Insider threatMoods can impact cybersecurity behavior

Published 26 January 2018

As professionals return to work after holidays, their moods are undoubtedly affected by the emotional impact of their holiday experiences, but these moods may be more critical to workplace cybersecurity than previously realized. New research suggests that people’s positive or negative moods can affect the likelihood that they will engage in insecure computing behavior in the workplace.

As professionals return to work after holidays, their moods are undoubtedly affected by the emotional impact of their holiday experiences, but these moods may be more critical to workplace cybersecurity than previously realized.

New research from the University of Delaware’s John D’Arcy, published in Information Systems Journal, suggests that people’s positive or negative moods can affect the likelihood that they will engage in insecure computing behavior in the workplace.

Insecure workplace computing behavior includes things like using weak passwords, accessing unapproved software or not using two-factor authentication, said D’Arcy, an associate professor at UD’s Alfred Lerner College of Business and Economics.

Most organizations have formal policies that prohibit such behavior. UDel says that to try and predict why people violate these policies, D’Arcy worked with City University of Hong Kong’s Paul Benjamin Lowry to survey professionals in organizations throughout the United States about their workplace computing behavior.

The longitudinal survey found that “moods and emotions influence people’s security-related behavior,” D’Arcy said. “And these things vary from day to day, which can make people’s behavior vary from day to day.”

According to the survey, employees in better moods are more likely to have a positive attitude about security and are more likely to follow policy.

“On the flip side, if they’re in a bad mood, what you get can change from day to day,” D’Arcy said. “That makes it more likely that they will violate policy.”

This makes sense for any employee who has felt especially inconvenienced by workplace security measures during a bad day: On a day that you were feeling more positive emotions, the extra effort likely wouldn’t seem as annoying.

— Read more in John D’Arcy et al., “Cognitive-affective drivers of employees’ daily compliance with information security policies: A multilevel, longitudinal study,” Information Systems Journal (8 November 2017) (DOI: 10.1111/isj.12173)