Can Post Holiday Blues Increase Cyber Risk?

The early part of the year is well known for being a somewhat depressing time, with poor weather and a long gap in public holidays combining to create a rather gloomy mood. A recent study by the University of Delaware suggests that the post-holiday blues could also increase the cybersecurity risks organizations face.

The research suggests that our poor mood after the holiday period results in us engaging in less safe behavior when back at work.  For instance, we might use weaker passwords or access unapproved software.

Violating policies

Of course, most organizations have strict policies to protect against such behaviors, but in moments of weakness, employees were found to violate those policies.

The study found that our mood had a big impact upon our digital behaviors, with good moods associated with secure behaviors, and bad moods linked with poor behaviors.

I’m sure we can all recall times when we’ve been inconvenienced by workplace security measures, especially when we’re already having a bad day. Going through this extra effort may be something we’ll happily do if we’re in a good mood, but if we’re not?

The researchers focused on insider security breaches because they believe up to 90% of security breaches are the result of noncompliant employee behaviors.

“That’s how malware gets on the system,” they explain. “That’s how companies get data breaches.”

The authors believe their work adds a unique element to previous work on this topic.  Whilst previous studies have looked at stable elements, such as personality traits, they wanted to examine things that change every day.

“It’s transient,” they say. “You can’t just say ‘Well, this person’s more likely to follow policies all the time.’ There’s always been this assumption that some people are predisposed toward this behavior or some people aren’t, whereas we can see now that based on these mood changes it’s hard to predict.”

Causing mood changes

The study delved into just what causes some of these mood changes in the workplace.  Whilst obvious factors such as our boss or an irate customer came high on the list, so too did the very security policies that are designed to keep networks safe.

“Sometimes if they’re dealing with security requirements that they think are too restrictive or are a hassle, that can have a negative impact,” the authors explain. “It’s like too much security puts employees in a negative mood, which then again makes them less likely to follow policy.”

If nothing else, the paper underlines the importance mood plays in whether employees comply with security policies or not. As such, mood should be factored into the creation of the policies, and certainly considered when investigating any cyber breaches.

“You also have to think some more about these people issues, to begin understanding your employees and creating an environment where the security policies are not so restrictive where they’re putting people in bad moods,” the authors conclude.