Employee Cybercrime and Deviance: A Loss Prevention Psychology Perspective

An increasingly digital workplace provides opportunities for innovation and growth, but it also creates significant threats to businesses, including devastating types of employee‑driven cybercrime and deviance. Cybersecurity Ventures broadly estimates that overall global cybercrime costs will grow by 15 percent per year over the next five years, reaching $10.5 trillion annually by 2025. This estimate of damages is based on all sources of cyberthreats (e.g., cybercriminals, nation-state-sponsored threats, organized crime, insider threats, etc.). However, the purpose of this column is to focus more narrowly on employee threats and the types of workplace crimes and counterproductive acts they can commit or inadvertently assist through their negligence. Therefore, the tenets of loss prevention psychology (LPP) should prove useful to better understand, prevent, and remediate a greater percentage of insider cyberthreats.

Cybercrime: The Digital Pandemic

Employee-driven cybercrime can be devastating to a company’s bottom line, brand reputation, and overall survival. A singular instance of cybercrime can potentially cripple an organization, leading to significant financial losses, damage to the company’s reputation, and long-term impacts on consumer trust. Given these high stakes, LPP applies an integrative, multi‑faceted approach to mitigating cybercrime risks. It emphasizes the importance of technical measures (secure systems and encryption), human measures (employee education about cyber risks and safe practices), and organizational measures (risk-focused pre-employment screening, robust HR and IT policies and procedures, and an ethical culture that deters criminal behavior). Common types of employee cybercrime include the following:

• Data Theft: Unauthorized access and extraction of the company’s sensitive or proprietary data.
• Hacking Company Systems: Unauthorized intrusion into the company’s computer systems or networks with malicious intent.
• Insider Trading: Using confidential company information for personal financial gain.
• IT Sabotage: Deliberate actions to damage, disrupt, or slow down the company’s IT systems.
• Phishing Attacks Against Colleagues or Company Partners: Deceptive attempts to gain sensitive information by posing as a trusted entity within company communication channels.
• Installing Ransomware: Installing malicious software designed to block access to the company’s computer system until a sum of money is paid.
• Software Piracy: Unauthorized copying, distribution, or use of copyrighted software using company resources.
• Cyber Espionage: Illicitly accessing confidential information held within the company for personal gain or to benefit another organization.
• Identity Theft: Stealing and using a colleague’s or customer’s personal data for personal gain.
• Cryptojacking: Using the company’s IT resources to mine cryptocurrency without authorization.

Employee Deviance in Cyberspace

Employee deviance is less devastating than cybercrime, but the cumulative effect of lower-grade cyber misconduct can still adversely impact the financial and operational success of an organization. Employee deviance in cyberspace encompasses behaviors that violate company rules, norms, or expectations, usually resulting in harm to the organization or its members.

Examples of cyber deviance include excessive personal use of the internet during work hours, spreading rumors or sharing inappropriate content (e.g., online pornography), unauthorized access to confidential information, and the misuse of company systems or data. Though they may appear benign or trivial on the surface, these counterproductive employee behaviors can cumulatively lead to significant financial loss and deterioration of organizational culture, especially if the acts inadvertently support cybercriminals. Some common forms of employee cyber deviance include the following:

1. Unauthorized Access: Using company resources to gain access to data or systems without permission.
2. Misuse of Information: Using sensitive company information for personal gain.
3. Inappropriate Use of Company IT Resources: Using company networks or equipment for personal activities or gain.
4. Inappropriate or Offensive Online Communication: Sending inappropriate, offensive, or harassing messages via company networks or devices.
5. Cyberloafing: Spending excessive amounts of work time on non-work-related internet activities.
6. Workplace Cyberbullying: Using digital communication tools to harass or bully coworkers.
7. Identity Deception: Misrepresenting oneself online, often to gain unauthorized access or information.
8. Data Hoarding: Accumulating and storing sensitive company data for non- legitimate work reasons.
9. Digital Piracy: Unauthorized copying or distribution of copyrighted digital content using company resources.
10. Creating or Spreading Malware: Developing or disseminating malicious software via company networks or devices.

Moving Toward a Secure Cyberspace: The LPP Approach

Underpinning the LPP approach to addressing cyberthreats is the recognition of the central role played by human behavior and the psychological mindsets that drive such behavior. For instance, LPP focuses on proactive measures like using validated risk and talent management assessments to identify potential insider cyberthreats during the recruitment and hiring phase. These job-relevant measures help to ensure that conscientious employees with high integrity, trustworthiness, and emotional intelligence, who are less likely to engage in deviant or criminal behavior, are brought into the organization. Current employees can also be routinely surveyed for the status of their job-relevant attitudes and perceptions. Illustrative examples of the types of current employee mindsets that can lead to cybercrime and deviance can be summarized as:

• Anonymity: Employees might think their online actions are untraceable or anonymous, which can lead to increased risk‑taking or irresponsible behavior. This illusion of invisibility might allow employees to act in ways they normally would not act if their identity was known.
• Entitlement: Employees who feel they are underpaid or not appreciated might believe they are justified in misusing company resources. This could include everything from misusing company time for personal tasks (i.e., cyberloafing) to outright theft of data or IT resources.
• Revenge: Employees who feel wronged by their employer may turn to cybercrime or deviance as a form of retaliation. This could manifest in various ways, including data theft, sabotage, or spreading malware.
• Thrill-Seeking: Some employees might engage in cybercrime or deviance for the thrill of it, viewing it as a challenge or a game. This could lead to high- risk activities like unauthorized access or hacking.

Moreover, LPP underscores the necessity of regular, comprehensive training and development programs. These programs educate employees about potential cyberthreats, the impact and consequences of employee crime and deviance, and the importance of adhering to cyberhygiene principles (i.e., the specific steps that users of computers and related information technology can take to improve their online security and maintain system health).

However, training programs are also needed to teach employees about evidence-based stress management coping skills and how to access an employee assistance and counseling program if they are experiencing any mental health concerns. By focusing on mental health and wellness in general, and cybersecurity in particular, employees are better enabled to contribute to a secure digital work environment.

Finally, LPP accentuates the importance of a positive organizational culture in mitigating cyberthreats. An organization that values integrity, respects privacy, and fosters an atmosphere of trust and openness reduces the likelihood of cybercrimes, and discourages deviant workplace behavior. Illustrative examples of dysfunctional corporate cultures that must be avoided at all costs are summarized as:

• Lack of Cybersecurity Culture: A company that does not prioritize cybersecurity can inadvertently encourage criminal and deviant behaviors. Without proper policies, training, and awareness programs, employees might not realize the severity or potential consequences of their actions.
• Unethical Culture: Companies that foster a culture of ethical laxity, where bending or breaking rules is accepted or even encouraged, may see higher rates of employee cybercrime and deviance. This could range from minor acts of misuse of company time to more serious offenses.
• Poor Communication: If communication within the company is poor, employees might not understand the importance of following cybersecurity protocols, or they may not feel comfortable reporting suspicious behavior. A culture that encourages open communication can help mitigate these risks.
• Extended High Stress Environment: Companies that create and extend high stress work environments may drive employees to act in ways they otherwise would not. Constant stress can lead to poor decision-making and may make employees more susceptible to engaging in cybercrime.

In summary, the LPP approach offers a comprehensive framework to tackle employee rendered cybercrime head‑on, emphasizing prevention, education, and an organizational culture that encourages positive employee behavior in the cyber realm. LPP can bolster traditional loss prevention solutions to strengthen all efforts aimed at preventing employee cybercrime and deviance.