Why understanding human behavior is essential to building resilient security systems.

Dr. Margaret Cunningham, Principal Research Scientist, G2CI at Forcepoint

October 19, 2021


Most mornings, we set out with the best intentions. There are tasks to complete, calls to make, chores to do, and people to care for. By midafternoon, reality sets in, to-do lists are pared down, and what can't be completed today is shifted to tomorrow (or next week). It's impossible to do everything, and often our best must be good enough.

Even when operating at our best, we have limitations. Sustained high performance without rest leads quickly to stress and burnout. Yet even as burnout becomes a more widely acknowledged threat, employees are expected to perform consistently, with the same enthusiasm and intrinsic motivation to "get things done," every day. People are not machines, and expectations for human performance are notoriously unrealistic. We are limited in how much information we can process and how quickly. We are limited in how many things we can perceive and attend to at once. We are limited by the hours in a day. Add the heightened stress of a global pandemic and you have a recipe for burned-out workers looking for the easiest way to get through the day.

Perhaps more importantly, once we've reached our limit, we need time to recover. In exploring the process of recovery, we find that people recharge differently from one another, and differently day to day, depending on environmental and personal factors including ongoing stress and health. The current global climate, as well as increased personal and professional demands on employees, have made it more difficult to recover and recharge. In a recent survey of over 3,000 people, 55% said they felt at risk of burnout.

When people are burned out, they function in "power-save mode," where effort is rationed to avoid complete shutdown. As effort is rationed, performance on lower-priority tasks suffers. While the power-save mode analogy is overly simplistic, understanding what people trade off to continue making progress on their prioritized goals is critical for understanding how burnout and fatigue affect cybersecurity.

Many cyber-hygiene behaviors demand attention to detail, additional login steps, strong passwords, and extra time (installing software updates, restarting programs, and so on). For most end users these are also low-priority tasks, ranking well below the objectives of their primary job duties. Because it is tied to those lower-priority objectives, cyber hygiene is among the first things to deteriorate when a person is burned out.

However, the impact of burnout extends far beyond the direct consequences of poor cyber hygiene, such as compromised accounts and ransomware. As energy and motivation dwindle, people find inventive ways to reduce effort while still reaching their goals. Burnout pushes people toward workarounds that conserve energy for their primary tasks. This means that every time-consuming security control that makes it harder to share files, access critical assets, or use business applications is in direct competition with how employees need to spend their energy. One visible result is the widespread use of unapproved technology: recent studies reveal that 46% of employees use shadow IT to perform their job duties more easily.

Workarounds and deviations from desired behavioral paths are nothing new. If you've ever walked through a park with plenty of sidewalks but noticed there are well-worn paths cutting through grassy areas, you've seen physical evidence of people prioritizing speed and convenience over convention. These are often called "desire paths," and they reflect the free will of humans to move through the world as they see fit.

Now, as people spend more time engaged in digital tasks, software developers and cybersecurity experts must make the effort to understand how people interact with technology, and how the architecture of security processes and tools supports (or impedes) natural human tendencies. Understanding human behavior, not controlling it, is key to building resilient security systems that can withstand the ever-changing landscape of new technologies and threats.

Risk Assessment
Since burnout is an ever-present threat to workers, even in increasingly hybrid or remote workforces, organizations can enhance their security posture by better accommodating and understanding human behavior. To do this successfully, they must reshape how they conceptualize risk and recalibrate their tolerance thresholds by including human performance in their risk assessment process. Involving experts in human factors engineering, human systems integration, and interaction design is critical for supplementing traditional security teams and departments.

These experts help organizations understand and anticipate the types of issues that create security vulnerabilities stemming from poor cyber hygiene, and they can also help identify security policies likely to lead to unsafe workarounds. They also provide meaningful strategies for developing error-tolerant systems that can protect organizations and prevent small losses or breaches from turning into major adverse events. It is inevitable that workers will face burnout at some point in their careers, and it's up to organizations to recognize and mitigate the resulting risks.

About the Author(s)

Dr. Margaret Cunningham

Principal Research Scientist, G2CI at Forcepoint

Dr. Margaret Cunningham is Principal Research Scientist for Human Behavior within our Global Government and Critical Infrastructure (G2CI) group, focused on establishing a human-centric model for improving cybersecurity. Previously, Cunningham supported technology acquisition, research and development, operational testing and evaluation, and integration for the US Department of Homeland Security and US Coast Guard.

