[This article is in continuation of the earlier article titled "Theory of IS Motivation based on Behavioural Science" published in these columns]
Motivation has been a subject of intense interest in corporate circles for a long time. Management experts have mainly discussed the behavioural science aspects of motivation from the point of view of employee productivity.
There have been many theories of motivation trying to explain how and why a human being would work. One of the most popular has been Maslow's theory of the "Hierarchy of Needs", which states that human beings have certain "needs" and that if a work satisfies those needs, they get motivated. The theory also holds that the different motivational needs can be classified into five categories stacked one above the other in the form of a "Pyramid", and that a person has a tendency to fulfil the needs in a specified order. To demonstrate the theory, Maslow depicted his principle in the form of a pyramid, as shown below, with the Physiological needs at the bottom and the Self Actualization needs at the top.
This theory cannot directly help us identify "what motivates an IT user in adopting Information Security practices". One way we can link Maslow's theory to Information Security adoption is by considering that "the existence of a person is threatened by non-adoption of security practices", so that it falls in the category of "Security and Safety needs". This happens when non-adoption directly leads to a loss for the person concerned.
In fact, information security requirements directly contradict the "Social needs", since security prohibits "sharing" of information (such as passwords) while the need for "Social Belonging" strongly supports sharing of information amongst the people around. Also, it is difficult to identify the relevance of Physiological needs and Esteem needs. Self actualization is a generic factor and may be considered relevant.
In view of the inability of Maslow's theory of motivation to explain the behaviour of IT users in adopting IS, we need a different approach. None of the other management theories is suitable for the purpose either.
The undersigned has therefore propounded a different theory titled "Theory of Information Security Motivation", modelled on a "Security Pentagon", the features of which were explained in an earlier article.
In brief, this theory states that the motivation for Information Security (IS) comes from five factors, namely Awareness, Acceptance, Availability, Mandate and Inspiration.
The theory also states that these needs are not stacked in a hierarchy as in Maslow's theory; for modelling purposes they are better represented as the sides of a Pentagon, as shown below.
It is also part of the theory that the adoption of IS practices tends to flow from Awareness to Acceptance to Availability to Mandate and Inspiration. However, it is also accepted that "Mandate" and "Inspiration" are independently capable of triggering awareness, acceptance and availability.
Of the five parameters of motivation, three, namely Awareness, Acceptance and Inspiration, refer to the individual who is being motivated, while Availability is an organizational influence on the motivation and Mandate is a regulatory influence on it.
This theory therefore takes the individual, the organization and the environment into account in understanding the motivation for adopting information security practices.
Awareness, Acceptance and Inspiration may be considered "Internal Motivators" for an individual.
"Inspiration" is like the self actualization need propounded by Maslow. When a person's acceptance of IS needs is strong enough, he becomes committed to adopting the standards with or without anybody else requiring him to do so, and with or without others funding the availability or forcing him with a mandate. Though this is entirely within the control of the individual, Inspiration is placed at the end of the chain of five parameters, since reaching it requires the maturing of an individual through his own experience, which comes out of "Availability", and also the realization of at least the "Perceived Mandate" from the external society.
What this theory means is that "Awareness" is the foundation of all IS adoption. IS cannot be introduced without creating "Awareness". Mere "Awareness" is not, however, sufficient for adoption. The subject has to "Accept" the prescription. It is in the conversion of "Awareness" to "Acceptance" that management theories of motivation such as Maslow's theory can have relevance. For example, after creating "Awareness", if there are incentives for adoption, then a person may get motivated.
One of the methods the undersigned has adopted to increase the conversion of awareness to acceptance in his training is to introduce a system where the trainee signs an "Ethical Declaration", in which he binds himself in writing to follow the prescribed security practices. This is to increase his level of commitment.
In the IS domain, "half adoption is no adoption" and "security is only as strong as its weakest link". Hence one cannot be satisfied at achieving the motivational level of "Acceptance". The system has to look at the other factors required to convert "Acceptance" to "Availability", where the security implementation tools are available. For example, a person may want to protect his computer against the latest virus, but he can proceed only if a suitable anti-virus solution is available to him.
Availability is generally a matter of "investment", whether at the personal level or at the organizational level. Hence it is considered an "External Motivator", along with "Mandate".
"Mandate" refers to the kind of regulatory push provided by legislation such as HIPAA. The realization that "Mandate" has a useful role to play in IS motivation is a factor which integrates McGregor's Theory X and Theory Y of persons used in management. That theory states that an organization consists of two types of persons: those who need to be pushed to perform and those who are self-motivated. Mandating as an IS motivational factor addresses the requirement of the X type of persons, while "Inspiration" recognizes the presence of Y type of persons.
The Theory of Security Pentagon propounded by the undersigned is therefore fully compatible with McGregor's theory as applied in this context.
The Theory of Security Pentagon recognizes a specific role for "Mandate", which is applicable both to an organization and to the State which wants a security culture in the community. "Mandate" helps people to "rationalize" why a seemingly inconvenient security prescription should still be adopted. It helps fight the natural tendency not to adopt controls, a tendency often fuelled by the "technology intoxication" of IT users. Without "mandate", security adoption will be painfully slow and may never reach the level at which society can feel safe.
One aspect of "mandate" which we should remember is that even a "mandate" for the adoption of security should ideally follow in the sequence of Awareness, Acceptance and Availability. Otherwise there will be undesirable consequences.
An example in India is the mandating of the use of "Digital Signatures" for the authentication of certain documents (e.g. MCA returns). This mandatory procedure was introduced in India when there was a lack of awareness in the user community of how to use Digital Signatures. This has led to many users delegating their digital signatures to their auditors, in gross violation of the law, endangering the very acceptability of the system as a trusted system of e-document authentication in law.
Further, the availability of digital signing tools is still inadequate in India. Many digital certificates are not compatible with the current operating systems. All this affects "Availability" and therefore results in the non-implementation of digital signatures, which are otherwise an excellent tool of IS.
The study of IS motivation on the suggested framework of the Security Pentagon, as proposed by Naavi, helps an individual or an organization to find better ways of adapting to the security environment.
These are early days in the history of this new theory, and the concepts need to be explored, debated and refined. This article, along with the earlier one, is an attempt to clarify the thought process behind the theory for further refinement.
We know that "Behavioural Science" is a subject to which often only the top management in corporate circles is exposed, and a majority of IT professionals may find it strange that there should be a discussion on a subject called the "Behavioural Science of Information Security".
But most technology persons have in recent times come to accept that there is a "Human Factor" in IS management and that not everything in IS can be implemented purely by technical measures. It is therefore not far off that they will also realize that "Behavioural Science" may hold clues to many of the otherwise unexplainable traits of employees that result in security breaches.
Maybe it is time for IS Managers to take up Behavioural Science courses to understand and appreciate inter-disciplinary concepts such as "Behavioural Science aspects of Information Security".
India is on the threshold of a major change in the Cyber Laws which affect Information Security, and this theory highlights the need to support the mandated security measures with appropriate "Awareness creating" and "Acceptability building" strategies, besides the creation of suitable tools.
Naavi has in the past worked on a Karnataka Cyber Law Awareness Movement and is now leading a Karnataka Cyber Security Movement. "Acceptance" may follow in due course. If these efforts are to result in action on the ground, IT companies need to come forward to provide "Availability". Naavi is also leading an action plan for the adoption of security practices in Cyber Cafes based on the model of the Security Pentagon. Accordingly, awareness is being created through the Karnataka e-safe programme. Acceptance and Availability are being addressed through a specific software system which is administratively beneficial to the Cyber Cafes and also provides some benefits to the regulators. The time is now ripe for "mandate" to follow through appropriate Cyber Cafe regulations, so that there would be a synergistic effect in bringing about an accelerated implementation of information security in the State.
29 September 2009