Key Points

• Many internal security incidents arise from structural, organizational failures rather than solely from intentional or malevolent employee acts. If companies target only "the bad guys," they risk ignoring systemic issues that may foster security incidents in the first place.
• Human behavior within a company is deeply influenced by its structure and culture. Factors such as job characteristics (e.g., workload, clarity of expectations), perceptions of organizational justice (e.g., fairness in compensation, promotions, or disciplinary actions), and an overall security climate (the shared employee view of security practices and priorities) are key influencers in whether employees engage in positive or negative security behaviors.
• When supervisors consistently model appropriate behavior and when employees perceive that they are treated fairly and equipped with necessary resources, positive security behaviors are more likely to flourish—and may reduce instances of theft, sabotage, and negligence.

Broadening Understanding of Employee Misbehavior

Perhaps because of its natural association with law enforcement, corporate security is typically viewed as an enforcement tool and investigative body—to discourage workers from wrongdoing and catch them if it can’t. But taking aim at intentional, malevolent actors fails to address the root cause in many security incidents. Organizations must understand that when an employee exhibits unwanted security behavior, it’s sometimes because of an organization’s own structural failing—not a choice made by the employee.

Two factors can easily cause companies to miss the organizational underpinnings that affect security success or failure. First, the effectiveness of security hardware often obscures the need for companies to pay attention to organizational and human factors needed to support it—a crucial undertaking, according to research on organizational behavior. “Without question, the use of well-designed physical-related security systems to prevent security threats is vital to ensuring security at work. Nevertheless, the expected positive effects could be drastically undercut if human-related systems are not taken into consideration” (“Security in organizations: expanding the Frontier of industrial-organizational psychology,” International Review of industrial and Organizational Psychology).

Second, unwanted workplace security behaviors are often viewed in the context of threats, such as workplace violence and employee theft, which puts focus on intention. However, security violations can also result from unintentional behaviors driven by negligence or inadequate knowledge.

Indeed, intentional acts are only one possible root cause for security incidents or violations (see the accompanying flow chart). Some security experts actually believe that a majority of unwanted security deviations—possibly as many as 80%—result from human factors, and most of those are attributable to organizational characteristics rather than individual intent. As a result, although a security department may focus on rooting out problems, greater security gains may be possible by implementing organizational changes to support better security behaviors.

What Influences Security Behaviors?

All workplace security behaviors have either a positive or negative outcome. Positive security behaviors help safeguard assets; negative behaviors put them at risk. While some security behaviors are job-specific (e.g., security officers conducting patrols), most aren’t, and include activities such as locking a filing cabinet before leaving the office. These security behaviors—much like job performance—are primarily influenced by knowledge (e.g., of security policies and procedures); procedural know-how (e.g., skills to execute behavior); and motivation. But again, as with a focus on intentional malevolence, this view tends to put weight on the individual worker.

But it isn’t realistic to assume that individuals always have complete control over their behavior, say researchers, particularly within the context of the workplace.

Therefore, it is prudent to consider those factors beyond one’s control that might positively or negatively affect the determinants, and, in turn, security behaviors. — Security in organizations: expanding the frontier of industrial-organizational psychology,” International Review of Industrial and Organizational Psychology

Factor #1. Job characteristics affect security behaviors, such as whether workload is excessive or if a worker believes expectations are clear. There is ample research to show these issues can cause workers’ poor performance, frustration, and job dissatisfaction, and it’s also likely to contribute to theft and sabotage or, at a minimum, to weaken a worker’s motivation to comply with security regulations and policies.

Factor #2. A company’s “organizational justice” also is likely to affect security behaviors, research suggests. The feeling of unjust treatment or perceptions of unfairness in the workplace—in pay, promotion, or punishment—likely contributes to negative security behaviors. Because of it, a Human Resources department can often make or break company security, explained Roger Johnston, Ph.D., an expert in vulnerability assessments, at a national security conference. “HR is potentially a powerful tool in security, but in many organizations, they make things worse by not properly administering the grievance and complaint processes.” And that’s a missed security opportunity to cut internal theft, he said.

You need to do the things that make people less disgruntled because that’s something you can actually do. It’s hard to make people less greedy. — Roger Johnston, Ph.D., Vulnerability Assessment Expert

Factor #3. Security climate—employees’ shared perceptions of what the organization is like in terms of security (its practices, rewards, norms, etc.)—is an important factor shaping security behaviors. Exactly how important is unclear, because unlike the multitude of studies on how safety climate affects employees’ safety behavior, there is little research in the area of security.

While scientific guidance is limited, there are a few obvious ways in which security climate impacts security behaviors.

Management and supervisor support. Commitment and support for security among executive management is important because it influences employees’ perceptions of how important security is to the organization. What little security research there is suggests that some employee theft can be attributed to the fact that employees mimic behaviors modeled by their supervisors or managers. It has also been shown that “inappropriate security behaviors such as employee theft diminish when managers regularly communicate to employees about the importance of security.”

Security executives should examine security climate questions such as:

1. Do supervisors model appropriate security behaviors?
2. Do workers feel they’re given the necessary resources (time, instruction, etc.) to follow security rules?
3. Do pressures to cut security corners exist?

Coworker support. Research has proven that the norms and beliefs that surround a worker (in the form of coworkers) exert a social influence on workers. “These social influences can then [have an impact on] an individual’s perceptions, as well as behaviors, related to security,” the study notes.

In an effort to address this security climate issue, security executives should ask:

1. What are the group norms?
2. Where (and whom) do they come from?
3. Can they be positively influenced? How?