pAth – An empirical study to understand the relationship between the psychological contract and cybersecurity behaviour within organisations


Cybersecurity attacks are a rising threat, and a rising cost, to businesses globally. Human behaviour is responsible for 85% of all cybersecurity incidents. A Gartner survey (22 February 2023) found that 69% of employees have bypassed their organisation’s cybersecurity guidance in the past 12 months, and 74% said they would be willing to bypass cybersecurity guidance if it helped them or their team achieve a business objective. The aim is not to place blame on the employee but to better understand the organisational, contextual and psychological factors that may be counterproductive to cybersecurity attitudes and behaviour. To mitigate this, Gartner suggested that more organisations make use of approaches that proactively and predictively identify threats that come from within the organisation.

Objective of the research

This work aims to identify human factors by understanding engagement, what the barriers to engagement might be, and the impact it may have on cybersecurity behaviour. Engagement can involve communications campaigns that aim to influence behaviour change, but it can also relate to the relationship between the employer and the employee, and to the degree of commitment, trust, loyalty, psychological contract and moral disengagement that may be playing a part in the development (or absence) of cybersecurity behaviour.

Based on previous research, we have identified the Psychological Contract as a key factor in understanding employee motivations for cybersecurity. CIPD (2024) defines the psychological contract as the relationship between employers and workers, and what influences how people behave in organisations. This study aims to explore the Psychological Contract and evaluate its effectiveness in understanding human factors in cybersecurity and what impact it has on employees' actual behaviour.

We can’t assume that, given seemingly appropriate tools and knowledge such as computer-based awareness training, employees will engage and practise conducive cybersecurity behaviour just because they are asked to. This work evaluates psychological factors to better understand human factors and how they relate to cybersecurity, and the most effective ways of facilitating long-term behaviour change through psychological intelligence-driven awareness and insider threat solutions.

pAth: A tool to measure engagement and insider threat

We have developed a methodological tool using situational judgement tests (SJTs), called pAth (short for Project Athena), which considers cybersecurity behaviour and psychological theory to understand the level of engagement with security, as well as to identify groups (and individuals, if appropriate) that may pose an elevated insider risk to an organisation.

The approach – pAth Empirical Study

This study will involve the use of situational surveys in evaluating causal relationships between the Psychological Contract and data that exists within organisations, such as reporting rates, phishing simulations and mandatory training compliance rates. This study will explore and identify seemingly positive aspects as well as negative ones, to better understand security engagement and the factors that influence it in the protection against human-related cybersecurity threats.

The ultimate objective is to better understand the relationship between the psychological contract (and breaches) and cybersecurity behaviour within organisations.

Benefits to participating organisations

Organisations participating in this study will benefit from insight into human-factors-related vulnerabilities within their organisations and whether this transfers into cybersecurity behaviour, using the data available within their organisations. This is useful to all organisations, but particularly those who have a graver need to hire and retain talent that will, even in challenging situations, remain committed to and engaged in protecting the nation and its infrastructure.

This study will then facilitate the development of appropriate measurement tools to prevent human-related cybersecurity threats and provide security teams with advanced and predictive insight into human risk before the threat gravitates. This can provide important intelligence in the planning and execution of solutions and initiatives, especially those involving awareness, engagement and insider threat.


CIPD (2024)

Lee, D., Lallie, H.S. & Michaelides, N. The impact of an employee’s psychological contract breach on compliance with information security policies: intrinsic and extrinsic motivation. Cogn Tech Work 25, 273–289 (2023).
