“Bobbie Sue took the money and run
Go on take the money and run”
Take The Money And Run by Steve Miller Band (Click here for the song)
Photo by Tayla Kohler on Unsplash
Regular readers would know that my blogs are often inspired by conversations with clients and events in the media. Whilst cybercrime is often in the media, this week I drew inspiration from Tom Cruise in Mission Impossible and Michael Cain’s audible podcast on true crime.
"Human factors and the human-computer interface are a central component of cybersecurity, and technology alone will not prevent cybercrime”
Monteith, S., Bauer, M., Alda, M., Geddes, J., Whybrow, P.C. and Glenn, T
Researchers have studied crime for decades, from the criminal's perspective, a heist is an opportunity to look at the impossible, identify the vulnerabilities in the system and find a way through. Clever criminals engage in stealth techniques, whereby the perpetrator circumvents security measures without security knowing, or the heist is committed in plain sight of security forces, by the use of appropriate timing and route planning. In many circumstances, the crime is often discovered hours or days later. Based on research cybercriminals have taken advantage of the following:
Looked for or accidentally found a weakness in security
Exploit others/abuse a position of authority
Gained help from an outsider
Previous employment facilitated the commission of the crime, including the theft of identities and past experience.
“Every heist is a human story… Harry Houdini knew those in charge of security can make simple errors”
Alexis Conran
What other factors are at play?
1. Distrust or overtrust in security measures: Researchers have found that when we look for something rare we tend to abandon the search reasonably rapidly because the probability of success is low. This psychological phenomenon is called the prevalence effect. In the context of cybercrime, the greater the improvements in spam detection software, and other inbuilt security systems means the lower the chances of an unfiltered IT attack are rare. Thus employees tend to become lax.
2. Personality: The propensity of employees to adhere to policies can be influenced by individual differences and personality traits. Employees who are risk-takers or exhibit impatience with complex procedures might be more likely to neglect security measures, potentially leading to the exposure of vulnerabilities.
3. Human Error: Researchers have found that human error is considered the leading cause of 90% of cybersecurity breaches. These errors, like opening phishing emails or neglecting password management, can expose organisations to serious consequences. Often employees may be reluctant to report these mistakes, compounding their impact. Regular readers would know that errors typically occur when employees are tired, stressed or burnt out.
4. Excessive controls, and tedious rules. According to researchers, when the security system becomes excessively restrictive, employees tend to lose their sense of personal accountability. As a result, their vigilance and critical thinking decline, and their motivation to act diminishes. Moreover, if the system is perceived as burdensome and time-consuming, employees may view compliance as an interruption to their work and will attempt to evade security measures to avoid any negative impact on their daily productivity.
“One can build that ideal system where all documents, all emails, everything should be, but then you alienate the human being; in other words, he or she feels that they lack control – I'm monitored and can stop thinking about security.”
Gyllensten, and Torner
“The story of the Trojan Horse is well-known. First mentioned in the Odyssey, it describes how Greek soldiers were able to take the city of Troy after a fruitless ten-year siege by hiding in a giant horse supposedly left as an offering to the goddess Athena.”
Matt Pickles
Why do employees sabotage?
Researchers have found that employee sabotage is often a form of retaliation. It may occur as a reaction to immoral, unsafe, or otherwise wrong behaviour or an attempt to slow down or prevent change from occurring. To position themselves for a promotion, project or, salary increase, employees may sabotage the actual work or reputation of their co-workers. Sabotage often occurs when an employee may have been shown disrespect, passed over for promotion, given additional responsibilities with no pay increase, denied adequate resources to do the job, or didn't receive what he or she considered adequate credit for work performed by co-workers or management. When employees feel invisible, sabotage enables them to have some control, albeit negative, over their work environment.
“Insider threats can be significant because they involve a malicious actor who knows exactly where to look to find sensitive data”
Jessica Davis
Are there any warning signs in the lead-up to an attack?
Researchers have identified the following changes in employees' behaviour in the lead-up to a crime:
-Misconduct
-Stress, anxiety and/or depression during and leading up to the attack
-Addiction to alcohol, drugs, etc
-Personal hardship and financial strain
-Coercion/blackmail from others
-Increased time logged into secure areas for no apparent reason
-Showing off newly acquired wealth
-Decrease in work motivation
-Working hours that are incongruent with their role and typical schedule
-Downloading large volumes of data
-High-performing employee, stops meeting targets and displays signs of distress.
-Absenteeism
What is the impact of cybercrime on employees?
“A team may be knowledgeable about established safety procedures and skilled at handling a range of circumstances, even some that might be harmful, but handling the psychological effects of a situation is another matter.”
Keerthivasan Ravi, Ramprasath, Vijayakumar Supraja Dwarakanath
Researchers have identified several negative impacts on employees' mental and physical health when a company experiences a cyber-attack. In cases where hackers manipulate machines or critical infrastructures, there is a risk of physical harm like accidents or injuries to workers. When a hospital is targeted in a cyber-attack, not only do the attackers gain access to sensitive patient and employee data, but there will be severe disruption to patient care and necessary medical operations.
Aggressive customers pose a psychosocial hazard in many workplaces. When customers misbehave, disrespect, and devalue employees with their harsh words, it adversely impacts employees' stress, anxiety, and turnover. Cybercrime often increases the volume and severity of customer aggression and its repercussions.
When hackers repeatedly get through security measures and are not stopped, employees may lose faith in their employer's ability to protect them.
Constantly being engaged in a fight, exposed to dangerous criminals, and witnessing the struggles endured by victims, while shouldering the responsibility of keeping others safe, takes a heavy toll on the mental well-being of IT staff.
What can be done?
“Our data shows that while dishonesty is not limited to disgruntled workers and often involves only minor offenses, the propensity to behave in such a way increases with job dissatisfaction. Keeping employees engaged and satisfied may not prevent all unsavory behaviors, but a commitment to the company would compel them to think twice. Most people will not go down the slippery slope unless they feel ‘justified’ to do so … it could be retribution, a desire to ‘level the playing field’, an ‘us vs. them’ attitude, or simply the feeling that their manager or the company as a whole had it coming. Our research has already shown that a manager’s poor behavior can increase turnover – the same can be said for dishonesty and theft as well.”
Ilona Jerabek
As with all aspects of human behaviour in the workplace, preventing cybercrime depends on a complex set of factors. Leaders have the responsibility to ensure that employees grasp the concept of secure information security behaviours and establish a culture that encourages best practices. Regular readers would know that a leader dedicated to creating a psychologically safe and healthy workplace who remains alert and educated will go a long way to minimise the likelihood of cybercrime and its repercussions.
“Our lives are the sum of our choices.”
Tom Cruise Mission Impossible
References and further information
Reed, T. (2019). You Can’t always get what you want: Employee and organizational responses to perceived workplace injustices and their relationship to insider attacks. Homeland Security Affairs,
https://www.informationweek.com/security-and-risk-strategy/75-of-insider-cyber-attacks-are-the-work-of-disgruntled-ex-employees-report
https://www.prweb.com/releases/2016/08/prweb13636545.htm
Crino, M. D. (1994). Employee Sabotage: A Random Or Preventable Phenomenon? Journal of Managerial Issues, 6(3), 311–330. http://www.jstor.org/stable/40604030
Dreibelbis, R.C., Martin, J., Coovert, M.D. and Dorsey, D.W. (2018). The Looming Cybersecurity Crisis and What It Means for the Practice of Industrial and Organizational Psychology. Industrial and Organizational Psychology, 11(2), pp.346–365. doi:https://doi.org/10.1017/iop.2018.3.
Tam, C., Conceição, C. de M. and Oliveira, T. (2022). What influences employees to follow security policies? Safety Science, 147, p.105595. doi:https://doi.org/10.1016/j.ssci.2021.105595.
Greene, G., & D’Arcy, J. (2010, June). Assessing the impact of security culture and the employee-organization relationship on IS security compliance. In 5th Annual Symposium on Information Assurance (pp. 1-8).
Sawyer, B.D. and Hancock, P.A. (2018). Hacking the Human: The Prevalence Paradox in Cybersecurity. Human Factors: The Journal of the Human Factors and Ergonomics Society, 60(5), pp.597–609. doi:https://doi.org/10.1177/0018720818780472.
Monteith, S., Bauer, M., Alda, M., Geddes, J., Whybrow, P.C. and Glenn, T. (2021). Increasing Cybercrime Since the Pandemic: Concerns for Psychiatry. Current Psychiatry Reports, [online] 23(4). doi:https://doi.org/10.1007/s11920-021-01228-w.
Incorporating Occupational Safety And Health In The Assessment Of Cybersecurity Risks Discussion Paper European Agency For Safety And Health At Work
NIST (2021). Cyber Attack - Glossary | CSRC. [online] csrc.nist.gov. Available at: https://csrc.nist.gov/glossary/term/Cyber_Attack.
Skarlicki, Daniel & Van Jaarsveld, Danielle & Walker, David. (2008). Getting Even for Customer Mistreatment: The Role of Moral Identity in the Relationship Between Customer Interpersonal Injustice and Employee Sabotage. The Journal of applied psychology. 93. 1335-1347. 10.1037/a0012704.
Lafleur, J., Purvis, L. and Roesler, A. (n.d.). The Perfect Heist: Recipes from Around the World. [online] Available at: https://gwern.net/doc/technology/2014-lafleur.pdf [Accessed 10 Jul. 2023].
Bedi, M. (2023). Australia’s Latitude Group, IPH hit by cyber attacks amid wave of hacks. Reuters. [online] 16 Mar. Available at: https://www.reuters.com/technology/australias-latitude-group-says-customer-information-stolen-cyber-attack-2023-03-15/#:~:text=Technology%20experts%20say%20hackers%20have.
Gyllensten, K. and Torner, M. (2021). The role of organizational and social factors for information security in a nuclear power industry. Organizational Cybersecurity Journal: Practice, Process and People. doi:https://doi.org/10.1108/ocj-04-2021-0012.
Dalal, R.S., Howard, D.J., Bennett, R.J., Posey, C., Zaccaro, S.J. and Brummel, B.J. (2021). Organizational science and cybersecurity: abundant opportunities for research at the interface. Journal of Business and Psychology, 37. doi:https://doi.org/10.1007/s10869-021-09732-9.
Whitty, M. T. (in press). Developing a conceptual model for insider threat. Journal of
Management & Organization.
Whitty, M.T. (2018). Developing a conceptual model for insider threat. Journal of Management & Organization, pp.1–19. doi:https://doi.org/10.1017/jmo.2018.57.
Pickles, M. (2014). Did the Trojan Horse exist? Classicist tests Greek ‘myths’ | University of Oxford. [online] www.ox.ac.uk. Available at: https://www.ox.ac.uk/news/arts-blog/did-trojan-horse-exist-classicist-tests-greek-myths#:~:text=The%20story%20of%20the%20Trojan.
Kost, E. (2022). 11 Biggest Data Breaches in Australia (Includes 2021 Attacks) | UpGuard. [online] www.upguard.com. Available at: https://www.upguard.com/blog/biggest-data-breaches-australia.
Rich, A.N., Kunar, M.A., Van Wert, M.J., Hidalgo-Sotelo, B., Horowitz, T.S. and Wolfe, J.M. (2008). Why do we miss rare targets? Exploring the boundaries of the low prevalence effect. Journal of Vision, 8(15), pp.15–15. doi:https://doi.org/10.1167/8.15.15.
Keerthivasan Ravi, Ramprasath, Vijayakumar Supraja Dwarakanath. A Study on the Emotions of an Employee After a Cyber Security Attack in Their Organization.