Why Do Breaches Happen? Psychological Causes of Personal Data Breaches
- Privacy Protect Group Ltd.
- Apr 6
- 4 min read
Personal data breaches remain one of the most perplexing and impactful threats. Breaches don’t just stem from technical vulnerabilities—they are often a reflection of human psychology at play. So why do breaches happen?

The Psychology Behind Insider Breaches
The Dunning-Kruger Effect[1]
This cognitive bias occurs when individuals with limited knowledge or expertise overestimate their abilities. In the context of data breaches, employees may believe they are more competent in handling sensitive data than they actually are, leading to risky behaviours. For example, misconfigured cloud storage buckets, or emailing a client’s file to the wrong colleague without double-checking the attachment or chosen recipient.
Organisational mitigation to psychological cause: Regular, role-specific training to help employees recognise their limitations and seek guidance as needed.
Potential technical mitigation: Email encryption and implementation of data loss prevention rules when sending files.
Cognitive Dissonance[2]
This psychological phenomenon occurs when individuals experience discomfort from holding conflicting beliefs or behaviours. For instance, employees may justify risky behaviours to align with perceived organisational priorities, such as meeting tight deadlines, or may bypass security protocols by convincing themselves it’s for efficiency.
In practice, this could be using unencrypted devices to store or share information, or using shadow (unauthorised) technology. For example, pressure to meet a deadline may lead staff to use unauthorised, freely available software to expedite a task, inadvertently exposing sensitive data.
Organisational solution to psychological cause: Fostering a culture where security and data protection are seen as integral to productivity, not a hindrance. This would require clear, consistent communication from leadership to reinforce this mindset.
Potential technical mitigation: Mandate encryption for all devices and provide secure alternatives for remote work.
Social Proof[3]
People tend to mimic the behaviours of others, especially in ambiguous situations. If employees see colleagues ignoring security protocols without consequences, they are likely to follow suit.
Peer actions impact individual decision-making, particularly in workplace settings. This could result in negligence and lack of attention to detail, which could in turn lead to employees sharing login credentials believing it is a common and harmless practice, in turn leading to unauthorised access to data.
Organisational solution to psychological cause: Monitor for policy violations and recognise employees who adhere to security best practices to set positive examples.
Potential technical mitigation: Implement strict, role-based access controls which are regularly reviewed and updated to prevent unauthorised access.
Technical and organisational measures combined provide more robust protection than either type of measure alone.
Prevention Is Possible: Addressing the Human Factor
By understanding the psychological causes of insider breaches, organisations can implement targeted strategies to mitigate risks:
Mandatory Training: Tailor sessions to address cognitive biases and reinforce the importance of security protocols. The training must be role based, relevant to the organisation, and regularly refreshed. You should provide details of frameworks and the legal ‘need-to-knows’ but should also provide practical guidance on how to achieve the expected standard. Generic training will not be as effective as it’s not as relatable.
Behavioural Nudges: Use reminders and prompts to encourage secure practices, such as locking screens or using strong passwords. Regular communication with practical “lessons learned”, for example following breaches, or completed Data Protection Impact Assessments (DPIAs) can be effective in driving home key messages.
No-Fault Reporting Systems: Encourage employees to report mistakes without fear of blame, fostering a culture of transparency and improvement. The focus should be on capturing errors early, correcting them, and learning from them to prevent recurrence. Breaches should be reported as soon as possible, by the person who has spotted them (even if they are not involved in the cause of the breach), and shouldn’t need a line manager’s approval to be reported. Remember, everyone has a personal responsibility to handle data appropriately, so the reporting processes in place should make it as easy as possible for staff to meet their obligations.
Leadership Commitment: Ensure that leaders model and prioritise security behaviours, setting the tone for the entire organisation. Leading by example is incredibly effective: leaders asking for assurances around security and data protection practices, measured through, for example, compliance with organisational policies and procedures, is a good start. Regular reporting on such matters will help build a security and data protection conscious culture, in time allowing organisations to build greater trust with their customers.
Conclusion: Closing the Psychological Loopholes
Insider breaches are not just a technical challenge; they are deeply rooted in human psychology. By addressing these psychological factors and learning from real-world examples, organisations can craft effective, people-centric security measures. After all, the key to robust data protection lies in understanding and empowering the very people who handle it.
[1] Dunning, D. (2011). "Chapter Five – The Dunning–Kruger Effect: On Being Ignorant of One's Own Ignorance". Advances in Experimental Social Psychology, 44, 247–296.
[2] Festinger, L. & Carlsmith, J.M. (1959). "Cognitive consequences of forced compliance". Journal of Abnormal and Social Psychology, 58, 203–210.
[3] Aronson, E., Wilson, T.D., & Akert, A.M. (2005). Social Psychology (5th ed.). Upper Saddle River, NJ: Prentice Hall.