Motivation

Improving your Security Culture.

Motivation is the third and easiest to understand dimension of our security culture model. There is lots of information in organizational culture literature about what motivates humans and whether people are motivated from within or by external forces. There is also extensive literature on whether people are inherently good or bad, whether people should be rewarded or punished, and whether manipulating someone's motivation can change effort or output.

Security is one of the only areas of organizational motivation where punishment is still the major motivational tool. As there is no evidence that employees are intrinsically motivated to adopt secure practices, organizations will need to have appropriate processes in place to ensure employees are motivated in relation to security. However, organizational literature clearly indicates that punishment does not work in motivation. In a good security culture we would therefore expect positive motivation to be dominant.

Intrinsic motivation versus extrinsic motivation

Organizational behavior literature suggests that provision of extrinsic rewards to employees for performing particular tasks, such as direct financial rewards, may actually reduce their intrinsic motivation. However, we believe that organizations should consider both tangible rewards (e.g. money) and intrinsic motivation to adopt new behaviors (e.g. recognition and social participation) when employees are expected to meet modified performance standards or change their behavior.

While it is essential that employees are made aware that security controls are necessary and useful to discourage them from attempting to bypass these controls, motivation in security should not only be aimed at preventing employees from compromising existing security measures and guidelines. A good security culture will encourage employees to be motivated to reflect on their behavior at all times, to assess how their behavior influences security and what they can do to improve security.

Although it is important that a degree of trust is involved and that responsibility to act in an appropriate manner is delegated to employees themselves, this does not mean that an organization should not monitor their behavior. It is essential that organizations have monitoring processes in place to identify security breaches, and that they investigate those breaches to ensure that unacceptable behavior is corrected. Of course, the organization should also reward exemplary behavior, and should publicize those examples to increase both awareness and motivation.

Horizontal versus vertical Social Participation

Social participation is a well-known aspect of organizational culture. We found that some organizations do encourage social participation in line with the organization's governance structures, as in encouraging staff affected by a decision to participate in the decision-making process. We have called this vertical social participation. Our research suggests that such social participation has only a limited effect on improving the security culture, and that to improve motivation organizations should encourage more widespread social participation. It should be obvious that employees at the same level within different areas of an organization often come across the same security issues and may not know that others in the organization are covering the same ground. Organizations that have horizontal social participation where, for instance, all system and security administrators across the business units are involved in a regular exchange of information to improve decision making, may find that motivation will increase significantly as well.
