Fridays bring the frivolity

International study examines cybersecurity behavior in the workplace


Normally, studies on the topic of cyber security in the workplace investigate how entire groups of people behave and only provide a snapshot in time. TU business informatics specialist Professor Alexander Benlian, together with two international colleagues, has now investigated the behavior of individuals over longer periods of time in order to document changes. The team published the study "Time will tell" in the renowned journal "MIS Quarterly". The results provide pointers for future research – and for employers.

Imagine you are full of energy and focused on your work at the office in the morning. In the afternoon, however, you feel tired and may be more easily fooled by suspicious emails or tempted to click on links that become a gateway for cyber attacks. The method recently recommended by TU Professor Alexander Benlian (Department of Information Systems and Electronic Services) and two colleagues from Canada and the USA aims to capture precisely such changes in external circumstances or fluctuations in mood and energy levels.

Previous studies have mostly looked at snapshots of larger groups of people, for example through one-off cross-sectional surveys. These do provide general findings, such as that some employees are less likely to adhere to security rules if they are not responsible or that people use typical justification strategies – such as: “Nothing will happen” or “Our IT specialists don't adhere to them either” – when they disregard cyber security rules. But why does someone behave in a particularly security-conscious manner one day, while being more careless the next?

In order to better understand this, the researchers interviewed 108 office workers over a four-week study period on Mondays, Wednesdays and Fridays – a total of 1296 observations were made. This makes it possible to understand whether the test subjects are more conscientious on Mondays than on Fridays, for example, when dealing with suspicious links that could potentially transport malware or initiate phishing attacks. Interestingly, the researchers found that for some people, the tendency to disregard security rules increases towards the end of the working day and intensifies as the week progresses.

Study publication in “MIS Quarterly”

Professor Dr. Alexander Benlian
Professor Dr. Alexander Benlian

The approach that the international research team is now presenting in “MIS Quarterly” offers explanations as to why cyber security measures that seemed promising when they were introduced lose their effectiveness. The results can therefore help to make cyber security training more effective and security measures more targeted.

At the same time, the study also provides methodological impetus for further research. The scientists involved emphasize the need for an idiographic approach. It makes it possible to investigate the changing behavior of individuals over time (longitudinal). The increased focus on processes within individual test subjects and on dynamic influencing factors systematically applied here can help scientists to better understand individuals in their processes and contexts, and in this specific case: to discover why people are sometimes careless when dealing with data and sometimes not.

The publication

Cram, W. A., D'Arcy, J., & Benlian, A. (2024).Time will tell: A case for an idiographic approach for behavioral cybersecurity research. MIS Quarterly, 48(1), 95-136.