It’s no secret that all it takes is the weakest human link to compromise a company’s cybersecurity. To mitigate this risk, companies need to understand their employees’ habits and behaviors; they need to be aware of their people’s self-control levels when implementing security programs.

In a study of 6,000 participants in the Netherlands, a team of Dutch and American researchers found a correlation between self-control and the probability of malicious software infections.

“Companies can refer to their employees’ level of self-control to know who among them are in need of greater reinforcement and training on computer use and security protocols,” said Dr. Thomas Holt, lead author of the study “Testing an Integrated Self-Control and Routine Activities Framework to Examine Malware Infection Victimization,” which was published in Social Science Computer Review. Holt is also a professor of criminal justice at Michigan State University.

Organizations can also introduce regulations on Internet access or device use and automated implementation of security tools, he added.

The study by Holt, Johan van Wilsem, Steve van de Weijer and Rutger Leukfeldt explores the extent to which personal characteristics and user behaviors affect the probability of malicious software infections, a serious form of cybercrime, using the integrated routine activities and self-control theory of victimization.

The self-control theory of victimization

Self-control is a set of attributes that is easy to measure using a 24-item scale, Holt said.

Low self-control is manifested through short-sightedness, negligence, physical versus verbal behavior, and an inability to delay gratification.

“HR could be a useful means to assess these characteristics,” he said. “Risky online behaviors that may reflect low self-control could be measured based on activity while on company computers and networks such as viewing pornography or downloading pirated materials.”

The researchers found that people with low self-control have an increased risk of malware victimization because their routines place them in close proximity to motivated offenders and decrease their willingness to utilize appropriate guardianship factors.

“Basically, your ability to regulate your behavior influences how you act and when,” Holt said.

“Those with low self-control are more impulsive, risk-taking and short-sighted. This makes them less willing to take appropriate security measures and may increase the likelihood they wind up in risky situations that put them near offenders.”

To mitigate this risk, companies can restrict certain activities, Holt said: limiting “the ability to download/install third party applications without authorization, downloading pirated software and automating security protocols such as AV scans would help to partially reduce risk.”

“While we don’t know that offenders are deliberately targeting those with low self-control, we do know that malware writers and social engineers often target those who are more likely to respond or interact with their tools through malicious links and websites,” Holt said.

“That may affect those with low self-control at a higher rate as they don’t pay sufficient attention to potential risks or take proactive steps to secure their devices.”

A representative sample

“The Dutch population is largely representative of other European and western populations. Additionally, they have robust survey data relevant to cybercrime victimization that is not present in other countries, especially the US,” Holt said.

Participants were asked a series of questions about how they might react in certain situations to measure victimization, and to describe whether their devices showed slower processing, crashing, unexpected pop-ups, or a changed homepage in their web browser.

Holt said the findings lead him and his team to potential further research.

“I am interested to see how we can better develop resources to automate security protocols for use among populations with low self-control to reduce the risk of compromise,” he said. “I am also interested in the extent to which cyber security education is implemented in practice across various age groups as that is a key concern. If we communicate risk but people don’t use this information to protect themselves, we have to figure out why and how we can change this issue.”