Scientists tested brain activity to find cybersecurity threat
The old adage that the chain is as strong as its weakest link is certainly related to the risk that companies face in protecting their information security. Employees create threats that can be just as destructive for a company as hackers do.
Iowa State University researchers are working to better understand these internal threats by trying to get into the heads of employees who are at risk for their companies. To do this, they measured brain activity to determine what could provoke an employee to violate company policies and sell or exchange confidential information. The study showed that self-control is an essential factor in this case.
Researchers define a security breach as any unauthorized access to confidential data, including copying, transferring or selling this information to third parties for personal gain. A study by Qing Hu, a professor of information systems, and his colleagues, published in the journal Management Information Systems, states that people with low levels of self-control thought much less about the consequences of major security breaches.
“What we can say with this study is that the differences do exist. Different reactions occur in the brains of people with low and high levels of self-control when they look at different security scenarios, ”said Professor Hu. “If employees who start working for the company have a low level of self-control, they may be more likely to violate security and privacy if the situation turns out like this.”
The first of its kind, research used electroencephalography to measure brain activity, and observed how people would react in a series of specific safety scenarios. Scientists have found that people with good self-control took longer to think about their intentions in high-risk situations. “Instead of seizing the opportunity and getting instant rewards, they pondered how their actions could ruin their careers or lead to possible criminal charges,” says Professor Hu.
Scientists examined 350 students and determined their level of self-control. Of these, 40 students with the highest and lowest rates underwent further testing in a neurological research laboratory at the university's business college. They were shown a series of possible security actions, ranging from minor to serious violations, and asked to answer what action they would take. At this time, scientists measured their brain activity. Robert West, a professor of psychology, analyzed the results.
“When people think about a decision, we see activity in the prefrontal cortex of the brain, which is responsible for making risky decisions, working memory and evaluating the remuneration compared to the possible punishment,” West said. “People with low self-control made decisions faster towards a serious violation. It seems that they really didn’t think much about him. ”
The results of the study reflect the characteristics of self-control in criminology, which indicates that people with low self-control are much more impulsive and risky. However, using traditional research methods and techniques, scientists were unable to determine whether the group with a low level of self-control acted based solely on the immediate benefits without taking into account possible losses in the long term, compared to what it was in a parallel group.
It is entirely possible that the “effect of social desirability” or the desire to act as one wants to hide the true intentions of the participants. Scientists say that the results obtained using neurological methods and techniques are more believable and provide a better understanding of the decision-making process by a person in various circumstances.
What does this mean for business?
According to a global study on information security in 2015, the number of violations in the field of information security increased to 43 million last year, compared with 29 million in 2013. The study showed that former and current employees are the most frequent culprits of incidents. Not all employee security breaches were malicious, but those that still had malicious intent created huge risks for companies around the world. This underlines the need to focus on protecting confidential information directly within companies.
Laura Smarandeshku, an assistant professor in marketing, used psychological methods in her previous studies to improve her understanding of the human thought process. She says this study can help businesses determine which employees should have access to sensitive information.
“A questionnaire that helps measure the impulsiveness of people in critical situations may be one of the mechanisms for selecting employees,” Smarandeshku says.
“Other studies of human behavior recommend the introduction of comprehensive procedures at the enterprises, employee training and clear sanctions in cases of security breaches to prevent such a thing in the future. However, traditional training does not change the level of self-control, ”said Mr. Hu.
“Training is good, but it cannot be as effective as we want it to be. Since self-control is part of the structure of the brain, this means that when its specific characteristics have been formed, it is very difficult to change them, ”said the professor.