Aschwanden, Rahel; Messner, Claude; Höchli, Bettina; Holenweger, Geraldine (2024). Employee behavior: the psychological gateway for cyberattacks. Organizational Cybersecurity Journal: Practice, Process and People Emerald 10.1108/OCJ-02-2023-0004
|
Text
10-1108_OCJ-02-2023-0004.pdf - Published Version Available under License Creative Commons: Attribution (CC-BY). Download (1MB) | Preview |
Purpose
Cyberattacks have become a major threat to small and medium-sized enterprises. Their prevention efforts often prioritize technical solutions over human factors, despite humans posing the greatest risk. This article highlights the importance of developing tailored behavioral interventions. Through qualitative interviews, we identified three persona types with different psychological biases that increase the risk of cyberattacks. These psychological biases are a basis for creating behavioral interventions to strengthen the human factor and, thus, prevent cyberattacks.
Design/methodology/approach
We conducted structured, in-depth interviews with 44 employees, decision makers and IT service providers from small and medium-sized Swiss enterprises to understand insecure cyber behavior.
Findings
A thematic analysis revealed that, while knowledge about cyber risks is available, no one assumes responsibility for employees’ and decision makers’ behavior. The interview results suggest three personas for employees and decision makers: experts, deportees and repressors. We have derived corresponding biases from these three persona types that help explain the interviewees’ insecure cyber behavior.
Research limitations/implications
This study provides evidence that employees differ in their cognitive biases. This implies that tailored interventions are more effective than one-size-fits7-all interventions. It is inherent in the idea of tailored interventions that they depend on multiple factors, such as cultural, organizational or individual factors. However, even if the segments change somewhat, it is still very likely that there are subgroups of employees that differ in terms of their misleading cognitive biases and risk behavior.
Practical implications
This article discusses behavior directed recommendations for tailored interventions in small and medium-sized enterprises to minimize cyber risks.
Originality/value
The contribution of this study is that it is the first to use personas and cognitive biases to understand insecure cyber behavior, and to explain why small and medium-sized enterprises do not implement behavior-based cybersecurity best practices. The personas and biases provide starting points for future research and interventions in practice.