
Why employees violate security policies

The reason employees violate information security policies (ISP) may be rooted in a mismatch of priorities, according to new research from Binghamton University, State University of New York.

Organizationwide security policies that do not account for the realities of different employees’ priorities and their daily responsibilities are more likely to be ignored or circumvented, increasing data breach risks.

“Every organization has a culture that is typically set by top management. But within that, you have subcultures among different professional groups in the organization,” said Sumantra Sarkar, associate professor of management information systems in Binghamton University’s School of Management. “Each of these groups are trained in a different way and are responsible for different tasks.”

In health care, for example, where patient health data is highly confidential, compliance with hospital security policies about locking unattended workstations varies for physicians, nurses and support staff, the researchers found.

“Physicians, who are dealing with emergency situations constantly, were more likely to leave a workstation unlocked. They were more worried about the immediate care of a patient than the possible risk of a data breach,” Sarkar told BingU News. “On the opposite end, support staff rarely kept workstations unlocked when they were away, as they felt they were more likely to be punished or fired should a data breach occur.”

Because each subculture responds differently to the blanket security policies, security teams should identify and consult with each subculture to develop more effective ISPs that introduce less friction.

In a hospital, for example, touchless, proximity-based authentication could lock or unlock workstations when an employee approaches or leaves a workstation, Sarkar suggested.

“There shouldn’t be situations where physicians are putting the entire hospital at risk for a data breach because they are dealing with a patient who needs emergency care,” he said. “We need to find ways to accommodate the responsibilities of different employees within an organization.”

About the Author

Connect with the GCN staff on Twitter @GCNtech.
