Employee behavior: the psychological gateway for cyberattacks

Aschwanden, Rahel; Messner, Claude; Höchli, Bettina; Holenweger, Geraldine (2024). Employee behavior: the psychological gateway for cyberattacks. Organizational Cybersecurity Journal: Practice, Process and People Emerald 10.1108/OCJ-02-2023-0004

10-1108_OCJ-02-2023-0004.pdf - Published Version
Available under License Creative Commons: Attribution (CC-BY).

Download (1MB) | Preview

Cyberattacks have become a major threat to small and medium-sized enterprises. Their prevention efforts often prioritize technical solutions over human factors, despite humans posing the greatest risk. This article highlights the importance of developing tailored behavioral interventions. Through qualitative interviews, we identified three persona types with different psychological biases that increase the risk of cyberattacks. These psychological biases are a basis for creating behavioral interventions to strengthen the human factor and, thus, prevent cyberattacks.

We conducted structured, in-depth interviews with 44 employees, decision makers and IT service providers from small and medium-sized Swiss enterprises to understand insecure cyber behavior.

A thematic analysis revealed that, while knowledge about cyber risks is available, no one assumes responsibility for employees’ and decision makers’ behavior. The interview results suggest three personas for employees and decision makers: experts, deportees and repressors. We have derived corresponding biases from these three persona types that help explain the interviewees’ insecure cyber behavior.

Research limitations/implications
This study provides evidence that employees differ in their cognitive biases. This implies that tailored interventions are more effective than one-size-fits7-all interventions. It is inherent in the idea of tailored interventions that they depend on multiple factors, such as cultural, organizational or individual factors. However, even if the segments change somewhat, it is still very likely that there are subgroups of employees that differ in terms of their misleading cognitive biases and risk behavior.

Practical implications
This article discusses behavior directed recommendations for tailored interventions in small and medium-sized enterprises to minimize cyber risks.

The contribution of this study is that it is the first to use personas and cognitive biases to understand insecure cyber behavior, and to explain why small and medium-sized enterprises do not implement behavior-based cybersecurity best practices. The personas and biases provide starting points for future research and interventions in practice.

Item Type:

Journal Article (Original Article)


03 Faculty of Business, Economics and Social Sciences > Department of Business Management > Institute of Innovation Management
03 Faculty of Business, Economics and Social Sciences > Department of Business Management > Institute of Innovation Management > Consumer Behavior

UniBE Contributor:

Aschwanden, Rahel Flurina, Messner, Claude Mathias, Höchli, Bettina Rebekka, Holenweger, Geraldine


600 Technology > 650 Management & public relations
100 Philosophy > 150 Psychology
300 Social sciences, sociology & anthropology > 330 Economics






[30] Schweizerische Mobiliar Genossenschaft




Rahel Flurina Aschwanden

Date Deposited:

10 Jun 2024 16:16

Last Modified:

10 Jun 2024 16:16

Publisher DOI:


Uncontrolled Keywords:

Cyber risks, Human factors in cybersecurity, Cyberpsychology, Cognitive psychology, Cognitive biases, Psychological gateway, Behavioral science





Actions (login required)

Edit item Edit item
Provide Feedback