Measuring the Impact of Intrinsic Motivation on Information Security Policy Compliance

Abstract

The growing number of security breaches has become a major concern in organisations. Most often, such security breaches are related to internal employees due to their indirect or direct actions leading to information security policy (ISP) violations. Therefore, understanding employees’ intrinsic motivation and security behaviour towards ISP compliance is critical. Previous studies have identified different types of extrinsic motivation, such as complying with an ISP to avoid sanctions. This research adds an important contribution: intrinsic motivation is a more effective motivator because deterrence does not have a significant effect on employee behaviour. This thesis proposes a model which predicts that intrinsic motivation influences intentions towards ISP compliance. A combination of qualitative and quantitative approaches was used to evaluate the model via five stages. Each stage was developed in light of the results of the previous stage. The first stage was conducted within a Saudi Arabian Fortune 600 organisation. The study found that Self-Determination Theory (SDT) components (autonomy, competence and relatedness) had a positive effect on intentions to comply with ISPs. The second stage used a qualitative semi-structured interview within the same organisation to carry out more investigation into the organisation’s cyber security practices. The interviews revealed that no effort had been made to design ISP awareness drives to foster intrinsic motivation to comply. The third stage was conducted within the same organisation to obtain responses from their cyber security decision makers; here the weights for the SDT components and intention to comply for measurement purposes in stages four and five were identified. Next, the model was validated by participation in the Decisions & Disruptions (D-D) awareness game. 
The assertion is that by playing the game employees can increase their awareness, enhance their motivation and, possibly, improve their intention to comply with ISPs outside of the game. The D-D game was used because of the difficulty of analysing behaviour rather than intention to comply. The goal was to determine whether intrinsic motivation, improved through playing the game, had a positive effect on intention because it plays a role in influencing behaviour. The D-D game was developed by Professor Awais Rashid and his team at the University of Bristol. They used the game only to investigate cyber security decision-making, but this research has applied the game in a different direction by using SDT to study human security behaviour. Stages four and five were conducted in the UK and Saudi Arabia to investigate whether the intrinsic motivation to comply with ISPs can be influenced by subjects playing the game, increasing their awareness and possibly improving their ISP compliance after gameplay activity. Overall results confirmed that all SDT components are positively influenced by experiencing the game and have a positive effect on the intention to comply with ISPs.

Copyright owned by the Saudi Digital Library (SDL) © 2025