Techniques for Motivating Secure Behaviors

The problem of motivating employees to do the right thing in security is an increasingly hard one.  Many companies have developed cultures that worked well prior to the digital age,  but are no longer applicable, and often detrimental to information security.

We live in a money-motivated world, but not all motivation happens due to money.  Fairness, decisiveness, giving praise, and constructive criticism can be more effective than money in the matter of motivation.  However, they cannot be relied upon for all motivation.  There needs to be a well-balanced system of rewards.  Rewards generally improve productivity by 20% to 30%. This is nearly twice as much as that attained by goal setting or job-redesign

Rules for praise and punishment

Both praise and punishment should follow the same three rules.

  1. Promptly
  2. In specific terms
  3. The behavior, rather than the person, should be praised or reprimanded

Reward Rules

  • A reward should be quick.
  • A reward should be significant.
  • The goals and rewards must be; known, understandable; and attainable.
  • The reward must be distinctly and directly related to performance.
  • A reward should be irrevocable.
  • A reward should be compatible with job measurement.

Stick or carrot?  Punishment has left the working class feeling discontent and has increased the hostility between management and employees.  The “carrot” approach, however, has increased productivity and worker satisfaction by giving rewards to employees when they do a good job.

What motivates employees?

A study carried out by the US Department of Labor among 1500 workers asked the workers to rate 23 job factors in order of importance to them (Sanzotta (1977).  This information is useful in determining how to motivate behaviors.   It is presented in the table below.

White-collar employeesBlue-collar employees
1.      Interesting work

2.      Opportunity to develop special abilities

3.      Enough information

4.      Enough authority

5.      Enough help and equipment;

6.      Friendly and helpful coworkers

7.      Opportunity to see results of work

8.      Competent supervision

9.      Responsibilities clearly defined

10.  Good pay

11.  Good pay

12.  Enough help and equipment

13.  Job security

14.  Enough information

15.  Interesting work

16.  Friendly and helpful coworkers

17.  Responsibilities clearly defined

18.  Opportunity to see results of work

19.  Enough authority

20.  Competent supervision



About The Author


Eric Vanderburg

Eric Vanderburg is an author, thought leader, and consultant. He serves as the Vice President of Cybersecurity at TCDI and Vice Chairman of the board at TechMin. He is best known for his insight on cybersecurity, privacy, data protection, and storage. Eric is a continual learner who has earned over 40 technology and security certifications. He has a strong desire to share technology insights with the community. Eric is the author of several books and he frequently writes articles for magazines, journals, and other publications.

Leave a Reply