[This article is in continuation of the earlier article titled “Theory of IS Motivation based on Behavioural Science†published in these columns]
Â
Motivation has been a subject of intense interest in corporate circles since a long time. Management experts have mainly discussed the behavioural science aspects of Motivation from the point of view of employee productivity.
 There have been many theories of motivation trying to explain how and why a human being would work. One of the most popular motivation theories has been the Maslow’s theory of “Hierarchy of needs†which states that human beings have certain “needs†and if a work satisfies those needs, they get motivated. The theory also holds that the different motivational needs can be classified into five categories stacked one above the other in the form of a “Pyramid†and a person has a tendency to fulfill the needs in a specified order. To demonstrate the theory, Maslow depicted his principle in the form of a pyramid as shown below with the Physiological needs at the bottom and Self Actualization needs at the top.
This theory cannot directly help us identify “What motivates an IT user in adopting Information Security practicesâ€. One way we can link Maslow’s theory to Information Security Adoption is by considering that “the existence of a person is threatened by non adoption of security practices†and hence it falls in the category of “Security and Safety needsâ€. This happens when non adoption directly leads to a loss to the concerned person.
 In fact information security requirements directly contradict the “Social needs†since security prohibits “Sharing†of information (such as passwords) while the need for “Social Belonging†strongly supports sharing of information amongst the people around. Also, it is difficult to identify the relevance of Physiological needs and Esteem needs. Self actualization is a generic factor and may be considered relevant.
In view of the incongruence of Maslow’s theory of motivation to explain the behaviour of IT users in adopting IS we need a different approach. None of the other management theories also are suitable for the purpose.
The undersigned has therefore propounded a different theory titled “Theory of Information Security Motivation†modeled on a “Security Pentagonâ€, the features of which were explained in an earlier article.
In brief, this theory states that the motivation for Information Security (IS) comes from five factors namely
- Awareness
- Acceptance
- Availability
- Mandate
- Inspiration
Also the theory states that these needs are not stacked in a hierarchy like in the Maslow’s theory and for modeling purpose they are better represented as sides of a Pentagon as shown below.
It is also part of the theory that the tendency for adoption of IS practices is to flow from Awareness to Acceptance to Availability to Mandate and Inspiration. However it is also accepted that “Mandate†and “Inspiration†are independently capable of triggering awareness, acceptance and availability.
Out of the five parameters of motivation, three namely Awareness, Acceptance and Inspiration refer to individual who is being motivated while Availability is an organizational influence on the motivation while Mandate is a regulatory influence on the motivation.
This theory therefore takes the individual, the organization and the environment in understanding the motivation for adopting information security practice.
Awareness, Acceptance and Inspiration may be considered as “Internal Motivators†for an individual.
“Inspiration†is like the self actualization need propounded by Maslow. When a person’s acceptance of IS needs is so strong, he becomes committed to adopt the standards with or without any body else requiring him to do so and with or without others funding the availability or forcing him with a mandate. Though this is entirely at the control of the individual, Inspiration is linked at the end of the chain of five parameters since reaching there requires maturing of an individual through own experience which comes out of “Availability†and also the realization of at least the Perceived Mandate†from the external society.
What this theory means is that “Awareness†is the foundation of all IS adoptions. IS cannot be introduced without creating “Awareness’. Mere “Awareness†is not however sufficient for adoption. The subject has to “Accept†the prescription. It is in the conversion of “Awareness†to “Acceptance†that management theories of motivation such as Maslow’s theory can have relevance.  For example, after creating “Awareness†if there are incentives for adoption, then a person may get motivated.
One of the methods the undersigned has adopted to increase conversion of awareness to acceptance in his training is to introduce a system where the trainee signs an “Ethical Declaration” where he binds himself in writing to follow the prescribed security practices. This is to increase his level of commitment.
In the IS domain, “half adoption is no adoption†and “Security is as strong as its weakest link”. Hence one cannot be satisfied at achieving the motivational level of “Acceptanceâ€. The system has to look at other factors which are required to convert “Acceptance†to “Availability†where the security implementation tools are available. For example, a person may like to protect his computer against the latest virus. But he can proceed only if a suitable anti virus solution is available to him.
Availability is generally a matter of “investment†whether at the personal level or at organizational level. Hence it is considered as “External Motivator†along with “Mandateâ€.
“Mandate” refers to the kind of regulatory push that is provided by legislations such as the HIPAA. The realization that “Mandate†has a useful role to play in IS motivation is a factor which integrates the McGregor’s theory of X and Y type of persons used in management. This theory states that an organization consists of two types of persons, one who needs to be pushed to performance and others who are self motivated . Mandating as a IS motivational factor addresses the requirement of the X type of persons while “Inspiration†recognizes the presence of Y type of persons.
The Theory of Security Pentagon propounded by the undersigned therefore fully in compatibility with the McGregor’s theory applied in this context.
The Theory of Security Pentagon recognizes a specific role for “Mandate†which is applicable both to an organization as well as to the State which wants security culture in the community. “Mandate†helps people to “rationalize†why the seemingly inconvenient security prescription should still be adopted. It helps fight the natural tendency not to adopt to control often fired by the “technology intoxication†of the IT users. Without “mandate†security adoption will be painfully slow and perhaps never reach the desired level where the society can feel safe.
One aspect of “mandate” which we should remember is that even “mandate” for adoption of security should ideally follow in the sequence of Awareness, Acceptance and Availability. Otherwise there will be undesirable consequences.
An example in India regarding mandating of the use of “Digital Signatures” in authentication of certain documents (eg: MCA returns). This mandatory procedure was introduced in India when there was lack of awareness of how to use Digital Signatures in the user community. This has lead to many users delegating their digital signatures to their auditors in gross violation of law and endangering the very acceptability of the system as a trusted system of e-document authentication in law.
Further the availability of digital signing tools is still inadequate in India. Many digital certificates are not compatible with the current OS. All this affects “Availability” and therefore non implementation of digital signature which is otherwise an excellent tool of IS.
The study of IS motivation on the suggested framework of the Security Pentagon as proposed by Naavi helps an individual or an organization to find better ways of adopting to the security environment.
These are early days in the history of this new theory and the concepts need to be explored, debated and refined. This article along with the earlier one are an attempt to clarify the thought process behind the theory for further refinement.
We know that “Behavioural Science†is a subject to which only the top management in corporate circles are often exposed and a majority of IT professionals may find it strange that there should be a discussion on the subject called “Behavioural science of Information Securityâ€.
But most technology persons have in the recent times come to accept that there is a “Human Factor†in IS management and not everything in IS can be implemented purely by technical measures. It is therefore not far that they will also realize that “Behavioural Science†may hold cues to many of the otherwise unexplainable traits of employees resulting in security breaches.
May be it is time for IS Managers to take up Behavioural Science Courses to understand and appreciate the inter-disciplinary concepts such as “Behavioural Science aspects in Information Securityâ€.
India is in the threshold of a major change in the Cyber Laws which affect Information Security and this theory highlights the need to support the mandated security measures with appropriate “Awareness creating ” and “Acceptability building” strategies besides creation of suitable tools.
Naavi has in the past worked on a Karnataka Cyber Law Awareness Movement and is now leading a Karnataka Cyber Security Movement. “Acceptance” may follow in due course. If these efforts are to result in action on the ground, IT companies need to come forward to provide “Availability”. Naavi is also leading an action plan for adoption of security practices in Cyber Cafes based on the model of the Security Pentagon. Accordingly, awareness is being created through the Karnataka e-safe programme. Acceptance and Availability is being addressed through a specific software system which is administratively beneficial to the Cyber Cafes and also provides some benefits to the regulators. The time is now ripe for “mandate” to follow through appropriate Cyber Cafe regulations so that there would be a synergistic effect in bringing about an accelerated implementation of information security in the State.
Naavi
www.naavi.org
29, September, 2009
Loading ...
3 users commented in " What Motivates an Individual to adopt Security? "
Follow-up comment rss or Leave a TrackbackMmmm. I’m not sure a pentagon with a few seemingly random lines constitutes a “behavioural model” in any scientific sense. You appear to have mixed up internal and external drivers, for example: on a conscious level, a person’s motivation to conform/comply with external demands such as laws and policies surely requires their acceptance that (a) the demands are relevant and applicable; (b) it is in the person’s best interests to comply/conform; (c) the person’s ability to comply/conform; and (d) the fear of potential personal, organizational or societal consequences if he/she does not comply/conform. However there are other subconscious factors as well, e.g. their perception of “society norms” or conventions, their acceptance or rejection of the authority that laid down the demands, and so forth.
Though it is an interesting approach, this requires a lot more research and thought to be a genuinely useful and predictive model.
Kind regards,
Gary
Dear Gary
Thanks for raising some thoughtful discussion on the subject.
I agree that this thought requires further research.
At present in India I donot see any thought being given to the interplay of Behavioural Science and Information Security. May be such research is on in US. Let this be further explored.
One interesting point Gary has brought is the “Internal Motivation” through “External Stimuli”.
I have stated that “Mandate” is an important motivator. Others identify “Fear” say of rejection by society is a motivator. I suppose there is a link between the two because “Non Compliance of a Mandate resulting in adverse consequences is a motivator”. I have practically experienced this in most of my IS motivational lectures.
I believe that external drivers do have an impact on internal drivers. Can any human being exist in a vacuum?..Does one get or donot get internal motivation influenced by external stimuli?.. can be further debated.
If there is an “inductive influence” of the external drivers on the internal drivers, then an attempt to include both in an integrated model is a possibility.
Why Pentagon as a visual symbolism?.. I could not say that the drivers listed had any distinct progressive relation. There could be some people who move from awareness to acceptance to availability and then directly move to compliance. Others may move from awareness to inspiration and then to compliance. Some may move from mandate to compliance. Hence I could not use a stacking model like the Pyramid or something similar and for want of anything better chose the Pentagon.
Further research is open to make changes.
The attempt here is to draw the attention of technical persons who are obsessed only with technology as a parameter of Information security to suggest that they need to look at human behavioral aspects. Since many of the Information Security experts donot have good exposure to behavioural sciences until they reach top echelons of corporate management, the security professionals at the lower levels need to be reminded of this factor.
I hope a visualized model could be useful.
I am open to all kinds of suggestions and debate in this regard.
Please also see http://www.bloggernews.net/123749
Leave A Reply