Norms and Sanctions as a Basis for Promoting Cybersecurity Practices

Abstract: Many cybersecurity breaches occur due to users not following good cybersecurity practices, chief among them being regulations for applying software patches to operating systems, updating applications, and maintaining strong passwords. We capture cybersecurity expectations on users as norms. We empirically investigate sanctioning mechanisms in promoting compliance with those norms as well as the detrimental effect of sanctions on the ability of users to complete their work. We realize these ideas in a game that emulates the decision making of workers in a research lab. Through a human-subject study, we find that whereas individual sanctions are more effective than group sanctions in achieving compliance and less detrimental on the ability of users to complete their work, individual sanctions offer significantly lower resilience especially for organizations comprising risk seekers. Our findings have implications for workforce training in cybersecurity.