What Motivates an Individual to adopt Security?
Naavi
[This article is in continuation of the earlier article titled
“Theory of IS Motivation based on Behavioural Science” published in these columns]
Motivation has been a subject of intense interest in corporate circles for a
long time. Management experts have mainly discussed the behavioural science
aspects of Motivation from the point of view of employee productivity.
There have been many theories of motivation trying to explain how and why a
human being would work. One of the most popular motivation theories has been
Maslow’s theory of “Hierarchy of needs”, which states that human beings have
certain “needs” and if their work satisfies those needs, they get motivated. The theory
also holds that the different motivational needs can be classified into
five categories stacked one above the other in the form of a “Pyramid” and
a person has a tendency to fulfill the needs in a specified order. To
demonstrate the theory, Maslow depicted his principle in the form of a
pyramid as shown below with the Physiological needs at the bottom and Self
Actualization needs at the top.

This
theory cannot directly help us identify “What motivates an IT user in
adopting Information Security practices”. The only way we can link Maslow’s
theory to Information Security Adoption is by considering that “the
existence of a person is threatened by non adoption of security practices”
and hence it falls in the category of “Security and Safety needs”. This
happens when non adoption directly leads to a loss to the concerned person.
In fact security
requirements directly contradict the “Social needs” since security
prohibits “Sharing” of information while the need for “Social Belonging”
strongly supports sharing of information amongst the people around. Also it
is difficult to identify the relevance of Physiological needs and Esteem
needs. Self actualization is a generic factor and may be considered
relevant.
In view of the incongruence of Maslow’s theory of motivation in explaining the
behaviour of IT users in adopting IS, we need a different approach. None of the
other management theories is suitable for the purpose either.
The undersigned has
therefore propounded a different theory titled “Theory of Information
Security Motivation” modeled on a “Security Pentagon”, the features of
which were explained in an earlier article.
In brief, this theory
states that the motivation for Information Security (IS) comes from five
factors namely
- Awareness
- Acceptance
- Availability
- Mandate
- Inspiration
Also the theory states that these needs are not stacked in a hierarchy as in
Maslow’s theory, and for modeling purposes they are better represented as sides
of a Pentagon as shown below.

It is also part of the
theory that the tendency for adoption of IS practices is to flow from
Awareness to Acceptance to Availability to Mandate and Inspiration. However
it is also accepted that “Mandate” and “Inspiration” are independently
capable of triggering awareness, acceptance and availability.
Out of the five parameters of motivation, three, namely Awareness, Acceptance
and Inspiration, refer to the individual who is being motivated, while
Availability is an organizational influence on the motivation and Mandate is a
regulatory influence on the motivation. Awareness, Acceptance and Inspiration
may be considered as “Internal Motivators” for an individual. “Inspiration” is
like the self actualization need propounded by Maslow. When a person’s
acceptance of IS needs is strong enough, he becomes committed to adopting the
standards with or without anybody else requiring him to do so, and with or
without others funding the availability or forcing him with a mandate. Though
this is entirely in the control of the individual, Inspiration is linked at the
end of the chain of five parameters since reaching there requires maturing of
an individual through his own experience, which comes out of “Availability”,
and also the realization of at least the “Perceived Mandate” from the external
society.
What this theory means is
that “Awareness” is the foundation of all IS adoptions. IS cannot be
introduced without creating “Awareness”. Mere “Awareness” is however not
sufficient for adoption. The subject has to “Accept” the prescription. It
is in the conversion of “Awareness” to “Acceptance” that management
theories of motivation such as Maslow’s theory can have relevance. For
example, after creating “Awareness” if there are incentives for adoption,
then a person may get motivated.
However in the IS domain,
“half adoption is no adoption” and hence one cannot be satisfied at
achieving the motivational level of “Acceptance”. The system has to look at
other factors which are required to convert “Acceptance” to “Availability”
where the security implementation tools are available. For example, a
person may like to protect his computer against the latest virus. But he
can proceed only if a suitable anti virus solution is available to him.
Availability is generally a
matter of “investment” whether at the personal level or at organizational
level. Hence it is considered as “External Motivator” along with
“Mandate”.
The realization that “Mandate” has a useful role to play in IS motivation is a
factor which integrates McGregor’s theory of X and Y types of persons used in
management. This theory states that an organization consists of two types of
persons, those who need to be pushed to performance and those who are self
motivated. Mandating as an IS motivational factor addresses the requirement of
the X type of persons while “Inspiration” recognizes the presence of Y type of
persons.
The Theory of Security Pentagon propounded by the undersigned is therefore
fully compatible with McGregor’s theory as applied in this context.
The Theory of Security
Pentagon recognizes a specific role for “Mandate” which is applicable both
to an organization as well as to the State which wants security culture in
the community. “Mandate” helps people to “rationalize” why the seemingly
inconvenient security prescription should still be adopted. It helps fight
the natural tendency not to adapt to control, often fired by the “technology
intoxication” of the IT users. Without “mandate” security adoption will be
painfully slow and perhaps never reach the desired level where the society
can feel safe.
The study of IS motivation helps an individual or an organization to find
better ways of adapting to the security environment.
These are early days in the history of this new theory and the concepts need to
be explored, debated and refined. This article along with the earlier one is an
attempt to clarify the thought process behind the theory for further refinement.
The undersigned
understands that “Behavioural Science” is a subject to which only the top
management is often exposed and a majority of IT professionals may find it
strange that there should be a discussion on the strange subject called
“Behavioural science of Information Security”. But most technology persons
have in the recent times come to accept that there is a “Human Factor” in
IS management and not everything in IS can be implemented purely by
technical measures. It will therefore not be long before they also realize
that “Behavioural Science” may hold cues to many of the otherwise
unexplainable traits of employees resulting in security breaches.
Maybe it is time for IS
Managers to take up Behavioural Science Courses to understand and
appreciate the inter-disciplinary concepts such as “Behavioural Science
aspects in Information Security”.
Na.Vijayashankar
29th September 2009
Comments are Welcome at naavi@vsnl.com