The report, titled ‘The Role of Self-Control in Information Security Violations: Insights from a Cognitive Neuroscience Perspective’, was published in the Journal of Management Information Systems Publication, and was worked on by Qing Hu, Union Pacific professor in information systems, along with assistant professor of marketing Laura Smarandescu and Robert West, professor in psychology.
Their headline finding was that, after examining the brain activity of 350 undergraduates, test subjects with lower self-control were more at risk of giving away sensitive company information. Speaking to SCMagazineUK.com earlier this week, Hu defined this self-control as “the exertion of control by one over the self”.
“In the context of criminology and information security, we define self-control as an individual's ability to refrain from committing deviant or criminal acts under given circumstances,” he said.
The academics started working on this research after various reports indicated – as they still do – that insiders are responsible for around half of all breaches. But with this figure potentially higher given that many incidents go unreported, Hu wanted to find a more accurate way to predict which employees are a threat.
Hu has researched the subject for ten years and, on learning that West had worked with brainwave measurements, decided to collaborate with West and Smarandescu on the project two years ago.
In the study, they examined 350 ISUE undergraduates to determine their level of self-control; the 40 students at the extremes of high and low self-control were brought in for a second test, which included a full EEG test to measure their brainwaves.
“We asked them to think about whether they would violate a company's assets or security policy,” West said. “We told them to imagine they were an employee asked by a friend to share a client or user list. We set that scenario up and asked them how likely they would do this, and we captured that specific response.”
The study subsequently showed that students with higher self-control took longer to think about the decision, potentially showing they were spending more time weighing the consequences of their actions.
Hu admitted that the average business might not be able to afford neuroscience tech, but said simple screenings of new employees could determine their level of self-control.
“Everyone has talents and everyone has weaknesses. Businesses should use the right people with the right talents for the right job,” he said. “People with low self-control should not be put into positions that would have access to confidential digital assets. But those people could be very productive in other areas of the business; they're just not suitable for those kinds of conditions.”
Asked by SC, though, whether this was expensive and impractical, Hu said: “This is a good question which is created by brief reporting of a comprehensive study.
“In fact, what we have done is that we validated a short and paper-based survey instrument developed by criminologists in 1993 for measuring self-control, which is available for free for anyone to use, and it has only 24 questions and takes about 15 minutes to complete. In essence, we have done the hard and expensive work (using brain imaging tools in a delicate and controlled lab environment) that enables employers to do the simple task of screening.
“So, if an organisation wants to screen employees for self-control, assuming that it clears the regulatory and legal restrictions for such an act, all it takes is a paper survey and analysing the data. However, there are still challenges for this to be accurate because there is no national standard for dividing high versus low self-control based on the survey score. What we have done was we surveyed about 350 students, and we selected 20 highest and 20 lowest scoring subjects for our study to show the validity of the theory.”