Businesses often require employees from different professions with a wide range of skills. The vast majority of employees are hired to complete tasks that come with expectations for productivity that are actively assessed throughout an employees’ tenure. In addition, employees are also expected to comply with security measures that are often implemented without consideration of how this will affect their productivity. When user experience is not appropriately considered or assessed, friction between security and productivity can occur, resulting in a very real risk of security breaches.
Research shows that when confronted with a choice between being secure or being productive, productivity tends to win. One of the leading psychological causes of this outcome is that completing a security measure does not actually entail inherent reward. In the best case, your reward is that nothing bad happens. Moreover, if an individual has never (knowingly) experienced a cybersecurity incident, the prospect of encountering one remains conceptual. So while they may cognitively understand the consequences through training, appreciation of the reality of those consequences remains distant.
Productivity, on the other hand, often provides positive and importantly, more immediate reward - people feel satisfaction when tasks are completed, they may receive praise for their efforts or financial compensation. Similarly, when productivity goals are not met, this can result in ‘punishment’ through negative feedback or potential loss of income.
When productivity is an active priority in discussions and interactions at work, this contributes to a culture where productivity is king, and while I doubt that any organization tells its employees that security plays second fiddle to productivity, this is nonetheless implied. When organizations have high expectations of both security and productivity (without consideration that these are often in conflict during day to day tasks), employees are left to make decisions about prioritization. Employees are more likely to justify cutting corners when it comes to security with mounting pressure to meet productivity goals.
The bottom line here is that employers need to better appreciate that productivity goals need to consider security measures, while security professionals should understand that employees need to be productive in their specific job and be disrupted as little as possible.
Where do we start in tackling this issue?
Assess your technology interactions
It is difficult to know what measures are causing friction if you don’t properly assess how your employees experience your technology. It can be the case that small adjustments to the implementation of security measures will help employees feel more inclined to maintain secure behaviors. Of course, some security measures are going to be necessary even if they are disruptive. In these cases, acknowledging the frustration of employees and properly disseminating why these measures are necessary will help to ease friction.
Management buy-in
Management buy-in is not just about financial investment in security. Creating a culture where security is fully integrated and prioritized requires that it be an active topic within the workforce. If your managers are not proactive about discussing security with their team members, but are proactive about discussing productivity, this sends a message.
Key Performance Indicators
When asking yourself what you prioritize at your organization, one simple question can help give you an indication: What do you measure? Most organizations tie their reward system to outcomes and results, and as a result many employees will prioritize their efforts to meet their KPIs. If you measure, assess, and discuss productivity, but not security, it’s likely you have an imbalance in your priorities. Applying secure behavior metrics to your organization can help keep track of the success of your security measures and also contribute to a secure culture by demonstrating the importance of security to your employees.
Security and productivity don't need to compete. Contact us to learn how to optimize security without compromising productivity.