فراتر از ترس یا تمایل؟ به سوی درک بهتر از انگیزش کارکنان به دنبال سیاست های امنیتی

Given the significant role of people in the management of security, attention has recently been paid to the issue of how to motivate employees to improve security performance of organizations. However, past work has been dependent on deterrence theory rooted in an extrinsic motivation model to help understand why employees do or do not follow security rules in their organization. We postulated that we could better explain employees’ security-related rule-following behavior with an approach rooted in an intrinsic motivation model. We therefore developed a model of employees’ motivation to comply with IS security policies which incorporated both extrinsic and intrinsic models of human behavior. It was tested with data collected through a survey of 602 employees in the United States. We found that variables rooted in the intrinsic motivation model contributed significantly more to the explained variance of employees’ compliance than did those rooted in the extrinsic motivation model.

Security incidents can have a negative impact on the market value of a firm. Goel and Shawky [3] found that firms experienced a 1% decrease of market share after the announcement of a security breach. Surprisingly, many incidents are perpetrated by organizational members (inside the firewall). In this sense, employees at all levels are the weakest link in information security. Employees can be a threat because they can be involved in intentional abuse (e.g., data theft, data destruction, etc.) or unintentional or accidental events (e.g., forgetting to change a password, forgetting to log off, etc.). Such acts are often referred to as IS security non-compliance behavior [13]. As they have direct access to the network of the organization, employees often become the target of thieves or hackers who attempt to use social engineering techniques to gain access to an organization's information. Nonetheless, many organizations underestimate the importance of managing human functions and rely heavily on technological solutions to their IS security. Most organizations develop their security programs without first considering the human aspect of their exposure to security breaches. As pointed out by Siponen and Vance [9], studies in this area have relied heavily on general deterrence theory (GDT) as a theoretical basis for understanding why employees follow (or do not follow) an organization's IS security policy (ISSP) (e.g., [1], [4] and [6]). Thus deterrent certainty and deterrent severity of GDT have been touted as effective strategies in preventing employees from misusing the information assets of their organizations. However, the efficacy of this theoretical solution has been questioned because studies have reported mixed results about the impacts of them as effective regulators of employees’ conduct. Studies in organizational behavior that are drawn from the social psychology literature on human motivation have often explained employees’ rule-following behavior with two motivation models of human behavior [12]: one is an extrinsic motivation model (focusing on the perceived consequences, such as punishment or reward, of breaking the rules) and the other is an intrinsic motivation model (holding that employees follow the rules because of their innate desire to follow the rules). Past research found that the intrinsic motivation model better explained employees’ rule-following but the current research stream has been built on GDT and therefore is closely linked to the extrinsic motivation model. Despite its potential to explain employees’ security-related behavior, the intrinsic motivation model has not received due attention in the literature. We argued that we could improve our ability to explain employees’ violations of security-related rules with the intrinsic motivation model. Our study, by focusing on the both the extrinsic and intrinsic models, was constructed to offer a theoretical explanation for why employees do or do not follow their organization's ISSP. In particular, two salient variables were identified for each model: perceived deterrent certainty and deterrent severity for the extrinsic model, and perceived legitimacy and value congruence from the intrinsic model. They were assumed to be the determinants of employees’ behavior. The study also examined the relative contributions of the two models in understanding employees’ ISSP compliance behavior. Thus our stimulating question was: Do employees comply with an ISSP mainly out of fear (the extrinsic motivation), desire (the intrinsic model), or both?

There were, of course, several limitations to our study. First, because of its cross-sectional design, we cannot eliminate the possibility of alternative causal arguments. That is, the strong relationships found in study could represent the effect of past behavior on employees’ currently held perceptions. Second, the self-report method through which both perceptions and ISSP compliance behavior were obtained from a single respondent could introduce a CMV issue; our study would have been strengthened if we had obtained independent and dependent variables from different sources. Third, although we relied on prior research to identify the two most salient variables for each of the extrinsic and intrinsic models, we cannot exclude a possibility that other important variables have been omitted. Our study would have been better if we had a more complete set of variables for each of the models of human behavior. Finally, we cannot exclude a possibility that the effects of some potentially important variables were not present in our analysis: our results may have been more robust if we had controlled for the effects of other potentially important variables, such as job position, job characteristics, and professional membership. In addition, the type of industry could have been included to explain the variance of ISSP compliance to a greater extent. The findings of this study empirically supported our assertion. We found that factors rooted in the intrinsic motivation model have even stronger effects on employees’ compliance with ISSP than those rooted in the extrinsic motivation model.