwords. Such policies may include a requirement for password lengths, passwords with mixed case/symbols, and the requirement to change passwords regularly.

The literature suggests that users have different motivations when it comes to choosing a secure password. Some users are more motivated by privacy issues rather than security. Users are also motivated by security and convenience simultaneously and will make a trade-off between them when determining a password. This trade-off often determines password quality, meaning that users will choose a strong password only if they are willing to sacrifice convenience.

This report highlights several aspects of cybersecurity in an organization and how employee behaviour plays a critical role. However, because most of the research gives mixed results, researchers must repeat those studies in a different environment to determine the validity and reliability of existing methods as well as provide homogenous results. Furthermore, this future research should aim to use psychological, sociological, and economic theory to aid, add to, or create new, behavioural interventions.

To cite: Ertan, A., Crossland, G., Heath, C., Denney, D. and Jensen,  R. B. (2020). Everyday Cyber Security in Organisations. Literature Review. Royal Holloway University of London.