Understanding the Human Side of Security Failures
Most companies spend heavily on cybersecurity tools, policies, and enforcement systems — yet employees still regularly bypass these safeguards. Gartner’s research highlights a disturbing trend: 69% of employees knowingly ignore cybersecurity policies, and 93% admit to deliberately acting insecurely when it suits them. The issue isn’t always a lack of awareness or training. More often, it’s rooted in motivation, trust, and the broader emotional contract employees feel they have with their organization.
This article explores a groundbreaking study from the University of Warwick that introduces a critical psychological factor in security non-compliance: Psychological Contract Breach (PCB). This refers to the perceived failure of an organization to uphold its promises or implicit agreements with employees. When this trust is broken — for instance, when flexible working hours or other expected perks are withdrawn — employees may feel less inclined to comply with company rules, including security policies.
The researchers delved deep into the influence of PCB on employees’ Intention to Comply with Information Security Policies (ICI). They found that PCB directly weakens intrinsic motivation (such as fairness and personal attitude), although it has no impact on extrinsic deterrents like punishments or sanctions. In essence, employees who feel betrayed are less responsive to both coaching and rules. They’re also more susceptible to social engineering attacks, making them a potential weak link in the security chain.
To counter this, the study recommends several strategies. These include improving communication and trust, promoting perceived organizational support, adopting persuasive rather than authoritarian leadership, addressing fairness concerns, and actively investing in cultivating a positive security culture. The article emphasizes that the most effective cybersecurity systems are holistic — blending policy, tools, and most importantly, human motivation.
In today’s evolving threat landscape, organizations must recognize that fostering a robust security culture is more than just policy enforcement. It’s about aligning employee expectations, treating them fairly, and embedding cybersecurity into the company’s DNA. When employees believe they’re valued and supported, they’re more likely to value and support the security posture of their workplace.
What Undercode Says:
The Psychological Contract: The Hidden Force Behind Security Compliance
Cybersecurity is often portrayed as a battle of technology versus hackers. But this article reveals a more complex, human-centric truth: the weakest point in cybersecurity is not software — it’s sentiment. The University of Warwick’s findings illustrate a powerful but often invisible force shaping employee behavior: Psychological Contract Breach (PCB).
When organizations don’t deliver on both their written promises and implied expectations, they unknowingly erode the emotional glue that binds employee loyalty. Unlike formal contracts, psychological contracts are subjective — rooted in beliefs about fairness, respect, and mutual obligation. The moment employees feel shortchanged (missing out on flexibility, recognition, or workplace support), their motivation to uphold corporate policies — including information security — plummets.
This shift from cooperation to quiet rebellion can have devastating effects. Employees with high PCB are resistant to training, immune to typical punishments, and increasingly vulnerable to manipulation through social engineering. They may not intentionally sabotage security, but their disengagement makes them an easy target — a silent liability.
Yet, the solution isn’t to tighten rules or increase surveillance. In fact, doing so may aggravate the perception of mistrust. Instead, organizations must reframe cybersecurity as a shared responsibility, rooted in cultural values, not control. That means moving away from fear-based tactics and toward persuasive leadership that inspires intrinsic motivation.
Security policies must be viewed as fair, necessary, and aligned with employees’ roles. Leaders must promote open communication, regularly check in on employee expectations, and empower staff through transparency. Culture plays a pivotal role — when cybersecurity becomes part of daily habits and collective mindset, compliance follows naturally.
This approach also redefines how companies measure security success. Instead of just tracking policy violations or phishing test failures, businesses should monitor employee sentiment, trust levels, and perceived fairness. These are stronger predictors of long-term resilience than any software update or firewall upgrade.
The article also spotlights an urgent need for investment in cultural transformation. This isn’t about posters in the breakroom; it’s about embedding security into every level of organizational behavior — from leadership styles to reward systems. Firms that succeed in this will enjoy higher compliance, stronger defenses, and a workforce that actively defends the organization, even when no one is watching.
In a digital era where human risk is the new attack surface, prioritizing people over protocols could be the single most important cybersecurity strategy of all.
🔍 Fact Checker Results:
✅ 69% of employees intentionally bypass cybersecurity rules – Verified by Gartner
✅ Psychological Contract Breach lowers security compliance – Confirmed by University of Warwick research
✅ Cultural transformation improves compliance – Supported by multiple organizational behavior studies
📊 Prediction:
As more organizations shift toward hybrid work models and digital-first operations, employee disengagement will emerge as the next major cybersecurity threat. By 2027, companies that invest in emotional engagement and security culture will see 40% fewer internal security incidents than those that rely solely on technical solutions. 💼🛡️
References:
Reported By: www.itsecurityguru.org