Why Do Employees Share Sensitive Data Despite Knowing the Risks? Understanding the Psychology Behind It
Despite 90% of employees receiving security training, cognitive biases and workplace norms cause risky data-sharing behaviors to persist. This exposure increases the risk of data breaches and compliance failures. Keepnet’s AI-driven security solutions bridge this gap, reinforcing secure behaviors and fostering a risk-aware security culture.
2025-01-31
Organizations and individuals are increasingly aware of the risks associated with sharing sensitive data. Despite this awareness, data breaches continue to occur at an alarming rate. In 2024 alone, the global average cost of a data breach reached $4.88 million, marking a 10% increase from the previous year and the highest recorded cost to date, according to IBM. This raises a critical question: Why do individuals continue to share sensitive information despite knowing better? The answer lies in psychological factors, cognitive biases, and situational influences.
To learn more about how organizations can foster secure data-sharing practices and minimize human risk, check out our blog on secure human behavior and safe file sharing.
This blog examines why people share sensitive data despite knowing the risks and reveals effective strategies to mitigate these behaviors.
The Paradox of Knowing vs. Doing
While most individuals understand that sharing sensitive data is risky, they often ignore this knowledge in practice. Employees may share sensitive information with colleagues or external parties, knowingly violating company policies. This behavior frequently stems from overconfidence, cognitive overload, and a workplace culture that normalizes such actions.
Example: An employee forwards confidential client details to a colleague via email, assuming it’s harmless or necessary for collaboration, even though policy dictates using a secure file-sharing platform.
1. Trust and Authority Bias
Individuals are more likely to share sensitive data when they trust the requester or perceive them as an authority figure. This trust can be exploited by malicious actors posing as legitimate entities.
Example: A well-executed phishing email impersonating a manager asks employees to "share internal financial reports," leveraging trust and authority to extract sensitive data.
2. Social Engineering and Emotional Manipulation
Attackers often exploit emotions like fear, urgency, or curiosity to manipulate individuals into sharing sensitive information. By creating a sense of urgency, they prompt quick actions without thorough consideration.
Example: An employee receives a fake email from their CEO demanding immediate access to company account credentials for an "emergency." In the rush to respond, they comply without verifying the request.
3. Optimism Bias
Optimism bias leads individuals to believe they are less likely to experience negative events than others. This can result in underestimating the risks associated with sharing sensitive data.
Example: Sharing personal details on social media under the assumption that only friends and family will see them while ignoring potential privacy breaches.
4. Lack of Immediate Consequences
The delayed effects of data breaches make it challenging for individuals to link their actions to future negative outcomes, leading to complacency.
Example: An employee clicks on a malicious link and enters their login credentials but notices no immediate impact, leading them to underestimate the severity of their action.
5. Cognitive Overload
In high-pressure environments, individuals may experience cognitive overload, reducing their ability to assess risks critically. This can lead to sharing sensitive data to quickly resolve issues without considering potential repercussions.
Example: A customer service representative, juggling multiple tasks, responds to a fake inquiry requesting customer account details without verifying its legitimacy.
6. Social Norms and Peer Influence
If sharing sensitive data is perceived as a common practice within a group, individuals are more likely to follow suit, even if it's risky. Workplace cultures that fail to enforce policies exacerbate this issue.
Example: A team of employees frequently uses email to share sensitive customer information, creating a workplace culture where such behavior becomes normalized.
7. Overconfidence in Security Measures
Some individuals believe that existing security systems will protect them, leading to careless sharing of sensitive data under the assumption that safeguards are in place.
Example: Employees sharing passwords over messaging apps, believing encryption ensures their safety.
8. Familiarity and Repetition
Repeated exposure to requests for sensitive data can desensitize individuals to the risks, making them more likely to share information without proper scrutiny.
Example: Regularly filling out online forms requesting sensitive information without questioning the necessity of each field.
Addressing Risky Behaviors with Keepnet Human Risk Management Platform
Keepnet Human Risk Management Platform provides organizations with innovative tools to address the paradox of knowing versus doing. By leveraging behavioral insights and AI-powered solutions, Keepnet helps employees internalize secure data-sharing practices:
- AI Phishing Simulations: Keepnet simulates phishing attacks across multiple channels—including email phishing, SMS phishing, and voice phishing—to help employees recognize and avoid common traps.
- Adaptive Security Awareness Programs: These programs are tailored to individual learning needs and use behavioral science to embed secure practices in daily workflows.
- Security Behavior and Culture Programs: Keepnet’s Security Behavior and Culture Programs focus on fostering a long-term shift in employee attitudes and behaviors toward security. These programs help organizations build a security-conscious workplace culture by integrating behavioral science and continuous engagement strategies.
- Real-Time Feedback: Employees receive immediate feedback during simulated attacks, helping them understand the real-world consequences of risky behavior.
- Policy Reinforcement Tools: Keepnet integrates policy reminders and secure workflows into daily tasks, reducing cognitive overload and habitual risky behavior.
- Detailed Analytics: Keepnet’s platform provides actionable insights into employee behavior, helping organizations identify high-risk areas and measure improvements over time.
Conclusion
Understanding the gap between knowledge and action is crucial for tackling the persistent issue of sensitive data sharing. Despite knowing the risks, individuals often violate policies, driven by trust, overconfidence, or workplace norms. By addressing these psychological drivers and leveraging solutions like those offered by Keepnet, organizations can create a culture where secure behavior becomes second nature. After all, true cybersecurity begins with human behavior.