Archive for the ‘Latest Research’ Category

Self-Efficacy: Motivate and Change Behavior

Monday, February 27th, 2012

Ever wonder why it’s so hard for people to change, follow directions, achieve desired outcomes, or avoid behavior that is not desired?

If so, you’re not alone. And, if you manage people, or are asked to manage the behavior of people who do not report to you, it helps to have more tools in your kit-bag to motivate others to “do the right things.” One such tool is the self-efficacy theory of motivation.

What’s this Self-Efficacy Theory of Motivation?

The self-efficacy theory of behavior, from psychology, describes people’s willingness to try behaviors that achieve or avoid outcomes based on their belief (or disbelief) in their own competence.

A brief explanation

Have you ever wondered what it takes to get to work?

Let’s assume you drive to get to work (those taking trains, planes, trolleys or horses can try another time). You walk out to your car, unlock the front door, get in the front seat, insert the key in the ignition and turn the key to start the car.

From experience you know that if you turn the key, you will start the engine in the car, which will allow you to drive to work. The objective you have is getting to work. But, you have a lot of learned behavior you’re executing to simply get there.

What would happen if the engine did not turn over after you turned the key; do you think you’d turn the key again? For most of us the answer is obviously, “yes, maybe four or five times or more.”

Factors Influencing People’s Willingness to Act to Obtain/Avoid Outcomes

The act of placing and turning that key in the ignition to start the engine illustrates one of the factors affecting someone’s self-efficacy, known as the “Experience” factor. You’ve started the car in the past with the ignition key, and this was but one step in a long set of procedures that got you to work. The success you had in the past is the “experience” that tells you it will work again.

In addition to “Experience”, other factors influencing whether people will undertake a behavior to achieve or avoid an outcome, include: “Modeling” through vicarious behavior, “Persuasion” where the opinion of others influences you, and “Physiological” factors that are common in stressful situations.

An example of “Modeling” might be a person who needs to take the MCAT exams to gain entry into Medical school, convincing herself that because others her age had previously passed the exam, she will also. An example of “Persuasion” might be your boss telling you “it has to be done this week”, while a “Physiological” factor might be the cold-sweats you break out into when you realize you have to tell your family that you have to miss your son’s little league baseball game to get work done that week.

Use the self-efficacy theory of behavior to motivate your teams to achieve more than they thought possible. Use it to modify the behavior of others at work, but remember the four factors:

  • Experience
  • Modeling
  • Persuasion
  • Physiological

Example of Using Self Efficacy to Motivate People and Teams

An interesting example of persuasion is a program run by a leading CISO: a “wall of shame” that he circulates to all of the business stakeholders in his company. Because no stakeholder wants to see their business unit, or their own name, on the wall of shame, the persuasion is very effective at getting employees to think about the “rules of the road” for information security. What lands a unit on the wall changes from time to time, which accommodates a gradual change in employee behavior and a steady move toward conformance with policy.

What have you got to lose by learning about and using the self-efficacy theory of motivation?

Inertia.

See the ways that self-efficacy is used when communicating and reporting about IT, and how this is having an impact on outcomes in the latest research report, Data Driven Reporting and Communications about IT

Additional sources on Self Efficacy

University of Illinois

Wikipedia

Albert Bandura


CISOs: Jacks-of-all trades, Masters-of-one

Wednesday, February 22nd, 2012

Have you ever asked yourself the following question: Why is it that information security professionals are told to learn about other disciplines in their organizations, but that others don’t have to learn a thing about security?

You’re not alone if you’ve had this experience. I was at dinner with a group of CISOs when one with a healthcare organization asked everyone at the table: “Why is it that I have to learn about finance, or patient care, or any number of other functions in my company, and they don’t have to learn a thing about security? Does this happen to you?”

Everyone around the table confirmed that this is indeed a shared experience. There were some polite explanations and some embarrassing guffaws to explain the behavior (nothing you’d want to print in a family newspaper anyway) and it’s a rather interesting question.

Jack-of-all-other trades, master-of-your own

Why is it that security pros have to be jacks-of-all-other-trades in addition to being masters of their own?

A few brief (paraphrased) explanations I heard that evening included:

  • “They’re the ones with the money. Follow the money.”
  • “Security’s about how people use information and systems.”
  • “They don’t understand it (security) even when you explain it at a 1st grade-level, so be glad it’s not the other way around.”
  • “Use the opportunity to show what security is doing for the business stakeholders.”
  • “Security starts and ends with people.”
  • “It’s always been this way, and won’t change any time soon.”
  • “I wish I had people asking us to understand their business.”
  • “We insist on this: it gets us into everyday life at the company.”
  • “While it’s (security) about technology: it’s also about people and business procedures.”

Research results confirm the benefits

If you’d like to see what happens at organizations experiencing very different outcomes, from worst to best, then see the latest research report, Data Driven Reporting and Communication about IT: Better Results, Less Risk.

The research documents real differences in who is involved in the information security reporting and decision-making process, and it shows that involving more people goes together with better outcomes and with higher spending to manage real business risks.

The research results point to an obvious conclusion: be happy if you are being asked to “walk in their shoes and understand the business”: take advantage of it. If it’s not occurring, the research indicates you should insist on it.

Let us know what you think

Do you have this shared experience of feeling like you are a jack-of-many-trades while also being a master-of-your-own? Or is your experience different? And, what are your explanations for the behavior?

Researchers Find Flaw in Online Encryption

Wednesday, February 15th, 2012

In an article entitled “Flaw Found in an Online Encryption Method”, the New York Times reports on research conducted by Arjen Lenstra, James Hughes, Maxime Augier, Joppe W. Bos, Thorsten Kleinjung, and Christophe Wachter. The researchers collected millions of public keys from the Internet and found that about 0.2 percent of the RSA moduli, roughly 2 in 1,000, shared a prime factor with another modulus. Any such key can be factored, and its private key recovered, with a simple greatest-common-divisor computation against the other key. The remaining 99.8 percent were sound. The flaw is not in the RSA algorithm itself but in how some keys were generated: with too little randomness, different systems ended up choosing the same prime.

The New York Times

The New York Times article can be found (subscription required) here: https://myaccount.nytimes.com/auth/login?URI=/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.html

Sydney Morning Herald

An alternative mainstream publication not requiring a subscription can be found at the Sydney Morning Herald, here: http://www.smh.com.au/technology/technology-news/researchers-find-flaw-in-online-encryption-20120215-1t5w0.html

The original research publication

If you are interested in reading the original paper, “Ron was Wrong, Whit is Right”, by the authors, download it from this location:

http://eprint.iacr.org/2012/064.pdf

Next steps?

A key-generation flaw that affects 2 in 1,000 keys may sound rare, but the consequence for an affected key is total: the private key is recovered outright, not merely weakened. Across a large population of keys, such as those protecting online banking, a 0.2 percent rate means thousands of exposed keys. The problem is confined to keys produced with poor randomness; a key generated with a properly seeded random number generator is not affected, and RSA itself remains sound.

The question for organizations that rely on RSA is: what are the downside business risks, and if they are unacceptable, what can be done to manage them? A practical first step is to test the moduli of your own certificates and keys for shared factors, and to regenerate any key that was created on a device with a questionable source of randomness.
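The check a practitioner wants after reading this is whether any RSA moduli in their own inventory share a prime with another modulus, because a shared prime exposes the private key outright. The example below is added here and is not code from the paper, from the news articles, or from this site. It implements the batch-GCD method (a product tree followed by a remainder tree) that makes such a scan feasible for large key sets, and it runs on constructed toy primes (10007, 10009 and so on) so it executes instantly offline. Real 2048-bit moduli, extracted from your certificates with your TLS tooling of choice, drop in unchanged because Python integers are arbitrary precision.

```python
"""Batch-GCD scan for RSA moduli that share a prime factor.

Added example, not code from Lenstra et al. or from this site. The primes
below are constructed toy values so the script runs instantly; the functions
themselves work unchanged on real-size moduli, only more slowly.
"""
import math


def product_tree(moduli):
    """Return the levels of a product tree, leaves first, root last."""
    tree = [list(moduli)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        parents = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                parents.append(level[i] * level[i + 1])
            else:
                parents.append(level[i])  # odd leftover is carried up unchanged
        tree.append(parents)
    return tree


def batch_gcd(moduli):
    """For each N_i return gcd(N_i, product of all the other N_j).

    Walk the product tree back down, reducing the running remainder modulo
    (node)^2 at every level. At a leaf the remainder is P mod N_i^2, which is
    divisible by N_i, and (P mod N_i^2) // N_i == (P / N_i) mod N_i, so one
    gcd per leaf gives the answer without ever forming P / N_i directly.
    """
    if not moduli:
        return []
    tree = product_tree(moduli)
    remainders = tree.pop()  # [P]: the root holds the product of everything
    while tree:
        level = tree.pop()
        remainders = [remainders[i // 2] % (n * n) for i, n in enumerate(level)]
    return [math.gcd(r // n, n) for r, n in zip(remainders, moduli)]


def recover_factors(moduli):
    """Map index -> (p, q) for every modulus that the scan splits.

    g == 1      : no shared factor with any other modulus in the set.
    1 < g < N   : g is one prime and N // g the other; the private key is exposed.
    g == N      : N shares factors with more than one other modulus, or occurs
                  twice; fall back to pairwise gcd for just this entry.
    """
    result = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if 1 < g < n:
            result[i] = tuple(sorted((g, n // g)))
        elif g == n:
            for j, m in enumerate(moduli):
                if j != i:
                    h = math.gcd(n, m)
                    if 1 < h < n:
                        result[i] = tuple(sorted((h, n // h)))
                        break
    return result


# Constructed toy key set: five small primes, three moduli. N0 and N1 share
# the prime 10009, the way two keys from a poor entropy source might.
P = [10007, 10009, 10037, 10039, 10061]
TOY_MODULI = [P[0] * P[1], P[1] * P[2], P[3] * P[4]]

if __name__ == "__main__":
    for i, (p, q) in recover_factors(TOY_MODULI).items():
        print(f"modulus {i} = {TOY_MODULI[i]} factors as {p} * {q}")
```

Two caveats. The batch GCD reports g equal to the modulus itself when a modulus shares factors with more than one other modulus or appears twice, so the code falls back to pairwise GCD for those entries only, not for the whole set. And the collisions Lenstra et al. found were between keys belonging to different owners across the Internet; scanning only your own keys detects only collisions inside that population, so a key that shares a prime with a stranger’s key stays invisible unless the stranger’s key is in the input.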

Nortel Networks Hack and SEC Guidance

Tuesday, February 14th, 2012

The IT networks, systems and applications of the now-defunct Canadian maker of network telecommunications switches were apparently compromised by hackers from China, according to a story written by Siobhan Gorman on the front-page of the Wall Street Journal on February 14, 2012. The WSJ article can be found here: Chinese Hackers Suspected in Long-Term Nortel Breach – which may require a subscription.

Nortel Networks hacked for a decade

The activity of the hackers was discovered in 2004, although it is believed the IT systems at Nortel were compromised as early as 2000 according to a Mr. Shields, who’s cited as being a former employee who led an internal investigation of the breach.

The Journal article claims that technical papers, R&D plans, business plans and employee emails were among the intellectual property stolen by the hackers.

SEC guidance on cybersecurity risks and incidents

In a little-noticed section of the article, Siobhan Gorman mentions the new guidance from the SEC requiring public firms to disclose cybersecurity risks and incidents. Issued on October 13, 2011, the guidance from the SEC (see CF Disclosure Guidance: Topic No. 2) may be a little too late for creditors and for companies that are acquiring the assets of the former Nortel.

The SEC states that “material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading. As with other operational and financial risks, registrants (publicly-traded organizations) should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.”

Why heed the SEC cybersecurity guidance

Had the guidance from the SEC been written earlier than October 2011, it is far more likely that buyers would have further discounted their purchase prices for Nortel Networks assets. And had the guidance been in place when Nortel was a going concern, it is likely to have had more of an impact on share price, earnings, and customer retention.

Going forward, some smart lawyers are going to figure out what the opportunities are and it will likely involve your shareholders’ assets if the company is not demonstrating due-diligence and adhering to the new SEC guidance regarding cybersecurity.

Think of the IT security budget as cheap insurance. Although this is new territory for the SEC and the courts, the amount spent on due-diligence and managing the business risks related to information security will likely pale in comparison to erosion of shareholder value, lost-market opportunity from thieves reselling ill-gotten gains, from fines meted out by the SEC, or by awards from courts of law.

Find What You Don’t Know and Can’t See!

Monday, February 13th, 2012

More than a few chief information security officers (CISOs) have told me, “What I really worry about is what I can’t see and what I don’t know.”

When I ask these people, some friends and others acquaintances, to explain this a bit, they all mention obvious threats such as viruses and malware, as well as underlying vulnerabilities in IT systems and applications. But as we talk further, many also mention the uses, and misuses, of IT by employees and contractors, some with rather funny and others with sad tales. And some CISOs even mention a burning need to know more about their vendors, because more of the organization’s business risks now come from the use of IT as hosted applications, cloud services, off-site systems and network services they have no control over. As we talk some more, I find we’re also discussing web applications, hacks and Internet security threats, losses of sensitive information, and user accounts and credentials that are as old as time and have never been deleted or cleaned out.

See the latest, free, report, Data Driven Reporting and Communication about IT: Better Results, Less Risk, today.

In short, these CISOs are referring to any possible threat they cannot see, are unaware of, or cannot identify, and that can explode and cause havoc for the organization. Sound familiar? It does if you’re a CISO or you work for one.

What the best do to make risks visible

Despite well-deserved complaints about information overload, the best CISOs make sure that more information is acquired, centrally stored, analyzed and reported on. Depending on the business impact, the information may be acquired and reported anywhere from near-real-time to weekly, bi-weekly or even monthly cycles of collection.

Among the worst performers, by comparison, there is either no capturing of information, no storing of it, no analysis of what it means to the organization, and no reporting; or, where some collection and reporting does occur, it happens once a year for the annual budget-justification cycle, not to prevent damage to the organization, its customers or shareholders.


Among the best-performing organizations, information relevant to business risks from the use of IT is collected and reported on more frequently than in any other group.

Frequency of gathering and reporting on findings about IT that impact the business

Frequency with which          Worst outcomes        Average outcomes      Best outcomes
information is gathered       (2-in-10              (7-in-10              (1-in-10
and reported                  organizations)        organizations)        organizations)

Quarterly                     0%                    45%                   98%
Monthly                       0%                    25%                   74%
Bi-weekly                     0%                    13%                   61%
Weekly                        0%                    10%                   45%
Daily                         0%                     6%                   31%

Source: IT Policy Compliance Group, 2012

What’s being collected

Almost everything; but for starters, the list includes log data from most systems in the environment, system and software configuration data, vulnerability scan and penetration test data, findings from audit tests, surveys conducted with employees, contractors and vendors, security threat information and data, and security test report data. Not to be too subtle about it, these people also look for the same information whether the information, systems and applications are implemented in-house or by vendors. In their words, “there’s no perimeter anymore.”

Scope of Coverage

Not only is information acquired more often, but the information being collected covers a larger proportion of business procedures, as well as applications and systems in the IT environment. The number of people from whom information is collected ranges from lows averaging 2-in-10 people among those with the worst outcomes, to highs averaging 6-in-10 people among those with the best outcomes. The proportion of IT systems and applications from which information is gathered ranges from 2-in-10 among the worst performers, to averages of 7-in-10 systems and applications among the best performers.

Lessons learned

If you are worried about what you don’t know and can’t see, then do what those with the best outcomes do: gather, store, analyze and report on more information, about threats and business risks, more frequently.

And, if you’d like to find out what else the best performers are doing, and why they have larger budgets, then see the latest, free, report, Data Driven Reporting and Communication about IT: Better Results, Less Risk, today.

IS Your Security Dr. No?

Thursday, February 9th, 2012

If you are in information security, are you already known as “Dr. No?”

If you’re not, is this what the head of information security is called in your organization?

Something happened over the course of the past thirty years that turned much of the information security profession into the “Dr. No’s” of the corporate world.

Reminds me of the song “Hit the road Jack” by Ray Charles that went something like “Hit the road Jack, and don’t you come back no more, no more, no more, no more….” A nice version of the song can be found on Youtube at www.youtube.com/watch?v=Q8Tiz6INF7I. This is the reaction many information security professionals run into after another “Dr. No” explanation with the boss.

In fact, the primary words heard from the lips of many security professionals are “You can’t do this”, “You can’t do that”, and other explanations involving the word “No.”

A business unit manager at a large conglomerate once told me, “We just avoid them (the security group in IT) and do what we want.” A CIO at a consumer products company once said, “We have these folks on staff, and I’m scared of them, so we try to minimize their impact on operations.”

We’ve done it to ourselves

A CISO at a large company recently told me and others I was with that when it comes to “Dr. No”, “We’ve done it to ourselves.” His argument is, “we’ve focused only on telling people what they can’t do” and on a culture of “what can go wrong, will go wrong”, the equivalent of Murphy’s law for the security profession. While it’s okay to be prepared for the worst downside risks (that’s part of the job, isn’t it?), using this approach for all communications to the rest of the organization is simply a three-letter acronym: FUD.

And, he’s right. One of the reasons why fear, uncertainty and doubt (FUD) works is that no one wants to be associated with it, but the problem with FUD is that when it’s the only thing people hear, people turn off or ignore the message. And, if it’s the only message that continues to be heard, people turn off and ignore the messenger, which often results in lower budgets and a marginalization of contributions from the security group that could otherwise help organizations improve results and avoid real business risks.

What can you do?

So, what can you do to avoid being tagged as a “Dr. No”, or to dig out from being seen as “Dr. No”?

Do what this CISO did: tell everyone that worked for him that the word “No” was no longer to be used. Alternatives to using “no” that were acceptable included such phrases as “You can’t do it exactly that way, but you could do it this way”, or “Not exactly but this would be more effective.” The change in language by his staff went a long way to reinforcing a change in approach that signaled a willingness to find acceptable alternatives with those darn users, business owners and stakeholders.

In addition, one of the most critical changes you should consider introducing is to re-frame every conversation about security from “no” and “yes”, or “black and white”, to a conversation about “trade-offs”, one that puts the onus for business risk decisions back in the hands of the business owners. As in, “You can do this if you like, but here are the consequences of that business decision. Here are some alternatives, and here are the trade-offs you’ll be making.”

Consequences of changing the culture

We’ve learned from research conducted with thousands of organizations that this risk-benefit trade-off approach is a winning formula being implemented by the organizations with the least unplanned business downtime from IT hiccups; the lowest rates of loss or theft of sensitive information and data; far fewer vulnerabilities in IT networks, systems and applications; and the fewest problems with audit in IT.

It turns out that these same organizations spend more money on information security, in every industry and by organizations of all sizes. In fact, the amount spent on IT by these firms is 3 times higher than all others, and the amount spent on information security is 1.7 times more. And, the reason for higher spending among these organizations is that IT and information security are business-relevant with choices expressed in terms of trade-offs for business owners.

The research also shows that in addition to the small things like the changes in language and approach, changing from Dr. No to a business risk-benefit trade-off culture in IT requires an ability to consistently gather information from people and IT systems, and turn this into relevant insights covering business impact status, trends and forecasts.

Instead of the annual budget challenge of digging-up some information, the frequencies range from daily and weekly, to monthly and quarterly, depending on the type of information being sought. The much more frequent rate of collection is achieved by higher levels of automation to collect, store, analyze, report and communicate the business impacts of using IT.

What’s it going to cost you?

Almost all of the IT and internal auditors I’ve ever talked with will tell you that assessing and dispassionately explaining the status, trends and forecasts of benefits and risks is an approach that has worked for them. Now maybe it’s time for IT and information security professionals to implement the same risk-benefit trade-off discussion and culture with business leaders.

The only downside risk or additional cost you’re going to experience is no more “Dr. No”  -  no more, no more, no more, no more!


See the latest research, “Data Driven Reporting and Communication about IT: Better Results, Less Risk”, to learn more at IT Policy Compliance Group.

Where’s Your Data – Today?

Monday, January 23rd, 2012


Is your data safe?

If you are a consumer you may want to check some of the following.

If you are in IT, you may want to check your evidence logs.

Recent events involving the loss or theft of sensitive information, among those that are known or reported, are said to have hit the following organizations, among many others:

  • Video Game Plus
  • Catalog Retail Marketing International
  • Beauty.nl
  • City College of San Francisco
  • Namesco Limited
  • Japan Aerospace Exploration Agency
  • MDwise
  • ANZ Bank
  • Dreamhost

You can find more information on the above by searching on the names.

One of the more notable recent events is the huge data breach at Zappos.com, the online shoe seller owned by Amazon, involving some 24 million customer records: names, email addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and passwords. Zappos stated that the stored passwords were cryptographically scrambled (hashed) rather than kept in plaintext, which limits, but does not eliminate, the exposure.

You can find more information about the Zappos incident at USA Today and at: http://www.usatoday.com/tech/news/story/2012-01-16/zappos-security-breach/52605292/1

For those living in the European Union, there is as yet no general requirement that data breaches be reported; the one exception is the 2009 amendment to the ePrivacy Directive, which obliges telecoms and Internet service providers to notify breaches of personal data. For every other sector, no one in Europe really knows whether a data breach occurred, even though Europe has some of the toughest privacy laws on the books.

But, new legislation is brewing in the EU that may require notifications of data breaches within 24 hours of their occurrence. See the article at PC World and here: www.pcworld.com/businesscenter/article/248566/eus_data_protection_proposals_likely_to_include_24hour_breach_notification.htm

Hackers for Hire (cheap): It’s easy to hack or to find others to do your dirty work for you and according to a recent story in the Wall Street Journal, it’s also apparently rather affordable, depending on your perspective. For more information, see the Wall Street Journal article Hackers-for-Hire: Easy to Find and at http://online.wsj.com/article/SB10001424052970203471004577145140543496380.html

Check your data: And to finish this edition of “Where’s Your Data – Today?”, we suggest members of the Chamber of Commerce in the U.S. make sure they’ve checked and changed their online account and identity information. See the Wall Street Journal article China Hackers Hit U.S. Chamber of Commerce and at http://online.wsj.com/article/SB10001424052970204058404577110541568535300.html

Managing the Benefits and Risks of Mobile Computing

Thursday, December 8th, 2011

Is the use of Smartphones good for business? The answers are yes and no. Explore some of the compelling benefits, the risks, and what the best-in-class are doing to manage both. And find out which mobile devices some organizations are avoiding, and why.

The use of Smartphones and Tablet computers is resulting in some compelling benefits and very real business risks. One of the primary actions taken to manage the risk-benefit tradeoff of using these supercharged pocket devices is to limit their use in the workplace. But the organizations allowing more employees to use Smartphones experience higher revenue and profit, while those with fewer employees using Smartphones post lower revenue and profit.

Download the report here

If the benefits are that obvious, then why are organizations limiting the number of employees who can use Smartphones? Because the business risks are not only very obvious, they are currently enough to outweigh the benefits unless appropriate practices and controls are implemented.

If you know which policies, practices and controls to implement, and which phones are best to avoid for now, then you can do what the best performers are doing: which is to let more employees use Smartphones and Tablet computers.

In this groundbreaking benchmark report, the IT Policy Compliance Group reveals the key Apps driving the use of Smartphones and Tablet computers in the workplace today, which devices employees can bring from home and which can’t, the business benefits and risks of using Mobile computing, the actions organizations are taking to manage its benefits and risks, policies and practices governing the use of these devices in the workplace, operational and legal challenges contributing to business risks, and the practices and controls most responsible for determining outcomes being experienced by organizations.

In addition, the report covers current employee usage rates, whether Smartphones or Tablet computers are being artificially limited in the workplace, which of the two are expected to increase in use, which are expected to decline in the next two years, and what current sentiment about mobile phone and tablet platforms (including Android, Apple, Blackberry and Windows) means for you by 2013.


How High Performance Organizations Manage IT

Thursday, April 28th, 2011

Your highest performing competitors are using IT to:

• Gain your customers
• Retain more customers
• Post revenue that is 5 percent higher than your industry average
• Record profit that is 5 percent higher than average
• Significantly reduce business risk related to the use of IT

What do these High Performance Organizations (HPOs) share in common?

It’s not industry and it’s not size:
although larger-size companies and certain industries do exhibit tendencies toward better outcomes when compared with others.

It’s not just profit and revenue:
some of the highest revenue generators and profit-makers are achieving results from short-term financial shuffling, not from operations.

Spend on IT, information security and audit matter
One defining characteristic of HPOs is the outsized spend being allocated to IT, information security and audit by these winner-take-all competitors, as follows:

• Spending on IT that is 70 percent higher than industry average

• Spending on information security is 100 percent higher than industry average

• Spending on audit is 50 percent higher than industry average

Top-line spending on IT by HPOs is allocated to:

• Attracting customers
• Retaining customers
• Financial opportunity
• Market advantage
• Competitive advantage

Spend to manage business risk by HPOs is allocated to:

• Information security
• Audit
• Frequent assessments of change in the environment
• Controls to manage risk-reward
• Contextual scorecards for operating responses
• Contextual scorecards about IT for stakeholders

The newest ITPCG research report, How High Performance Organizations Manage IT, is a wake-up call about how IT is being used and managed by the highest performers in your industry to gain your customers, for their financial and market advantage.

Chock full of fact-based findings, the report focuses on the competitive advantage of IT among the highest performing companies, top-line outcomes, adverse risk outcomes, how and why IT matters, how business risk related to the use of IT is being managed by these organizations, the simple risk-reward cycle implemented by these organizations, the four simple questions asked by decision-makers at these firms, information gathering, automation, contextual scorecards, indicators, composites and benchmarks.

Obtain your own free copy of How High Performance Organizations Manage IT today.

The IT Rorschach Test

Thursday, March 3rd, 2011

The traditional management disciplines involve the use of directing, organizing, planning, staffing and controls to manage outcomes for organizations.

Of these, the most important is directing: it is through the tone and direction established and reinforced daily by senior managers that organizations become either industry leaders or laggards. The same disciplines are as important to managing IT as they are to managing the organization.

Beyond the five management disciplines are some telltale characteristics of how well — or poorly — organizations are doing in managing the IT portfolio to support peer-beating growth results, including revenue and profit; while avoiding industrial espionage, the loss of intellectual-property, the theft of customer data, and headline-grabbing events that result in damage to reputations and brands.

Take the IT Rorschach Test

Which of the following are true at your organization?

• The business value of IT is visible to senior management

• Business risks from the use of IT are visible to senior management

• The business value of IT assets are prioritized

• Unacceptable business risks related to the use of IT are documented

• Acceptable risks and control exceptions for IT are documented

• Business risks for IT assets are prioritized

• IT controls for legal and regulatory compliance are prioritized

Add up the number of times you said yes to each of the seven questions, then find out what the results mean.

0 to 2 “Yes”: Least value delivered and highest risk

3 to 5 “Yes”: Middle of the pack for value delivered and risk

6 to 7 “Yes”: Most value delivered and least risk

This simple IT Rorschach Test is based on research conducted with more than 1,600 other organizations. More compelling are the two-minute self-assessments that enable comparison with your industry, peers and those that are answering “7’s” to the IT Rorschach Test.

Assess Yourself against Your Peers and the Best Performers — Today
The Assessments@ITPolicyCompliance deliver a confidential and quick two-minute way to assess the posture of your organization against your industry and peers.

Benchmarked against more than 4,000 other organizations, these quick two-minute assessments cover organizational structure and strategy, the use of frameworks and standards, management of policy, management of procedural controls, management of information controls, management of technical controls, vulnerability and threat management, risk management and reporting, and financial implications.

Who should be interested: CIOs, CISO, CAOs, CROs, and principal managers of IT and audit

Time to value: minutes

Visit: www.ITPolicyCompliance.com/Assessments to find out more

Additional resources

How the Masters of IT Deliver More Value and Less Risk

http://www.itpolicycompliance.com/research_reports/latest_report/read.asp?ID=20

What Color Is Your Information Risk – Today?

http://www.itpolicycompliance.com/research_reports/latest_report/read.asp?ID=19