The human decision-making process is the preferred subject of psychologists and economists. Historically, they adopted an approach of viewing human behaviour as regular and highly predictable. This helped the researchers to build various models in order to comprehend social and economical phenomena. Such systems were compared by Karl Popper to reliable pendulum clocks. One can take them apart and observe how the pieces fit together. People, however, are much more complicated. Their behaviour, which is considered to be “highly irregular and disorderly,” has more in common with clouds, which are harder to predict due to their dynamic and constantly changing nature. Various theories were later developed to understand the drivers underlying certain actions. Such findings have been adopted by information security researchers to understand human behaviour in relation to policy compliance.
One of the dominant theories pertaining to human behaviour is the theory of rational choice. This theory provides insight into social and economic behaviour, and reveals how people aim to maximise their personal benefits and minimise their costs; personal gain tends to be the main motivator. People make decisions based on the perceived benefit as well as the cost of the outcome, and act accordingly.
This theory can also be used to explain how employees make decisions about whether or not to comply with a particular information security policy. According to this theory, it might be rational for users not to comply with a security policy, because the effort outweighs the perceived level of risk reduction.
Aytes and Connolly, for example, observed frequent unsafe computer-related practices among university students, which included revealing passwords, downloading attachments without running an antivirus scan and not backing up their data, among other things.
Their findings show that although the students were quite familiar with safe computing behaviour, they still continued to exhibit risky conduct.
They conclude that organisations may have to go a step further than simply recommending safe computing behaviour: they suggest that compliance may have to be imposed by more forceful means.
I interviewed Daniel Schatz, Director for Threat and Vulnerability Management at Thomson Reuters, to understand his view on this subject. He believes that inconvenience is the main driver for users’ non-compliant behaviour: “Everyone is unconsciously and constantly doing a cost–benefit calculation; if a users’ expected utility of opening the ‘Cute Bunnies’ attachment exceeds the inconvenience of ignoring all those warning messages, a reasonable decision was made, albeit an insecure one.”
The solution might be to either raise the cost or lower the benefit of non-compliance. While it will be difficult to teach the staff to dislike cute bunnies, raising the cost may succeed.
“To stick with the previous example, this could be done by imposing punishment for opening malicious attachments or deploying technology solutions to aid the user in being compliant.”
There is an operational and economic perspective to this, of course. If employees are scared to open attachments because of the potential for punishment, it may tarnish the reputation of the security function.
“Some will probably look for ‘security awareness training’ as an answer here; while there is a place for such training, the impact of it is low. If security awareness training aims to change an organisation’s culture, you’re on the right track, but trying to train users’ utility-based decisions away will fail”.
To explore whether the punishment suggested by Schatz can indeed be effective, let’s look into the theory of general deterrence.
This theory suggests that users will not comply with the rules if they know that breaking them will not be followed by punishment. Before elaborating on this theory, it is worth defining the terms intrinsic motivation and extrinsic motivation. Intrinsic motivation comes from within the individual, which usually leads to engaging in behaviour that is personally rewarding. In this context, people are not driven by the idea of an external incentive, rather by their own desires. Extrinsic motivation, on the other hand, results from the hope of gaining an external reward or avoiding punishment for specific conduct.
Figure 10: Extrinsic vs. intrinsic motivation factors
D’Arcy, Hovav and Galletta refer to an extended version of the theory of general deterrence to find out if information security awareness training affects the perception of company sanctions in terms of severity and certainty. They collected a sample of 269 employees from eight different companies who had received such training and were aware of the presence of user-monitoring software on their machines. Their findings show that the perception of sanctions is more effective in deterring risky behaviour than imposing actual sanctions.
Jai-Yeol challenged the significance of these findings, which use the theory of general deterrence to deal with and predict behaviour related to compliance, because the approaches that are postulated are solely based on extrinsic motivation. The author states that this model lacks the consideration of intrinsic motivation, which is an important aspect and strong driving force of the human character. He proposes a model including both the intrinsic and extrinsic motivators of human behaviour. Analysis of a sample of 602 employees revealed that approaches relating to the intrinsic motivation paradigm led to a significant increase in compliant employee behaviour over approaches relating to the extrinsic motivation model.
Another theory – the cognitive evaluation theory – supports the importance of intrinsic motivation. It can be used to predict the effects that rewards have on intrinsic motivation, specifically when these rewards are of a tangible nature, such as awards and prizes, as opposed to verbal rewards or recognition.
Following this theory, when rewards are perceived as a means of controlling behaviour, they have a negative effect on intrinsic motivation. A recipient’s sense of autonomy and self-determination will decline when they feel that they are being controlled.
Additionally, the cognitive evaluation theory also explains why verbal or non-tangible rewards have positive effects on intrinsic motivation. In order for employees to feel increasingly like they are skilful at completing certain tasks and that their performance has been positively evaluated by their supervisors, non-tangible rewards of this type must be delivered in a way that is not perceived as coercive. This type of reward system would boost employees’ performance and determination as a result of increased intrinsic motivation.
Within an information security context, this theory recommends adoption of a positive, non-tangible reward system to attain constructive behaviour regarding security policy compliance.
All of the above theories suggest that to effectively protect companies’ assets, the security professional should develop and implement security policies not only to ensure formal compliance with legal and regulatory requirements, but also to ensure that the motivations and attitudes of users are also considered.
Policies should be designed in a way that reduces the mental and physical workload of users by fostering intrinsic motivation, while reducing extrinsic motivation or deterrence. Security professionals and policymakers should keep the employee’s perspectives in mind and at the very core of their approaches to designing security policies.
Build a defence programme against insider threats
All organisations are vulnerable to insider abuse, errors or malicious attacks. These can impact reputation, operations and profitability, and expose data, harm the organisation, or deliver valuable intellectual property into competitors’ hands.
Insider Threat – A Guide to Understanding, Detecting, and Defending Against the Enemy from Within looks beyond perimeter protection tools and details how to build a defence programme using security controls from the international standards ISO 27001 and ISO 27002, and NIST SP 800-53.