What’s the difference between holding that door open for a stranger and checking their badge? Between using a complex password and reusing the same old password you’ve had for years? Ultimately, it’s motivation—the belief that your actions in support of a secure workplace matter and merit changes in behavior.
Much is made of motivation in security awareness training, so in this two-part post, we’ll take a closer look at what that involves, and how the awareness program can address it. For starters, it is essential to recognize that the ultimate goal of any security awareness program is to motivate everyone in the company to adopt the behaviors that ensure good privacy and security practices. This outcome requires a coherent training and reinforcement program, delivered over time, and with a consistent message that reaches people in meaningful ways.
So just whose motivation are we talking about? After all, some people are already plenty motivated by security concerns: the CSO, driven to meet compliance mandates, is motivated to achieve security awareness for the organization; the IT organization is motivated to keep systems secure. The bad guys are motivated too. The potential rewards in hacking corporate networks are great, so the attacker has an equally great motivation to succeed. As you can see, some people possess the intrinsic motivation to pay attention to security. But what about regular employees? What motivates them about security awareness? Unless you can motivate employees to care, the advantage will go to the attacker.
And there’s the real challenge of a security awareness program: inspiring and instilling the motivation to practice security-aware behaviors. When it comes to security awareness (and privacy awareness, for that matter), you can mandate training, you can get people to sign a pledge, and you can hold an annual security day, but how can you truly motivate people? As everyone knows, motivation waxes and wanes. It is often fleeting. It’s easily discouraged or defeated. But a mindset, on the other hand, is constant, reliable, and lasting. By instilling a mindset or attitude that values security awareness, you stand a better chance of attaining sustainable, effective competence. A mindset, like a conviction, means you’ll do what you must, even when you don’t feel like it, even when your motivation at the moment is low. Sure, if you apply coercive, punitive, or deceptive measures, you might be able to create extrinsic motivation. But with proper education, stimulus, and environment, and with encouragement, recognition, and rewards, you can foster intrinsic motivation in general employees. To do so, the training and reinforcement program must comprehend these very human dynamics in a holistic way, and purposefully design for them. Properly designed and executed training with reinforcement can overcome the many motivational obstacles to learning, thereby enabling the organization to realize the desired behaviors both quickly and for the long haul. We’ll come back to this in Part II.