					       ENVIRONMENT, MOTIVATION, AND SYSTEM HARDENING

                                       Jordan Shropshire

                                             Abstract

The present study provides a theoretical basis for understanding the determinants of system
hardening performance. Using self-determination theory (SDT), an integrated motivational
model is developed and tested. The constructs systems familiarity and threat awareness are included
as antecedents of competence and autonomy and as indirect determinants of self-determined
motivation. In turn, the latter impacts system hardening performance. An empirical study for
analyzing this model was conducted. Some 179 current and potential systems administrators
completed surveys and hardened Linux webservers in a controlled laboratory environment. The
results confirm the proposed relationships. The model accounted for 33.3% of the variance in
motivation and 17.2% of the variance in system hardening performance. Implications for
research and practice are discussed.
	
  
Keywords: Security, environment, motivation, system hardening, perceived competence,
perceived autonomy, security awareness, system familiarity, threat awareness
  

	
                            	
  





                                             INTRODUCTION

In the modern, hyper-connected business environment the effects of poor information security have

become quite salient. US firms annually lose hundreds of millions of dollars to unexpected system

downtime and data loss or compromise (Richardson 2010). Customers also suffer because the privacy of

their data is jeopardized (Son and Kim 2008). Corporate investors note the effect of security breaches

when stock shares lose value (Gordon and Loeb 2002; Ko and Dorantes 2006). In sum, information

security breaches have devastating consequences (Tsiakis and Stephanides 2005). This is unfortunate

because many information security incidents could be avoided if systems were properly hardened

(Gordon et al. 2011; Siponen et al. 2009).

        Hardening is the process of securely configuring a system (Paquet 2009). The purpose is to

protect the information system against unauthorized access, intruders, malware, hackers, viruses, and

other vulnerabilities (Kaeo 2004). The procedure begins with a methodical review of the components

necessary to provision a particular information service. The hardware, software, data and procedures

which are most susceptible to accidental or purposeful compromise are identified. The most secure

configuration for each flagged component is then determined. This may involve extensive research or

consultation with industry standards and regulations. Reconfiguration steps are then taken. Service

assurance levels increase when the plans are implemented. Hence, a relatively weak system is “hardened”

when security risks are reduced.

        The scope, formality, and frequency of system hardening are variable (Jacobson 2009). As a

general practice, system-wide security exercises are conducted on a quarterly or annual basis (Fink et al.

2006). This may involve outside security consultants in addition to the entire IT department. Besides

securing systems, the outcome of the process may include reports and formal presentations to

management. The procedures also occur less formally on an ongoing basis. New hardware or software

may be introduced or existing components may be reconfigured. When such system changes occur, it


becomes necessary to ensure business continuity by conducting system hardening. Involvement may be

limited to only those responsible for the specific system components. For instance, following the

transition from IPv4 to IPv6 only the networking team may dedicate time towards hardening the

protocols and routing processes which have been affected. Or, after a major website upgrade a single

database administrator might engage in precursory hardening to prevent SQL injections.

        System hardening is a relatively complex task (Panko 2004). A systems administrator must be

capable of thinking through multiple system layers in order to identify potential problems. Changes aimed

at securing one component may indirectly impact other facets of the system. A common example of this is

closing firewall ports which must remain open in order to provide services. Further, it is necessary to

balance security with usability (Bulgurcu et al. 2010). It is possible to harden a system to such a degree

that interaction is overly-taxing and users avoid it altogether (Johnston and Warkentin 2010; Spears and

Barki 2010). To avoid pitfalls and elicit better results, hardening requires significant effort and

concentration.

        Because hardening is an intellectually-challenging process, it is a relatively difficult process to

manage (Scherling 2011). IT managers must be able to visualize an entire system and ensure coordination

among their workers (Campbell et al. 2003). They must not allow any overlap in systems hardening

responsibilities or else the final configuration will not be optimal (Weaver 2007). They must also prevent

gaps in task delineation or else parts of the system may not be secured. Managers must assign IT workers

some degree of responsibility based on their projected performance (Cross et al. 2010). These

determinations are often subjective and may be based on limited evidence (Livari and Huisman 2007).

This may lead to results which do not meet expectations. For better results, it is necessary to make more

deliberate decisions. Previous studies indicate that performance expectations should be based on

psychological and behavioral guidance (Venkatesh 1999).

        Over the years, behavioral studies have indicated that one factor which determines IT worker

behavior is motivation (Bartol and Martin 1982; Malhotra et al. 2008; Stanley et al. 1993; Venkatesh

2000). These findings have already been used within the information security domain, but not to

understand system hardening (Mahmood et al. 2010). The purpose of this research is to propose and test a

motivational model of IT worker performance at system hardening. A comprehensive motivational

sequence, including environmental variables, psychological mediators, motivation, and behavioral

outcome is proposed and tested. This model is framed using self-determination theory (SDT) (Deci and

Ryan 1985). It represents one of the earliest attempts to combine SDT with information security. The

remainder of this study is organized as follows: background information on self-determination theory is

provided in the following section. Next, the proposed research model is introduced and corresponding

hypotheses are stated. Hypothesis testing methods are described and the procedure for evaluating the

hypotheses is explained. Finally, study results and conclusions are presented.


                        BACKGROUND: SELF-DETERMINATION THEORY

Self-determined motivation is based on action out of choice and/or pleasure rather than threat of

consequences (Deci and Ryan 1985; Vallerand 1997). SDT incorporates the determinants and sequences

of self-determined motivation into an integrated causal model consisting of four elements (see Figure 1)

(Grouzet et al. 2004). This motivational sequence begins with environmental factors such as feedback or

reward. Environmental conditions stimulate psychological needs (the need for self-competence, for

example). Consequently, need satisfaction is a contributor to self-determined motivation. In turn,

motivation leads to consequences or action. This motivational sequence can exist at three levels of

generality: global (regarding personality), contextual (within a specific domain), or situational (with

respect to a certain activity) levels (Vallerand 2000). This study concerns individual performance at a

specific activity. Therefore, the focus of this research is the situational level. The remainder of this section

describes the elements of the integrated motivation sequence at the situational level.

Figure 1: Self-Determination Theory




                                                                                                                   	
  


        Prior studies hold that environment influences psychological state and indirectly shapes

motivation (Ryan 1982). The environmental forces which are relevant depend on the specific context. For

instance, a number of studies in the education field have focused on the impact of student motivation on

class performance (Parkes and Henderson 2004; Thill and Mouanda 1990; Whitehead and Corbin 1991).

In these cases, the most important environmental variables were related to teacher feedback. Within the

marketing sector, a range of salient variables have emerged. Increases in salesman motivation have been

linked to environmental stimuli such as changes in economic conditions, prior sales success, perceived

financial need, customer feedback, and changes in compensation (Deci et al. 1999; Zuckerman et al.

1978). Separately, the role of environment has also been studied within the technical fields. Contrasting

with the business discipline, environmental cues for engineers are based less on social interactions and

more on technical mastery. For instance, it has been demonstrated that engineers’ motivation to take on

complex assignments begins with their discipline-specific knowledge and their ability to interact with the

problem space (Baillie and Fitzgerald 2000). Such environmental factors, acting through psychological

mediators, may significantly increase or decrease self-determined motivation.

        Psychological needs are stimulated by environmental factors and are the antecedents of self-

determined motivation (Deci and Ryan 1985; Grouzet et al. 2004). Hence, they act as psychological

mediators. Need satisfaction is a direct contributor of motivation. SDT holds that the most relevant

psychological needs are competence, autonomy, and relatedness (Vallerand 1997). Perceived competence

refers to the ability to cope with the environment. Perceived autonomy is the freedom to control one’s

destiny and act in accordance with the integrated self. It should be noted that autonomy does not imply

independence of others but freedom to make choices. Perceived relatedness refers to a sense of security

and fit within a social group. Collectively, these are fundamental needs which individuals constantly seek

to fulfill. Positive perceptions of competence, autonomy, and relatedness enhance self-determined

motivation as individuals are motivated to perform activities which meet their psychological needs. Each

need is influenced by environmental conditions. For instance, positive feedback has been shown to

stimulate autonomy and competence. The reverse is also true: low competence is a result of negative

feedback. To reiterate, psychological needs mediate the relationship between environmental factors and

motivation.

         Previous research has focused on two types of motivation: intrinsic and extrinsic motivation (Deci

and Ryan 2000). Intrinsic motivation is self-developed and endorsed. It refers to performing a behavior

that is satisfying and interesting. An IT professional who finds a task to be intellectually stimulating

would be intrinsically motivated. Extrinsic motivation is based on external pressure to obtain something

positive or avoid something negative. The intrinsically-motivated employee views a task as a means to an

end. It is suggested that extrinsic and intrinsic motivation are not negatively related but are endpoints on a

motivation continuum. Within this scheme, self-determined motivation is aligned with the intrinsic end of

the continuum. Need satisfaction catalyzes intrinsic motivation, as individuals will seek to pursue

activities which fulfill their basic needs for autonomy, competence, and relatedness (Deci and Ryan

1985).

         The causal impact of motivation on resulting actions is well-documented. Examples include

school performance (Guay and Vallerand 1996), computer use (Davis et al. 1992; Igbaria et al. 1996;

Venkatesh 2000), and social interactions (Blais et al. 1990). Thus, the more self-determined the

motivation, the more positive the results (Ryan et al. 1983). In summary, environmental factors influence

psychological needs and indirectly shape motivation while self-determined motivation leads to behavioral

outcomes.


                                   THEORETICAL DEVELOPMENT

This research integrates the elements of SDT with situation-specific environmental factors into a

comprehensive model for understanding system hardening performance (see Figure 2). Based on an

analysis of the system hardening environment and a comprehensive literature review, two factors emerged

as potentially relevant environmental variables for the information security environment. They are threat

awareness and systems familiarity. Consistent with previous studies of motivation in the technical fields,

they are based on expertise and problem manipulation (Wickens and Hollands 1999). Both are


hypothesized determinants of perceived autonomy and perceived competence. In turn, the psychological

needs are predicted to influence self-determined motivation. Finally, situational motivation is expected to

dictate individual performance at system hardening. The hypothesized relationships between these

constructs are explained in the following section.

	
  
Figure 2: Research Model




                                                                                                              	
  
	
  

        To begin, SDT holds that the environment is a combination of conditions which collectively

shape psychological need (Deci et al. 1994; Deci and Ryan 1985). Therefore, it is necessary to identify

unique factors which influence psychological need and indirectly impact motivation and security

performance. Based on structured observation of the system security environment two conditions were

selected. They are system familiarity and threat awareness. Neither variable has yet been applied to

behavioral research in information security although they have been addressed in prior SDT studies

(Goldberg and Pedulla 2011; Greitzer et al. 2008; Perry and Lindell 2003; Taylor et al. 2002). They are

expected to play a formative role in the development of psychological needs.

        Over forty years ago, system familiarity was conceived as the degree to which an individual is

proficient at manipulating some combination of software, data, and hardware (Lee 1970). It is expected to

determine motivation and hardening behavior via psychological need. The proposed role of system

familiarity is sustained by related studies in the extant literature (Arthur and Hart 1989; Goldberg and

Pedulla 2011; Marcoulides 1988; Taylor et al. 2002). Furthermore, Davis (1993) conceptualized system

familiarity within the complete motivational sequence as an environmental stimulus, determinant of

attitude, and indirect antecedent of behavioral action. Although it was not used in a predictive capacity,

the concept of familiarity has been broached in information security research (Hui et al. 2007). Based on

this evidence, system familiarity is anticipated to be a significant determinant of psychological need and

indirectly impact motivation.

        To illustrate the role of system familiarity within the information security context, consider a

scenario in which it becomes necessary to harden a particular network-attached storage (NAS) array. An

IT worker who is proficient with Openfiler and FreeNAS is expected to have a relatively high degree of

competence, as they are two of the most common open source NAS platforms (Lynn 2010). The

individual would pursue the hardening assignment because it validates his or her perceptions of

competence. In addition to perceived competence, it is projected that system familiarity is also a

determinant of perceived autonomy. IT workers with systems familiarity will feel more comfortable in

decision making and in greater control. Conversely, IT workers with less familiarity will have low

perceived autonomy, because they will doubt their ability to implement the proper changes. To

summarize, system familiarity is expected to influence psychological need. Therefore, it is proposed that:

HYPOTHESIS 1: System familiarity will have a positive influence on perceived competence

and

HYPOTHESIS 2: System familiarity will have a positive influence on perceived autonomy
	
  
     The second environmental factor is threat awareness – understanding the means by which

systems may be purposely or inadvertently compromised. The concept of threat awareness has already

been established within the information security space (Chen et al. 2008; Greitzer et al. 2008; Perry and

Lindell 2003). Studies of environmental factors related to threat awareness support its proposed

relationship with psychological need and motivation (Furnell et al. 2007; Gagne and Deci 2005;

Hirschberger et al. 2009; Walczuch and Lundgren 2004). Based on this evidence, threat awareness is

included as an essential element in predicting system hardening performance. It is not possible to secure a

system without awareness of possible system threats (Du et al. 2006; Stafford and Poston 2010).

Specifically, it is anticipated that individuals without such information will have lower perceptions of

competence. By contrast, IT workers with a keen awareness of security threats will feel more competent

because they understand the latest system risks and the best approaches for neutralizing them. Besides

competence, threat awareness is also expected to influence perceived autonomy. IT professionals with

greater threat awareness will perceive more freedom to make their own decisions because they

understand the options. For example, suppose an organization migrates its domain naming service (DNS)

from Windows Server 2003 to Linux-based BIND. After the transition it will be necessary to select an IT

professional to harden the new server. The individual who understands the potential threats to DNS will

perceive greater decision making flexibility because he or she understands the decisions which must be

made. Simplified, the IT worker who is more aware of security threats to DNS will perceive greater

autonomy. These relationships are expressed in the following hypotheses:

HYPOTHESIS 3: Threat awareness will have a positive influence on perceived competence

and

HYPOTHESIS 4: Threat awareness will have a positive influence on perceived autonomy

        Both of the environmental factors are necessary to effect security improvements. The IT

professional cannot harden a system if he or she cannot identify the potential threats and determine a best

course for reducing the risks of their occurrence (Stafford and Poston 2010). Understanding security

threats alone is not sufficient. The IT professional must also be able to reconfigure a system in order to

implement a security fix (Tjhai and Furnell 2007). This requires familiarity with the system. Combined,

threat awareness and system familiarity shape psychological need and indirectly stimulate self-determined

motivation to harden a system.

        The elements of psychological need - competence and autonomy - are included as antecedents of

motivation. Past research demonstrates that they mediate the relationship between the environmental

factors and motivation (Gagne 2003; Grouzet et al. 2004; Guthrie and Davis 2003; Ryan et al. 2006; Shah

2003). Perceived competence is expected to build motivation in a variety of scenarios. For example, a

newly-hired IT worker may view system hardening as an opportunity to demonstrate his or her technical

prowess. In doing this he or she seeks to reinforce the fundamental need for competence. The link

between competence and motivation is well-established (Deci and Ryan 2000; Elliot 2005; Vallerand

1997). To extend this rationale the following hypothesis is considered:

HYPOTHESIS 5: Perceived competence will have a positive influence on self-determined motivation


        Perceived autonomy is the second hypothesized predictor of motivation. For instance, an

individual may be motivated to partake in system hardening because he or she considers it to be an option

reserved for a few trusted experts. The individual’s desire to control his or her own destiny and select

interesting work is based on autonomy. The path from perceived autonomy to motivation has already

been demonstrated (Dickinson 1995; Ehrman et al. 2003; Vallerand 1997). This supports the basic desire

for autonomy, performing the task out of choice.

HYPOTHESIS 6: Perceived autonomy will have a positive influence on self-determined motivation

        It should be noted that relatedness is not included in the current model. Recent studies of SDT

indicate that relatedness plays a smaller role in intrinsic motivation development when the behavioral

outcome is not based on social interaction (Vallerand 2000). Because system hardening is undertaken as

an individual activity, it is concluded that relatedness is not relevant to this study.

        As previously described, system hardening is the process of identifying weaknesses in current

system configurations and finding and implementing solutions for reducing security risks (Panko 2004).

This procedure requires a great deal of concentration on the part of the IT worker as it is necessary to

think through complex system processes in order to pinpoint and reconcile vulnerabilities (Scherling

2011). Surface-level problems may be apparent but less salient issues require more effort to uncover

(Campbell et al. 2003). For instance, consider the task of hardening a virtual private network (VPN)

installation. Ensuring that exterior, incoming resource requests are routed through the authentication

system is a relatively straightforward task. Reconciling discrepancies between planned privilege levels

and actual user domains for authenticated, external clients is a more consuming process. While even the

amotivated worker will perform the former task, only a self-determined employee will do the latter. For


such intellectually-challenging activities, the difference between active engagement and simply going

through the motions has substantial security implications.

        Differences in motivation generally correspond to degree of performance (Erez and Judge 2001;

Mohr and Bitner 1995; Richardson and Abraham 2009). Self-determined IT workers are expected to do a

better job. In the case of VPN hardening, the average IT worker may neglect to check for inconsistencies

between directory permissions for remote clients and subnet structure. His or her task performance is

likely based on extrinsic motivation - fear of punishment for not completing the task and/or reward of

continued salary for performing the work. In contrast, the IT professional who is motivated by the thrill of

outsmarting deviant users may perform the check and uncover a flaw which allows VPN access into a

sensitive, off-limits file system. This individual is acting out of intrinsic, self-determined motivation. The

link between motivation and performance of complex tasks has already been established in similar studies

in marketing, sales, administration, and management, where more motivated individuals did better at

solving a range of problems in the business domain (Barrick et al. 2002; Bowman and Narayandas 2004;

Miao et al. 2006; Sins et al. 2007). Therefore, self-determined motivation is expected to be a significant

determinant of system hardening performance. Accordingly, the following hypothesis is proffered:

HYPOTHESIS 7: Self-determined motivation will have a positive influence on system hardening
             performance

        To summarize the preceding hypotheses, system familiarity and threat awareness are included as

environmental factors. They are determinants of self-competence and autonomy. Self-perception is an

antecedent of self-determined motivation, which predicts behavioral outcomes. The following sections

describe the evaluation of the hypotheses.


                                                METHODS

                                                 Procedure

To evaluate the research model, the laboratory study method was employed and a combination of

computer-data and survey results were collected. First, subjects completed a pen-and-paper survey which


included items for measuring the predictors. To provide behavioral data for the dependent variable system

hardening performance, they participated in a simulated security exercise. In this exercise, participants

were asked to do their best job securing virtual machine webservers by identifying and reconciling

weaknesses and security threats. Each subject configured a virtual machine via desktop computer and a

hypervisor for a period of 45 minutes. Subjects were granted internet access but were not allowed to

speak with each other. After the allotted time, snapshots of virtual machines were taken and the lab was

concluded (see appendix A for more details). Participants were then debriefed and excused.

                                                   Sample

Subjects were expected to harden a webserver – a task which may be completed by entry-level IT

workers. Therefore, the sample was comprised of individuals with similar traits. For inclusion into the

study, subjects were required to meet two conditions: (1) they must have the equivalent of between 3

months to two years of full-time work experience, and (2) they should have completed at least 6 college

credit hours of formal training in systems administration and security. Based on these guidelines a

sufficiently large pool of candidates was composed. It consisted of individuals who were either recent

graduates or were enrolled part-time or full-time in the I.T. program at a large, public university in the

Southeastern United States. Subjects were then recruited via email, Twitter, and Facebook channels and

asked to participate in the study. For prescreening, individuals were asked to indicate if they met the

training and experience requirements. Only those with acceptable IT experience and education were

included in the sample. These steps ensured that the sample approximated the population of interest in the

current study.

                                              Instrumentation

Measures for independent variables were adapted primarily from the Intrinsic Motivation Inventory (IMI)

(Ryan 1982). Perceived competence was operationalized using 6 items, perceived autonomy was

measured with 7 items, and motivation was operationalized using 7 items. The IMI has previously been

used in a number of related studies (Deci et al. 1994; Plant and Ryan 1985; Ryan 1982; Ryan et al. 1983).


Through these studies, the validity of the IMI has been reaffirmed. Furthermore, McAuley (1987)

conducted a meta-analysis of the psychometric properties of the IMI and confirmed its soundness. All the

items from the IMI were measured using 5 point Likert scales.

        Because the environmental variables are context-specific, no previously-validated scales were

available. Instead, system familiarity and threat awareness were operationalized via proprietary tests on

Linux administration and information security. The tests were developed by an HR staffing and placement

firm and are used to screen applicants for entry level positions in IT. The first test is composed of 19

multiple choice questions on Linux operating system management. It was used to operationalize system

familiarity. The second test consisted of 22 multiple choice questions for identifying candidates with a

basic understanding of common security risks and practices. These questions were used to measure threat

awareness. This approach to measuring environmental variables is consistent with earlier research on

intrinsic motivation. For instance, previous studies of student motivation have used various facets of test

performance to operationalize environmental factors (Grouzet et al. 2004).

        The dependent variable was based on the extent to which individuals secured virtual machines.

Two qualified research assistants independently assessed each subject’s attempt at securing an insecure

server. They reviewed security audits conducted on each virtual machine using specialized software. Each

virtual machine was rated on a scale of 1 to 5, where 1 corresponded with “very insecure” and 5

correlated with “very secure.” It should be noted that if no security improvements were made then a

virtual machine would be considered very insecure and indicative of poor performance at server

hardening. On the contrary, servers which were made to be very secure are evidence of a superior

hardening performance.

                                                 RESULTS

A total of 418 individuals were initially recruited. Of the 205 individuals who agreed to participate, 189

qualified subjects ultimately passed the screening requirements and participated in the study. Four surveys

were incomplete or otherwise unusable. These surveys were excluded from the data analysis. In addition,



6 surveys were rejected because a response set was detected (Andrich 1978; Kerlinger 1973; Rennie

1982). Thus, 179 surveys were ultimately used in data analysis. Although the independent variables and

dependent variables were derived from separate sources of data, a test for common methods variance

(CMV) was conducted (Podsakoff et al. 2003). The results confirmed the suitability of the data for

further analysis.

         Prior to model testing, extensive analyses were conducted to ensure validity of measures. The

components-based approach (Gefen et al. 2000) for structural equations modeling was employed via the

SmartPLS software package (Ringle and Wende 2009). Convergent and discriminant validity of reflective

constructs were assessed using factor loadings. Such loadings indicate if items cross-load or fail to

significantly load on their respective latent variable (Straub et al. 2004). Specifically, convergent validity

is demonstrated when items load above 0.70 on their respective construct and when the average variance

extracted (AVE) is above 0.50 for each construct. Discriminant validity is identified when item loadings

are greater for their respective construct than for other constructs in the model, and when each construct’s

square-rooted AVE is greater than its intercorrelation with other constructs. As indicated in Tables 1

and 2, the conditions for both convergent and discriminant validity are met.
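
The validity criteria in the paragraph above can be checked mechanically. The following is an added example, not part of the original paper, that applies them to the Table 1 rows visible in this excerpt. It assumes the standard definition of AVE as the mean of squared standardized loadings, and the intercorrelation used for the last check is a constructed placeholder because Table 2 is not reproduced here.

```python
from math import sqrt

CONSTRUCTS = ("PC", "PA", "M")

# Item loadings transcribed from Table 1, in (PC, PA, M) order.
# Only rows visible in this excerpt are included (PA5 onward is cut off).
LOADINGS = {
    "PC1": (0.900, 0.287139, 0.357633),
    "PC2": (0.912, 0.378545, 0.474205),
    "PC3": (0.892, 0.397988, 0.492692),
    "PC4": (0.864, 0.381608, 0.389609),
    "PC5": (0.880, 0.291173, 0.404723),
    "PC6": (0.760, 0.260122, 0.295855),
    "PA1": (0.297114, 0.773, 0.341798),
    "PA2": (0.435475, 0.876, 0.428941),
    "PA3": (0.299435, 0.850, 0.461665),
    "PA4": (0.232584, 0.760, 0.312627),
}


def owner(item):
    """Construct an item belongs to, taken from its two-letter prefix."""
    return item[:2]


def own_loading(item):
    """Loading of an item on the construct it is meant to measure."""
    return LOADINGS[item][CONSTRUCTS.index(owner(item))]


def ave(construct):
    """Average variance extracted: mean of squared own-construct loadings
    (assumed standard definition; the paper does not spell out the formula)."""
    squared = [own_loading(i) ** 2 for i in LOADINGS if owner(i) == construct]
    if not squared:
        raise ValueError(f"no items for construct {construct!r}")
    return sum(squared) / len(squared)


def weak_items(threshold=0.70):
    """Convergent validity: items that fail to load above the threshold."""
    return [i for i in LOADINGS if own_loading(i) <= threshold]


def cross_loaded_items():
    """Discriminant validity: items loading at least as high elsewhere."""
    flagged = []
    for item, row in LOADINGS.items():
        others = [v for c, v in zip(CONSTRUCTS, row) if c != owner(item)]
        if max(others) >= own_loading(item):
            flagged.append(item)
    return flagged


def sqrt_ave_exceeds(ave_value, intercorrelations):
    """Discriminant validity: sqrt(AVE) must exceed every intercorrelation."""
    root = sqrt(ave_value)
    return all(root > abs(r) for r in intercorrelations)


def report():
    """Run every check on the visible rows and return the findings."""
    pc_ave = ave("PC")  # all six PC items are present, so this is complete
    return {
        "pc_ave": round(pc_ave, 3),
        "pc_ave_above_0.50": pc_ave > 0.50,
        "weak_items": weak_items(),
        "cross_loaded_items": cross_loaded_items(),
        # 0.45 is a constructed placeholder, not a value from Table 2.
        "sqrt_ave_ok_placeholder": sqrt_ave_exceeds(pc_ave, [0.45]),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The AVE for Perceived Autonomy is not recomputed because only four of its seven items appear in this excerpt.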

To gauge reliability, the internal consistency measure for each construct was examined. Constructs which exceeded the .70 level of internal consistency were judged to possess sufficient reliability (Barclay et al. 1995; Fornell and Bookstein 1982). As shown in Table 2, the internal consistency for each construct was above .90, which exceeds the recommended threshold for construct reliability.

Table 1: Psychometric Properties of Reflective Measures

                                            Loadings by construct
Construct                          Item     PC         PA         M          AVE
Perceived Competence (PC)          PC1      .900       .287139    .357633    .756
                                   PC2      .912       .378545    .474205
                                   PC3      .892       .397988    .492692
                                   PC4      .864       .381608    .389609
                                   PC5      .880       .291173    .404723
                                   PC6      .760       .260122    .295855

Perceived Autonomy (PA)            PA1      .297114    .773       .341798    .645
                                   PA2      .435475    .876       .428941
                                   PA3      .299435    .850       .461665
                                   PA4      .232584    .760       .312627
                                   PA5      .220542    .732       .426962
                                   PA6      .362899    .808       .337810
                                   PA7      .316682    .813       .426951

Self-Determined Motivation (M)     M1       .369969    .434496    .752       .620
                                   M2       .387743    .352991    .800
                                   M3       .399027    .465077    .854
                                   M4       .369244    .441826    .834
                                   M5       .328612    .438595    .719
                                   M6       .315905    .309295    .790
                                   M7       .422438    .331189    .752

Table 2: Correlations Among Constructs

Construct                RELI     PC       PA       M
Perceived Competence     .949     .869
Perceived Autonomy       .927     .389     .803
Motivation               .919     .471     .491     .787

Square-rooted AVE on Diagonal; RELI = Composite Reliability
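
The validity and reliability figures in Tables 1 and 2 can be recomputed from the item loadings. The following Python example is added here and is not part of the original paper; it assumes the standard Fornell-Larcker definitions of AVE and composite reliability, which the paper does not spell out, and all function names are illustrative.

```python
"""Recompute the measurement-model statistics from the Table 1 loadings.

Assumed formulas (standard Fornell-Larcker definitions, not spelled out in
the paper): AVE = mean of squared loadings; composite reliability =
(sum of loadings)^2 / ((sum of loadings)^2 + sum of (1 - loading^2)).
"""
from math import sqrt

ORDER = ("PC", "PA", "M")  # column order of the loadings in Table 1

# Values copied from Table 1: item -> loadings on (PC, PA, M).
LOADINGS = {
    "PC": {"PC1": (.900, .287139, .357633), "PC2": (.912, .378545, .474205),
           "PC3": (.892, .397988, .492692), "PC4": (.864, .381608, .389609),
           "PC5": (.880, .291173, .404723), "PC6": (.760, .260122, .295855)},
    "PA": {"PA1": (.297114, .773, .341798), "PA2": (.435475, .876, .428941),
           "PA3": (.299435, .850, .461665), "PA4": (.232584, .760, .312627),
           "PA5": (.220542, .732, .426962), "PA6": (.362899, .808, .337810),
           "PA7": (.316682, .813, .426951)},
    "M": {"M1": (.369969, .434496, .752), "M2": (.387743, .352991, .800),
          "M3": (.399027, .465077, .854), "M4": (.369244, .441826, .834),
          "M5": (.328612, .438595, .719), "M6": (.315905, .309295, .790),
          "M7": (.422438, .331189, .752)},
}

# Off-diagonal cells of Table 2 (inter-construct correlations).
CORR = {("PA", "PC"): .389, ("M", "PC"): .471, ("M", "PA"): .491}


def own_loadings(construct, table=LOADINGS):
    """Loadings of a construct's items on that construct itself."""
    col = ORDER.index(construct)
    return [row[col] for row in table[construct].values()]


def ave(lam):
    """Average variance extracted: mean of the squared loadings."""
    return sum(l * l for l in lam) / len(lam)


def composite_reliability(lam):
    """Composite reliability computed from standardized loadings."""
    explained = sum(lam) ** 2
    error = sum(1 - l * l for l in lam)
    return explained / (explained + error)


def convergent_ok(lam, min_loading=0.70, min_ave=0.50):
    """Paper's criterion: every loading above 0.70 and AVE above 0.50."""
    return min(lam) > min_loading and ave(lam) > min_ave


def cross_loading_violations(table=LOADINGS):
    """Items that load at least as strongly on another construct."""
    bad = []
    for construct, items in table.items():
        col = ORDER.index(construct)
        for item, row in items.items():
            if any(v >= row[col] for i, v in enumerate(row) if i != col):
                bad.append(item)
    return bad


def fornell_larcker_violations(table=LOADINGS, corr=CORR):
    """Construct pairs whose correlation reaches either square-rooted AVE."""
    root = {c: sqrt(ave(own_loadings(c, table))) for c in table}
    return [pair for pair, r in corr.items()
            if root[pair[0]] <= r or root[pair[1]] <= r]


def summary(table=LOADINGS):
    """Per-construct AVE, square-rooted AVE and reliability, rounded to 3 dp."""
    out = {}
    for construct in table:
        lam = own_loadings(construct, table)
        out[construct] = {
            "AVE": round(ave(lam), 3),
            "sqrt_AVE": round(sqrt(ave(lam)), 3),
            "RELI": round(composite_reliability(lam), 3),
            "convergent": convergent_ok(lam),
        }
    return out


if __name__ == "__main__":
    for name, stats in summary().items():
        print(name, stats)
    print("cross-loading violations:", cross_loading_violations())
    print("Fornell-Larcker violations:", fornell_larcker_violations())
```

The recomputed values agree with the AVE column of Table 1 and with the diagonal and RELI column of Table 2, which confirms that the two tables are internally consistent.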
  
	
  
Following instrument validation, hypothesized direct effect paths were tested using bootstrap resampling (Gefen et al. 2000). The results of the PLS analysis are reported in Table 3. It appears that the path from threat awareness to perceived competence (H3) was not supported. All the other paths between the predicting variables and ISPC are significant at the .05 alpha level. The model accounts for 17.2% of the variance in system hardening performance (see Figure 3). For the supported paths, tests of mediation were conducted following the steps outlined by Baron and Kenny (1986). It was determined that perceived competence mediates the relationship between system familiarity and motivation, perceived autonomy mediates the relationship between the environmental factors and motivation, and self-determined motivation mediates the relationship between the psychological mediators and system hardening performance.

Table 3: Outcome of the Hypothesis Tests

Hypothesis    Path        Coefficient    T or F Value    P-value    Supported?
H1            SF → PC     .392           3.079           p<.0018    Yes
H2            SF → PA     .323           2.889           p<.0043    Yes
H3            TA → PC     .162           1.390           p<.0831    No
H4            TA → PA     .489           2.201           p<.0290    Yes
H5            PC → M      .329           3.121           p<.0021    Yes
H6            PA → M      .363           3.636           p<.0003    Yes
H7            M → SHP     .414           5.071           p<.0001    Yes

SF = System Familiarity; TA = Threat Awareness; SHP = System Hardening Performance

Figure 3: Supported Paths
  




                                             DISCUSSION AND CONTRIBUTION

The results of this study provide a basis for understanding the role of environmental factors, psychological states, and motivation on performance of security-related work. The findings indicate that a system administrator’s performance at system hardening is determined in part by the direct influence of self-determined motivation. Those whose motivation stems from self-directed factors turn out the highest quality results. In addition, self-determined motivation was confirmed to be derived from elements of the individual’s psychological state. Finally, this research indicates that perceptions of competence and autonomy were based on systems familiarity and threat awareness.

Interestingly, the path from threat awareness to perceived competence was not supported. A possible interpretation of this result is that risk appreciation does not build or stimulate competence. For IT professionals, perceived competence may be derived only from system-specific knowledge. In contrast, both system familiarity and threat awareness were significantly linked to perceived autonomy. It may be that IT workers perceive the autonomy to perform their tasks only if they possess security and system-specific knowledge. In order to improve motivation, managers must approach each of the psychological states independently, as each is impacted by a different combination of factors. This requires more sophisticated efforts, but may yield significant improvements over old techniques. This finding has implications for both managerial and research endeavors involving the administrative aspects of information security, technical training, and the hiring of IT personnel.

Chief information officers seeking improvements in system security should consider conducting in-house training programs and ongoing refresher courses. The results of this study indicate that employees with system familiarity are more able to effect improvements in IT infrastructure. Those who do not understand the technical details regarding a system’s operation will not be able to effectively implement security measures. IT managers should implement training sessions to refresh the memories of systems administrators. This is a simple but often-overlooked step. Even if an employee has been managing a system for several years it is likely that he or she will eventually forget key details. This can happen to even the most ardent professional and inadvertently leave seams in the security perimeter. Security awareness can be boosted through informal discussions, workshops, and reminders at meetings. By simply asking an employee to consider the security implications of a given configuration, much thought and foresight will be developed. For more specific recommendations, see Table 4.

  
Table 4: Fostering Improvements in Employee Security Performance

Environmental Factor    Suggested Actions

System Familiarity      • Develop refresher courses and in-house training for IT staff
                        • Rotate employees through functional positions in order to
                          encourage holistic, system-wide thinking
                        • Encourage mentoring of junior workers among senior IT
                          professionals
                        • Offer to send top performers and promising new hires to technical
                          boot camps for advanced training

Security Awareness      • Discuss current events regarding information security and ask how
                          they might impact enterprise systems
                        • Create challenges or competitions in which IT workers can
                          compete to demonstrate their security capabilities
                        • Ask individuals to consider the impact of compromised systems on
                          their areas of responsibility
                        • Encourage employees to complete specialized information security
                          certifications such as CISSP


The application of self-determination theory to information security is unique to this study but provides numerous opportunities for future research in this area. This research found that self-motivated employees will work harder to improve security than those whose motivation stems from other sources. However, much of the variance in system hardening performance remained unaccounted for in this study. Future research should consider both alternative and complementary explanations for system hardening performance and for other security-related tasks performed by IT professionals. A unique attribute of this study is that it measures actual performance, not just intention to perform security-related work. The accurate assessment of work-related outcomes is relatively difficult to achieve. This is especially true for complex assignments such as information security. Thus, this research makes an important contribution by developing a method to isolate and gauge performance of complicated system tasks. Further, the research focused on the impact of the IT professional, not the end user. This represents a significant shift from previous studies of information security. This is a desirable direction, as IT workers would be expected to have more influence on organizational information security than passive users. Specifically, this research focused on IT workers who were relatively inexperienced. Future opportunities exist to explore the dynamics of more seasoned workers.

  
                                             CONCLUSION

IT directors and CIOs must ensure that they properly equip, motivate, train, and deploy their workforce in order to minimize risks to information systems. By ensuring that IT workers are prepared to cope with their technical environment they can stimulate confidence and build motivation to tackle challenging security tasks. This research focused on system hardening, as it is a common task which most IT workers are expected to perform. To advance the domain knowledge, this study applied self-determination theory to information security. It identified two relevant factors which influence motivation: system familiarity and security awareness. By understanding and controlling key environmental factors, IT directors and managers can indirectly build motivation and improve organizational security.

  
                                                                  REFERENCES

Andrich, D. 1978. "A Rating Formulation for Ordered Response Categories," Psychometrika (43:4), pp 561-573.

Arthur, W., and Hart, D. 1989. "Empirical Relationships between Cognitive Abilities and Computer Familiarity," in: Annual Meeting of the Southwestern Psychological Association. Houston, TX.

Baillie, C., and Fitzgerald, G. 2000. "Motivation and Attrition in Engineering Students," European Journal of Engineering Education (25:2), pp 145-155.

Barclay, D., Higgins, D., and Thompson, R. 1995. "The Partial Least Squares Approach to Causal Modeling: Personal Computer Adoption and Use as an Illustration," Technology Studies (2:2), pp 285-309.

Baron, R., and Kenny, D. 1986. "The Moderator-Mediator Variable Distinction in Social Psychological Research: Conceptual, Strategic and Statistical Considerations," Journal of Personality and Social Psychology (51:1), pp 1173-1182.

Barrick, M., Stewart, G., and Piotrowski, M. 2002. "Personality and Job Performance: Test of the Mediating Effects of Motivation among Sales Representatives," Journal of Applied Psychology (87:1), pp 1-9.

Bartol, K., and Martin, D. 1982. "Managing Information Systems Personnel: A Review of the Literature and Managerial Implications," MIS Quarterly (6:4), pp 49-70.

Blais, M., Sabourin, S., Boucher, C., and Vallerand, R. 1990. "Toward a Motivational Model of Couple Happiness," Journal of Personality and Social Psychology (59:3), pp 1021-1031.

Bowman, D., and Narayandas, D. 2004. "Linking Customer Management Effort to Customer Profitability in Business Markets," Journal of Marketing Research (41:1), pp 433-447.

Bulgurcu, B., Cavusoglu, H., and Benbasat, I. 2010. "Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness," MIS Quarterly (34:3), pp 523-548.

Campbell, P., Calvert, B., and Boswell, S. 2003. Security+ Guide to Network Security. Boston, MA: Thomson.

Chen, J., Schmidt, M., Phan, D., and Arnett, K. 2008. "E-Commerce Security Threats: Awareness, Trust and Practice," International Journal of Information Systems and Change Management (3:1), pp 16-32.

Cross, R., Dowling, C., Gerbasi, A., Gulas, V., and Thomas, R. 2010. "How Organizational Network Analysis Facilitated Transition from Regional to a Global IT Function," MIS Quarterly Executive (9:3), pp 133-145.

Davis, F. 1993. "User Acceptance of Information Technology: System Characteristics, User Perceptions and Behavioral Impacts," International Journal of Man-Machine Studies (38:3), pp 475-487.

Davis, F., Bagozzi, R., and Warshaw, P. 1992. "Extrinsic and Intrinsic Motivation to Use Computers in the Workplace," Journal of Applied Social Psychology (22:14), pp 1111-1132.

Deci, E., Eghrari, H., Patrick, B., and Leone, D. 1994. "Facilitating Internalization: The Self-Determination Theory Perspective," Journal of Personality (62:4), pp 119-142.

Deci, E., Koestner, R., and Ryan, R. 1999. "A Meta-Analytic Review of Experiments Examining the Effects of Extrinsic Rewards on Intrinsic Motivation," Psychological Bulletin (125:3), pp 627-668.

Deci, E., and Ryan, R. 1985. Intrinsic Motivation and Self Determination in Human Behavior. New York: Plenum Press.

Deci, E., and Ryan, R. 2000. "The “What” and “Why” of Goal Pursuits: Human Needs and the Self-Determination of Behavior," Psychological Inquiry (11:1), pp 227-268.

Dickinson, L. 1995. "Autonomy and Motivation: A Literature Review," System (23:2), pp 165-174.

Du, J., Jiao, Y., and Jiao, J. 2006. "A Security Blueprint for E-Business Applications," in: Enterprise Information Systems Assurance and System Security, M. Warkentin and R. Vaughn (eds.). Hershey, PA: Idea Publishing Group, pp. 80-94.

Ehrman, M., Leaver, B., and Oxford, R. 2003. "A Brief Overview of Individual Differences in Second Language Learning," System (31:3), pp 313-330.

Elliot, A. 2005. Handbook of Competence and Motivation. New York, NY: The Guilford Press.

Erez, A., and Judge, T. 2001. "Relationship of Core Self-Evaluations to Goal Setting, Motivation, and Performance," Journal of Applied Psychology (86:6), pp 1270-1279.

Fink, D., Huegle, T., and Dortschy, M. 2006. "A Model for Information Security Governance for E-Business," in: Enterprise Information Systems Assurance and System Security, M. Warkentin and R. Vaughn (eds.). Hershey, PA: Idea Group Publishing, pp. 1-15.

Fornell, C., and Bookstein, F. 1982. "Two Structural Equation Models: LISREL and PLS Applied to Consumer Exit-Voice Theory," Journal of Marketing Research (19:1), pp 440-452.

Furnell, S., Bryant, P., and Phippen, A. 2007. "Assessing the Security Perceptions of Personal Internet Users," Computers & Security (26:5), pp 410-417.

Gagne, M. 2003. "Autonomy Support and Need Satisfaction in the Motivation and Well-Being of Gymnasts," Journal of Applied Sports Psychology (15:2), pp 372-390.

Gagne, M., and Deci, E. 2005. "Self-Determination Theory and Work Motivation," Journal of Organizational Behavior (26:4), pp 331-362.

Gefen, D., Straub, D., and Boudreau, M. 2000. "Structural Equation Modeling Techniques and Regression: Guidelines for Research Practice," Communications of the AIS (7:7), pp 1-78.

Goldberg, A., and Pedulla, J. 2011. "Performance Differences According to Test Mode and Computer Familiarity on a Practice Graduate Record Exam," Educational and Psychological Management (62:6), pp 1053-1067.

Gordon, L., and Loeb, M. 2002. "The Economics of Information Security Investment," ACM Transactions on Information and Systems Security (5:4), pp 438-457.

Gordon, L., Loeb, M., and Zhou, L. 2011. "The Impact of Information Security Breaches: Has There Been a Downward Shift in Costs?," Journal of Computer Security (19:1), pp 33-56.

Greitzer, F., Moore, A., Cappelli, D., Andrews, D., Carroll, L., and Hull, T. 2008. "Combating the Insider Security Threat," IEEE Security & Privacy (6:1), pp 61-64.

Grouzet, F., Vallerand, R., Thill, E., and Provencher, P. 2004. "From Environmental Factors to Outcomes: A Test of an Integrated Motivational Sequence," Motivation and Emotion (28:4), pp 331-346.

Guay, F., and Vallerand, R. 1996. "Social Context, Students' Motivation, and Academic Achievement: Toward a Process Model," Social Psychology of Education Journal (1:3), pp 211-233.

Guthrie, J., and Davis, M. 2003. "Motivating Struggling Readers in Middle School through an Engagement Model of Classroom Practice," Reading & Writing Quarterly (19:1), pp 59-83.

Hirschberger, G., Pyszczynski, T., and Ein-Dor, T. 2009. "Vulnerability and Vigilance: Threat Awareness and Perceived Adversary Intent Moderate the Impact of Mortality Salience on Intergroup Violence," Personality and Social Psychology Bulletin (35:5), pp 597-607.

Hui, K., Teo, H., and Lee, S. 2007. "The Value of Privacy Assurance: An Exploratory Field Experiment," MIS Quarterly (31:1), pp 19-33.

Igbaria, M., Parasuraman, S., and Baroudi, J. 1996. "A Motivational Model of Microcomputer Usage," Journal of Management Information Systems (13:1), pp 127-143.

Jacobson, D. 2009. Introduction to Network Security. Boca Raton, FL: Chapman & Hall.

Johnston, A., and Warkentin, M. 2010. "Fear Appeals and Information Security Behaviors: An Empirical Study," MIS Quarterly (34:3), pp 549-566.

Kaeo, M. 2004. Designing Network Security. Indianapolis, IN: Cisco Press.

Kerlinger, F. 1973. Foundations of Behavioral Research, (2nd ed.). London, UK: Holt Reinhart & Winston.

Ko, M., and Dorantes, C. 2006. "The Impact of Information Security Breaches on Financial Performance of the Breached Firms: An Empirical Investigation," Journal of Information Technology Management (17:2), pp 13-22.

Lee, R. 1970. "Social Attitudes and the Computer Revolution," Public Opinion Quarterly (34:1), pp 53-59.

Livari, J., and Huisman, M. 2007. "The Relationship between Organizational Culture and the Deployment of Systems Development Methodologies," MIS Quarterly (31:1), pp 35-48.

Lynn, S. 2010. "How to Buy a NAS Device," in: PC Magazine. Ziff Davis, Inc.

Mahmood, M., Siponen, M., Straub, D., Rao, R., and Raghu, T. 2010. "Moving toward Black Hat Research in Information System Security: An Editorial Introduction to the Special Issue," MIS Quarterly (34:3), pp 431-433.

Malhotra, Y., Galletta, D., and Kirsch, L. 2008. "How Endogenous Motivations Influence User Intentions: Beyond the Dichotomy of Extrinsic and Intrinsic User Motivations," Journal of Management Information Systems (25:1), pp 267-299.

Marcoulides, G. 1988. "The Relationship between Computer Anxiety and Computer Achievement," Journal of Educational Computing Research (4:2), pp 151-158.

McAuley, E., Duncan, T., and Tammen, V. 1987. "Psychometric Properties of the Intrinsic Motivation Inventory in a Competitive Sport Setting: A Confirmatory Factor Analysis," Research Quarterly for Exercise and Sport (60:1), pp 48-58.

Miao, C., Evans, K., and Shaoming, Z. 2006. "The Role of Salesperson Motivation in Sales Control Systems - Intrinsic and Extrinsic Motivation Revisited," Journal of Business Research (60:5), pp 417-425.

Mohr, L., and Bitner, M. 1995. "The Role of Employee Effort in Satisfaction with Service Transactions," Journal of Business Research (32:3), pp 239-252.

Panko, R. 2004. Corporate Computer and Network Security. Upper Saddle River, NJ: Prentice Hall.

Paquet, C. 2009. Implementing Cisco IOS Network Security. Indianapolis, IN: Cisco Press.

Parkes, A., and Henderson, M. 2004. "Teenagers' Use of Sexual Health Services: Perceived Need, Knowledge and Ability to Access," Journal of Family Planning and Reproductive Health Care (30:4), pp 217-224.

Perry, R., and Lindell, M. 2003. "Preparedness for Emergency Response: Guidelines for the Emergency Planning Process," Disasters (27:4), pp 336-350.

Plant, R., and Ryan, R. 1985. "Intrinsic Motivation and the Effects of Self-Consciousness, Self-Awareness, and Ego-Involvement: An Investigation of Internally-Controlling Styles," Journal of Personality (53:2), pp 435-449.

Podsakoff, P., Mackenzie, S., Lee, J., and Podsakoff, N. 2003. "Common Method Bias in Behavioral Research: A Critical Review of the Literature and Recommended Remedies," Journal of Applied Psychology (88:5), pp 879-903.

Rennie, L. 1982. "Research Note: Detecting a Response Set to Likert-Style Attitude Items with the Rating Model," Educational Research and Perspectives (9:1), pp 114-118.

Richardson, M., and Abraham, C. 2009. "Conscientiousness and Achievement Motivation Predict Performance," European Journal of Personality (23:7), pp 589-605.

Richardson, R. 2010. 2010 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute.

Ringle, C., and Wende, S. 2009. "SmartPLS 2.0."

Ryan, R. 1982. "Control and Information in the Intrapersonal Sphere: An Extension of Cognitive Evaluation Theory," Journal of Personality and Social Psychology (43:3), pp 279-306.

Ryan, R., Mims, V., and Koestner, R. 1983. "Relation of Reward Contingency and Interpersonal Context to Intrinsic Motivation: A Review and Test Using Cognitive Evaluation Theory," Journal of Personality and Social Psychology (45:1), pp 736-750.

Ryan, R., Rigby, C., and Pryzybylski, A. 2006. "The Motivational Pull of Video Games: A Self-Determination Theory Approach," Motivation and Emotion (30:3), pp 347-363.

Scherling, M. 2011. Practical Risk Management for the CIO. London, UK: Taylor & Francis Group.

Shah, J. 2003. "Automatic for the People: How Representations of Significant Others Implicitly Affect Goal Pursuit," Journal of Personality and Social Psychology (84:4), pp 661-681.

Sins, P., Joolingen, W., Savelsbergh, E., and van Hout-Wolters, B. 2007. "Motivation and Performance within a Collaborative Computer-Based Modeling Task: Relations between Students’ Achievement Goal Orientation, Self-Efficacy, Cognitive Processing, and Achievement," Contemporary Educational Psychology (33:1), pp 58-77.

Siponen, M., Mahmood, M., and Pahnila, S. 2009. "Technical Opinion: Are Employees Putting Your Company at Risk by Not Following Information Security Policies?," Communications of the ACM (52:12), pp 145-147.

Son, J., and Kim, S. 2008. "Internet Users' Information Privacy-Protective Responses: A Taxonomy and a Nomological Model," MIS Quarterly (32:3), pp 503-529.

Spears, J., and Barki, H. 2010. "User Participation in Information Systems Security Risk Management," MIS Quarterly (34:3), pp 503-528.

Stafford, T., and Poston, R. 2010. "Online Security Threats and Computer User Intentions," Computer (43:1), pp 58-64.

Stanley, S., Mclean, E., and Tanner, J. 1993. "Managing High-Achieving Information Systems Professionals," Journal of Management Information Systems (9:4), pp 103-120.

Straub, D., Boudreau, M., and Gefen, D. 2004. "Validation Guidelines for IS Positivist Research," Communications of the AIS (13:1), pp 380-427.

Taylor, C., Kirsch, I., Jamieson, J., and Eignor, D. 2002. "Examining the Relationship between Computer Familiarity and Performance on Computer-Based Language Tasks," Language Learning (49:2), pp 219-274.

Thill, E., and Mouanda, J. 1990. "Autonomy or Control in the Sports Context:
  Validity	
  of	
  Cognitive	
  
               Evaluation	
  Theory,"	
  International	
  Journal	
  of	
  Sports	
  Psychology	
  (21),	
  pp	
  1-­‐20.	
  
Tjhai,	
  G.,	
  and	
  Furnell,	
  S.	
  2007.	
  "Strengthening	
  the	
  Human	
  Firewall,"	
  in:	
  Advances	
  in	
  Networks,	
  
               Computing,	
  and	
  Communications,	
  P.	
  Dowland	
  and	
  S.	
  Furnell	
  (eds.).	
  Plymouth,	
  UK:	
  University	
  of	
  
               Plymouth.	
  
Tsiakis,	
  T.,	
  and	
  Stephanides,	
  G.	
  2005.	
  "The	
  Economic	
  Approach	
  of	
  Information	
  Security,"	
  Computers	
  &	
  
               Security	
  (24:2),	
  pp	
  105-­‐108.	
  
Vallerand,	
  R.	
  1997.	
  "Toward	
  a	
  Hierarchical	
  Model	
  of	
  Intrinsic	
  and	
  Extrinsic	
  Motivation,"	
  in:	
  Advances	
  in	
  
               Experimental	
  Social	
  Psychology,	
  M.	
  Zanna	
  (ed.).	
  New	
  York:	
  Academic	
  Press.	
  
Vallerand,	
  R.	
  2000.	
  "Deci	
  and	
  Ryan's	
  Self-­‐Determination	
  Theory:	
  A	
  View	
  from	
  the	
  Hierarchical	
  Model	
  of	
  
               Intrinsic	
  and	
  Extrinsic	
  Motivation,"	
  Psychological	
  Inquiry	
  (11:4),	
  pp	
  312-­‐318.	
  
Venkatesh,	
  V.	
  1999.	
  "Creation	
  of	
  Favorable	
  User	
  Perceptions:	
  Exploring	
  the	
  Role	
  of	
  Intrinsic	
  Motivation,"	
  
               MIS	
  Quarterly	
  (23:2),	
  pp	
  239-­‐260.	
  
Venkatesh,	
  V.	
  2000.	
  "Determinants	
  of	
  Perceived	
  Ease	
  of	
  Use:	
  Integrating	
  Control,	
  Intrinsic	
  Motivation,	
  
               and	
  Emotion	
  into	
  the	
  Technology	
  Acceptance	
  Model,"	
  Information	
  Systems	
  Research	
  (11:4),	
  pp	
  
               342-­‐366.	
  
Walczuch,	
  R.,	
  and	
  Lundgren,	
  H.	
  2004.	
  "Psychological	
  Antecedents	
  of	
  Institution-­‐Based	
  Consumer	
  Trust	
  in	
  
               E-­‐Retailing,"	
  Information	
  &	
  Management	
  (42:1),	
  pp	
  159-­‐177.	
  
Weaver,	
  R.	
  2007.	
  Guide	
  to	
  Network	
  Defense	
  and	
  Countermeasures	
  Boston,	
  MA:	
  Thomson.	
  
Whitehead,	
  J.,	
  and	
  Corbin,	
  C.	
  1991.	
  "Youth	
  Fitness	
  Testing:	
  The	
  Effects	
  of	
  Percentile-­‐Based	
  Evaluative	
  
               Feedback	
  on	
  Intrinsic	
  Motivation,"	
  Research	
  Quarterly	
  for	
  Excercise	
  and	
  Sport	
  (62),	
  pp	
  225-­‐231.	
  
Wickens,	
  C.,	
  and	
  Hollands,	
  J.	
  1999.	
  Engineering	
  Psychology	
  and	
  Human	
  Performance.	
  Upper	
  Saddle	
  
               River,	
  NJ:	
  Prentice	
  Hall.	
  

                                                                        -23-­‐	
  
	
  
Zuckerman,	
  M.,	
  Porac,	
  J.,	
  Lathin,	
  D.,	
  Smith,	
  R.,	
  and	
  Deci,	
  E.	
  1978.	
  "On	
  the	
  Importance	
  of	
  Self-­‐
       Determination	
  for	
  Intrinsically-­‐Motivated	
  Behavior,"	
  Personality	
  and	
  Social	
  Psychology	
  Bulletin	
  
       (4:4),	
  pp	
  443-­‐446.	
  

	
  

	
  
	
                                           	
  




                                                                      -24-­‐	
  
	
  
APPENDIX A: Server Hardening Laboratory

The exercise involved hardening virtual machine images of production web servers. The servers are based on the LAMP stack (see Figure 3). The LAMP architecture (an acronym for Linux, Apache HTTP Server, MySQL, and PHP) was selected because it is widely adopted as an enterprise ecommerce platform. The servers were configured to include a number of basic security weaknesses which the average junior systems administrator would be expected to address. The weaknesses included unsecured configuration files, default passwords, passwords saved in plaintext, unsecured Apache server access, root access via the internet, plaintext transfer of passwords in programs such as telnet, open ports, unnecessary web services, web-enabled directory browsing, and insecure file permissions.

Figure 3: Server Configuration




To create a more realistic environment, the virtualization platform was based on the ESXi hypervisor developed by VMware. This platform was selected because it is one of the most commonly used virtualization environments in the enterprise systems class. It also includes a number of features which are useful in the present study, such as the snapshot feature. This function makes it possible to capture and assess the state of a virtual machine’s configurations at a given point in time.


Virtual machine snapshots were analyzed using a modified version of Bastille Linux, a security audit and hardening program designed specifically for the Red Hat/Fedora flavor of Linux. This program reviews server configurations and identifies weaknesses and security risks. The original software was updated and modified for this project to incorporate an analysis of the web and database services included in the virtual machine. For output, Bastille provides a report of the status of each server’s security profile. These reports were later coded and used in the empirical analysis.
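
The kind of snapshot audit described above, reduced to six of the weaknesses listed in this appendix, as an added Python example (it is not the study's modified Bastille code). The snapshot contents, the config.php path, the default-password list and the pass-count scoring are assumptions made for illustration; the SSH check flags only an explicit "yes".

```python
import re
import stat

# Constructed snapshot of one server: path -> (file mode, file text). Not study data.
SNAPSHOT = {
    "/etc/ssh/sshd_config": (0o600, "#PermitRootLogin no\nPermitRootLogin yes\n"),
    "/etc/xinetd.d/telnet": (0o644, "service telnet\n{\n  disable = no\n}\n"),
    "/etc/httpd/conf/httpd.conf": (0o644, "Options Indexes FollowSymLinks\n"),
    "/var/www/html/config.php": (0o666, "<?php $db_password = 'changeme';\n"),
}
DEFAULT_PASSWORDS = {"", "changeme", "password", "admin", "root"}  # illustrative list
PASSWORD_RE = re.compile(r"password\s*=\s*['\"]([^'\"]*)['\"]", re.I)

def directives(text):
    """Yield (keyword, [args]) for each non-comment line of a config file."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ").split()
        if parts:
            yield parts[0].lower(), [p.lower() for p in parts[1:]]

def first_value(snapshot, path, keyword):
    """Arguments of the first active occurrence of keyword in path, else None."""
    text = snapshot.get(path, (0, ""))[1]
    return next((args for key, args in directives(text) if key == keyword), None)

def audit(snapshot):
    """Return {check name: True if the weakness is still present}."""
    httpd = snapshot.get("/etc/httpd/conf/httpd.conf", (0, ""))[1]
    secrets = [m.group(1) for _, body in snapshot.values()
               for m in PASSWORD_RE.finditer(body)]
    return {
        # sshd uses the first value it reads for a keyword
        "root_login_over_ssh":
            first_value(snapshot, "/etc/ssh/sshd_config", "permitrootlogin") == ["yes"],
        # an xinetd service file without "disable = yes" leaves the service on
        "telnet_enabled": "/etc/xinetd.d/telnet" in snapshot and
            first_value(snapshot, "/etc/xinetd.d/telnet", "disable") != ["yes"],
        "directory_browsing": any(
            key == "options" and {"indexes", "+indexes", "all"} & set(args)
            for key, args in directives(httpd)),
        "world_writable_file": any(mode & stat.S_IWOTH for mode, _ in snapshot.values()),
        "plaintext_password": bool(secrets),
        "default_password": any(s.lower() in DEFAULT_PASSWORDS for s in secrets),
    }

def hardening_score(report):
    """Checks passed. An assumed coding; the paper does not give its scheme."""
    return sum(not present for present in report.values())
```

Running `audit` on a snapshot taken before and after a hardening session gives two reports whose difference shows which weaknesses the administrator actually addressed.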




APPENDIX B: Construct Measures

Responses were gauged using 5-point scales (1 = strongly disagree, 5 = strongly agree).
	
  
Self-Determined Motivation
I enjoyed doing this activity very much.
This activity was fun to do.
I thought this was a boring activity.
This activity did not hold my attention at all.
I would describe this activity as very interesting.
I thought this activity was quite enjoyable.
While I was doing this activity, I was thinking about how much I enjoyed it.
	
  
Perceived Competence
After working at this activity for a while, I felt pretty competent.
I was pretty skilled at this activity.
This was an activity that I couldn’t do very well.
I think I did pretty well at this activity, compared to other students.
I think I am pretty good at this activity.
I am satisfied with my performance at this task.
	
  
Perceived Autonomy
I didn’t really have a choice about doing this task.
I felt like I had to do this.
I did this activity because I wanted to.
I believe I had some choice about doing this activity.
I did this activity because I had no choice.
I felt like it was not my own choice to do this task.
I did this activity because I had to.



	
  



