Magazine article Risk Management

Motivating the Workforce to Support Security

Article excerpt

It is a serious game we play in information security. It is also unfair. Attackers have the distinct advantage. They are intensely motivated to succeed in their single, selected effort at a specific time and target with no concern for collateral damage. Meanwhile, the victim organization requires workers, contractors, partners, customers and suppliers to defend all vulnerabilities and assets at all times and in all workplaces, while continuing to perform their assigned tasks. The key, both for successful attacks and successful security against attacks, is motivation. In order to mount an effective defense, organizations have to increase their motivation to a level comparable to that of the attacker.

Job performance motivation in the modern workforce is based on benefits such as salary, commission, contractual payments, bonuses, perks, recognition and job advancement. Advancing the profitability, productivity and growth of the enterprise to produce more and better widgets is what counts. As a result, many workers view security as contrary to their job performance. An employee can work faster and better by not making backups, using pirated software and failing to securely store sensitive information.

Organizations must remove this conflict between job performance and security constraints by making security a part of workers' job performance assessments. Information security must join job advancement and financial compensation as the primary motivators of employment.

Failure of Risk Reduction as a Motivator

Security awareness is based mostly on the objective of risk reduction. Awareness programs tell employees that their security efforts and security constraints on their work are necessary to reduce the high risk of great losses. When awareness is increased and losses do not occur, however, it is seen as unnecessary. Thus, awareness diminishes until losses start increasing and the cycle repeats.

Risk is intangible and its materialization is not observable until it is too late. Since risk reduction cannot be accurately or definitively measured, it is not an effective motivator. It is easier to motivate people by emphasizing the positive and measurable objective of due diligence with rewards rather than the negative approach of risk reduction.

Due diligence involves using generally accepted good practices, meeting the requirements of laws and regulations, enabling electronic business, achieving security effectiveness relative to others' efforts (including competitors) and satisfying the demands of customers and shareholders. It is achieved by benchmarking and using the current body of knowledge and requirements on safeguards.

Motivation Enhancement

An organization must move beyond security awareness and develop a security motivation program along with or as a part of a continuing awareness effort. It should employ the following motivators:

* Anticipation and receipt of rewards

* Fear and experience of penalties

* Ethical and honest business convictions

* Personal or public loss experience

* Dedication to employer and profession for continued employment

* Protection of personal investment of effort, money or other assets

* Protection of personal and employer's reputations

* Competitive desire to excel beyond peers

* Expediency and convenience

Rewards and penalties are powerful job performance motivators for any employee/employer relationship. They are also the only ones that are controllable, so they can be used to motivate security as well.

Rewards usually involve job advancement, praise and recognition, and financial remuneration (often in the form of specific bonuses for exemplary behavior). They can also be prizes for exemplary security performance--for example, winning a competition among groups for the fewest guard-reported or auditor-reported security lapses or for the highest number of continuous days without a lost-time incident. …
