Here at BH Consulting we often talk about how all the security in the world could be for nought if your employees themselves are not cyber aware and sufficiently well trained to avoid the generalised and socially engineered threats that come their way.
The solution, we think, is to tackle the lack of security knowledge head on, engaging with staff in such a way that they will wish to buy into a culture of security.
But wouldn’t it be great if there was another way to ensure the security of your business, not by enhancing the nature and skills of your workforce, but by only employing those who are less susceptible to being tricked or otherwise duped into insecure activity in the first place?
Well, according to research from Iowa State University, that may be a possibility.
Three researchers from the educational establishment have hypothesised that less secure personnel can be identified based on their brainwaves.
The Ames Tribune reports how Qing Hu, Union Pacific Professor in information systems, assistant professor of marketing Laura Smarandescu and Robert West, professor in psychology, tested subjects’ brain activity.
What they discovered was that the test subjects with the lowest levels of self-control were those most likely to give away company secrets.
Depending on which publications you read, you are likely aware that anywhere up to a reported 59% of security incidents are attributed to human action, be that accidental, uninformed or malicious in nature.
Hu, who said the actual figures may be much higher due to the age-old problem of businesses under-reporting security incidents, has been studying the subject for more than ten years, searching for a way to predict which employees are likely to pose the largest threat:
“In the past, we’ve used surveys for research like this. But people don’t necessarily tell them their true thinking and ideas, sometimes for social desirability.
“Sometimes people want to show themselves as better than they are. So that causes bias issues in surveying.”
To achieve better results Hu joined forces with the other two researchers and together they studied 350 Iowa State University undergraduates.
Taking the 20 students with the highest levels of self-control, plus the 20 with the lowest, the team then ran a second set of tests which measured their brainwaves. Robert West explains:
“We asked them to think about whether they would violate a company’s assets or security policy.
“We told them to imagine they were an employee asked by a friend to share a client or user list. We set that scenario up and asked them how likely they would do this, and we captured that specific response.”
The research revealed how the students with the highest levels of self-control took longest to respond which, the researchers say, suggests a longer cognitive process as they weighed up the pros and cons of their decision.
Hu noted how the cost of testing may be prohibitive to all but the largest of businesses, but said simple screening processes could be implemented to identify candidates with the lowest levels of self-control and, hence, the largest propensity to engage in insecure practices such as opening phishing emails and passing data on to unauthorised parties.
While I personally don’t think brainwave testing should suddenly become commonplace off the back of one study, it could be a useful metric in the future and one that many businesses may well be interested in should the field develop.
Meanwhile, Hu warned against dismissing the notion of employing people with low self-control altogether, saying:
“Everyone has talents and everyone has weaknesses. Businesses should use the right people with the right talents for the right job.
“People with low self-control should not be put onto positions that would have access to confidential digital assets. But those people could be very productive in other areas of the business, they’re just not suitable for those kinds of conditions.”
What do you think?
Could brainwaves provide key intelligence when interviewing new candidates for your organisation? Is the research relevant? Or is it a load of mumbo jumbo?