Authors: Georgia Crossland, Amy Ertan, and Berta Pappenheim
This blog post outlines the initial findings of the Cyber Security Leadership and Culture research theme of 2020/21 at the Research Institute for Sociotechnical Cyber Security (RISCS) sponsored by, and in cooperation with the UK’s National Cyber Security Centre (NCSC). The full Phase 1 literature review is available on the RISCS website here - please contact firstname.lastname@example.org with any questions.
The research is an example of a much needed co-operation between academic researchers (Georgia Crossland and Amy Ertan, PhD researchers at the Information Security Group at Royal Holloway, University of London), small cyber psychology business owners (Berta Pappenheim, RISCS Research Fellow and Co-Founder at The CyberFish and Nadine Michaelides, Founder at Anima) working together with, and supported by the UK Government (Nico B, from the Economy and Society engagement team at the NCSC). Research Motivation
While various research strands have started exploring the impact of remote working on employees’ mental health productivity, there is little insight on how approaches to cyber risk and resilience have been impacted through the shift. Our research objectives focus on how organisations adjusted to remote working in terms of cyber risk management strategies, how organisations maintain a positive security culture through remote working, how leaders are able to support colleagues in terms of wellbeing, and whether this has an visible impact on cyber security behaviors.
Phase 1 involved a review of existing literature on the topic of remote working and the associated impact on employee wellbeing, the relationship with the employee and the organisation, and changes in cyber security behaviours. Phase 2 will involve a series of expert interviews with senior information security colleagues. The findings will culminate in a white paper which will be released in late Spring 2021.
Findings 1: The Impact of COVID-19 and Remote Working on Mental Health
The current COVID-19 pandemic has impacted healthcare workers' mental health, as well as the mental health of the wider workforce and general population. This is not only due to the widespread infections and health anxieties felt by many, but also due to the repeated national lockdowns that cause isolation and a total shift from what is considered to be ‘normal living’. Wherever feasible, workers had to adapt to working from home. Many also had to quarantine, shield in their households, and deal with increased caring and family commitments.
While pre-COVID-19 research highlights benefits of remote working, through performance increases and work satisfaction, with greater flexibility resulting in greater perceptions of productivity, there is a limit to how far previous studies can be applied as these studies typically assume remote working to be an optional benefit rather than mandated activity.
A range of possible negative impacts of remote working on employees have been highlighted, including the implicit promotion of an ‘always on’ working mode, leading to employee fatigue. Productivity may be negatively impacted by multitasking, decreased motivation and childcare responsibilities. It has also been reported that remote working has affected the UK workforce’s mental and physical health, with issues including aches and pains, diet and exercise, poor sleep, isolation, increased exhaustion, anxiety and depression.
While some research suggests virtual meetings can help reduce feelings of isolation, perspectives are mixed, with some employees experience ‘virtual meeting fatigue’.
Findings 2: The Impact of COVID-19 and Remote Working on Cyber Security
The cyber security threat landscape has adapted to the pandemic and remote working practices, with cybercriminals adapting their methods to take advantage of the circumstances. Many organisations have seen an increase in denial of service attacks, with criminals using themed COVID-19 language in their ransomware and social engineering campaigns, through emails and malicious domains.
CISOs generally report high levels of stress that impacts both their mental and physical health. This prevents efficiency and negatively impacts the organisation as stress can result in burnout. During COVID-19 and the shift to remote working research highlights stress factors are very likely to have increased.
The limited existence of relevant cyber security awareness training research relating to remote working represents a potential challenge to cyber security. A third of surveyed organisations have experienced a cyber attack as a direct result of an employee working outside of the businesses' security perimeter. Cyber security practices in the home are different from those in the office, hence, employees need to be made aware of and trained in new behaviours and practices they may need to adopt.
Findings 3: The Impact of COVID-19 and Remote Working on The Psychological Contract
Introduction to the Psychological Contract
The psychological contract is an implicit agreement between employer and employee, and may be defined as ‘the individual beliefs, shaped by the organisation, regarding terms of an exchange agreement between the individual and their organisation'.
When organisations satisfy the psychological contract, the relationship between the organisation and individual prospers, resulting in positive outcomes for both employees and organisations. Psychological contract breaches can violate the employee’s trust in the organisation and vice versa, potentially undermining loyalty for both parties. Breaches can lead to lower levels of job satisfaction, organisational commitment and extra role behaviour.
Furthermore, research suggests that employees are more willing to accept the ‘costs’ of being compliant with information security policy if they perceive the psychological contract to consistently be fulfilled by the organisation.
The Impact of COVID-19 and Remote Working on The Psychological Contract
For existing employees, the shift to remote working often meant a redrawing of the obligations between employee and employer. For some employees, it meant work takes on a more transactional nature. Studies suggest that strong leadership and flexible arrangements (allowing employees to adjust their working schedule) positively influence relational aspects of the psychological contract, while the use of surveillance technologies, when perceived as excessive by the employee, promotes distrust.
While research suggests that onboarding is a crucial time for the development of the psychological contract, especially for the development of trust and organisational culture, little research focuses on remote onboarding. Research into the remote onboarding practices of Microsoft colleagues through 2020 found various challenges experienced by employees, who reported struggles with training documentation, collaboration and communication, and isolation from their new team. The study’s suggestions for improvement suggest a rapid overhaul of remote onboarding practices: scheduling 1:1 meetings; providing sufficient information about the organisation; emphasising team building; assigning an onboarding buddy; and so on.
For breaches of the psychological contract
Research has highlighted that breaches of the psychological contract (which may include poor working conditions and job insecurity) leads to increased employee exits and decreased loyalty to employers and may also lead to increased workplace deviance, increasing the potential for insider threat activity. There is limited research evidence on the impact of breaking psychological contracts and insider threats while working remotely during the pandemic.
The literature demonstrated the unprecedented disruption to individuals and organisations caused by the COVID-19 pandemic, as well as insight into how global economies and organisations. Research has begun to look at the effects of the huge shifts in working patterns on mental health, employee attitudes towards risks and psychological contracts between employee and employer. These factors are highly likely to influence employee cyber security behaviours. However, given the unprecedented nature of the shift, and the ongoing nature of the pandemic, existing research cannot predict entirely how these behaviours may change. By engaging with relevant senior practitioners through a set of expert interviews, in Phrase 2 of this project, we will explore cyber security and sociotechnical experts views on how remote working has impacted cyber security, employee-employer relationships and wellbeing.