CMR INSIGHTS

 

Harnessing Synergies: Driving Information Security Risk Resilience Through Employee Wellbeing

by Fabian Muhly and Emanuele Chizzoni


Leaders who support employee wellbeing enhance information security and drive more efficient budget use.

Have you ever felt overwhelmed by your daily responsibilities and the amount of work in your profession? No? That’s good for you. According to a study by McKinsey (2023), the majority of people, around 60%, will face or already have faced mental and wellbeing challenges during their life. Even if you are fortunate enough to be part of the resilient minority who will never be affected by mental health or wellbeing issues, it is highly likely that some of your employees will have to deal with such challenges.



Why is that important for you as a leader? Your employees are the backbone of your organization. Thus, health issues in your workforce – physical or mental – have a direct impact on productivity and eventually on your organization’s economic success. According to the National Safety Council (n.d.), productivity loss due to health issues amounts to $136 billion for employers yearly. But there is more to the equation. Research shows that mental health issues and wellbeing challenges have a negative impact on employees’ information security behavior (McCormac et al., 2018). Work overload not only leads to higher burnout rates but also leads to lower information security policy (ISP) compliance rates due to mental fatigue and lower organizational identification (Kim et al., 2024). This holds true for the general workforce but specifically applies to information security professionals. Burnout rates and wellbeing challenges among security professionals are rising. A report by ISSA (2024) states that 55% of cybersecurity professionals regularly experience stress at work, with 28% of Chief Information Security Officers (CISOs) saying they are likely to leave their jobs due to high burnout rates. This is worrying in light of the ever-evolving cyber threat landscape. Cybercrime is on a constant and steady rise, with data breaches – where hackers steal personal information – continuing to grow year after year. These incidents have led to declines in stock valuations, with average market losses reaching the $5 billion mark (Huang et al., 2023).

The contribution of human error to these numbers is significant. Verizon’s (2024) annual report estimates that around 74% of data breaches can be attributed to some kind of human failure. This can be misconfiguration of systems, intentional or unintentional losses of direct information or information storage devices, as well as the manipulation of behavior that results in the disclosure of critical information. Viewed in a more positive light, the human factor can also be the savior. This holds especially true when wellbeing and stress are added to the equation. According to Tessian (2022), 50% of workers are more likely to make mistakes when they are stressed, 51% when they are tired and 34% when they feel burned out. It feels natural to conclude that initiatives fostering employee wellbeing are a promising additional resource to strengthen a holistic information security strategy. Such initiatives will not only make employees more productive and cyber risk resilient but could also leverage synergies with a positive impact on cost allocation. Once it is recognized that occupational health management and information security share common goals, budgets can be used more efficiently.

In a recent qualitative study, the authors interviewed CISOs from the Swiss financial industry. The results highlighted a biunivocal relationship between stress and job satisfaction, affecting the overall on-the-job performance of the workforce. Participants specifically stated that job satisfaction and stress are underrated as drivers of information security behavior at the workplace. Indeed, social exchange theory states that individuals are more likely to engage in beneficial organizational action if they are satisfied and if they perceive their employment relationship as a positive exchange. Employees satisfied with their job and resilient towards stress tend to be more likely to comply with information security policies (van Dyne and Ang, 1998). Thus, resilient human capital brings great advantages to the company and keeps information protected.

We apply the PERMA+4 Model (Donaldson et al., 2022) as a framework for work-related wellbeing. We have supplemented it with the results of our recent research in order to provide recommendations on how you can foster a more cyber-risk-resilient workplace, promote wellbeing, and use budgets more efficiently when synergies are harnessed.

The vast majority of adults spend a significant proportion of their daily life at work. Undoubtedly, the emergence and rapid development of AI will have a disruptive impact on many industries in the coming years. However, as long as human capital is integral to organizational processes, labor productivity will directly drive organizational output and success. Positive organizational psychologists have long recognized that human wellbeing is a tremendous source of labor productivity and organizational success. Seligman (2011) proposed a framework for wellbeing that consists of five measurable elements. He stated that wellbeing can be developed through pursuing positive emotions, engagement, relationships, meaning and accomplishment. Recent research that follows the epistemological approach of Seligman has added four other dimensions that specifically drive work-related wellbeing and work performance. Donaldson et al. (2022) integrated measures of physical health, mindset, work environment and economic security into the framework, which has come to be known as the PERMA+4 framework of work-related wellbeing and performance. The insights of our recent qualitative research in the Swiss financial industry support the PERMA+4 framework and its implications among security professionals as well.

That said, we present the framework and its components in more detail to be used as a tool to implement a positive culture that fosters the wellbeing of employees and by doing so implicitly strengthens the human firewall of information security.

How you should care about your employees

Positive Emotion

Employees are more productive at work and can identify with their organization better, once they experience emotions like joy, hope, gratitude or satisfaction. For instance, Salesforce (2020) introduced the “Ohana” culture to foster the sense of belonging among their workforces. Regular “thank you” messages and gratitude walls in the offices were introduced. Conversely, interviews with CISOs reveal that leadership transitions are disruptive, often resulting in substantial changes to workplace dynamics when a manager is replaced. This is a particularly salient factor given that employees often react skeptically to such transitions due to concerns that established workflows may be subject to significant alterations. Therefore, transitions in leadership roles should be approached with meticulous consideration to mitigate potential negative effects. 

Leaders who create positive emotion by celebrating the small wins and personal achievements of their teams and employees can bring more wellbeing to their organization. Transitions in leadership should not be seen in isolation from other workplace and team dynamics but rather be carefully executed by leaders.

Leader’s food for thought

When was the last time you intentionally created a moment of joy or positivity at work?

Engagement

Being absorbed by work can be positive. In contrast to work overload, positive outcomes are achieved when employees are interested in their work and feel energized by it. The 20% time policy at Google (Clark, 2021) allows employees to allocate 20% of their time to passion projects, which boosts engagement through the alignment of tasks to intrinsic interests. Leaders that know the strengths and interests of their employees can better align roles and tasks with the human capital in their organization. This is supported by the insights the authors derived during their research. Interviewees stated that often they experienced that leaders were promoted based on their technical skills rather than their leadership abilities. This resulted in reduced engagement and frustration among colleagues, which had an overall negative impact on organizational identification. Furthermore, the research highlighted the pressing need to equip the leaders with the appropriate emotional intelligence needed to effectively lead their teams.

Leader’s food for thought

Do you help people match their strengths with their activities?

Relationships

In technical terms, an organization is the concentration of people fulfilling their tasks in their function. When people do not get along with each other in an organization, this can have negative impacts on the company’s output. It is therefore very important that employees have trusting and positive relationships at work. At Patagonia (Rodriguez, 2020), managers are trained in relational leadership skills while prioritizing psychological safety over hierarchy. By admitting one’s own mistakes openly or encouraging cross-functional collaboration, leaders stimulate positive relations among their workforces. During the authors’ interviews with CISOs, effective communication was highlighted as a pivotal leadership skill for the quality of relationships within and among teams.

Leader’s food for thought

Do you encourage collaboration and support networks across teams?

Meaning

For true wellbeing and productivity at work, employees require a common understanding of the organization’s mission. Purposeful, driven behavior at work can only flourish when employees’ tasks have true meaning. Finding purpose and greater good at work is key. Unilever’s (n.d.) “Brands with purpose strategy” links sustainability goals to corporate purpose. In this way, employees can connect personal purpose to organizational purpose. Unfortunately, organizational processes sometimes hinder employees from recognizing their purpose. Results of the authors’ research highlight that employees often dislike their job due to a lack of meaning, as the tasks they had been assigned did not correspond to the job function they initially applied for.

Leader’s food for thought

When did you last communicate how your employees’ work makes a difference?

Accomplishment

One of the authors once heard the Head of Learning & Development of a former employer telling him: “You do not need that continuing education for your job function!” Giving employees opportunities to celebrate personal progress and skill development will have lasting effects on their performance at work. Continuous feedback and goal celebration as performed at Adobe (2019) are good initiatives to foster stronger feelings of accomplishment. Leaders do well to coach individuals on personal mastery and a learning mindset for better workplace wellbeing and productivity.

Leader’s food for thought

Are you creating enough opportunities for individuals to experience mastery and progress?

Health

Even machines require maintenance and care for lasting productivity. For us humans, physical and mental health is indispensable for long-term productivity – for office and non-office workers alike. It therefore goes without saying that organizational initiatives that promote health are beneficial for workplace productivity. At Deloitte Australia (n.d.), sleep education or fitness reimbursement promote health among workers. In the very same sense, leaders should lead by example and promote healthy behaviors, nutrition or wellness initiatives. The effects such actions will have on the individual but also on the organizational level are not to be underestimated. Employees who exercise regularly are observed to demonstrate half as much presenteeism behavior – showing up at work without actually working – as employees who do not exercise (Aldana, 2025).

Leader’s food for thought

Are you encouraging or undermining healthy lifestyle behaviors among your team?

Mindset

People who strive for their goals with optimism and perseverance can make an organization more productive and successful. Attracting and retaining such workplace behavior is highly beneficial for an organization. Satya Nadella (Mann, 2024) once transformed Microsoft’s culture from “know it all” to “learn it all”, thus shifting from a utopian ideal to implementing a growth mindset culture. When leaders share personal growth stories or recognize the efforts of their employees, not just outcomes, they become more empathetic and serve as role models.

Leader’s food for thought

Do you share your own vulnerabilities and growth stories to inspire resilience?

Environment

Despite a change in workplace mentality since the outbreak of the pandemic, with higher rates of workers now working from home, the vast majority of working hours are still performed at the organization’s site. The quality of the physical and psychological work environment impacts workers’ performance. Workplace settings with enough daylight, plants and limited noise will all have positive impacts on workers’ wellbeing. This is how Airbnb (Office Snapshots, n.d.) thought about its workspace. With their “Belong anywhere” philosophy, they let teams build workspaces with high environmental control to create psychologically safe and inspiring places. Leaders do well to involve employees in workspace decisions, address toxic behaviors immediately and monitor the workload and stress levels of employees systematically.

Leader’s food for thought

Have you acted swiftly to address toxic behaviors or practices?

Economic Security

Ultimately, it all comes down to numbers. Well, let’s say hard facts also count towards workplace wellbeing. Employees who feel they are being treated unfairly in terms of their remuneration, who fear losing their job, or who see comparable jobs at other organizations with better benefits will tend to decrease their productivity, either implicitly or explicitly. Costco, for example, pays above-market wages and offers benefits to part-time workers. Eventually, this leads to higher retention rates and psychological safety for employees. Leaders who advocate transparent salary structures, support financial wellbeing programs and communicate organizational changes affecting jobs openly will have a lasting positive effect on employees’ organizational identification.

Leader’s food for thought

How do you contribute to creating a culture of fairness and security?

Organizations all over the globe have one thing in common. Their existence and success in providing services or products to society is based on their employees’ productivity. Occupational health management will gain traction in the coming years when more and more organizations acknowledge its worth for employee wellbeing and productivity. But there is more to it, as this article has highlighted. Caring about employee wellbeing has positive side effects that should not be underestimated. The authors’ research confirms previous studies that wellbeing at work affects an organization’s information security. You, as a leader that supports the wellbeing of your workers, will implicitly foster information security behavior in your organization. Energized, engaged and motivated employees that display a high degree of organizational identification are more capable of recognizing and fending off information security risks. Additionally, when you recognize the alignment between occupational health management and information security, it allows for more strategic allocation of resources, leading to positive effects on overall cost-efficiency.

References

  1. Adobe. (2019). “Adobe Check-In Toolkit.”
  2. Aldana, S. (2025, February 28). “Increasing productivity in the workplace with wellness programs.” WellSteps. Retrieved May 8, 2025.
  3. Clark, D. (2021, December 16). “Google’s ‘20 percent rule’ shows exactly how much time you should spend learning new skills.” CNBC.
  4. Deloitte Australia. (n.d.). “Wellbeing at Deloitte.”
  5. Donaldson, S. I., van Zyl, L. E., & Donaldson, S. I. (2022). “PERMA+4: A framework for work-related wellbeing, performance and positive organizational psychology 2.0.” Frontiers in Psychology, 12, 817244.
  6. Mann, J. (2024, July 31). “How Satya Nadella created a ‘learn-it-all’ culture at Microsoft to help it become a $3 trillion powerhouse.” Business Insider.
  7. Huang, K., Wang, X., Wei, W., & Madnick, S. (2023). “The devastating business impact of cyber breach.”
  8. Hyken, S. (2025, February 23). “What Costco knows that most others don’t.” Forbes.
  9. ISSA, Information Systems Security Association. (2024, November 21). “New research from TechTarget’s Enterprise Strategy Group and the ISSA reveals a crisis in leadership as the cybersecurity profession grows increasingly difficult.” ISSA International.
  10. Kim, B. J., Kim, M. J., & Lee, J. (2024). “Examining the impact of work overload on cybersecurity behavior: Highlighting self-efficacy in the realm of artificial intelligence.” Current Psychology, 43(19), 17146-17162.
  11. McCormac, A., Calic, D., Parsons, K., Butavicius, M., Pattinson, M., & Lillie, M. (2018). “The effect of resilience and job stress on information security awareness.” Information & Computer Security, 26(3), 277-289.
  12. National Safety Council. (n.d.). “Cost of fatigue at work.” National Safety Council. Retrieved May 8, 2025.
  13. Office Snapshots. (n.d.). “Airbnb Offices.”
  14. Rodriguez, G. (2020). “Patagonia Culture Design Canvas.” Fearless Culture.
  15. Salesforce. (2020, May 14). “Salesforce and Hawai’i: Aloha, Ohana, and Equality.” Salesforce Blog.
  16. Seligman, M. E. (2011). Flourish: A visionary new understanding of happiness and well-being. Simon and Schuster.
  17. Tessian. (2022). “The Psychology of Human Error: Understand the Mistakes that Compromise Your Company’s Cybersecurity.” Tessian.
  18. Unilever. (n.d.). “Employee health and wellbeing.”
  19. van Dyne, L., & Ang, S. (1998). “Organizational Citizenship Behavior of Contingent Workers in Singapore.” Academy of Management Journal, 41(6), 692–703.
  20. Verizon. (2024). “2024 Data Breach Investigations Report.” Verizon Business.


Fabian Muhly
Fabian Muhly is Partner at Leo & Muhly Cyber Advisory and founder of DRMUHLY, an initiative promoting cyber risk resilience through wellbeing. Holding a PhD in criminology, his consulting and research expertise comprise behavioral and psychological aspects of information security and human factor resilience.

Emanuele Chizzoni
Emanuele Chizzoni is a Junior Researcher at Leo & Muhly Cyber Advisory and is currently completing an M.A. in Security, Intelligence, and Strategic Studies at the University of Glasgow. His research focuses on cyberwarfare, critical infrastructure protection and the human dimensions of cybersecurity.

California Management Review

Berkeley-Haas's Premier Management Journal for Academics and Professionals

Published at Berkeley Haas for more than sixty years, California Management Review seeks to share knowledge that challenges convention and shows a better way of doing business.
