Researchers at Iowa State University have been looking into the role played by company employees in cyber-security management. The evidence suggests that individual behaviour in this context is all about self-control.

In-company data security: not just a matter of training

Deliberately leaking information, introducing viruses and damaging computer equipment are some of the behaviours which these days can jeopardise the very existence of a company. In order to understand the reasons behind this type of behaviour, a team of neuroscience researchers at Iowa State University in the United States have been measuring the brain activity of employees who break the security rules laid down by their company or organisation.

In the Iowa study, 350 students were confronted with a series of scenarios linked to cyber-security. These guinea-pigs were asked to take decisions and meanwhile the researchers analysed their brain activity. The research team came to the conclusion that people with low levels of self-control were more likely to infringe the rules and thus become a cyber-risk to their company.

It appears therefore that the solution does not lie just in pre-emptive training: “Training is good, but it may not be as effective as people believe. If self-control is part of the brain structure, that means once you’ve developed certain characteristics, it’s very difficult to change,” explains Qing Hu, Union Pacific Professor in Information Systems, who leads the research team, on the University’s news website.

The Iowa State University team has a different approach in mind, namely that – based on the findings of this report – companies and organisations ought to be taking steps to decide which employees should have access to what levels of information. Laura Smarandescu, Assistant Professor of Marketing at Iowa State University suggests that “a questionnaire measuring impulsivity for individuals in critical positions may be one of the screening mechanisms businesses could use.”  So does this mean that we are all pre-destined to be – or not to be – a danger to cyber-security? This is certainly not the view among cyber-security experts but their solutions vary from placing the emphasis on the training students receive at university to stressing the role that management should play in dealing with these risks and providing the right training.

By Guillaume Scifo