Scientists have tested brain activity to find cybersecurity threat

The old adage that the chain is as strong as its weakest link, of course, also applies to the risks that companies face in protecting their information security. Employees create threats that can be as devastating to a company as hacker actions.

Iowa State University researchers are working to better understand these internal threats, trying to penetrate the heads of employees who carry risks for their companies. To do this, they measured brain activity to determine what could cause an employee to violate company policies and sell or exchange confidential information. The study showed that self-control is a significant factor in this case.

Researchers define a security breach as any unauthorized access to confidential data, including copying, transferring or selling this information to third parties for personal gain. A study by Qing Hu, a professor of information systems, and his colleagues, published in the journal Information Management Systems, stated that people with low levels of self-control thought much less about the consequences of major security breaches.
')
“What we can say in this study is that the differences do exist. Different reactions occur in the brains of people with low and high levels of self-control when they look at different security scenarios, ”said Professor Hu. "If employees who start working for a company have a low level of self-control, they may be more prone to breach of security and confidentiality if the situation turns this way."

In a first-of-its-kind study, electroencephalography was used to measure brain activity, and observations were made of how people would react in a series of specific security scenarios. Scientists have discovered that people with good self-control required more time to think about their intentions in highly risky situations. “Instead of seizing the opportunity and getting an instant reward, they wondered how their actions could ruin their careers or lead to possible criminal charges,” says Professor Hu.

Scientists examined 350 students and determined their level of self-control. Of these, 40 students with the highest and lowest rates were further tested in the neurological research laboratory at the university's business college. They were shown a series of possible actions in the field of security, ranging from minor to serious violations, and asked to respond to what action they would take. At this time, scientists measured their brain activity. Robert West, a professor of psychology, analyzed the results.

“When people think over the decision, we see activity in the prefrontal cortex, which is responsible for making risky decisions, working memory and evaluating the reward compared to the possible punishment,” West said. “People with low self-control quickly made decisions in the direction of a serious violation. It seems that they didn’t really think much about him. ”

The results of the study reflect the characteristics of self-control in criminology, which indicates that people with low self-control act much more impulsively and riskierly. However, using traditional research methods and techniques, scientists could not determine whether a group with a low level of self-control acted, based only on a direct benefit without taking into account possible losses in the long term, compared to how it was in a parallel group.

It is possible that the “effect of social desirability” or the desire to act as you like, hid the true intentions of the participants. Scientists say that the results obtained using neurological methods and techniques are more believable and provide a better understanding of the human decision-making process under various circumstances.

What does this mean for business?

According to a global study on information security in 2015, the number of information security breaches increased to 43 million last year, compared with 29 million in 2013. The study showed that former and current employees are the most frequent perpetrators of incidents. Not all employee security breaches were malicious, but those that still had malicious intent created a huge risk for companies around the world. This emphasizes the need to focus on protecting confidential information directly within companies.

Laura Smarandeshka, an associate professor in the field of marketing, has used psychological methods in her previous studies to improve the understanding of the human thought process. She says this study can help businesses determine which employees should have access to confidential information.

“A questionnaire that helps measure the impulsiveness of people in critical situations can be one of the mechanisms for selecting employees,” says Smarandeshka.

“Other studies of human behavior recommend the introduction of complex procedures in enterprises, employee training and clear sanctions in cases of security breaches to prevent this in the future. Nevertheless, traditional trainings do not change the level of self-control, ”Mr. Hu said.

“Learning is good, but it cannot be as effective as we want it. Since self-control is part of the structure of the brain, this means that when its certain characteristics have been formed, it is very difficult to change them, ”said the professor.