Motivation and Self-Determination: Intrinsic Cyber Security

Self-Determination Theory

The Self-Determination Theory (SDT) is a major theory of human motivation and personality that is concerned with supporting our natural or intrinsic tendencies to behave in effective and healthy way.  It posits that the degree of self-determination in relation to one’s behavior is of immense importance for one’s performance and satisfaction.

SDT differentiates three types of motivation, which are on a continuum:

  1. Intrinsic motivation: interest in the activity solely for itself
    • Ideal because people engage in an activity for internal reasons, such as a pleasant sensation and satisfaction experienced from learning, growth and an accomplishment.
    • Found to be the longest lasting and strongest considering environmental adversity
    • Because it is influenced by external factors to a lesser degree, intrinsic motivation is linked to better performance, persistence, and overall satisfaction with the activity
  1. Extrinsic motivation: motives are related to outcomes of activity
    • Less self-determined, as it is driven by external forces, such as benefits, valued outcomes, or social pressure.
    • Although extrinsic motives can be personally important for the individual, and hence reflect the desire to engage in an activity, it is a less preferred state than intrinsic motivation because it induces feelings of obligation (e.g. going to work to sustain income).
  1. Amotivation: lack of any motivation for certain behavior
    • A state of lack of any good enough reasons to continue a given behavior, is related to low performance and dissatisfaction, and hence usually leads to giving up on the activity.

sdt-continuum

Putting it into the context of a cyber security analyst, we may argue that if an analyst is motivated to work for reasons of personal enjoyment and satisfaction (e.g. enjoyment of IT settings, psychological warfare), s/he will sustain high motivation levels longer and will be more resilient towards any adjustment difficulties than an employee who is motivated to work solely because of benefits and future career prospects. Finally, compelling an unmotivated employee to accept an assignment is very likely to result in early termination of the task or other unfavorable consequences.

The theory highlights that the degree of self-determination (intrinsic motives) of human behavior is influenced by the degree to which individuals fulfill their basic psychological needs of autonomycompetence and relatedness.

Autonomy is defined as freedom of choice. In terms of cyber security personnel, the need for autonomy could be fulfilled by providing higher flexibility of remote work, as well as higher responsibility, independence, and less control in terms of the employee’s activity on site.

Competence needs relate to the desire to feel effective in fulfilling a certain task. Positive feedback on a task is found to satisfy the competence need, thus increasing intrinsic motivation to do it further.

Relatedness is defined as the need to feel connected to others. This need can be addressed in many ways, such as mentoring programs, employee integration and socialization activities, and sustained relationships with remote employees.

06e7678ee004cba85f2fb8a2751f4cae--motivation-psychology

Motivating Factors in Cyber Security

Distal Attributes– attributes that people are born; stable, trait-like individual differences and dispositions

Need for Achievement -refers to an individuals’ desire to succeed and achieve goals.

  • Individuals high in need for achievement believe that they are the drivers of their own success.
  • Need for achievement has been noted as an important motivator across positions, in information technology positions more specifically and is likely to predict performance in cyber positions as well.

 

Need for Cognition– reflects the extent to which individuals are inclined towards effortful cognitive activities.

  • Given the cognitive nature of many of the performance requirements of cyber personnel, the best candidates are likely to be those who are motivated towards cognitive activities
  • Along with high cognitive abilities, these individuals have both the drive and intellectual ability to continually develop and absorb the technical knowledge necessary to fulfill their positions’ performance requirements.

 

Proximal Attributes– malleable knowledge and skill that provide the critical link between distal attributes and on-the-job behaviors and performance.

Technical Knowledge-specific technical knowledge areas vary by position.

  • Example:
    • Information assurance compliance personnel: computer network defense and vulnerability assessment tools
    • Legal advice and advocacy personnel: knowledge of recent lows, regulations, policies, standards, and procedures.
    • Computer network defense analyst: intrusion-detection systems tools, computer network defense trend analyses.
  • Individuals high in cognitive ability, need for cognition, and conscientiousness are likely to have both the ability to digest technical information and the drive to seek it out on their own.
    • Technical knowledge serves as the critical link between some of the distal attributes and subsequent cyber security personnel performance.

 

Problem-Solving Skills– complex higher order cognitive process that requires the use of multiple fundamental skills to reach a desired goal.

  • Need to effectively identify indicators of system performance and the actions needed to improve or correct performance relative to the goals of the system.
    • The employee must gather information on the current state of the system (problem identification), compare the current state to the desired state (problem representation), develop a strategy to move the system from the current to the desired state (solution generation), execute that strategy, and monitor its effectiveness
  • Related to fluid intelligence, working memory, and cognitive ability – distal attributes
  • Also facilitated by technical knowledge in the area

 

Contextual Attributes– cyber security workforce environment presents an occupational context in which there is a high degree of pressure and dynamism.

  • Technical advances and software changes require personnel to constantly learn and adapt to a new system
  • Constant vigilance is required to avoid/defend against potential network breaches with the continuous and growing threat of cyber-attacks
  • The high degree of pressure that the industry presents requires coordination between governments and organizations in the effort to take a holistic approach to the cyber security threat.

Social Skills– social interactions

  • Investigative positions explicitly require interaction with witnesses
  • Legal positions require interaction with policy makers
  • Transportable social skills:
    • Moral building
    • Conflict resolution
    • Information exchange
    • Task motivation
    • Cooperation
    • Consultation with others
    • Assertiveness

 

In hiring and retaining cyber personnel, evaluating the interconnectedness between an individual’s levels of autonomy, competence, and relatedness that leads them to a higher degree of self-determination, and thus, a higher probability of job performance and satisfaction, should be a focus for hiring managers going forward.

Distal attributes, those that the individual are born with, are stable, and vary slightly throughout the individuals life, can be analyzed to better understand the individual’s sense of autonomy.  As both Need for Achievement and Need for Cognition are individualistic traits that pertain to one’s particular way of thinking about and attraction to challenging tasks, having an understanding of how employees tend to display these attributes, highly praising the one’s that champion these qualities as an example to others, can be a strategy to retain the most in-demand employees as well as encourage others to follow suit in their manners and behaviors.

Proximal attributes, malleable knowledge that the organization has more control over to shape, are related to the cyber individual’s level of competence.  Technical Knowledge and Problem-Solving Skills are essential in the cyber security industry where new technologies, vulnerabilities, and threat-actors come into play on a daily basis.  Organizations should provide continuous on-the-job training to continuously keep up with the demands of the industry.  By doing so, they are ensuring that their employees retain a level of competence that they need to feel internally to be as effective as possible in fulfilling a certain task.

Lastly, contextual attributes are a facilitator for the relatedness that an individual must feel in order to reach the desired state of self-determination.  The context of one’s work in the cyber security industry in fluctuating, depending on what the days challenges have brought.  As the industry in progressing, sharing information across governments and corporations provides the knowledge sharing and relatedness that is necessary.  Encouraging this type of knowledge transfer, both internally and through open-source and community platforms, is yet another opportunity for cyber personnel to feel the relatedness that leads them to self-determination.

Cyber security jobs are complex and dynamic, and require a high degree of flexibility.  As cyber employees must be agile as well as dynamic, understanding how their degree of self-determination allows them to be successful at their jobs should be focus for managers going forward to retain and celebrate the talent that display these attributes and further encourage the distribution of these qualities throughout the organization.