Journal of Management Information Systems

News

Absence of Self-Control Is a Predictor of Proneness to Information Security Violations

14 May 2015

A recent study published in the Journal of Management Information Systems (JMIS) and widely covered in the media shows that absence of self-control is a predictor of an employee becoming a security risk in organizations.

The paper, published in the Spring 2015 issue of JMIS by Qing Hu, Robert West, and Laura Smarandescu of Iowa State University and titled "The Role of Self-Control in Information Security Violations: Insights from A Cognitive Neuroscience Perspective," was covered in online news sites, blogs, and newspapers around the globe. The authors were interviewed by various news services about the implications of their research for organizations, which are at present highly concerned about their information security. The researchers used a brain imaging technology, electroencephalography (EEG), to examine the brain activation levels and regions of individuals in scenario-based laboratory experiments in which the subjects were considering information security violations.

The researchers found that self-control, a relatively stable behavioral characteristic in most adults, is a major factor that differentiates whether an individual may or may not violate established information security policies and procedures in organizations. Individuals with low self-control display lower levels of neural activity in brain regions known to perform cognitive control functions that govern rational behavior. They also take less time to make decisions related to information security violations. Thus, these individuals pose a greater threat to organizational information security. These findings question the effectiveness of security-education training commonly used in organizations, given the strong evidence of neurological roots of low self-control. The authors advocate assigning the right individuals to sensitive positions based on psychological screening, using tools such as self-control measurement to improve the overall level of information security in organizations.

A sample of news media reports about this research: