A team of researchers, in a first-of-its-kind study, tested brain activity to better understand employees who pose a risk to cybersecurity.

The old adage that a chain is only as strong as its weakest link certainly applies to the risk organizations face in defending against cybersecurity threats; Employees pose a danger that can be just as damaging as a hacker.

Iowa State University researchers are working to better understand these internal threats by getting inside the minds of employees who put their company at risk. To do that, they measured brain activity to identify what might motivate an employee to violate company policy and sell or trade sensitive information. The study found that self-control is a significant factor.

Researchers defined a security violation as any unauthorized access to confidential data, which could include copying, transferring or selling that information to a third party for personal gains.

In the study, published in the Journal of Management Information Systems, Qing Hu, Union Pacific Professor in Information Systems, and his colleagues found that people with low self-control spent less time considering the consequences of major security violations.

"What we can tell from this current study is that there are differences. The low self-control people and the high self-control people have different brain reactions when they are looking at security scenarios," Hu said.

"If employees have low self-control to start with, they might be more tempted to commit a security violation, if the situation presents itself."

The study, a first of its kind, used EEG to measure brain activity and examines how people would react in a series of security scenarios.

Researchers found people with high self-control took longer to contemplate high-risk situations. Instead of seeing opportunity, or instant reward, it's possible they thought about how their actions might damage their career or lead to possible criminal charges, Hu said.

For the study, researchers surveyed 350 undergraduate students to identify those with high and low self-control. A total of 40 students -- from both the high and low ends of the spectrum -- were then asked to do further testing in the Neuroscience Research Lab at ISU's College of Business. They were given a series of security scenarios, ranging from minor to major violations, and had to decide how to respond while researchers measured their brain activity. Robert West, a professor of psychology, analyzed the results.

"When people are deliberating these decisions, we see activity in the prefrontal cortex that is related to risky decision making, working memory and evaluation of reward versus punishment," West said.

"People with low self-control were faster to make decisions for the major violation scenarios. It really seems like they were not thinking about it as much."

The findings reflect characteristics of self-control in criminology, in which individuals with low self-control act impulsively and make riskier decisions. However, with traditional research methods and techniques, researchers could not determine if the low self-control group was more likely to act based on immediate gain, without considering the long-term loss, as compared to the high self-control group.

It's possible that social desirability bias, or the tendency to act in way that is viewed as desirable, masked the true intentions of participants. With neuroscience methods and techniques, the results are more reliable and provide a better understanding of human decision making in various circumstances, researchers said.