Data Protection Policy

We realize that a questionnaire like this comes with great responsibility.

The Human Performance in Cybersecurity survey collects – by its very nature – health-related data. How else would it be possible to assess your level of burnout? How will the test say anything sensible if we don’t ask you how you feel at work or in a private context? This questionnaire would be impossible without gathering your subjective experiences of flourishing or being in a flow state.

You, as a cyber security professional, care about personal information. You know how data should be treated. You know from first-hand experience how organizations often treat data in reality. And you understand the many factors and risks that come into play when safeguarding health information.

Handling health data comes with high levels of technical and regulatory requirements.

We want you to know that we take the security and privacy of your health data very seriously. Health data is not just another type of information—it is a hypersensitive part of your life. Therefore, we want to be as transparent as possible about the principles, systems, and safeguards surrounding this survey.

1. Basis for collecting and handling health-related data

The main focus of this survey is scientific research. The primary driver for creating it is research questions like these: What is the current state of mental health amongst cybersecurity professionals? What factors contribute to stress and burnout amongst cybersecurity professionals? What is the impact of burnout on cybersecurity risk management?

The General Data Protection Regulation (GDPR) recognizes data concerning health as a special category of data (Article 9). The specific purpose of this survey is to collect data around research questions such as the ones stated above. How we use the data within our research may vary during the project, since it is not yet clear how or when personal data may be useful in analyzing the data from this survey.

Thus, as a participant, you consent to a “broad usage” of your data.

We will only use your data to benefit the cyber security domain as a whole. Your information will be stored for a maximum of 10 years from your consent unless you withdraw your consent before this period has elapsed. Your consent is entirely voluntary. If you do not wish to participate or if you wish to withdraw your consent at a later time, you will not suffer reprisal. You can withdraw your consent at any time and without giving any further details by sending an e-mail to the contact information given below.

2. Collection, processing and usage of your data

The information collected in this survey may be relevant to better understanding burnout in the cyber security domain and to finding ways of preventing it. The insights we may gain from your information can contribute to these efforts. Your data will be used solely for research purposes; we will never sell it.

Upon request, your data may be made available to universities, research institutions, or companies conducting research. The shared data will be pseudonymized. This means that personally identifiable information (PII) is replaced with artificial identifiers or pseudonyms. We maintain a link between the original and pseudonymized data, yet we will not share this re-identification information with third parties. The recipient may only use this information for the predetermined research purpose for which they submitted their request, and may not use it or make it available for other purposes.

The results of this survey may be published in scientific journals, other publications or general media. All published results will be entirely anonymized. Anonymization is a more stringent data protection method than pseudonymization: it irreversibly removes or alters all personally identifiable information in our datasets. We take extra care to ensure that it is impossible to re-identify you as an individual and may therefore employ techniques such as data masking, generalization, data suppression, and perturbation.

3. Who can access your data, and how are they protected?

We self-host Formbricks to collect the survey data. This is GDPR-compliant. We access the collected data through a web-based backend service or an API, both of which are provided by Formbricks. The user account data used to access these services are stored in encrypted form, with access limited to selected administrative people. Our user account passwords comply with NIST SP 800-63B and follow the OWASP ASVS v4.0 “Password Security Requirements”.

Upon receiving the data from our service provider (self-hosted Formbricks), we ensure that all data that directly identifies you as an individual (e.g. name, date of birth, IP addresses, e-mail address) is stored and processed separately from the more generic information. An internal identifier creates the link between the two. This identifier and the data associated with it can no longer be directly traced back to you. The connection between the internal identifier and the data that directly identifies you is stored separately and with extra protective measures, e.g. encryption in accordance with the BSI Technical Guideline “TR-02102-1”. We will never share the connecting information with third parties.

Should your pseudonymized data be transferred to third-party researchers, our internal identifier will be replaced by a new one.
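As an added illustration (not code from the institute or from Formbricks), the following Python sketch models the separation described above: identifying fields are split from the survey answers and linked only by a random internal identifier, and that identifier is replaced by a recipient-specific pseudonym before any third-party export. The field names, the sample records and the keyed-HMAC replacement of the identifier are assumptions for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample responses (not real participants); the directly
# identifying fields arrive next to the survey scores.
IDENTIFYING_FIELDS = ("name", "email", "ip")
RAW_RESPONSES = [
    {"name": "A. Example", "email": "a@example.org", "ip": "198.51.100.7",
     "cbi_score": 58, "flourish_index": 6.2, "flow_short_scale": 4.1},
    {"name": "B. Example", "email": "b@example.org", "ip": "203.0.113.9",
     "cbi_score": 31, "flourish_index": 8.0, "flow_short_scale": 5.6},
]


def pseudonymize(raw_responses):
    """Split each response into an identity record and a research record.

    The two are linked only by a random internal identifier, so the research
    table alone cannot be traced back to a person; the identity table is the
    part that is stored separately and encrypted.
    """
    identity_table = {}
    research_table = []
    for raw in raw_responses:
        internal_id = secrets.token_hex(16)  # random, not derived from PII
        identity_table[internal_id] = {k: raw[k] for k in IDENTIFYING_FIELDS}
        row = {k: v for k, v in raw.items() if k not in IDENTIFYING_FIELDS}
        row["internal_id"] = internal_id
        research_table.append(row)
    return identity_table, research_table


def export_for_third_party(research_table, export_key):
    """Replace the internal identifier with a recipient-specific pseudonym.

    An HMAC keyed with a secret that stays with the controller gives the
    recipient stable identifiers within their dataset, but they cannot
    recover the internal id or link records with another recipient's export.
    """
    export = []
    for row in research_table:
        tag = hmac.new(export_key, row["internal_id"].encode(), hashlib.sha256)
        shared = {k: v for k, v in row.items() if k != "internal_id"}
        shared["participant_id"] = tag.hexdigest()[:32]
        export.append(shared)
    return export
```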

For data analysis, we ensure that all information is protected. We only use local applications on computer hardware and do not use any online services. Data is stored on encrypted local drives. Full-disk encryption is employed to protect against physical theft or unauthorized access to the hardware. Only authorized individuals with appropriate clearance can access the data analysis hardware and documents.

When we reach out to you via email, we encrypt any health-related information.

4. What risks are associated with the use of your data?

We take utmost care in protecting your data by implementing comprehensive technical and organizational safeguards. However, we cannot guarantee absolute data protection. A residual risk of personal traceability exists, and this risk increases if you publish any health-related data online.

Despite our best efforts, unauthorized access cannot be entirely ruled out. If such a breach occurs and data is traced back to you, we cannot prevent the potentially harmful use of this information.

We strive to minimize these risks but must inform you of their existence.

5. How do you personally benefit?

Before you submit the survey, you can choose to provide an email address where we can contact you. This is entirely voluntary. It is up to you to decide what e-mail address you use. For example, it may be a temporary, disposable e-mail address that you use for a short period of time and then discard.

We will use the email address you provided to send you a first generic analysis of your situation. This analysis contains the following information:

  1. Your Copenhagen Burnout Inventory Score
  2. Your Secure Flourish Index
  3. Your Flow Short Scale
  4. A brief analysis of the above three results

Please do not expect any direct health benefit or personal advantage from our scientific use of your information. If any commercial benefit is derived from our research, e.g., through the development of new diagnostic procedures or training, you will not share this benefit.

We will only contact you for the following purposes:

  1. To ask you, with your consent, for additional information relevant to scientific questions
  2. To inform you of new research projects/studies, or to inform you of results or additional research findings or information about our work
  3. In individual cases, where the result of our analysis is of such significant importance to your health that we need to reach out to you

Your consent to contact you is valid for five years from the date you give consent unless you withdraw it before this period has elapsed. The legal basis for processing your data is your consent (Article 9 (2) (a) and Article 6 (1) (a) of the EU General Data Protection Regulation).

Our contact information, as the sole data controller for your data, is: kashyap.thimmaraju@flowguard-institute.com