Although cybersecurity breaches by outside hackers (think Marriott hotels in 2018) get all the media attention, the majority of threats come from employees themselves. Some of this is due to purposeful actions by employees who steal and release sensitive data, but most of it comes from carelessness. This occurs when an employee opens a suspicious e-mail or clicks on a link that is part of a phishing attack. Other times an employee might lose a thumb drive or laptop that contains sensitive data. I am part of a research team that has been investigating insider threats to cybersecurity led by Stacey R. Kessler (Montclair State University), with members Shani Pindek (University of Haifa), Gary Kleinman (Montclair State University), and Stephanie A. Andel (University of South Florida). Our recent paper on the topic shows how the cybersecurity climate of an organization is linked to the cybersecurity behavior and risk of employees.
What Is Organizational Climate?
Organizational climate concerns the policies and practices of an organization, that is, what behaviors and outcomes are encouraged and discouraged. A number of specific climates have been studied, including:
- Customer service climate: An organization that emphasizes the importance of the customer and good customer service.
- Civility climate: An organization that encourages people to be nice and respectful to one another.
- Diversity climate: An organization that values the differences among its employees and encourages people to respect those differences.
- Ethical climate: An organization that promotes high ethical standards and honesty in its workforce.
- Safety climate: An organization that strives to keep employees safe from accidents and injuries.
What Is Cybersecurity Climate?
An organization that has a cybersecurity climate values the safe handling of sensitive information and encourages employees to follow cybersecurity protocols. This means taking positive actions, such as frequently changing passwords, and avoiding risky behavior, such as keeping passwords on sticky notes pasted to the computer screen. Such organizations provide training about safe data handling practices, and their managers take corrective action when an employee engages in risky behavior. Some prohibit employees from removing data from the premises on thumb drives, laptops or other devices. They also might forbid any web surfing that is not work related.
What Did We Find?
There were two main purposes to this research effort. First, we developed a new assessment tool to measure cybersecurity climate: the Information Security Climate Index (ISCI). This scale measures three dimensions of climate: Practices of the organization, Importance placed on keeping information safe, and Laxness in the handling of sensitive information. Second, we surveyed samples from four healthcare specializations (certified nursing assistants, dentists, pharmacists and physician assistants) on their perceptions of the climate in their organizations and on their own cybersecurity behavior. We found that individuals who reported being in organizations that promoted a cybersecurity climate were more likely to follow safe data handling protocols and to avoid risky data handling behaviors.
Takeaways from the Study
Since insider threats due to lax data handling and risky behavior account for most data breaches, it is important to understand what organizations can do to reduce such threats. This line of research suggests that a focus on cybersecurity climate might be an effective means of promoting data safety. Organizations can improve such climates by putting an emphasis on data security through messaging and training that encourages employees to recognize threats, take them seriously, and be safer in their handling of sensitive data. Such efforts might begin by assessing employee perceptions of cybersecurity climate to get a benchmark, and then seeing whether interventions to improve the climate change those perceptions.