Why Do Employees Ignore Password Security Best Practices?
Despite knowing the risks, employees often ignore password security best practices like MFA and password managers. Learn about the psychology behind this behavior and discover strategies to close the gap between knowledge and action for a more secure workplace.
2025-02-03
Organizations invest heavily in cybersecurity awareness programs, teaching employees the importance of secure passwords. Employees often know the rules: passwords should be unique, never shared, and changed regularly. However, even in workplaces that experience data breaches, many individuals fail to adopt critical security tools like multi-factor authentication (MFA) and password managers. What drives this disconnect between knowledge and action? The answer lies in human psychology.
This blog post explores the psychological factors influencing employees' password behaviors and provides actionable strategies to bridge the gap between awareness and implementation.
The Knowledge-Action Gap
One of the most perplexing issues in cybersecurity is the knowledge-action gap. Many people know the importance of using MFA or a password manager, yet they don't act on it. This disconnect is often a result of low motivation, perceived inconvenience, or underestimating the risks of non-compliance.
Example: An employee may think, "I know MFA is secure, but it's a hassle to enter a code every time I log in."
Optimism Bias
Optimism bias is a cognitive distortion that makes people believe they are less likely to experience negative events than others. This false sense of security leads to complacency.
Example: A user might reason, "Breaches happen to other people, not me. I’m careful with my passwords."
Habitual Behavior and Resistance to Change
Humans are creatures of habit. In cybersecurity, forming new habits like using MFA or adopting a password manager can feel daunting. People often stick to familiar behaviors, even when those behaviors are insecure.
Example: Someone might avoid adopting a password manager because they’re used to memorizing or writing passwords down.
The Convenience Factor
Security measures like MFA and password managers are often perceived as barriers to convenience. People prioritize short-term ease over long-term benefits, especially when the consequences of poor security aren’t immediately visible.
Example: An employee might reuse passwords across accounts because it’s easier to remember, thinking, "It’s faster than setting up MFA or managing a password vault."
Fear of Complexity
Some perceive cybersecurity tools as overly technical or difficult to use, leading to avoidance. This fear is more common among less tech-savvy users.
Example: Someone might avoid using a password manager because they’re afraid they’ll forget how to access it, leaving them locked out of their accounts.
Learned Helplessness
When individuals experience a data breach despite following basic security practices, they may develop a sense of helplessness, believing their actions have little impact on preventing future breaches.
Example: "Even with strong passwords, my data was stolen. Why bother with MFA or a password manager?"
Trust in Organizational Safeguards
Employees may over-rely on their organization’s security measures, assuming that firewalls, monitoring systems, and IT policies provide sufficient protection.
Example: "Our company already has robust security systems; I don’t need to do anything extra."
Lack of Immediate Feedback
Unlike the consequences of physical theft, the consequences of cybersecurity lapses are often delayed or invisible. Without immediate feedback, the urgency to adopt preventive measures diminishes.
Example: "I’ve reused passwords for years and never had a problem, so why change now?"
Security Fatigue
Constant reminders, rules, and warnings about cybersecurity can overwhelm employees, leading to disengagement or apathy.
Example: "I’m tired of all these security measures. I just want to do my job without extra steps."
Social Influence
Social norms often shape human behavior. If colleagues or leaders don’t use MFA or password managers, employees are less likely to adopt these tools, even when they know the benefits.
Example: "No one in my team uses a password manager, so why should I?"
The Impact of Password Breaches and Ransomware in 2024
In 2024, the cybersecurity landscape witnessed significant incidents highlighting the critical importance of robust password security:
- Synnovis Ransomware Attack: Synnovis, a laboratory services provider for the NHS, suffered a ransomware attack costing £32.7 million, far exceeding its £4.3 million profit in 2023. The attack led to the leak of 400GB of stolen data, severely impacting hospitals and medical practices in London. Thousands of operations and appointments were canceled or delayed, marking one of the most significant recent patient data breaches in the NHS (Source: Financial Times).
- Change Healthcare Data Breach: In March 2024, Change Healthcare, a UnitedHealth Group subsidiary, experienced a ransomware attack disrupting critical healthcare services nationwide. The breach affected over 100 million individuals, making it one of the most impactful cyber-attacks in U.S. healthcare history (Source: NordLayer).
- RockYou2024 Password Leak: Hackers compiled a vast database named RockYou2024, containing nearly 10 billion leaked passwords. This leak significantly increased the risk of credential stuffing attacks, where cybercriminals use stolen passwords to gain unauthorized access to users' other accounts (Source: The Irish Sun).
How Keepnet Helps Embed Password Security Behavior
Keepnet Human Risk Management offers innovative solutions to help organizations transform employee behavior and embed secure password practices. By leveraging an AI-powered platform, Keepnet delivers:
- AI Phishing Simulations: Keepnet simulates phishing attacks through multiple channels, including SMS phishing, email phishing, MFA phishing, QR code phishing, and voice phishing, to help employees recognize and report threats in real time.
- Adaptive Security Awareness Programs: Keepnet’s programs are tailored to individual learning needs, using behavioral science and nudge theory to encourage secure actions without overwhelming users.
- Comprehensive Training Modules: Employees receive targeted training on password security, MFA adoption, and password manager use, designed to create long-term habits.
- Real-Time Feedback: Immediate feedback during simulations helps employees understand the impact of their actions and learn how to avoid future mistakes.
- Security Behavior and Culture Metrics: Keepnet provides organizations with detailed analytics on employee behavior, highlighting areas for improvement and tracking progress over time.
These features enable organizations to proactively address the human element of cybersecurity and foster a culture of secure behavior.
Conclusion
Understanding the psychological barriers to adopting secure practices like MFA and password managers is critical to closing the knowledge-action gap. By addressing these barriers with targeted strategies, organizations can foster a security culture that aligns behavior with awareness.