Why do people indulge in risky online behavior?

Jan. 22, 2025
Mitigating risky behavior might sound like a difficult task but it's not impossible.

Roughly three-quarters of employees resort to risky online behavior at work. This can involve anything from using entertainment or streaming services online, to sharing personal information and passwords, to downloading malicious or unauthorized applications, to backing up work documents on unauthorized cloud storage, to visiting gaming or gambling websites. But do you know what’s worse? Most users do this willingly, fully aware of the high risk.

Why Employees Engage In Risky Online Activities

According to research, there are a multitude of psychological factors that contribute to risky behavior among employees:

  1. Overconfidence / Optimism Bias: Employees indulge in risky online behavior due to optimism bias, convinced they are immune to any potential harm or threat. This overconfidence extends beyond their own actions to include a misplaced trust in the organization's security measures. This false sense of safety can lead to employees taking greater risks.
  2. Complacency: Employees tend to become accustomed to doing things a certain way, especially when workloads are repetitive. As a result, they underestimate the risks involved and may erroneously assume cybersecurity measures are readily present.
  3. Social Learning: For social acceptance, employees naturally observe how their peers behave. These observations help them understand behavioral norms; however, they may also shape the perception of what constitutes risk. If a user witnesses a colleague sharing a password, the user may do the same.
  4. Risk Creep: Studies show that if individuals engage in risky behavior without serious consequence, they may feel emboldened to continue doing so. If someone downloads an unauthorized application and no system or person is there to alert them, then it’s likely the behavior will continue.
  5. Convenience: E-mailing a sensitive attachment is far more convenient than uploading it and then sharing the link or password in two separate emails. Sometimes the convenience of doing something a certain way can put organizations at risk.
  6. Urgency: The pressure to meet a deadline and the desire to save time can lead people to cut corners on security rules and processes. For instance, it’s much easier to simply download a tool than to wait for permission from IT.

How Can Organizations Curtail Risky Behavior?

Security awareness and behavior are distinct from each other. We all know the danger of using a phone while driving and yet most people still do it despite being aware of the risks. To bring about meaningful change, try following these best practices:

  1. Cultivate a Culture of Security: Cultivating a culture of security means going beyond just educating your workforce. It means targeting the attitudes, perceptions and behaviors that users have about security and embedding security in the very fabric of the organization. It also means being more humane and less punitive: half of employees fear reporting cybersecurity mistakes. Culture is always instilled from the top down. Leaders must learn to walk the talk and make a personal effort to include security in their everyday conversations.
  2. Implement Real-world Training Exercises: Learning about a risk and encountering a risk are two completely different things. Employees should know what risk looks like in the wild and the actions they should take against it. Conducting phishing simulations and other real-world exercises can help identify risk-prone users, reinforce the need to remain cautious and build security instinct and muscle memory in employees.
  3. Gamify to Build Interest: Who says cybersecurity has to be boring or forced upon people? If organizations leverage things like gamification (contests, rewards, prizes), they can make the learning process more interactive and engaging. For example, running a “spot the deepfake” contest (using websites like whichfaceisreal.com) or a “spot the phish” challenge can invoke fun and a competitive spirit among employees.
  4. Deploy Tighter Security Controls: Use technology controls to prevent users from doing risky things. For example, use a secure web gateway to prevent employees from visiting non-work related websites; use phishing-resistant multi-factor authentication to add an additional layer of protection against credential theft; use an advanced email security solution that can detect phishing attacks; use data leakage prevention to prevent unauthorized sharing of sensitive data.
  5. Ensure Policies and Procedures Are User Friendly: Individuals often bypass security measures because they believe such policies will impede their work. On the flip side, if security procedures are tailored to accommodate employee requirements, there is a higher probability that they will appreciate and adhere to the company's regulations and guidelines.

Mitigating risky behavior might sound like a difficult task, but it's not impossible. By understanding the motivations driving employee risk-taking, developing security protocols and training that prioritize employee needs, addressing basic safeguards such as password management, and cultivating a healthy security culture, organizations can not only earn cooperation from their employees but also foster a more accountable and resilient workforce.

About the Author

Erich Kron | Security Awareness Advocate for KnowBe4

A 25-year veteran information security professional with experience in the medical, aerospace, manufacturing and defense fields, Erich Kron is Security Awareness Advocate for KnowBe4. An author and regular contributor to cybersecurity industry publications, he was a security manager for the U.S. Army's 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, SACP and many other certifications. Erich has worked with information security professionals around the world to provide the tools, training and educational opportunities needed to succeed in information security.