[MUSIC] Since employees interact with IT systems on a regular basis in their organizational activities, how they use those systems and whether they follow established measures will ultimately determine the overall security posture of an organization. Habit-based research mostly focuses on continuing IT use as an act that is driven by conscious or non-habitual decision making. However, it also draws from fields such as psychology to posit that much of continuing IT use is habitual. The argument is that when IT use is habitual, it ceases to be guided by an individual's intentions. Habitual IT use behavior at times has been defined as repeated behavioral sequences that are automatically triggered by cues in the environment and is considered to be a critical predictor of technology use. Limayem and Cheung in 2008 used a moderation perspective and illustrated that the predictive power of intention weakened with the continued habitual behavior by individuals. Venkatesh, Thong, and Xu in 2012 integrated habit into the unified theory of acceptance and use of technology, otherwise known as UTAUT, to complement the theory's focus on intentionality as the overarching mechanism and key driver of behavior. They modeled habit as having both a direct effect on use and an indirect effect through behavioral intention. Research has also pointed to the role habit plays when warnings are ignored by users and acknowledgment of notifications becomes routine. For example, users click through half of all Secure Sockets Layer, or SSL, warnings in less than two seconds, which is consistent with warning fatigue. Further, with more instances of receipt, employees' brains stop registering the novelty of security notifications due to the routine nature of clicking on similarly presented notifications. The concept of fatigue has also been investigated in clinical settings, thereby corroborating its relevance. Studies have used various proxies for habit.
For example, Kim and Malhotra in 2005 equated past use to habit. So you may wonder, is all this research necessary? Absolutely. The reason is simple. Inadvertent errors due to habitual behavior result in security breaches. What makes it troubling is that more often than not, it is not immediately ascertained that a security breach has even occurred. In April of 2015, a departing Federal Deposit Insurance Corporation employee was transferring files from an office computer onto a personal storage device and inadvertently copied sensitive customer data from more than 44,000 individuals. The employee left the FDIC in February of 2016, but the agency only realized the data was taken almost a week later. Despite the established risk, CompTIA has found that human errors rank as a serious concern for less than one-third of organizations. Experts say the lack of focus on risk caused by people is because the human factor is the most difficult to solve. Whereas most other security threats can be addressed with investments in security technology, this approach doesn't work for internal human error. Adding security barriers only lowers compliance and increases workarounds. [MUSIC]