Researchers found that fear of what could go wrong is the primary driver in getting remote workers to protect IT systems.
When it comes to relying on remote employees to keep IT systems secure, there are two basic approaches organizations can take. One, the protection motivation theory, uses fear as a deterrent. The other relies on workers’ sense of stewardship or moral responsibility.
Researchers at the Washington State University tested the two approaches and found that fear of what could go wrong is the better motivator in getting remote workers to protect IT systems, especially for workers whose job is unrelated to IT security.
Employees need to feel that a security incident is “a big deal if it happens,” Robert Crossler, one of the study’s authors and an associate professor in the Carson College of Business, told WSU Insider. “So the No. 1 thing employers can do is to clearly communicate what the threats are and how serious they could be.”
For the study, the researchers compared how effective each of the approaches were in encouraging secure remote work habits. They surveyed 339 workers about one of three common IT security policy violations: storing data on unauthorized devices, logging in and out of sensitive accounts and sharing passwords. After reading one of the scenarios, each respondent indicated how they’d behave based on various protection motivation and stewardship theory factors.
The protection motivation theory encourages secure behavior by sending threat messages or by appealing to workers’ fears. It often uses surveillance to monitor workers and deter them from engaging in risky behavior. According to the theory, users assess the threat and their ability to react to it when choosing whether to follow policies.
Stewardship theory, on the other hand, tries to motivate responsible behavior by appealing to employees’ sense of moral responsibility. This approach encourages staff to commit to the organization’s security guidelines and gives them the training and tools to recognize and report a security threat.
While practicing good cyber hygiene when working from home might seem to spring from feeling related to stewardship, the study showed that a management approach that emphasized threats and consequences was more effective at preventing security policy violations.
Crossler and his colleagues also considered a security approach that integrated aspects of the two theories and found that emphasizing the “mutual benefits of good behavior for both the employee and the employer, helped increase the efficacy of protection motivation theory-based methods,” the article stated.
“Basically, what we found was that the more workers felt that their organization’s resources were their own, the more likely they were to respond in the desired way,” Crossler said.
“This is really the first study that brings stewardship theory and protection motivation theory together in the context of IT security for people working from home,” Crossler said.
While the idea of stewardship on its own was less effective than protection motivation, “results suggest that managerial decisions informed by a stewardship perspective can help to provide a further understanding of security policy violations that motivates employees to make the right decision,” he said.
The study, which appeared in the January 2023 issue of Computers & Security, was conducted in collaboration with researchers at the University of North Texas and Oklahoma State University.
Editor's note: This article was changed Jan. 24 to correct the name of the researchers' university.