How do you get remote workers to take cybersecurity seriously? There’s coaching and coaxing, sure, but there’s also just scaring the holy living heck out of people.
A recent study in the journal Computers and Security suggests just that, saying that fear is the most effective motivator in getting remote workers to be mindful of cybersecurity practices.
The study used a sample of 339 people who work at companies with IT security policies. They were recruited to answer a scenario-based survey describing common policy violation scenarios relevant to remote work, covering the use of unauthorized storage devices, logging off sensitive accounts when not in use or sharing a password. Each respondent read one of the three scenarios, assigned at random, and then indicated their likelihood to act in a certain way based on various protection motivation and stewardship theory factors.
The purpose was to assess the effectiveness of two approaches: a protection motivation, where organizations encourage secure behaviors through fear appeals, threat messages and promoting self-efficacy (the ability to respond to a particular threat), and a stewardship motivation, where organizations motivate the employee’s behavior through a sense of moral responsibility that is not forced. The study found that, for remote workers, the former was more effective than the latter.
“Employees need to feel this is a big deal if it happens, so the number one thing employers can do is to clearly communicate what the threats are and how serious they could be,” said Robert Crossler, corresponding author for the study and associate professor in the Carson College of Business at Washington State University. “Because for most people this is not their job. Their job is to make something or sell something, not to make good security choices, even if it is critical for their organization.”
However, much as Machiavelli said that a prince is ideally both feared and loved, the researchers found that a combination of both protection and stewardship motivations works better than either one alone. The authors dubbed their amalgamation of the two approaches “Security motivation,” which focuses on a sense of collectivism that emphasizes the mutual benefits of good behavior for both employers and employees.
“Basically, what we found was that the more workers felt that their organization’s resources were their own, the more likely they were to respond in the desired way,” Crossler said. “Instilling a sense of collectivism in employees is only going to help enhance people’s likelihood of protecting security policies.”
This is especially so in light of other findings, which said that leaning too hard into a fear-based approach can lead to people rebelling and actively seeking to circumvent security measures, such as monitoring software. As a result of their analysis, the authors recommend that companies consider removing or reducing surveillance practices that are a common aspect of protection motivation theory. Where such removal is impracticable, employers should consider providing employees with contextual reasons for performing such monitoring.