Applying risk homeostasis
Information security is the application of risk management principles to information technology, so we should expect that results from the broader field of risk management will also prove useful when specialized to information security. The concept of "risk homeostasis," as defined by Gerald J. S. Wilde in his book Target Risk, may be such a principle. Risk homeostasis theory tells us that we need to modify the behavior of employees to have an effective information security program, something which is often overlooked in the design and implementation of such programs.
The principle of risk homeostasis tells us that people feel comfortable with a certain level of risk in their lives. So if one type of risk is somehow reduced, people will tend to adjust their behavior to compensate, perhaps accepting additional risks as they do so. Wilde's research indicates that this happens in many cases.
If risk homeostasis is indeed an inescapable part of human behavior, as Wilde suggests, then we can expect it to apply to the use of information technology as well. Traditional techniques of minimizing risk usually involve the "triple-E" of engineering, education and enforcement. On the other hand, risk homeostasis theory tells us that the motivation of users is the most important factor to consider, yet traditional approaches do little or nothing to address this, and may just reallocate risk instead of reducing it.
Risk homeostasis theory provides a way for using motivations to affect behavior, and Wilde's research has found a number of characteristics of successful risk reduction programs that are common to many such programs. Incentives play an important role in such programs, and are particularly effective at changing behavior. The common characteristics of successful risk reduction programs include the following:
- Managerial vigor. Managerial commitment to a program should be obvious and reinforced often. This applies to any program, and information security is no exception.
- Rewarding the bottom line. An effective incentive program should reward the outcome instead of the intent. So it is better to measure the number of computer viruses that an organization is infected with rather than the percentage of computers equipped with anti-virus software.
- Rewards must be attractive. Incentives to employees that successfully reduce the number of security incidents could include cash, shares of stock, extra privileges or extra holidays. Rewards do not have to be large to be effective.
- Progressive incentives. It is more than four times as difficult to remain free of security incidents for one year than it is to remain free of security incidents for one quarter. So a reward for a complete year with no security incidents should be more than four times as great as the reward for no security incidents for a single quarter.
- Simple rules. A successful information security program should be kept simple and easily understandable to all employees who it affects.
- Perceived equity. The rewards of an incentive program should be perceived as equitable by those employees that it affects. Employees who are not eligible for an incentive for some reason should not resent the incentives received by those who are eligible.
- Perceived attainability. Goals for which incentives are offered should be attainable. If goals are unattainable, some people will not make an active attempt to meet the goals. A goal of no security incidents at all is probably unattainable, so a more realistic goal should be used instead.
- Short incubation period. The time period for which an employee needs to remain free of security incidents in order to be eligible for an incentive should be relatively short. Delayed incentives are not valued as much as ones which are immediate.
- Reward both group and individual performance. Incentive programs should be designed so that they strengthen peer pressure towards a goal of effective information security. Incentives to entire groups as well as to individuals are also useful to this end.
- User participation in program design. Any incentive system should be developed in cooperation with those who will be affected by it. People are more likely to achieve goals that they have helped define.
- Prevention of incident under-reporting. An effective incentive program should counter any tendencies to not report security incidents. If a computer is infected by a virus, for example, not reporting the incident should be penalized more than just getting a virus.
- Reward all levels of an organization. Workers, supervisors and middle-management should all be eligible for incentives for meeting their information security goals. This creates a more cohesive and pervasive orientation towards being security-aware.
- Appropriate information security training. Although training for security is different from motivating towards security, some studies suggest that it is helpful for employees to be told what specific behaviors will help avoid security incidents.
- Maximize net savings or benefit/cost. In planning an incentive program, there will not be enough resources to reward all behavior, so some thought should be given to the question of exactly which behaviors are rewarded. Be sure that the behavior that is encouraged is that which provides the greatest return for the organization.
- Effective research. Like any health and safety program, an incentive plan for information security should not be casually introduced. Understand what factors an incentive program can affect, the benefits from the possible changes, as well as the costs of doing so, before implementing any incentive program.
By using an incentive program with the characteristics that Wilde's research indicates are the most effective, you may maximize the chances of changing employees' behavior so that information security risks are minimized. You might want to give such elements serious consideration when reviewing the status and future direction of existing information security programs.