Select Page
Journal article | Research library
| 30/05/2024

Employee behavior: the psychological gateway for cyberattacks

Rahel Aschwanden | Claude Messner | Bettina Höchli, | Geraldine Holenweger

Purpose – Cyberattacks have become a major threat to small and medium-sized enterprises. Their prevention efforts often prioritize technical solutions over human factors, despite humans posing the greatest risk. This article highlights the importance of developing tailored behavioral interventions. Through qualitative
interviews, we identified three persona types with different psychological biases that increase the risk of
cyberattacks. These psychological biases are a basis for creating behavioral interventions to strengthen the
human factor and, thus, prevent cyberattacks.
Design/methodology/approach – We conducted structured, in-depth interviews with 44 employees,
decision makers and IT service providers from small and medium-sized Swiss enterprises to understand
insecure cyber behavior.
Findings – A thematic analysis revealed that, while knowledge about cyber risks is available, no one assumes
responsibility for employees’ and decision makers’ behavior. The interview results suggest three personas for employees and decision makers: experts, deportees and repressors. We have derived corresponding biases
from these three persona types that help explain the interviewees’ insecure cyber behavior.
Research limitations/implications – This study provides evidence that employees differ in their cognitive
biases. This implies that tailored interventions are more effective than one-size-fits-all interventions. It is
inherent in the idea of tailored interventions that they depend on multiple factors, such as cultural,
organizational or individual factors. However, even if the segments change somewhat, it is still very likely that
there are subgroups of employees that differ in terms of their misleading cognitive biases and risk behavior.
Practical implications – This article discusses behavior directed recommendations for tailored
interventions in small and medium-sized enterprises to minimize cyber risks.
Originality/value – The contribution of this study is that it is the first to use personas and cognitive biases to
understand insecure cyber behavior, and to explain why small and medium-sized enterprises do not implement
behavior-based cybersecurity best practices. The personas and biases provide starting points for future
research and interventions in practice.

You May Also Like