Carrot or Stick?
Examining What Motivates Workers’ Security Compliance
Professor Robert Crossler’s research suggests informed managerial decisions can help employees better understand security policy violations and make the right decision.
Photo by WSU Photos Services
Fear of what could go wrong is the greatest motivator when it comes to getting remote workers to protect their employer’s information technology security, according to a recent study in Computers & Security. But it tends to work best when employees also have a solid understanding of the severity of potential security threats, including the knowledge of what to do when the worst happens.
As millions of Americans continue to work remotely, the research provides employers with key insights to keep their valuable information safe.
“Employees need to feel a security breach is a big deal if it happens, so the number one thing employers can do is clearly communicate what the threats are and how serious they could be,” says Robert Crossler, a corresponding author and chair of the Carson College Department of Management, Information Systems, and Entrepreneurship. “For most people, this is not their job. Their job is to make or sell something, not to make good security choices, even if it’s critical for their organization.”
Comparing approaches for motivating security compliance
For the study, the researchers examined and compared two approaches for motivating security compliance behaviors in a changing work environment.
The first is protection motivation—a theory suggesting organizations can encourage secure behaviors through fear and threat messages, and by promoting employees’ ability to respond to a particular threat. The practice, which often utilizes surveillance to monitor employee actions, has been used effectively for decades to deter people from engaging in risky behaviors at work and to discourage unhealthy practices such as smoking or having unsafe sex.
The second is stewardship theory, in which an organization motivates the employee’s behavior through a sense of moral responsibility rather than by force. For example, management encourages the employee to buy into the organization’s overall vision while giving them support to act independently when confronted with a security threat.
Helping employees make the right decision
For the analysis, 339 people who worked at companies with IT security policies were surveyed with three scenarios describing common policy violations relevant to remote work, such as the use of unauthorized storage devices, logging off a sensitive account when not in use, and refraining from sharing passwords.
Respondents indicated their likelihood to act in a certain way based on various protection motivation and stewardship theory factors. The study showed fear and threats emphasized in protection motivation theory were far more effective at preventing employees from violating security policy than a strictly stewardship-based approach.
The researchers also considered a security approach that integrated factors of both theories.
They found that collectivism—or promoting mutual benefits of good behavior for both the employee and the employer—helped increase the efficacy of protection motivation theory-based methods.
“Basically, we found that the more workers felt that their organization’s resources were their own, the more likely they were to protect its security policies,” Crossler says. “While stewardship theory didn’t work as well as protection motivation, our results suggest managerial decisions informed by a stewardship perspective can help employees better understand security policy violations and make the right decision.”