Companies spend a lot of time making sure employees know the rules regarding cybersecurity. They cajole, they beg, they threaten. They make them take classes, sign forms, watch videos.
And yet, somehow, it does little good. A study by Gartner last year found that 69% of employees had bypassed their organization’s security policies in the past 12 months, and 74% said they would be willing to do so if it helped them or their team accomplish a business objective. All this even though most of them probably know that human error is often a factor in cybersecurity breaches.
Such indifference inevitably raises the question: Why? Why do people ignore security guidelines, even in the face of stiff penalties? Why do they flout the rules, even though they know it isn’t good for either their employers or themselves? The answer may be what criminologists have long called “neutralization techniques”: rationalizations that people instinctively use to “neutralize” the wrongness or harm of an action. Cybersecurity researchers have shown that such techniques also play a big role in employees’ willingness to ignore their employer’s cybersecurity guidelines.

The lies we tell

The concept of neutralization was developed by American criminologists Gresham Sykes and David Matza in the 1950s to explain the ability of juvenile offenders to “neutralize” the guilt associated with misbehavior.
They identified several neutralization techniques and laid the groundwork for later criminologists to add more. Typical rationalizations employees use to flout an employer’s security rules include the following. Many will no doubt sound familiar, but they all have one thing in common: They allow people to shirk the guilt they would normally feel for
Read more on livemint.com