Motivation

Improving your Security Culture.

Motivation is the third and easiest to understand dimension of our security culture model. There is lots of information in organisational culture literature about what motivates humans and whether people are motivated from within or by external forces. There is also extensive literature on whether people are inherently good or bad, whether people should be rewarded or punished, and whether manipulating someone's motivation can change effort or output.

Security is one of the only areas of organisational motivation where punishment is still the major motivational tool. As there is no evidence that employees are intrinsically motivated to adopt secure practices, organisations will need to have appropriate processes in place to ensure employees are motivated in relation to security. However, organisational literature clearly indicates that punishment does not work as a motivator. In a good security culture we would therefore expect positive motivation to be dominant.

Intrinsic motivation versus extrinsic motivation

Organisational behaviour literature suggests that provision of extrinsic rewards to employees for performing particular tasks, such as direct financial rewards, may actually reduce their intrinsic motivation. However, we believe that organisations should consider both tangible rewards (e.g. money) and intrinsic motivation to adopt new behaviours (e.g. recognition and social participation) when employees are expected to meet modified performance standards or change their behaviour.

While it is essential that employees are made aware that security controls are necessary and useful to discourage them from attempting to bypass these controls, motivation in security should not only be aimed at preventing employees from compromising existing security measures and guidelines. A good security culture will encourage employees to be motivated to reflect on their behaviour at all times, to assess how their behaviour influences security and what they can do to improve security.

Although it is important that a degree of trust is involved and that responsibility to act in an appropriate manner is delegated to employees themselves, this does not mean that an organisation should not monitor their behaviour. It is essential that organisations have monitoring processes in place to identify security breaches, and that they investigate those breaches to ensure that unacceptable behaviour is corrected. Of course, the organisation should also reward exemplary behaviour, and should publicise those examples to increase both awareness and motivation.

Horizontal versus vertical Social Participation

Social participation is a well-known aspect of organisational culture. We found that some organisations do encourage social participation in line with the organisation's governance structures, as in encouraging staff influenced by a decision to participate in the decision-making process. We have called this vertical social participation. Our research suggests that such social participation has only a limited effect on improving the security culture, and that to improve motivation organisations should encourage more widespread social participation. It should be obvious that employees at the same level within different areas of an organisation often come across the same security issues and may not know that others in the organisation are covering the same ground. Organisations that have horizontal social participation where, for instance, all system and security administrators across the business units are involved in a regular exchange of information to improve decision making, may find that motivation will increase significantly as well.
