MA CR · Mar 25, 2020

Norms and Sanctions as a Basis for Promoting Cybersecurity Practices

arXiv:2003.11170v1
AI Analysis

This work addresses cybersecurity training for organizational workforces, offering incremental insights into sanction effectiveness.

The study tackled the problem of cybersecurity breaches caused by poor user practices by modeling expectations as norms and testing sanctioning mechanisms in a game simulating workplace decisions. It found that individual sanctions improve compliance and work completion but reduce resilience, especially in organizations with risk-seeking members.

Many cybersecurity breaches occur due to users not following good cybersecurity practices, chief among them being regulations for applying software patches to operating systems, updating applications, and maintaining strong passwords. We capture cybersecurity expectations on users as norms. We empirically investigate sanctioning mechanisms in promoting compliance with those norms, as well as the detrimental effect of sanctions on the ability of users to complete their work. We realize these ideas in a game that emulates the decision making of workers in a research lab. Through a human-subject study, we find that whereas individual sanctions are more effective than group sanctions in achieving compliance and less detrimental to the ability of users to complete their work, individual sanctions offer significantly lower resilience, especially for organizations comprising risk-seekers. Our findings have implications for workforce training in cybersecurity.
