Report

Debunking the
“stupid user”
myth in security

Exploring the influence of employees’ perception and emotions on security behaviors

Attitudes and emotions are strong predictors of behavior—even when it comes to cybersecurity.

Across all security interventions examined, the results show two consistent trends. First, the more reasonable participants found the intervention, the more likely they were to comply with it. Second, the more negative participants felt about an intervention, the less likely they were to comply with it. These findings suggest that people’s attitudes and feelings are good indicators of their likelihood to comply with security controls. Despite being largely overlooked and understudied to date, they should be considered as critical design factors by the cybersecurity industry.

Overall, participants were most positive about security nudges as a security intervention.

Participants found security nudges to be more reasonable than conventional security interventions. Similarly, participants in the nudging scenarios were significantly less likely to react with negative emotions compared to the conventional security interventions. Compared to the nudging intervention, participants in the blocking scenarios were 3 times more likely to respond with negative emotions. Given the positive relationships we saw across attitudes, emotion, and behaviors, we expected that security nudges would also drive a high rate of compliance—and they did.

Participants were highly likely to comply with security nudges.

Compliance with security nudges was very high. In fact, 78% of participants in the nudging scenario said they would be likely to respond to the security nudge. For comparison, only 32% of participants in the blocking scenario said they would be likely to comply with the intervention.

And yes, when you block access to applications, people look for workarounds.

It might come as no surprise that nearly 70% of participants in the blocking scenario said they would look for a workaround to access the application that had been blocked. This suggests that security interventions that attempt to block or limit access to applications that employees need to complete their work may ultimately lead to counterproductive security outcomes.

Download the
full report now.

See what you're missing.