By Billy Hurley
A Washington State University report found that both fear and a sense of responsibility are effective security motivators. But fear works a bit better.
“When fear is high, violating policies will be low,” said Robert Crossler, information systems researcher and associate professor at Washington State University’s business school.
Scare vs. care. The report, published in Computers & Security, explored two motivational ideas:
- Protection motivation theory (PMT) encourages secure behaviors through fear appeals. (An employee says, “I must encrypt data so it’s protected from compromise!”)
- Stewardship theory motivates through unforced, reciprocal moral responsibility. (An employee says, “I care about the organization’s data as if it were my own.”)
The researchers offered three scenarios to the 365 IT professionals that completed the survey, all involving a fictional guy named Terry:
- Terry goes against policy and copies sales-report data to a USB drive. (Come on, Terry…)
- Despite company policy requiring employees to log out of workstations, Terry keeps his account logged in to save time. (Really, Terry?!)
- Terry, away on business, decides that sharing a password could save his coworker a lot of effort. (Terry, no!)
The survey, in effect, asked: Would you be like Terry?
Yes, fear. With each scenario, the researchers asked a variety of questions, including ones designed to gauge a respondent’s fear. (If I did what Terry did, how worried would I be about the prospect of losing organizational data?)
Respondents who indicated that they were afraid of a given scenario were more likely to follow proper infosec policies, according to the report’s data. “The strongest predictor of people violating [policies] was that sense of fear of ‘If this happened, it would be bad,’” said Crossler.
Security professionals have frequently added “FUD,” or fear, uncertainty, and doubt, to their awareness training, especially with threats like ransomware, which can lead to high financial costs.
“Because it’s such a randomized attack vector, the next thing that I usually try to communicate is, ‘This can happen to you.’ And if it does happen to you: ‘Do you want to be responsible for the company paying a lot of money to get the files back?’” said Anthony Oren, CEO of Nero Consulting, to IT Brew back in June.
A snap poll from IT Brew showed that 78% of readers said fear is a powerful security motivator.
Less fear. The soft approach has a place, too. The Washington State University study also asked stewardship-focused questions—to gauge feelings of group loyalty over personal gain, for example. If a respondent felt connected to the organization, they often were likely to follow proper policy, but at a lesser rate than the slightly frightened.
“It amplified what protection motivation theory was doing, but it wasn’t as strong,” Crossler told IT Brew.
The findings demonstrate the importance of both approaches—one that can be supported by cooperative efforts, especially for remote workers who may feel disconnected at home.
“You really do need to have both: that fostering, team-building environment along with, ‘Hey, there’s this importance to protect this data to avoid something catastrophic happening,’” said Crossler.—BH
Read the original post at https://www.itbrew.com/stories/2023/01/31/a-helpful-security-motivator-fear