What cybersecurity practitioners have long suspected is true: 67% of employees would try to circumvent security controls that block access to unsanctioned SaaS applications at work.
The reason why might come as a surprise.
According to new Nudge Security research, undesirable security behaviors may have less to do with lack of awareness and more to do with basic human emotions.
Released today, “Debunking the ‘stupid user’ myth in security” is a new report from Nudge Security that explores how workers’ attitudes and emotions influence security behaviors.
The research was conducted in consultation with leading psychologists at Duke University. It confirms that workers are more likely to comply with security controls if they find the experience to be positive and reasonable.
“We now have evidence to suggest that improving the employee experience of security can actually lead to better security outcomes,” said Russell Spitler, CEO and co-founder of Nudge Security.
The research took 900 participants through a common scenario: needing to access a SaaS application for work.
Participants were randomly assigned to one of three “security interventions” that either blocked access to the application, revoked access punitively, or nudged participants to justify access.
They were asked to rate how reasonable they found the intervention, how positively or negatively they felt about it, and how likely they were to comply with it.
Overall, participants’ attitudes and emotions strongly correlated with their likelihood of compliance.
- 67% of participants said they would not comply with the blocking intervention. Instead, they would look for a workaround.
- Participants perceived nudging as the most positive and reasonable intervention. They were 3X more likely to feel negatively about blocking and punitive interventions.
- 78% of participants would comply with a nudge, 2X the compliance rate of the blocking intervention.
“This research underscores basic tenets of human psychology and demonstrates that, even in cybersecurity, attitudes and emotions are strong predictors of behavior,” said Dr. Aaron Kay, PhD, J Rex Fuqua Professor of Management and Professor of Psychology & Neuroscience at Duke University and Nudge Security advisor.
“Security leaders are setting themselves up for failure when they implement security controls with the assumption that employees will comply mechanically, regardless of their own self-interests.”