ENVIRONMENT, MOTIVATION, AND SYSTEM HARDENING
Jordan Shropshire
Abstract
The present study provides a theoretical basis for understanding the determinants of system
hardening performance. Using self-determination theory (SDT), an integrated motivational
model is developed and tested. The constructs systems familiarity and threat awareness are included
as antecedents of competence and autonomy and as indirect determinants of self-determined
motivation. In turn, the latter impacts system hardening performance. An empirical study for
analyzing this model was conducted. Some 179 current and potential systems administrators
completed surveys and hardened Linux webservers in a controlled laboratory environment. The
results confirm the proposed relationships. The model accounted for 33.3% of the variance in
motivation and 17.2% of the variance in system hardening performance. Implications for
research and practice are discussed.
Keywords:
Security, environment, motivation, system hardening, perceived competence,
perceived autonomy, security awareness, system familiarity, threat awareness
INTRODUCTION
In the modern, hyper-connected business environment the effects of poor information security have
become quite salient. US firms annually lose hundreds of millions of dollars to unexpected system
downtime and data loss or compromise (Richardson 2010). Customers also suffer because the privacy of
their data is jeopardized (Son and Kim 2008). Corporate investors note the effect of security breaches
when stock shares lose value (Gordon and Loeb 2002; Ko and Dorantes 2006). In sum, information
security breaches have devastating consequences (Tsiakis and Stephanides 2005). This is unfortunate
because many information security incidents could be avoided if systems were properly hardened
(Gordon et al. 2011; Siponen et al. 2009).
Hardening is the process of securely configuring a system (Paquet 2009). The purpose is to
protect the information system against unauthorized access, intruders, malware, hackers, viruses, and
other vulnerabilities (Kaeo 2004). The procedure begins with a methodical review of the components
necessary to provision a particular information service. The hardware, software, data and procedures
which are most susceptible to accidental or purposeful compromise are identified. The most secure
configuration for each flagged component is then determined. This may involve extensive research or
consultation with industry standards and regulations. Reconfiguration steps are then taken. Service
assurance levels increase when the plans are implemented. Hence, a relatively weak system is “hardened”
when security risks are reduced.
The scope, formality, and frequency of system hardening are variable (Jacobson 2009). As a
general practice, system-wide security exercises are conducted on a quarterly or annual basis (Fink et al.
2006). This may involve outside security consultants in addition to the entire IT department. Besides
securing systems the outcome of the process may include reports and formal presentations to
management. The procedures also occur less formally on an ongoing basis. New hardware or software
may be introduced or existing components may be reconfigured. When such system changes occur, it
becomes necessary to ensure business continuity by conducting system hardening. Involvement may be
limited to only those responsible for the specific system components. For instance, following the
transition from IPv4 to IPv6 only the networking team may dedicate time towards hardening the
protocols and routing processes which have been affected. Or, after a major website upgrade a single
database administrator might engage in precursory hardening to prevent SQL injections.
System hardening is a relatively complex task (Panko 2004). A systems administrator must be
capable of thinking through multiple system layers in order to identify potential problems. Changes aimed
at securing one component may indirectly impact other facets of the system. A common example of this is
closing firewall ports which must remain open in order to provide services. Further, it is necessary to
balance security with usability (Bulgurcu et al. 2010). It is possible to harden a system to such a degree
that interaction is overly-taxing and users avoid it altogether (Johnston and Warkentin 2010; Spears and
Barki 2010). To avoid pitfalls and elicit better results, hardening requires significant effort and
concentration.
Because hardening is an intellectually-challenging process, it is a relatively difficult process to
manage (Scherling 2011). IT managers must be able to visualize an entire system and ensure coordination
among their workers (Campbell et al. 2003). They must not allow any overlap in systems hardening
responsibilities or else the final configuration will not be optimal (Weaver 2007). They must also prevent
gaps in task delineation or else parts of the system may not be secured. Managers must assign IT workers
some degree of responsibility based on their projected performance (Cross et al. 2010). These
determinations are often subjective and may be based on limited evidence (Livari and Huisman 2007).
This may produce results which do not meet expectations. For better results, it is necessary to make more
deliberate decisions. Previous studies indicate that performance expectations should be based on
psychological and behavioral guidance (Venkatesh 1999).
Over the years, behavioral studies have indicated that one factor which determines IT worker
behavior is motivation (Bartol and Martin 1982; Malhotra et al. 2008; Stanley et al. 1993; Venkatesh
2000). These findings have already been used within the information security domain, but not to
understand system hardening (Mahmood et al. 2010). The purpose of this research is to propose and test a
motivational model of IT worker performance at system hardening. A comprehensive motivational
sequence, including environmental variables, psychological mediators, motivation, and behavioral
outcome is proposed and tested. This model is framed using self-determination theory (SDT) (Deci and
Ryan 1985). It represents one of the earliest attempts to combine SDT with information security. The
remainder of this study is organized as follows: background information on self-determination theory is
provided in the following section. Next, the proposed research model is introduced and corresponding
hypotheses are stated. Hypothesis testing methods are described and the procedure for evaluating the
hypotheses is explained. Finally, study results are presented and conclusions are drawn.
BACKGROUND: SELF-DETERMINATION THEORY
Self-determined motivation is based on action out of choice and/or pleasure rather than threat of
consequences (Deci and Ryan 1985; Vallerand 1997). SDT incorporates the determinants and sequences
of self-determined motivation into an integrated causal model consisting of four elements (see Figure 1)
(Grouzet et al. 2004). This motivational sequence begins with environmental factors such as feedback or
reward. Environmental conditions stimulate psychological needs (the need for self-competence, for
example). Consequently, need satisfaction is a contributor to self-determined motivation. In turn,
motivation leads to consequences or action. This motivational sequence can exist at three levels of
generality: global (regarding personality), contextual (within a specific domain), or situational (with
respect to a certain activity) levels (Vallerand 2000). This study concerns individual performance at a
specific activity. Therefore, the focus of this research is the situational level. The remainder of this section
describes the elements of the integrated motivation sequence at the situational level.
Figure 1: Self-Determination Theory
Prior studies hold that environment influences psychological state and indirectly shapes
motivation (Ryan 1982). The environmental forces which are relevant depend on the specific context. For
instance, a number of studies in the education field have focused on the impact of student motivation on
class performance (Parkes and Henderson 2004; Thill and Mouanda 1990; Whitehead and Corbin 1991).
In these cases, the most important environmental variables were related to teacher feedback. Within the
marketing sector, a range of salient variables have emerged. Increases in salesman motivation have been
linked to environmental stimuli such as changes in economic conditions, prior sales success, perceived
financial need, customer feedback, and changes in compensation (Deci et al. 1999; Zuckerman et al.
1978). Separately, the role of environment has also been studied within the technical fields. Contrasting
with the business discipline, environment cues for engineers are based less on social interactions and
more on technical mastery. For instance, it has been demonstrated that engineers’ motivation to take on
complex assignments begins with their discipline-specific knowledge and their ability to interact with the
problem space (Baillie and Fitzgerald 2000). Such environmental factors, acting through psychological
mediators, may significantly increase or decrease self-determined motivation.
Psychological needs are stimulated by environmental factors and are the antecedents of self-
determined motivation (Deci and Ryan 1985; Grouzet et al. 2004). Hence, they act as psychological
mediators. Need satisfaction is a direct contributor of motivation. SDT holds that the most relevant
psychological needs are competence, autonomy, and relatedness (Vallerand 1997). Perceived competence
refers to the ability to cope with the environment. Perceived autonomy is the freedom to control one’s
destiny and act in accordance with the integrated self. It should be noted that autonomy does not imply
independence of others but freedom to make choices. Perceived relatedness refers to a sense of security
and fit within a social group. Collectively, these are fundamental needs which individuals constantly seek
to fulfill. Positive perceptions of competence, autonomy, and relatedness enhance self-determined
motivation as individuals are motivated to perform activities which meet their psychological needs. Each
need is influenced by environmental conditions. For instance, positive feedback has been shown to
stimulate autonomy and competence. The reverse is also true: low competence is a result of negative
feedback. To reiterate, psychological needs mediate the relationship between environment factors and
motivation.
Previous research has focused on two types of motivation: intrinsic and extrinsic motivation (Deci
and Ryan 2000). Intrinsic motivation is self-developed and endorsed. It refers to performing a behavior
that is satisfying and interesting. An IT professional who finds a task to be intellectually stimulating
would be intrinsically motivated. Extrinsic motivation is based on external pressure to obtain something
positive or avoid something negative. The extrinsically-motivated employee views a task as a means to an
end. It is suggested that extrinsic and intrinsic motivation are not negatively related but are endpoints on a
motivation continuum. Within this scheme, self-determined motivation is aligned with the intrinsic end of
the continuum. Need satisfaction catalyzes intrinsic motivation, as individuals will seek to pursue
activities which fulfill their basic needs for autonomy, competence, and relatedness (Deci and Ryan
1985).
The causal impact of motivation on resulting actions is well-documented. Examples include
school performance (Guay and Vallerand 1996), computer use (Davis et al. 1992; Igbaria et al. 1996;
Venkatesh 2000), and social interactions (Blais et al. 1990). Thus, the more self-determined the
motivation, the more positive the results (Ryan et al. 1983). In summary, environmental factors influence
psychological needs and indirectly shape motivation while self-determined motivation leads to behavioral
outcomes.
THEORETICAL DEVELOPMENT
This research integrates the elements of SDT with situation-specific environmental factors into a
comprehensive model for understanding system hardening performance (see Figure 2). Based on an
analysis of the system hardening environment and a comprehensive literature review, two factors emerged
as potentially relevant environmental variables for the information security environment. They are threat
awareness and systems familiarity. Consistent with previous studies of motivation in the technical fields,
they are based on expertise and problem manipulation (Wickens and Hollands 1999). Both are
hypothesized determinants of perceived autonomy and perceived competence. In turn, the psychological
needs are predicted to influence self-determined motivation. Finally, situational motivation is expected to
dictate individual performance at system hardening. The hypothesized relationships between these
constructs are explained in the following section.
Figure 2: Research Model
To begin, SDT holds that the environment is a combination of conditions which collectively
shape psychological need (Deci et al. 1994; Deci and Ryan 1985). Therefore, it is necessary to identify
unique factors which influence psychological need and indirectly impact motivation and security
performance. Based on structured observation of the system security environment two conditions were
selected. They are system familiarity and threat awareness. Neither variable has yet been applied to
behavioral research in information security although they have been addressed in prior SDT studies
(Goldberg and Pedulla 2011; Greitzer et al. 2008; Perry and Lindell 2003; Taylor et al. 2002). They are
expected to play a formative role in the development of psychological needs.
Over forty years ago, system familiarity was conceived as the degree to which an individual is
proficient at manipulating some combination of software, data, and hardware (Lee 1970). It is expected to
determine motivation and hardening behavior via psychological need. The proposed role of system
familiarity is sustained by related studies in the extant literature (Arthur and Hart 1989; Goldberg and
Pedulla 2011; Marcoulides 1988; Taylor et al. 2002). Furthermore, Davis (1993) conceptualized system
familiarity within the complete motivational sequence as an environmental stimulus, determinant of
attitude, and indirect antecedent of behavioral action. Although it was not used in a predictive capacity,
the concept of familiarity has been broached in information security research (Hui et al. 2007). Based on
this evidence, system familiarity is anticipated to be a significant determinant of psychological need and
indirectly impact motivation.
To illustrate the role of system familiarity within the information security context, consider a
scenario in which it becomes necessary to harden a particular network-attached storage (NAS) array. An
IT worker who is proficient with Openfiler and FreeNAS is expected to have a relatively high degree of
competence, as they are two of the most common open source NAS platforms (Lynn 2010). The
individual would pursue the hardening assignment because it validates his or her perceptions of
competence. In addition to perceived competence, it is projected that system familiarity is also a
determinant of perceived autonomy. IT workers with systems familiarity will feel more comfortable in
decision making and in greater control. Conversely, IT workers with less familiarity will have low
perceived autonomy, because they will doubt their ability to implement the proper changes. To
summarize, system familiarity is expected to influence psychological need. Therefore, it is proposed that:
HYPOTHESIS 1: System familiarity will have a positive influence on perceived competence
and
HYPOTHESIS 2: System familiarity will have a positive influence on perceived autonomy
The second environmental factor is threat awareness – understanding the means by which
systems may be purposely or inadvertently compromised. The concept of threat awareness has already
been established within the information security space (Chen et al. 2008; Greitzer et al. 2008; Perry and
Lindell 2003). Studies of environmental factors related to threat awareness support its proposed
relationship with psychological need and motivation (Furnell et al. 2007; Gagne and Deci 2005;
Hirschberger et al. 2009; Walczuch and Lundgren 2004). Based on this evidence, threat awareness is
included as an essential element in predicting system hardening performance. It is not possible to secure a
system without awareness of possible system threats (Du et al. 2006; Stafford and Poston 2010).
Specifically, it is anticipated that individuals without such information will have lower perceptions of
competence. By contrast, IT workers with a keen awareness of security threats will feel more competent
because they understand the latest system risks and the best approaches for neutralizing them. Besides
competence, threat awareness is also expected to influence perceived autonomy. IT professionals with
greater threat awareness will perceive more freedom to make their own decisions because they
understand the options. For example, suppose an organization migrates its domain naming service (DNS)
from Windows Server 2003 to Linux-based BIND. After the transition it will be necessary to select an IT
professional to harden the new server. The individual who understands the potential threats to DNS will
perceive greater decision making flexibility because he or she understands the decisions which must be
made. Simplified, the IT worker who is more aware of security threats to DNS will perceive greater
autonomy. These relationships are expressed in the following hypotheses:
HYPOTHESIS 3: Threat awareness will have a positive influence on perceived competence
and
HYPOTHESIS 4: Threat awareness will have a positive influence on perceived autonomy
Both of the environmental factors are necessary to effect security improvements. The IT
professional cannot harden a system if he or she cannot identify the potential threats and determine a best
course for reducing the risks of their occurrence (Stafford and Poston 2010). Understanding security
threats is alone not sufficient. The IT professional must also be able to reconfigure a system in order to
implement a security fix (Tjhai and Furnell 2007). This requires familiarity with the system. Combined,
threat awareness and system familiarity shape psychological need and indirectly stimulate self-determined
motivation to harden a system.
The elements of psychological need - competence and autonomy - are included as antecedents of
motivation. Past research demonstrates that they mediate the relationship between the environmental
factors and motivation (Gagne 2003; Grouzet et al. 2004; Guthrie and Davis 2003; Ryan et al. 2006; Shah
2003). Perceived competence is expected to build motivation in a variety of scenarios. For example, a
newly-hired IT worker may view system hardening as an opportunity to demonstrate his or her technical
prowess. In doing this he or she seeks to reinforce the fundamental need for competence. The link
between competence and motivation is well-established (Deci and Ryan 2000; Elliot 2005; Vallerand
1997). To extend this rationale the following hypothesis is considered:
HYPOTHESIS 5: Perceived competence will have a positive influence on self-determined motivation
Perceived autonomy is the second hypothesized predictor of motivation. For instance, an
individual may be motivated to partake in system hardening because he or she considers it to be an option
reserved for a few trusted experts. The individual’s desire to control his or her own destiny and select
interesting work is based on autonomy. The path from perceived autonomy to motivation has already
been demonstrated (Dickinson 1995; Ehrman et al. 2003; Vallerand 1997). This supports the basic desire
for autonomy, performing the task out of choice.
HYPOTHESIS 6: Perceived autonomy will have a positive influence on self-determined motivation
It should be noted that relatedness is not included in the current model. Recent studies of SDT
indicate that relatedness plays a smaller role in intrinsic motivation development when the behavioral
outcome is not based on social interaction (Vallerand 2000). Because system hardening is undertaken as
an individual activity, it is concluded that relatedness is not relevant to this study.
As previously described, system hardening is the process of identifying weaknesses in current
system configurations and finding and implementing solutions for reducing security risks (Panko 2004).
This procedure requires a great deal of concentration on the part of the IT worker as it is necessary to
think through complex system processes in order to pinpoint and reconcile vulnerabilities (Scherling
2011). Surface-level problems may be apparent but less salient issues require more effort to uncover
(Campbell et al. 2003). For instance, consider the task of hardening a virtual private network (VPN)
installation. Ensuring that exterior, incoming resource requests are routed through the authentication
system is a relatively straightforward task. Reconciling discrepancies between planned privilege levels
and actual user domains for authenticated, external clients is a more consuming process. While even the
amotivated worker will perform the former task, only a self-determined employee will do the latter. For
such intellectually-challenging activities, the difference between active engagement and simply going
through the motions has substantial security implications.
Differences in motivation generally correspond to degree of performance (Erez and Judge 2001;
Mohr and Bitner 1995; Richardson and Abraham 2009). Self-determined IT workers are expected to do a
better job. In the case of VPN hardening, the average IT worker may neglect to check for inconsistencies
between directory permissions for remote clients and subnet structure. His or her task performance is
likely based on extrinsic motivation - fear of punishment for not completing the task and/or reward of
continued salary for performing the work. In contrast, the IT professional who is motivated by the thrill of
outsmarting deviant users may perform the check and uncover a flaw which allows VPN access into a
sensitive, off-limits file system. This individual is acting out of intrinsic, self-determined motivation. The
link between motivation and performance of complex tasks has already been established in similar studies
in marketing, sales, administration, and management, where more motivated individuals did better at
solving a range of problems in the business domain (Barrick et al. 2002; Bowman and Narayandas 2004;
Miao et al. 2006; Sins et al. 2007). Therefore, self-determined motivation is expected to be a significant
determinant of system hardening performance. Accordingly, the following hypothesis is proffered:
HYPOTHESIS 7: Self-determined motivation will have a positive influence on system hardening
performance
To summarize the preceding hypotheses, system familiarity and threat awareness are included as
environmental factors. They are determinants of self-competence and autonomy. Self-perception is an
antecedent of self-determined motivation, which predicts behavioral outcomes. The following sections
describe the evaluation of the hypotheses.
METHODS
Procedure
To evaluate the research model, the laboratory study method was employed and a combination of
computer-data and survey results were collected. First, subjects completed a pen-and-paper survey which
included items for measuring the predictors. To provide behavioral data for the dependent variable system
hardening performance, they participated in a simulated security exercise. In this exercise, participants
were asked to do their best job securing virtual machine webservers by identifying and reconciling
weaknesses and security threats. Each subject configured a virtual machine via desktop computer and a
hypervisor for a period of 45 minutes. Subjects were granted internet access but were not allowed to
speak with each other. After the allotted time, snapshots of virtual machines were taken and the lab was
concluded (see appendix A for more details). Participants were then debriefed and excused.
Sample
Subjects were expected to harden a webserver – a task which may be completed by entry-level IT
workers. Therefore, the sample was comprised of individuals with similar traits. For inclusion into the
study subjects were required to meet two conditions: (1) they must have the equivalent of between 3
months and two years of full-time work experience, and (2) they should have completed at least 6 college
credit hours of formal training in systems administration and security. Based on these guidelines a
sufficiently large pool of candidates was composed. It consisted of individuals who were either recent
graduates or were enrolled part-time or full-time in the I.T. program at a large, public university in the
Southeastern United States. Subjects were then recruited via email, Twitter, and Facebook channels and
asked to participate in the study. For prescreening, individuals were asked to indicate if they met the
training and experience requirements. Only those with acceptable IT experience and education were
included in the sample. These steps ensured that the sample approximated the population of interest in the
current study.
Instrumentation
Measures for independent variables were adapted primarily from the Intrinsic Motivation Inventory (IMI)
(Ryan 1982). Perceived competence was operationalized using 6 items, perceived autonomy was
measured with 7 items, and motivation was operationalized using 7 items. The IMI has previously been
used in a number of related studies (Deci et al. 1994; Plant and Ryan 1985; Ryan 1982; Ryan et al. 1983).
Through these studies, the validity of the IMI has been reaffirmed. Furthermore, McAuley (1987)
conducted a meta-analysis of the psychometric properties of the IMI and confirmed its soundness. All the
items from the IMI were measured using 5 point Likert scales.
Because the environmental variables are context-specific, no previously-validated scales were
available. Instead, system familiarity and threat awareness were operationalized via proprietary tests on
Linux administration and information security. The tests were developed by a HR staffing and placement
firm and are used to screen applicants for entry level positions in IT. The first test is composed of 19
multiple choice questions on Linux operating system management. It was used to operationalize system
familiarity. The second test consisted of 22 multiple choice questions for identifying candidates with a
basic understanding of common security risks and practices. These questions were used to measure threat
awareness. This approach to measuring environmental variables is consistent with earlier research on
intrinsic motivation. For instance, previous studies of student motivation have used various facets of test
performance to operationalize environmental factors (Grouzet et al. 2004).
The dependent variable was based on the extent to which individuals secured virtual machines.
Two qualified research assistants independently assessed each subject’s attempt at securing an insecure
server. They reviewed security audits conducted on each virtual machine using specialized software. Each
virtual machine was rated on a scale of 1 to 5, where 1 corresponded with “very insecure” and 5
corresponded with “very secure.” It should be noted that if no security improvements were made then a
virtual machine would be considered very insecure and indicative of poor performance at server
hardening. On the contrary, servers which were made to be very secure are evidence of a superior
hardening performance.
RESULTS
A total of 418 individuals were initially recruited. Of the 205 individuals who agreed to participate, 189
qualified subjects ultimately passed the screening requirements and participated in the study. Four surveys
were incomplete or otherwise unusable. These surveys were excluded from the data analysis. In addition,
6 surveys were rejected because a response set was detected (Andrich 1978; Kerlinger 1973; Rennie
1982). Thus, 179 surveys were ultimately used in data analysis. Although the independent variables and
dependent variables were derived from separate sources of data, a test for common methods variance
(CMV) was conducted (Podsakoff et al. 2003). The results confirmed the suitability of the data for
further analysis.
Prior to model testing, extensive analyses were conducted to ensure validity of measures. The
components-based approach (Gefen et al. 2000) for structural equations modeling was employed via the
SmartPLS software package (Ringle and Wende 2009). Convergent and discriminant validity of reflective
constructs were assessed using factor loadings. Such loadings indicate if items cross-load or fail to
significantly load on their respective latent variable (Straub et al. 2004). Specifically, convergent validity
is demonstrated when items load above 0.70 on their respective construct and when the average variance
extracted (AVE) is above 0.50 for each construct. Discriminant validity is identified when item loadings
are greater for their respective construct than for other constructs in the model, and when each construct’s
square-rooted AVE is greater than its intercorrelation with other constructs. As indicated in Tables 1
and 2, the conditions for both convergent and discriminant validity are met.
To gauge reliability, the internal consistency measure for each construct was examined.
Constructs which exceeded the .70 level of internal consistency were judged to possess sufficient
reliability (Barclay et al. 1995; Fornell and Bookstein 1982). As shown in Table 2, the internal
consistency for each construct was above .90, which exceeds the recommended threshold for construct
reliability.
Table 1: Psychometric Properties of Reflective Measures

Construct                         Item   PC        PA        M         AVE
Perceived Competence (PC)         PC1    .900      .287139   .357633   .756
                                  PC2    .912      .378545   .474205
                                  PC3    .892      .397988   .492692
                                  PC4    .864      .381608   .389609
                                  PC5    .880      .291173   .404723
                                  PC6    .760      .260122   .295855
Perceived Autonomy (PA)           PA1    .297114   .773      .341798   .645
                                  PA2    .435475   .876      .428941
                                  PA3    .299435   .850      .461665
                                  PA4    .232584   .760      .312627
                                  PA5    .220542   .732      .426962
                                  PA6    .362899   .808      .337810
                                  PA7    .316682   .813      .426951
Self-Determined Motivation (M)    M1     .369969   .434496   .752      .620
                                  M2     .387743   .352991   .800
                                  M3     .399027   .465077   .854
                                  M4     .369244   .441826   .834
                                  M5     .328612   .438595   .719
                                  M6     .315905   .309295   .790
                                  M7     .422438   .331189   .752

Table 2: Correlations Among Constructs

Construct               RELI   PC     PA     M
Perceived Competence    .949   .869
Perceived Autonomy      .927   .389   .803
Motivation              .919   .471   .491   .787

Square-rooted AVE on diagonal; RELI = Composite Reliability

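The validity and reliability criteria stated above can be recomputed directly from the loadings in Table 1 and the correlations in Table 2. The following is an added example, not part of the original paper: the function names are illustrative, and the composite reliability formula is the standard Fornell-Larcker form, assumed here to be the one behind the RELI column.

```python
"""Recompute the convergent/discriminant validity checks from Tables 1 and 2."""
from math import sqrt

CONSTRUCTS = ("PC", "PA", "M")

# Loadings transcribed from Table 1: item -> (loading on PC, on PA, on M).
LOADINGS = {
    "PC1": (.900, .287139, .357633), "PC2": (.912, .378545, .474205),
    "PC3": (.892, .397988, .492692), "PC4": (.864, .381608, .389609),
    "PC5": (.880, .291173, .404723), "PC6": (.760, .260122, .295855),
    "PA1": (.297114, .773, .341798), "PA2": (.435475, .876, .428941),
    "PA3": (.299435, .850, .461665), "PA4": (.232584, .760, .312627),
    "PA5": (.220542, .732, .426962), "PA6": (.362899, .808, .337810),
    "PA7": (.316682, .813, .426951),
    "M1": (.369969, .434496, .752), "M2": (.387743, .352991, .800),
    "M3": (.399027, .465077, .854), "M4": (.369244, .441826, .834),
    "M5": (.328612, .438595, .719), "M6": (.315905, .309295, .790),
    "M7": (.422438, .331189, .752),
}

# Inter-construct correlations transcribed from Table 2 (off-diagonal cells).
CORRELATIONS = {("PC", "PA"): .389, ("PC", "M"): .471, ("PA", "M"): .491}


def owner(item):
    """Construct an item belongs to, e.g. 'PA3' -> 'PA'."""
    return item.rstrip("0123456789")


def own_loadings(construct, loadings=LOADINGS):
    col = CONSTRUCTS.index(construct)
    return [row[col] for item, row in loadings.items() if owner(item) == construct]


def ave(construct, loadings=LOADINGS):
    """Average variance extracted: mean of the squared own-construct loadings."""
    lam = own_loadings(construct, loadings)
    return sum(l * l for l in lam) / len(lam)


def composite_reliability(construct, loadings=LOADINGS):
    """(sum of loadings)^2 / ((sum of loadings)^2 + sum of error variances)."""
    lam = own_loadings(construct, loadings)
    explained = sum(lam) ** 2
    error = sum(1 - l * l for l in lam)
    return explained / (explained + error)


def convergent_violations(loadings=LOADINGS, min_loading=0.70, min_ave=0.50):
    """Items not loading above 0.70 and constructs whose AVE is not above 0.50."""
    problems = []
    for item, row in loadings.items():
        own = row[CONSTRUCTS.index(owner(item))]
        if own <= min_loading:
            problems.append(f"{item}: loading {own:.3f} not above {min_loading}")
    for c in CONSTRUCTS:
        if ave(c, loadings) <= min_ave:
            problems.append(f"{c}: AVE {ave(c, loadings):.3f} not above {min_ave}")
    return problems


def discriminant_violations(loadings=LOADINGS, correlations=CORRELATIONS):
    """Cross-loading items and constructs whose sqrt(AVE) does not exceed a correlation."""
    problems = []
    for item, row in loadings.items():
        own_col = CONSTRUCTS.index(owner(item))
        for col, value in enumerate(row):
            if col != own_col and value >= row[own_col]:
                problems.append(f"{item}: cross-loads on {CONSTRUCTS[col]}")
    for (a, b), r in correlations.items():
        for c in (a, b):
            if sqrt(ave(c, loadings)) <= abs(r):
                problems.append(f"{c}: sqrt(AVE) does not exceed r({a},{b})={r}")
    return problems


def summary(loadings=LOADINGS):
    """Per-construct AVE, sqrt(AVE) and composite reliability, rounded as in the tables."""
    return {
        c: {
            "AVE": round(ave(c, loadings), 3),
            "sqrt_AVE": round(sqrt(ave(c, loadings)), 3),
            "RELI": round(composite_reliability(c, loadings), 3),
        }
        for c in CONSTRUCTS
    }


if __name__ == "__main__":
    for construct, stats in summary().items():
        print(construct, stats)
    print("convergent violations:", convergent_violations())
    print("discriminant violations:", discriminant_violations())
```

The recomputed values match the AVE column of Table 1 and the RELI column and diagonal of Table 2, and both violation lists come back empty for the published data.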
Following instrument validation, hypothesized direct effect paths were tested using bootstrap
resampling (Gefen et al. 2000). The results of the PLS analysis are reported in Table 3. It appears that the
path from threat awareness to perceived competence (H3) was not supported. All the other paths between
the predicting variables and ISPC are significant at the .05 alpha level. The model accounts for 17.2% of
the variance in system hardening performance (see Figure 3). For the supported paths, tests of mediation
were conducted following the steps outlined by Baron and Kenny (1986). It was determined that
perceived competence mediates the relationship between system familiarity and motivation, perceived
autonomy mediates the relationship between the environmental factors and motivation, and self-
determined motivation mediates the relationship between the psychological mediators and system
hardening performance.
Table 3: Outcome of the Hypothesis Tests
Hypothesis   Path       Coefficient   T or F Value   P-value   Supported?
H1           SF → PC    .392          3.079          p<.0018
H2           SF → PA    .323          2.889          p<.0043
H3           TA → PC    .162          1.390          p<.0831   X
H4           TA → PA    .489          2.201          p<.0290
H5           PC → M     .329          3.121          p<.0021
H6           PA → M     .363          3.636          p<.0003
H7           M → SHP    .414          5.071          p<.0001
SF = System Familiarity; TA = Threat Awareness; SHP = System Hardening Performance
Figure 3: Supported Paths
DISCUSSION AND CONTRIBUTION
The results of this study provide a basis for understanding the role of environmental factors,
psychological states, and motivation on performance of security-related work. The findings indicate that a
system administrator’s performance at system hardening is determined in part by the direct influence of
self-determined motivation. Those whose motivation stems from self-directed factors turn out the highest
quality results. In addition, self-determined motivation was confirmed to be derived from elements of the
individual’s psychological state. Finally, this research indicates that perceptions of competence and
autonomy were based on systems familiarity and threat awareness.
Interestingly, the path from threat awareness to perceived competence was not supported. A
possible interpretation of this result is that risk appreciation does not build or stimulate competence. For IT
professionals, perceived competence may be derived only from system-specific knowledge. In contrast,
both system familiarity and threat awareness were significantly linked to perceived autonomy. It may be
that IT workers perceive the autonomy to perform their tasks only if they possess security and system-
specific knowledge. In order to improve motivation, managers must approach each of the psychological
states independently, as each is impacted by a different combination of factors. This requires more
sophisticated efforts, but may yield significant improvements over old techniques. This finding has
implications for both managerial and research endeavors involving the administrative aspects of
information security, technical training, and the hiring of IT personnel.
Chief information officers seeking improvements in system security should consider conducting
in-house training programs and ongoing refresher courses. The results of this study indicate that
employees with system familiarity are more able to effect improvements in IT infrastructure. Those who
do not understand the technical details regarding a system’s operation will not be able to effectively
implement security measures. IT managers should implement training sessions to refresh the memories of
systems administrators. This is a simple but often-overlooked step. Even if an employee has been
managing a system for several years it is likely that he or she will eventually forget key details. This can
happen to even the most ardent professional and inadvertently leave seams in the security perimeter.
Security awareness can be boosted through informal discussions, workshops, and reminders at meetings.
By simply asking an employee to consider the security implications of a given configuration, much
thought and foresight will be developed. For more specific recommendations, see Table 4.
Table 4: Fostering Improvements in Employee Security Performance
Environmental Factor: System Familiarity
Suggested Actions:
• Develop refresher courses and in-house training for IT staff
• Rotate employees through functional positions in order to encourage holistic, system-wide thinking
• Encourage mentoring of junior workers among senior IT professionals
• Offer to send top performers and promising new hires to technical boot camps for advanced training.
Environmental Factor: Security Awareness
Suggested Actions:
• Discuss current events regarding information security and ask how they might impact enterprise systems.
• Create challenges or competitions in which IT workers can compete to demonstrate their security capabilities
• Ask individuals to consider the impact of compromised systems on their areas of responsibility
• Encourage employees to complete specialized information security certifications such as CISSP.
The application of self-determination theory to information security is unique to this study but
provides numerous opportunities for future research in this area. This research found that self-motivated
employees will work harder to improve security than those whose motivation stems from other sources.
However, much of the variance in system hardening performance remained unaccounted for in this study.
Future research should consider both alternative and complementary explanations for system hardening
performance and for other security-related tasks performed by IT professionals. A unique attribute of this
study is that it measures actual performance, not just intention to perform security-related work. The
accurate assessment of work-related outcomes is relatively difficult to achieve. This is especially true for
complex assignments such as information security. Thus, this research makes an important contribution
by developing a method to isolate and gauge performance of complicated system tasks. Further, the
research focused on the impact of the IT professional, not the end user. This represents a significant shift
from previous studies of information security. This is a desirable direction, as IT workers would be
expected to have more influence on organizational information security than passive users. Specifically,
this research focused on IT workers who were relatively inexperienced. Future opportunities exist to
explore the dynamics of more seasoned workers.
CONCLUSION
IT directors and CIOs must ensure that they properly equip, motivate, train, and deploy their workforce in
order to minimize risks to information systems. By ensuring that IT workers are prepared to cope with
their technical environment they can stimulate confidence and build motivation to tackle challenging
security tasks. This research focused on system hardening, as it is a common task which most IT workers
are expected to perform. To advance the domain knowledge, this study applied self-determination theory
to information security. It identified two relevant factors which influence motivation – system familiarity
and security awareness. By understanding and controlling key environmental factors, IT directors and
managers can indirectly build motivation and improve organizational security.
REFERENCES
Andrich, D. 1978. "A Rating Formulation for Ordered Response Categories," Psychometrika (43:4), pp 561-573.
Arthur, W., and Hart, D. 1989. "Empirical Relationships between Cognitive Abilities and Computer Familiarity," in: Annual Meeting of the Southwestern Psychological Association. Houston, TX.
Baillie, C., and Fitzgerald, G. 2000. "Motivation and Attrition in Engineering Students," European Journal of Engineering Education (25:2), pp 145-155.
Barclay, D., Higgins, D., and Thompson, R. 1995. "The Partial Least Squares Approach to Causal Modeling: Personal Computer Adoption and Use as an Illustration," Technology Studies (2:2), pp 285-309.
Baron, R., and Kenny, D. 1986. "The Moderator-Mediator Variable Distinction in Social Psychological Research: Conceptual, Strategic and Statistical Considerations," Journal of Personality and Social Psychology (51:1), pp 1173-1182.
Barrick, M., Stewart, G., and Piotrowski, M. 2002. "Personality and Job Performance: Test of the Mediating Effects of Motivation among Sales Representatives," Journal of Applied Psychology (87:1), pp 1-9.
Bartol, K., and Martin, D. 1982. "Managing Information Systems Personnel: A Review of the Literature and Managerial Implications," MIS Quarterly (6:4), pp 49-70.
Blais, M., Sabourin, S., Boucher, C., and Vallerand, R. 1990. "Toward a Motivational Model of Couple Happiness," Journal of Personality and Social Psychology (59:3), pp 1021-1031.
Bowman, D., and Narayandas, D. 2004. "Linking Customer Management Effort to Customer Profitability in Business Markets," Journal of Marketing Research (41:1), pp 433-447.
Bulgurcu, B., Cavusoglu, H., and Benbasat, I. 2010. "Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness," MIS Quarterly (34:3), pp 523-548.
Campbell, P., Calvert, B., and Boswell, S. 2003. Security+ Guide to Network Security. Boston, MA: Thomson.
Chen, J., Schmidt, M., Phan, D., and Arnett, K. 2008. "E-Commerce Security Threats: Awareness, Trust and Practice," International Journal of Information Systems and Change Management (3:1), pp 16-32.
Cross, R., Dowling, C., Gerbasi, A., Gulas, V., and Thomas, R. 2010. "How Organizational Network Analysis Facilitated Transition from Regional to a Global IT Function," MIS Quarterly Executive (9:3), pp 133-145.
Davis, F. 1993. "User Acceptance of Information Technology: System Characteristics, User Perceptions and Behavioral Impacts," International Journal of Man-Machine Studies (38:3), pp 475-487.
Davis, F., Bagozzi, R., and Warshaw, P. 1992. "Extrinsic and Intrinsic Motivation to Use Computers in the Workplace," Journal of Applied Social Psychology (22:14), pp 1111-1132.
Deci, E., Eghrari, H., Patrick, B., and Leone, D. 1994. "Facilitating Internalization: The Self-Determination Theory Perspective," Journal of Personality (62:4), pp 119-142.
Deci, E., Koestner, R., and Ryan, R. 1999. "A Meta-Analytic Review of Experiments Examining the Effects of Extrinsic Rewards on Intrinsic Motivation," Psychological Bulletin (125:3), pp 627-668.
Deci, E., and Ryan, R. 1985. Intrinsic Motivation and Self Determination in Human Behavior. New York: Plenum Press.
Deci, E., and Ryan, R. 2000. "The “What” and “Why” of Goal Pursuits: Human Needs and the Self-Determination of Behavior," Psychological Inquiry (11:1), pp 227-268.
Dickinson, L. 1995. "Autonomy and Motivation: A Literature Review," System (23:2), pp 165-174.
Du, J., Jiao, Y., and Jiao, J. 2006. "A Security Blueprint for E-Business Applications," in: Enterprise Information Systems Assurance and System Security, M. Warkentin and R. Vaughn (eds.). Hershey, PA: Idea Publishing Group, pp. 80-94.
Ehrman, M., Leaver, B., and Oxford, R. 2003. "A Brief Overview of Individual Differences in Second Language Learning," System (31:3), pp 313-330.
Elliot, A. 2005. Handbook of Competence and Motivation. New York, NY: The Guilford Press.
Erez, A., and Judge, T. 2001. "Relationship of Core Self-Evaluations to Goal Setting, Motivation, and Performance," Journal of Applied Psychology (86:6), pp 1270-1279.
Fink, D., Huegle, T., and Dortschy, M. 2006. "A Model for Information Security Governance for E-Business," in: Enterprise Information Systems Assurance and System Security, M. Warkentin and R. Vaughn (eds.). Hershey, PA: Idea Group Publishing, pp. 1-15.
Fornell, C., and Bookstein, F. 1982. "Two Structural Equation Models: LISREL and PLS Applied to Consumer Exit-Voice Theory," Journal of Marketing Research (19:1), pp 440-452.
Furnell, S., Bryant, P., and Phippen, A. 2007. "Assessing the Security Perceptions of Personal Internet Users," Computers & Security (26:5), pp 410-417.
Gagne, M. 2003. "Autonomy Support and Need Satisfaction in the Motivation and Well-Being of Gymnasts," Journal of Applied Sports Psychology (15:2), pp 372-390.
Gagne, M., and Deci, E. 2005. "Self-Determination Theory and Work Motivation," Journal of Organizational Behavior (26:4), pp 331-362.
Gefen, D., Straub, D., and Boudreau, M. 2000. "Structural Equation Modeling Techniques and Regression: Guidelines for Research Practice," Communications of the AIS (7:7), pp 1-78.
Goldberg, A., and Pedulla, J. 2011. "Performance Differences According to Test Mode and Computer Familiarity on a Practice Graduate Record Exam," Educational and Psychological Management (62:6), pp 1053-1067.
Gordon, L., and Loeb, M. 2002. "The Economics of Information Security Investment," ACM Transactions on Information and Systems Security (5:4), pp 438-457.
Gordon, L., Loeb, M., and Zhou, L. 2011. "The Impact of Information Security Breaches: Has There Been a Downward Shift in Costs?," Journal of Computer Security (19:1), pp 33-56.
Greitzer, F., Moore, A., Cappelli, D., Andrews, D., Carroll, L., and Hull, T. 2008. "Combating the Insider Security Threat," IEEE Security & Privacy (6:1), pp 61-64.
Grouzet, F., Vallerand, R., Thill, E., and Provencher, P. 2004. "From Environmental Factors to Outcomes: A Test of an Integrated Motivational Sequence," Motivation and Emotion (28:4), pp 331-346.
Guay, F., and Vallerand, R. 1996. "Social Context, Students' Motivation, and Academic Achievement: Toward a Process Model," Social Psychology of Education Journal (1:3), pp 211-233.
Guthrie, J., and Davis, M. 2003. "Motivating Struggling Readers in Middle School through an Engagement Model of Classroom Practice," Reading & Writing Quarterly (19:1), pp 59-83.
Hirschberger, G., Pyszczynski, T., and Ein-Dor, T. 2009. "Vulnerability and Vigilance: Threat Awareness and Perceived Adversary Intent Moderate the Impact of Mortality Salience on Intergroup Violence," Personality and Social Psychology Bulletin (35:5), pp 597-607.
Hui, K., Teo, H., and Lee, S. 2007. "The Value of Privacy Assurance: An Exploratory Field Experiment," MIS Quarterly (31:1), pp 19-33.
Igbaria, M., Parasuraman, S., and Baroudi, J. 1996. "A Motivational Model of Microcomputer Usage," Journal of Management Information Systems (13:1), pp 127-143.
Jacobson, D. 2009. Introduction to Network Security. Boca Raton, FL: Chapman & Hall.
Johnston, A., and Warkentin, M. 2010. "Fear Appeals and Information Security Behaviors: An Empirical Study," MIS Quarterly (34:3), pp 549-566.
Kaeo, M. 2004. Designing Network Security. Indianapolis, IN: Cisco Press.
Kerlinger, F. 1973. Foundations of Behavioral Research, (2nd ed.). London, UK: Holt Reinhart & Winston.
Ko, M., and Dorantes, C. 2006. "The Impact of Information Security Breaches on Financial Performance of the Breached Firms: An Empirical Investigation," Journal of Information Technology Management (17:2), pp 13-22.
Lee, R. 1970. "Social Attitudes and the Computer Revolution," Public Opinion Quarterly (34:1), pp 53-59.
Livari, J., and Huisman, M. 2007. "The Relationship between Organizational Culture and the Deployment of Systems Development Methodologies," MIS Quarterly (31:1), pp 35-48.
Lynn, S. 2010. "How to Buy a NAS Device," in: PC Magazine. Ziff Davis, Inc.
Mahmood, M., Siponen, M., Straub, D., Rao, R., and Raghu, T. 2010. "Moving toward Black Hat Research in Information System Security: An Editorial Introduction to the Special Issue," MIS Quarterly (34:3), pp 431-433.
Malhotra, Y., Galletta, D., and Kirsch, L. 2008. "How Endogenous Motivations Influence User Intentions: Beyond the Dichotomy of Extrinsic and Intrinsic User Motivations," Journal of Management Information Systems (25:1), pp 267-299.
Marcoulides, G. 1988. "The Relationship between Computer Anxiety and Computer Achievement," Journal of Educational Computing Research (4:2), pp 151-158.
McAuley, E., Duncan, T., and Tammen, V. 1987. "Psychometric Properties of the Intrinsic Motivation Inventory in a Competitive Sport Setting: A Confirmatory Factor Analysis," Research Quarterly for Exercise and Sport (60:1), pp 48-58.
Miao, C., Evans, K., and Shaoming, Z. 2006. "The Role of Salesperson Motivation in Sales Control Systems - Intrinsic and Extrinsic Motivation Revisited," Journal of Business Research (60:5), pp 417-425.
Mohr, L., and Bitner, M. 1995. "The Role of Employee Effort in Satisfaction with Service Transactions," Journal of Business Research (32:3), pp 239-252.
Panko, R. 2004. Corporate Computer and Network Security. Upper Saddle River, NJ: Prentice Hall.
Paquet, C. 2009. Implementing Cisco IOS Network Security. Indianapolis, IN: Cisco Press.
Parkes, A., and Henderson, M. 2004. "Teenagers' Use of Sexual Health Services: Perceived Need, Knowledge and Ability to Access," Journal of Family Planning and Reproductive Health Care (30:4), pp 217-224.
Perry, R., and Lindell, M. 2003. "Preparedness for Emergency Response: Guidelines for the Emergency Planning Process," Disasters (27:4), pp 336-350.
Plant, R., and Ryan, R. 1985. "Intrinsic Motivation and the Effects of Self-Consciousness, Self-Awareness, and Ego-Involvement: An Investigation of Internally-Controlling Styles," Journal of Personality (53:2), pp 435-449.
Podsakoff, P., Mackenzie, S., Lee, J., and Podsakoff, N. 2003. "Common Method Bias in Behavioral Research: A Critical Review of the Literature and Recommended Remedies," Journal of Applied Psychology (88:5), pp 879-903.
Rennie, L. 1982. "Research Note: Detecting a Response Set to Likert-Style Attitude Items with the Rating Model," Educational Research and Perspectives (9:1), pp 114-118.
Richardson, M., and Abraham, C. 2009. "Conscientiousness and Achievement Motivation Predict Performance," European Journal of Personality (23:7), pp 589-605.
Richardson, R. 2010. 2010 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute.
Ringle, C., and Wende, S. 2009. "SmartPLS 2.0."
Ryan, R. 1982. "Control and Information in the Intrapersonal Sphere: An Extension of Cognitive Evaluation Theory," Journal of Personality and Social Psychology (43:3), pp 279-306.
Ryan, R., Mims, V., and Koestner, R. 1983. "Relation of Reward Contingency and Interpersonal Context to Intrinsic Motivation: A Review and Test Using Cognitive Evaluation Theory," Journal of Personality and Social Psychology (45:1), pp 736-750.
Ryan, R., Rigby, C., and Pryzybylski, A. 2006. "The Motivational Pull of Video Games: A Self-Determination Theory Approach," Motivation and Emotion (30:3), pp 347-363.
Scherling, M. 2011. Practical Risk Management for the CIO. London, UK: Taylor & Francis Group.
Shah, J. 2003. "Automatic for the People: How Representations of Significant Others Implicitly Affect Goal Pursuit," Journal of Personality and Social Psychology (84:4), pp 661-681.
Sins, P., Joolingen, W., Savelsbergh, E., and van Hout-Wolters, B. 2007. "Motivation and Performance within a Collaborative Computer-Based Modeling Task: Relations between Students’ Achievement Goal Orientation, Self-Efficacy, Cognitive Processing, and Achievement," Contemporary Educational Psychology (33:1), pp 58-77.
Siponen, M., Mahmood, M., and Pahnila, S. 2009. "Technical Opinion: Are Employees Putting Your Company at Risk by Not Following Information Security Policies?," Communications of the ACM (52:12), pp 145-147.
Son, J., and Kim, S. 2008. "Internet Users' Information Privacy-Protective Responses: A Taxonomy and a Nomological Model," MIS Quarterly (32:3), pp 503-529.
Spears, J., and Barki, H. 2010. "User Participation in Information Systems Security Risk Management," MIS Quarterly (34:3), pp 503-528.
Stafford, T., and Poston, R. 2010. "Online Security Threats and Computer User Intentions," Computer (43:1), pp 58-64.
Stanley, S., Mclean, E., and Tanner, J. 1993. "Managing High-Achieving Information Systems Professionals," Journal of Management Information Systems (9:4), pp 103-120.
Straub, D., Boudreau, M., and Gefen, D. 2004. "Validation Guidelines for IS Positivist Research," Communications of the AIS (13:1), pp 380-427.
Taylor, C., Kirsch, I., Jamieson, J., and Eignor, D. 2002. "Examining the Relationship between Computer Familiarity and Performance on Computer-Based Language Tasks," Language Learning (49:2), pp 219-274.
Thill, E., and Mouanda, J. 1990. "Autonomy or Control in the Sports Context: Validity of Cognitive Evaluation Theory," International Journal of Sports Psychology (21), pp 1-20.
Tjhai, G., and Furnell, S. 2007. "Strengthening the Human Firewall," in: Advances in Networks, Computing, and Communications, P. Dowland and S. Furnell (eds.). Plymouth, UK: University of Plymouth.
Tsiakis, T., and Stephanides, G. 2005. "The Economic Approach of Information Security," Computers & Security (24:2), pp 105-108.
Vallerand, R. 1997. "Toward a Hierarchical Model of Intrinsic and Extrinsic Motivation," in: Advances in Experimental Social Psychology, M. Zanna (ed.). New York: Academic Press.
Vallerand, R. 2000. "Deci and Ryan's Self-Determination Theory: A View from the Hierarchical Model of Intrinsic and Extrinsic Motivation," Psychological Inquiry (11:4), pp 312-318.
Venkatesh, V. 1999. "Creation of Favorable User Perceptions: Exploring the Role of Intrinsic Motivation," MIS Quarterly (23:2), pp 239-260.
Venkatesh, V. 2000. "Determinants of Perceived Ease of Use: Integrating Control, Intrinsic Motivation, and Emotion into the Technology Acceptance Model," Information Systems Research (11:4), pp 342-366.
Walczuch, R., and Lundgren, H. 2004. "Psychological Antecedents of Institution-Based Consumer Trust in E-Retailing," Information & Management (42:1), pp 159-177.
Weaver, R. 2007. Guide to Network Defense and Countermeasures. Boston, MA: Thomson.
Whitehead, J., and Corbin, C. 1991. "Youth Fitness Testing: The Effects of Percentile-Based Evaluative Feedback on Intrinsic Motivation," Research Quarterly for Exercise and Sport (62), pp 225-231.
Wickens, C., and Hollands, J. 1999. Engineering Psychology and Human Performance. Upper Saddle River, NJ: Prentice Hall.
Zuckerman, M., Porac, J., Lathin, D., Smith, R., and Deci, E. 1978. "On the Importance of Self-Determination for Intrinsically-Motivated Behavior," Personality and Social Psychology Bulletin (4:4), pp 443-446.
APPENDIX A: Server Hardening Laboratory
The exercise involved hardening virtual machine images of production web-servers. The servers are based
on the LAMP stack (see Figure 3). The LAMP architecture (an acronym for Linux, Apache HTTP Server,
MySQL, and PHP) was selected because it is widely adopted as an enterprise ecommerce platform. The
servers were configured to include a number of basic security weaknesses which the average junior
systems administrator would be expected to address. The weaknesses included unsecured configuration
files, default passwords, passwords saved in plaintext, unsecured Apache server access, root access via
the internet, plaintext transfer of passwords in programs such as telnet, open ports, unnecessary web
services, web-enabled directory browsing, and insecure file permissions.
Figure 3: Server Configuration
To create a more realistic environment, the virtualization platform was based on the ESXi
hypervisor developed by VMware. This platform was selected because it is one of the most commonly
used virtualization environments in the enterprise systems class. It also includes a number of features
which are useful in the present study, such as the snapshot feature. This function makes it possible to
capture and assess the state of a virtual machine’s configurations at a given point in time.
Virtual machine snapshots were analyzed using a modified version of Bastille Linux - a security
audit and hardening program designed specifically for the Red Hat/Fedora flavor of Linux. This program
reviews server configurations and identifies weaknesses and security risks. The original software was
updated and modified for this project to incorporate an analysis of the web and database services included
in the virtual machine. For output, Bastille provides a report of the status of each server’s security profile.
These reports were later coded and used in the empirical analysis.
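The following Python example, added here and not the modified Bastille Linux used in the study, audits four of the weakness classes listed in this appendix (root login over SSH, web directory browsing, telnet, insecure file permissions) and codes the result as a score. The sample configurations, function names and the pass-fraction score are assumptions made for illustration.

```python
import re
import stat

# Constructed sample inputs modelled on the weakness classes in Appendix A.
# They are not taken from the study's virtual machines.
WEAK = {
    "sshd_config": "Port 22\n#PermitRootLogin no\nPermitRootLogin yes\n",
    "httpd.conf": '<Directory "/var/www/html">\n'
                  "    Options Indexes FollowSymLinks\n</Directory>\n",
    "xinetd.d/telnet": "service telnet\n{\n    disable = no\n}\n",
    # path -> permission bits (os.stat(path).st_mode & 0o777 on a live host)
    "modes": {"/var/www/html/config.php": 0o666, "/etc/my.cnf": 0o640},
}
HARDENED = {
    "sshd_config": "Port 22\nPermitRootLogin no\n",
    "httpd.conf": '<Directory "/var/www/html">\n'
                  "    Options -Indexes +FollowSymLinks\n</Directory>\n",
    "xinetd.d/telnet": "service telnet\n{\n    disable = yes\n}\n",
    "modes": {"/var/www/html/config.php": 0o640, "/etc/my.cnf": 0o640},
}


def directives(text, name):
    """Values of every uncommented `name value` line, in file order."""
    pattern = r"^[ \t]*%s[ \t]+(.+?)[ \t]*$" % re.escape(name)
    return re.findall(pattern, text, re.I | re.M)


def root_login_allowed(sshd_text):
    """True unless the effective PermitRootLogin value is 'no'."""
    values = directives(sshd_text, "PermitRootLogin")
    # sshd keeps the first value it reads for a keyword. An unset keyword is
    # treated as a finding here (assumption: defaults differ across versions).
    return not values or values[0].lower() != "no"


def directory_listing_enabled(httpd_text):
    """True if any Options line turns on Indexes (context merging ignored)."""
    for value in directives(httpd_text, "Options"):
        if {"indexes", "+indexes", "all"} & {t.lower() for t in value.split()}:
            return True
    return False


def telnet_enabled(xinetd_text):
    """xinetd runs a service unless its block says `disable = yes`."""
    pattern = r"^[ \t]*disable[ \t]*=[ \t]*yes\b"
    return not re.search(pattern, xinetd_text, re.I | re.M)


def world_writable(modes):
    """Paths whose mode grants write access to 'other'."""
    return sorted(p for p, mode in modes.items() if mode & stat.S_IWOTH)


def audit(cfg):
    """Return {check name: True when the weakness is still present}."""
    return {
        "root login over SSH": root_login_allowed(cfg["sshd_config"]),
        "web directory browsing": directory_listing_enabled(cfg["httpd.conf"]),
        "telnet service enabled": telnet_enabled(cfg["xinetd.d/telnet"]),
        "world-writable files": bool(world_writable(cfg["modes"])),
    }


def hardening_score(findings):
    """Fraction of checks passed, one simple way to code a report numerically."""
    return sum(not present for present in findings.values()) / len(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        result = audit(cfg)
        print(label, hardening_score(result), [k for k, v in result.items() if v])
```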
APPENDIX B: Construct Measures
Responses were gauged using 5 point scales (1 = strongly disagree, 5 = strongly agree).
Self-Determined Motivation
• I enjoyed doing this activity very much.
• This activity was fun to do.
• I thought this was a boring activity.
• This activity did not hold my attention at all.
• I would describe this activity as very interesting.
• I thought this activity was quite enjoyable.
• While I was doing this activity, I was thinking about how much I enjoyed it.
Perceived Competence
• After working at this activity for a while, I felt pretty competent.
• I was pretty skilled at this activity.
• This was an activity that I couldn’t do very well.
• I think I did pretty well at this activity, compared to other students.
• I think I am pretty good at this activity.
• I am satisfied with my performance at this task.
Perceived Autonomy
• I didn’t really have a choice about doing this task.
• I felt like I had to do this.
• I did this activity because I wanted to.
• I believe I had some choice about doing this activity.
• I did this activity because I had no choice.
• I felt like it was not my own choice to do this task.
• I did this activity because I had to.