The link between stressed employees and cybersecurity risks

A cursory glance through the news headlines each day should make it no surprise that we're generally a stressed bunch, but the scale of worry is nonetheless quite stark. Gallup's latest State of the Global Workplace report reveals that 44% of employees say that they're stressed.

“We’ve seen a 10-point increase in emotions like stress, sadness, pain, and worry over the past decade," says Gallup CEO Jon Clifton. "If you think about it, if that was global unemployment, that kind of figure would be making headlines in every country in the world, but with stress, it almost goes unnoticed because no one is really paying attention to how we feel."

Impaired decision making

This matters as research has shown that stress has a significant impact on our ability to make effective decisions. For instance, one paper found that stress lowers a range of cognitive functions, such as attention, working memory, and executive functions, which are essential for effective decision-making. This impairment can result in a reduced ability to process information and consider various options.

A second study found that stress can also have an impact on our emotional decision-making. Stress tends to shift decision-making towards more emotionally driven thinking and less driven by rational thinking. This emotional bias can lead to impulsive or less thought-out decisions.

Stress also has an impact on our perceptions of risk. A third study found that stress can alter the perception of risk, leading individuals to perceive risks as more severe or threatening than they actually are. This altered risk perception may result in more conservative or risk-averse decision-making.

Security implications

Being stressed at work has obvious implications for things like productivity, employee engagement, and retention, but research from security firm Adarma shows that it can also have an impact on cybersecurity.

The company quizzed security professionals from across the United Kingdom and found a similar picture to Gallup. Indeed, among security professionals, over half report being stressed, exhausted, and frustrated at work. As a result, the researchers believe that mistakes are inevitable, as are things like burnout and, ultimately, resignations, which presents a considerable problem given the intense skills shortages already facing the sector.

“Cybersecurity professionals are typically highly passionate people who feel a strong personal sense of duty to protect their organization, and they’ll often go above and beyond in their roles,” Adarma explains.

“But, without the right support and access to resources in place, it’s easy to see how they can quickly become victims of their own passion. The pressure is high, and security teams are often understaffed, so it is understandable that many cybersecurity professionals are reporting frustration, burnout, and unsustainable stress. As a result, the potential for mistakes being made that will negatively impact an organization increases.”

This abundance of stress results in over 40% of cybersecurity professionals feeling unable to adequately respond to the various threats they face, with an additional 43% saying that they have little or no capacity to respond to potential threats. Indeed, a quarter of security professionals said they don't feel they have any expertise or capability to respond to any kind of cybersecurity incident at all.

Making things better

So, what can be done to make things better? There are a number of ways that the stress burden on cybersecurity teams can be reduced:

  • Look for more diverse security teams: This not only brings fresh ideas into the team but by looking in a wider range of areas, you’re more likely to fill the skills gap that is causing so much stress today.
  • Try and ease the burden: It’s important that managers recognize the stress felt by security teams and explore strategies to effectively distribute the workload and avoid burnout.
  • Introduce the right tech: Technology can undoubtedly help to ease the burden, and it’s important that teams are given the right tools to do their job effectively, while also being given the training to effectively use these tools.
  • Optimize resource allocation: It’s inevitable that teams will have a finite budget, so it’s important that resources are allocated strategically to address the most significant threats and vulnerabilities.
  • Adapt to the evolving threat landscape: The threat landscape is inevitably evolving, so companies should regularly reassess and update security strategies to address emerging challenges.
  • Support career progression: The Gallup results show that employee engagement can act as a good buffer against stress, so it’s important that security professionals are engaged and see opportunities for advancement.
  • Promote wellbeing across the workforce: Last but not least, companies should prioritize the well-being of the entire workforce, including the security department. Implement policies and practices that support a healthy work-life balance.

It’s been noticeable that the Gallup figures have remained pretty stagnant for a number of years (or, indeed, getting worse). This has clear implications for cybersecurity, so now is the time for organizations to do something about it and change this broken record.