What is the most significant threat to workplace cyber security? It may just be the complacency of the person in the cubicle next to you.
Five years after first presenting his concept at the 2016 Dewald Roode Workshop on Behavioral Information Security, Dr. Tom Stafford has published his grounded theory development of a mid-range Theory of Cybersecurity Complacency.
His article, “Platform-Dependent Computer Security Complacency: The Unrecognized Insider Threat,” was published in IEEE Transactions on Engineering Management (IEEE-TEM), an elite academic journal of the Technology and Engineering Management Society of the Institute of Electrical and Electronics Engineers.
According to Stafford, cyber security research has traditionally presumed a criminal justice model of non-secure behaviors in the workplace: the assumption that most security breaches arise from the actions of bad actors in the firm.
“I have long felt that assuming the worst is not the best way forward,” said Stafford, who is a professor and John Ed Barnes Endowed Eminent Scholar in Data Analytics in Louisiana Tech University’s College of Business.
“While there are certainly criminally minded transgressors to be guarded against, I think that a good many security issues arise from well-meaning but uninformed or unaware actors who either don’t know that what they are doing is harmful to security, or are simply apathetic on the notion.”
Stafford evolved a theory of Cybersecurity Complacency to describe the actions and views of well-meaning but bumbling workers who unintentionally violate security.
“It is important to realize that even the best employees can cause security breaches through inattention, apathy or unawareness,” Stafford said. “Security managers can better act to support pro-security behaviors if they do not automatically assume the security problems arise only from the bad actors in the firm.”
Stafford is a leader in the field of information systems research. He is the Editor-in-Chief of The DATA BASE for Advances in Information Systems, the longest continuously-published MIS journal, and has previously edited 13 special issues of notable journals including Communications of the ACM, IEEE Transactions and MIS Quarterly. He has also served as Editor-in-Chief of Decision Sciences.
He co-chaired the 2018 Americas Conference for Information Systems and chaired the 2019 Dewald Roode Workshop on Information Systems Security Research. He has been selected to serve as the chair for the 2025 International Conference for Information Systems, one of the most notable yearly research meetings in the field of business technology.