An Empirical Investigation of The Unintended Consequences of Vulnerability Assessments Leading to Betrayal

Abstract

When cybersecurity units conduct vulnerability assessments to evaluate the security of organizations, they can have unintended consequences for employees. Although cybersecurity personnel may view tactics such as fake phishing attacks and email scanning as protective measures, employees may view them as threats because being singled out as a security risk can harm their standing in the organization. To understand the implications of vulnerability assessments, we examine how organizations’ use of different tactics to identify user vulnerabilities can lead employees to feel betrayed by the cybersecurity unit, resulting in negative cybersecurity outcomes. Drawing on the theory of betrayal aversion, we develop a model that shows that when employees perceive these tactics as harmful, they can lead to an affective state of cybersecurity betrayal, resulting in a damaged relationship with the cybersecurity unit. In collaboration with an organization’s cybersecurity unit, we evaluated our model using an experimental vignette survey, post hoc interviews, and a crosssectional survey with two samples (i.e., employees in the organization and employees from a panel). We found that when organizations conduct vulnerability assessments to enhance cybersecurity, they often induce an affective state of betrayal and increase employees’ active resistance to cybersecurity (i.e., abandonment, avoidance, and sabotage of cybersecurity policies, technologies, and units). The paper concludes with implications for research and practice that explain the unintended consequences of vulnerability assessment and betrayal.