Let's Build a Responsible Cyber Society

What Motivates an Individual to adopt Security?

[This article is a continuation of the earlier article titled “Theory of IS Motivation based on Behavioural Science” published in these columns.]

Motivation has been a subject of intense interest in corporate circles for a long time. Management experts have mainly discussed the behavioural science aspects of motivation from the point of view of employee productivity.

There have been many theories of motivation trying to explain how and why a human being works. One of the most popular has been Maslow’s theory of the “Hierarchy of Needs”, which states that human beings have certain “needs” and that, if their work satisfies those needs, they become motivated. The theory also holds that the different motivational needs can be classified into five categories stacked one above the other in the form of a “Pyramid”, and that a person tends to fulfil these needs in a specified order. To demonstrate the theory, Maslow depicted his principle in the form of a pyramid, as shown below, with the Physiological needs at the bottom and the Self Actualization needs at the top.

This theory cannot directly help us identify “what motivates an IT user to adopt Information Security practices”. One way we can link Maslow’s theory to Information Security adoption is by considering that “the existence of a person is threatened by non-adoption of security practices”, so that it falls into the category of “Security and Safety needs”. This happens when non-adoption directly leads to a loss for the person concerned.

In fact, information security requirements directly contradict the “Social needs”, since security prohibits the “sharing” of information (such as passwords), while the need for “Social Belonging” strongly supports the sharing of information amongst the people around us. It is also difficult to identify the relevance of the Physiological needs and the Esteem needs. Self actualization is a generic factor and may be considered relevant.

In view of the inability of Maslow’s theory of motivation to explain the behaviour of IT users in adopting IS, we need a different approach. Nor is any of the other management theories suitable for the purpose.

The undersigned has therefore propounded a different theory, titled the “Theory of Information Security Motivation”, modelled on a “Security Pentagon”, the features of which were explained in the earlier article.

In brief, this theory states that the motivation for Information Security (IS) comes from five factors, namely:

  1. Awareness
  2. Acceptance
  3. Availability
  4. Mandate
  5. Inspiration

The theory also states that these needs are not stacked in a hierarchy as in Maslow’s theory and that, for modelling purposes, they are better represented as the sides of a Pentagon, as shown below.

It is also part of the theory that the adoption of IS practices tends to flow from Awareness to Acceptance to Availability to Mandate and Inspiration. However, it is also accepted that “Mandate” and “Inspiration” are independently capable of triggering Awareness, Acceptance and Availability.

Of the five parameters of motivation, three, namely Awareness, Acceptance and Inspiration, refer to the individual who is being motivated, while Availability is an organizational influence on motivation and Mandate is a regulatory influence on motivation.

This theory therefore takes into account the individual, the organization and the environment in understanding the motivation for adopting information security practices.

Awareness, Acceptance and Inspiration may be considered as “Internal Motivators” for an individual.

“Inspiration” is like the self actualization need propounded by Maslow. When a person’s acceptance of IS needs is strong enough, he becomes committed to adopting the standards with or without anybody else requiring him to do so, and with or without others funding the availability or forcing him with a mandate. Though this is entirely within the control of the individual, Inspiration is placed at the end of the chain of five parameters, since reaching it requires the individual to mature through his own experience, which comes out of “Availability”, and also to realize at least the “Perceived Mandate” from the external society.

What this theory means is that “Awareness” is the foundation of all IS adoption. IS cannot be introduced without creating “Awareness”. Mere “Awareness” is, however, not sufficient for adoption. The subject has to “Accept” the prescription. It is in the conversion of “Awareness” to “Acceptance” that management theories of motivation such as Maslow’s theory can have relevance. For example, after creating “Awareness”, if there are incentives for adoption, then a person may become motivated.

One of the methods the undersigned has adopted to increase the conversion of awareness to acceptance in his training is to introduce a system where the trainee signs an "Ethical Declaration" in which he binds himself in writing to follow the prescribed security practices. This is intended to increase his level of commitment.

In the IS domain, “half adoption is no adoption” and "security is only as strong as its weakest link". Hence one cannot be satisfied with achieving the motivational level of “Acceptance”. The system has to look at the other factors required to convert “Acceptance” to “Availability”, the state in which the security implementation tools are actually available. For example, a person may wish to protect his computer against the latest virus, but he can proceed only if a suitable anti-virus solution is available to him.

Availability is generally a matter of “investment”, whether at the personal level or at the organizational level. Hence it is considered an “External Motivator”, along with “Mandate”.

"Mandate" refers to the kind of regulatory push that is provided by legislation such as HIPAA. The realization that “Mandate” has a useful role to play in IS motivation is the factor that integrates McGregor’s Theory X and Theory Y of persons used in management. That theory states that an organization consists of two types of persons: those who need to be pushed to perform and those who are self-motivated. Mandate as an IS motivational factor addresses the requirement of the X type of persons, while “Inspiration” recognizes the presence of the Y type of persons.

The Theory of the Security Pentagon propounded by the undersigned is therefore fully compatible with McGregor’s theory applied in this context.

The Theory of the Security Pentagon recognizes a specific role for “Mandate”, which is applicable both to an organization and to a State that wants a security culture in the community. “Mandate” helps people to “rationalize” why a seemingly inconvenient security prescription should still be adopted. It helps fight the natural tendency not to adopt controls, often fuelled by the “technology intoxication” of IT users. Without a “mandate”, security adoption will be painfully slow and may never reach the level at which society can feel safe.

One aspect of "mandate" which we should remember is that even a "mandate" for the adoption of security should ideally follow the sequence of Awareness, Acceptance and Availability. Otherwise there will be undesirable consequences.

An example from India is the mandating of the use of "Digital Signatures" for the authentication of certain documents (e.g. MCA returns). This mandatory procedure was introduced in India at a time when the user community lacked awareness of how to use Digital Signatures. This has led to many users delegating their digital signatures to their auditors, in gross violation of the law, endangering the very acceptability of the system as a trusted system of e-document authentication in law.

Further, the availability of digital signing tools is still inadequate in India. Many digital certificates are not compatible with the current OS. All this affects "Availability" and therefore results in the non-implementation of digital signatures, which are otherwise an excellent IS tool.

The study of IS motivation on the suggested framework of the Security Pentagon, as proposed by Naavi, helps an individual or an organization to find better ways of adapting to the security environment.

These are early days in the history of this new theory, and the concepts need to be explored, debated and refined. This article, along with the earlier one, is an attempt to clarify the thought process behind the theory for further refinement.

We know that “Behavioural Science” is a subject to which often only the top management in corporate circles is exposed, and a majority of IT professionals may find it strange that there should be a discussion on a subject called the “Behavioural Science of Information Security”.

But most technology persons have in recent times come to accept that there is a “Human Factor” in IS management and that not everything in IS can be implemented purely by technical measures. It is therefore not far off that they will also realize that “Behavioural Science” may hold clues to many of the otherwise unexplainable traits of employees that result in security breaches.

Maybe it is time for IS Managers to take up Behavioural Science courses to understand and appreciate inter-disciplinary concepts such as “Behavioural Science aspects in Information Security”.

India is on the threshold of a major change in the Cyber Laws that affect Information Security, and this theory highlights the need to support the mandated security measures with appropriate "Awareness creating" and "Acceptability building" strategies, besides the creation of suitable tools.

Naavi has in the past worked on a Karnataka Cyber Law Awareness Movement and is now leading a Karnataka Cyber Security Movement. "Acceptance" may follow in due course. If these efforts are to result in action on the ground, IT companies need to come forward to provide "Availability". Naavi is also leading an action plan for the adoption of security practices in Cyber Cafes based on the model of the Security Pentagon. Accordingly, awareness is being created through the Karnataka e-safe programme. Acceptance and Availability are being addressed through a specific software system which is administratively beneficial to the Cyber Cafes and also provides some benefits to the regulators. The time is now ripe for a "mandate" to follow, through appropriate Cyber Cafe regulations, so that there is a synergistic effect in bringing about an accelerated implementation of information security in the State.

29th September 2009

Comments are welcome at naavi@vsnl.com