The human decision-making process is the preferred subject of psychologists and economists. Historically, they adopted an approach of viewing human behaviour as regular and highly predictable. This helped the researchers to build various models in order to comprehend social and economical phenomena. Such systems were compared by Karl Popper to reliable pendulum clocks.35 One can take them apart and observe how the pieces fit together. People, however, are much more complicated. Their behaviour, which is considered to be “highly irregular and disorderly,” has more in common with clouds, which are harder to predict due to their dynamic and constantly changing nature. Various theories were later developed to understand the drivers underlying certain actions. Such findings have been adopted by information security researchers to understand human behaviour in relation to policy compliance.
One of the dominant theories pertaining to human behaviour is the theory of rational choice. This theory provides insight into social and economic behaviour, and reveals how people aim to maximise their personal benefits and minimise their costs; personal gain tends to be the main motivator. People make decisions based on the perceived benefit as well as the cost of the outcome, and act accordingly.
This theory can also be used to explain how employees make decisions about whether or not to comply with a particular information security policy. According to this theory, it might be rational for users not to comply with a security policy, because the effort outweighs the perceived level of risk reduction.
Aytes and Connolly,36 for example, observed frequent unsafe computer-related practices among university students, which included revealing passwords, downloading attachments without running an antivirus scan and not backing up their data, among other things.
Their findings show that although the students were quite familiar with safe computing behaviour, they still continued to exhibit risky conduct.
They conclude that organisations may have to go a step further than simply recommending safe computing behaviour: they suggest that compliance may have to be imposed by more forceful means.
I interviewed Daniel Schatz, Director for Threat and Vulnerability Management at Thomson Reuters, to understand his view on this subject. He believes that inconvenience is the main driver for users’ non-compliant behaviour: “Everyone is unconsciously and constantly doing a cost–benefit calculation; if a users’ expected utility of opening the ‘Cute Bunnies’ attachment exceeds the inconvenience of ignoring all those warning messages, a reasonable decision was made, albeit an insecure one.”
The solution might be to either raise the cost or lower the benefit of non-compliance. While it will be difficult to teach the staff to dislike cute bunnies, raising the cost may succeed.
“To stick with the previous example, this could be done by imposing punishment for opening malicious attachments or deploying technology solutions to aid the user in being compliant.”
There is an operational and economic perspective to this, of course. If employees are scared to open attachments because of the potential for punishment, it may tarnish the reputation of the security function.
“Some will probably look for ‘security awareness training’ as an answer here; while there is a place for such training, the impact of it is low. If security awareness training aims to change an organisation’s culture, you’re on the right track, but trying to train users’ utility-based decisions away will fail”.
To explore whether the punishment suggested by Schatz can indeed be effective, let’s look into the theory of general deterrence.
This theory suggests that users will not comply with the rules if they know that breaking them will not be followed by punishment. Before elaborating on this theory, it is worth defining the terms intrinsic motivation and extrinsic motivation. Intrinsic motivation comes from within the individual, which usually leads to engaging in behaviour that is personally rewarding. In this context, people are not driven by the idea of an external incentive, rather by their own desires. Extrinsic motivation, on the other hand, results from the hope of gaining an external reward or avoiding punishment for specific conduct.
D’Arcy, Hovav and Galletta refer to an extended version of the theory of general deterrence to find out if information security awareness training affects the perception of company sanctions in terms of severity and certainty.37 They collected a sample of 269 employees from eight different companies who had received such training and were aware of the presence of user-monitoring software on their machines. Their findings show that the perception of sanctions is more effective in deterring risky behaviour than imposing actual sanctions.
Jai-Yeol challenged the significance of these findings, which use the theory of general deterrence to deal with and predict behaviour related to compliance, because the approaches that are postulated are solely based on extrinsic motivation.38 The author states that this model lacks the consideration of intrinsic motivation, which is an important aspect and strong driving force of the human character. He proposes a model including both the intrinsic and extrinsic motivators of human behaviour. Analysis of a sample of 602 employees revealed that approaches relating to the intrinsic motivation paradigm led to a significant increase in compliant employee behaviour over approaches relating to the extrinsic motivation model.
Another theory – the cognitive evaluation theory – supports the importance of intrinsic motivation. It can be used to predict the effects that rewards have on intrinsic motivation, specifically when these rewards are of a tangible nature, such as awards and prizes, as opposed to verbal rewards or recognition.
Following this theory, when rewards are perceived as a means of controlling behaviour, they have a negative effect on intrinsic motivation. A recipient’s sense of autonomy and self-determination will decline when they feel that they are being controlled.
Additionally, the cognitive evaluation theory also explains why verbal or non-tangible rewards have positive effects on intrinsic motivation. In order for employees to feel increasingly like they are skilful at completing certain tasks and that their performance has been positively evaluated by their supervisors, non-tangible rewards of this type must be delivered in a way that is not perceived as coercive. This type of reward system would boost employees’ performance and determination as a result of increased intrinsic motivation.
Within an information security context, this theory recommends adoption of a positive, non-tangible reward system to attain constructive behaviour regarding security policy compliance.
All of the above theories suggest that to effectively protect companies’ assets, the security professional should develop and implement security policies not only to ensure formal compliance with legal and regulatory requirements, but also to ensure that the motivations and attitudes of users are also considered.
Policies should be designed in a way that reduces the mental and physical workload of users by fostering intrinsic motivation, while reducing extrinsic motivation or deterrence. Security professionals and policymakers should keep the employee’s perspectives in mind and at the very core of their approaches to designing security policies.
35 Karl Raimund Popper, “Of Clocks and Clouds: An Approach to the Problem of Rationality and the Freedom of Man,” in Objective Knowledge: An Evolutionary Approach, Clarendon Press, 1972, 206–265.
36 Kregg Aytes and Terry Connolly, “Computer and Risky Computing Practices: A Rational Choice Perspective”, Journal of Organizational End User Computing, 16(2), 2004, 22–40.
37 John D’Arcy, Anat Hovav and Dennis Galletta, “User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach”, Information Systems Research, 17(1), 2009, 79–98.
38 Jai-Yeol, Son “Out of Fear or Desire? Toward a Better Understanding of Employees’ Motivation to Follow IS Security Policies”, Information &. Management, 48(7), 2011, 296–302.