
Know How To Motivate Your Personnel To Protect Information

Not everyone has the same motivation to secure the information they handle or access while they are working. This is something very important for information security and privacy practitioners to understand, but unfortunately too many do not think about motivation factors when creating and managing their information security, privacy and compliance programs.

I wrote about this a few years ago in my article, "Compliance Motivation: The Info Security Diet."


Many of the concepts I discussed stem directly from Maslow's Hierarchy of Needs.

Unfortunately most organizations do not stop and think about WHAT motivates their personnel to secure information (or do any other activity they want them to do, for that matter), but it is definitely important to consider.

I was reminded of my 2004 article today while reading a review of "Peak: How Great Companies Get Their Mojo from Maslow."

Too many times organizations put policies out to their personnel and don't think about how to motivate personnel to follow them.

Too many times organizations do not think about the different motivations for their personnel when putting together their training and awareness programs.

I'm reminded of so many people I've worked with over the years.

* In one organization there was a man who had worked in the mainframe support area for a very long time; he's still there and has been in the exact same position for over 20 years. Not one promotion in 20 years! He's happy!! He gets to work right at 8am and leaves right at 4pm. You could set your watch by him. He does no overtime. He does not want to learn anything new. He just wants to do his very specialized mainframe work and nothing else. Sometimes he dozes off at his desk. Why does the company keep him? Because he has deep knowledge and skill in his very specialized topic that the company could not find in anyone else. He has no ambition to do or learn anything more. What motivates him to keep information secure?

* In another organization the information security area used contract workers to do security authorization builds and changes. They typically had 6 - 8 contract workers doing this at any one time. Most of the contracts were for 6 months, and then up for renewal. Most of the contract workers were also right out of college. They often spent their lunch times and any free time they could steal to update their resumes, talk with potential full-time employers on the phone, and do other activities to find a permanent job. What motivated these contract workers to keep the company's information secure? They knew they wouldn't get any promotions, raises, or vacation days. They didn't have a personal investment in the business. They could possibly get a full-time job at the end of their contract, but they knew, based upon the other previous contract workers doing the same work, that it was not likely.

* In another organization the full-time accounting staff are fairly secure in their positions. They have a clearly defined job path that could lead to an executive position. They sometimes have to work overtime under their established salaries. They value their raises and vacations. They really like to get certificates and other tokens of appreciation. They want the business to succeed so they will succeed. They are always looking for ways to get continuing professional education hours to help support their various certifications. What motivates these personnel to protect and appropriately safeguard the information they handle?


I've seen these three specific types of folks...and many more. The different groups all require a very, very different motivation for complying with the information security policies and for safeguarding information during their work. These motivators HAD to be a factor within the information security, privacy and compliance program! These motivators had to be addressed within the training and within the ongoing awareness communications.

Do you know what motivates the different types of personnel within your organization? Do you know what you need to communicate to them, or reward them with, or penalize them with, to get them to appropriately safeguard your information?

This aspect of social psychology is a very important consideration to include within a successful information security, privacy and compliance program. I cover the many different motivators within my article from a few years ago; they are still applicable in today's business environments.

What is *YOUR* motivation for doing something other than your defined job responsibilities? I'd like to know! Please take the poll on the right side of this screen...you may need to scroll up or down a bit.

It will be very interesting to see what your collective opinions are about going above and beyond your documented job responsibilities. Knowing such attitudes is key to helping you understand the motivation that needs to be applied to your personnel within your information security, privacy and compliance efforts.


Comments

Hi Rebecca.

Your blog entry is very opportune: I'm writing about compliance for our next security awareness module, and struggling to find anything positive and upbeat to say about it. "Comply or be fired or go to jail!" is hardly the most inspiring and motivational approach, at least for some!

What motivates *me* is an innate sense of right and wrong, instilled by a 'strict but fair' upbringing and the usual range of ups and downs since leaving the family nest - a set of personal values that places trust and integrity high on the list. It's probably a key characteristic of my Myers-Briggs personality type ... but I bet the other 15 types are not quite so hung up on it. How do I find out what drives *them*? How do I appeal to *their* sense of right and wrong?

I guess there is no universal solution, meaning that the awareness materials need a range of approaches. Some people just need to be told. Others need persuading. Some will probably be entirely opaque to the idea. It gets messy real quick.

Thanks for the list of 25 motivators in your info sec diet paper. It's good to get a psychologist's view on this. How many of those motivational factors did you figure out from teaching your children stuff, I wonder?

Best wishes,
Gary

Thanks for your message, Gary!

I definitely agree; awareness communications must be widely ranging in approaches to have a positive impact on the organization's security and privacy efforts.

I'm glad you liked my paper! Yes, many of the motivational factors come from raising, and teaching, children, but also from building an information protection program within a large organization.

But, upon second look, most of the motivational factors are really reinforcing, through experience, the research discussed years ago by such pioneering folks as Donn Parker and others.

Rebecca


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.