Article Reviewed: https://academic.oup.com/cybersecurity/article/10/1/tyae001/7588826
The article “Cybersecurity when working from home during COVID-19: considering the human factors” attempted to answer several questions to understand why employees may not adhere to guidelines meant to protect the company that employs them:
- What were participants’ lived experiences when transitioning from the office to home, and how did these impact cybersecurity learning and behaviors?
- What did cybersecurity mean for participants when working from home?
- How did participants learn about cybersecurity when working from home?
- What recommendations might we give to organizations based on our findings?
Research Method: The researchers used a method known in psychology as “interpretative phenomenological analysis” (IPA) (Whitty et al.). IPA is used to understand people’s “lived experiences.” Interviews with open-ended questions allowed the researchers to understand the respondents’ experiences. Vygotsky’s theory of learning was used to understand how people learned about and implemented cybersecurity practices during the pandemic, specifically Vygotsky’s model, the “Zone of Proximal Development” (ZPD) (Whitty et al.). This model helps us understand what a person can learn independently and what they can do by learning from peers. The ZPD, which is the area of the model in which a person can learn with guidance, would be associated with cybersecurity training, help from coworkers, and tools like antivirus programs and computer security updates.
Research Questions: The following set of questions was posed during the interviews, allowing empirical data collection.
- How did the participants experience the transition from the office to working from home?
- What does ‘effective cybersecurity behavior’ mean for participants, especially when working from home?
- Did participants experience any threats or attacks, and how did they deal with them?
- What type of advice/information (if any) was given to them to work securely at home?
- How did participants interpret the advice, and how easy or difficult was it to implement?
There were 27 respondents, 67% of whom were men and 34% were women. The participants varied in occupation, but all came from an office environment and abruptly transitioned to working from home during the pandemic. The questions asked uncovered 5 themes:
- Transition from home to office: The abrupt transition to working from home caused many people to be stressed and unable to focus on the best cybersecurity practices. Among other aspects during this time, the quick change to working from home may not have provided enough time for appropriate ‘at home’ cybersecurity policies to be put in place. Hence, guidelines were unclear to many who were used to working in an office environment.
- Working Space at Home: Working spaces at home were not ideal for some employees. For employees working from home with younger children, distractions were frequent and privacy was not easily obtained, contributing to stress levels. Thus, the environment was not ideal for employees to learn cybersecurity practices or put them into practice.
- Understanding of cybersecurity: This theme revolved around participants’ understanding of cybersecurity and the new issues that arise when working remotely. Here, we can see Vygotsky’s theory of ‘the zone of proximal development.’ Employees may not have understood much of the cybersecurity terminology or may have believed it was not their problem. Training that was infrequent, not engaging, or unable to be appropriately delivered due to the new working environment facilitated the growth of new threats. One notable threat that emerged during the pandemic was ‘zoom bombing,’ in which malicious actors would breach unsecured meetings, typically displaying illicit videos or photos. People breaching these meetings may have done so out of boredom or for a good laugh and denied that any psychological damage could occur to the employees who were victimized by these attacks. Attacks like this could create a high level of stress not only for the employee in the meeting but also for family members nearby, such as children who may have viewed the illicit videos or photos injected into the unsecured meetings.
- Awareness and education: This included a lack of education provided by the companies. Where training was available, it was not engaging and was not very well received. Additionally, employees preferred to seek advice from family members.
- Digital limitations: Old devices, shared devices, and insecure home networks contributed to the risk to company assets.
Conclusion: The pandemic changed working environments for employees abruptly and created much stress, which did not provide a suitable environment for employees to learn and practice reasonable cybersecurity efforts. Human factors, including the personal and shared use of company devices, lack of education, and stress levels that hindered the ability to learn, led to weaker protection. Vygotsky’s theory showed that without proper guidance, employees could only use the cybersecurity practices they already knew and could not learn much else, which therefore limited what they could implement.
Sources:
Whitty, Monica T, et al. “Cybersecurity When Working from Home during COVID-19: Considering the Human Factors.” Journal of Cybersecurity, vol. 10, no. 1, 1 Jan. 2024, academic.oup.com/cybersecurity/article/10/1/tyae001/7588826?searchresult=1, https://doi.org/10.1093/cybsec/tyae001.