Self-Determination Theory (SDT)

TLDR: Self-Determination Theory provides six mini theories into what drives security professional’s attitudes and behaviors. This understanding could drive studies to better clarify its impact within the context of why a technically advanced cyber practitioner or leader may knowingly ignore ideal security guidelines or be discouraged enough to leave an organization and its unhealthy working environment.

—

A more general theory widely reviewed and developed is the Self-Determination Theory (SDT). Based on observation and experience, the theory focuses on the nature of motivation, personal growth, and individual personality development and wellness (Martela, F., 2020). The assumption is that individuals are intrinsically self-motivated, curious, and oriented toward personal growth. Persons both react to external stimuli and actively self-regulate toward internal goals. This is a powerful assumption which applies when examining the attitudes and behaviors of cyber professionals and what drives them.

The SDT has six “mini-theories”, each of which have parlance in the study of security behavior and how organizations can foster environments which encourage self-regulated proper security intentions and resulting actions. Understanding what elements foster the highest levels of well-being and self-regulation could be used to inversely comprehend what drives poor cyber hygiene and security conduct.

The first SDT mini theory is ‘cognitive evaluations theory’ (CET). This theory centers on how environments can promote or weaken intrinsic motivation, which impacts high-quality performances. An organization, or cultures within a security division, can impact the performance of executives, managers, and practitioners. This corroborated understanding sets a significant foundation that the environment established and fostered by an organization does impact individual security behaviors.

Next is the mini theory called ‘organismic integration theory’ (OIT). This describes a process where initial extrinsic motivations for behavior are developed into more autonomous regulation, which is a more ideal behavior state It suggests that program designers should understand that more successful strategies promote the shift from these extrinsic motivators toward autonomous regulation, and that they should be identifying elements and activities which encourage this. The OIT process begins with ‘external regulation’ which works to comply with externally available rewards and punishments. Within the context of cyber professionals, the promise of promotion or pay, along with threats of termination, is often used to motivate compliant behaviors. Next in this process is ‘introjected regulation’ which shifts the motivation to self-esteem and guilt. Social acceptability among technology peers or a concern over not being viewed as a worthy professional in the executive boardroom may drive behaviors. The process then moves to ‘identified regulation’, where an individual’s behavior is driven by valuing and discovering self-worth in an action. And finally, OIT characterizes ‘integrated regulation’, which describes when a behavior or action is fully self-endorsed and combined with personal values and identifications. Understanding this continuum of integration provides program designers with a scale in measuring the effectiveness of program elements to encourage the shift toward a state of integrated regulation.

The third mini theory is ‘causality orientations theory’ (COT) and recounts how individuals orient themselves to their environment; for example, how cyber professionals orient themselves within security teams or within the context of the executive boardroom. The COT establishes three orientations. The proactive ‘autonomy’ orientation which means organizing behaviors according to an individual’s own interests and values, and then establishing or joining contexts that support them. Dissimilarly, the ‘controlled’ orientation focuses on social controls or reward probabilities, against which a cyber professional can orient behaviors. In this more dependent alignment, individuals will change behaviors in direct relation to either complying with or intentionally defying these controls. Finally, COT addresses a third orientation, which focuses on an individual’s inability to control outcomes or resist obstacles, called ‘impersonal’ orientation. How a cyber professional orients themselves, and what environment an organization’s culture fosters, impacts their security behavior paradigm.

The fourth mini theory, called ‘basic psychology needs theory’ (BPNT), shifts to a more fundamental appreciation for the essential drivers of an individual. This theory recognizes that individuals have fundamental psychological needs; ‘autonomy’ or a sense of self-determination, ‘competence’ or a necessity for self-efficacy and growth, and ‘relatedness’ or a need for connectedness with others. An examination of failures in security behaviors among cyber professionals should include a review of how an individual’s basic needs are addressed in performing roles and responsibilities, including how leadership promotes or hinders competence and autonomy, while fostering or deterring a genuine connection and support among the security team.

The fifth mini theory, called ‘goal content theory’ (GCT), examines individual aspirations and how goals can affect a person’s well-being. Personal goals can be internally established and rewarding, called ‘intrinsic’, or can be contingent on external factors to establish satisfaction and approval, called ‘extrinsic’. It has been shown that intrinsic goals provide better associations with positive well-being, whereas extrinsic goals proved to have little to no value for well-being (Vansteenkiste, Maarten, et al., 2010). This understanding provides insights into what organizations are doing or not doing to support well-being in security staff, intending to promote ideal security behaviors through employee goal setting and tracking programs.

The final and sixth mini theory within SDT is ‘relationship motivation theory’ (RMT). Interconnected with the BPNT’s concept that individuals need positive connectedness with others, the RMT focuses on what makes a relationship high quality. It suggests that first, individuals have a basic need to seek out relationships, and second, that supporting autonomous motivations engenders a higher quality experience and feelings of positive well-being. Conversely, feelings of conditional regard hinder the quality of participants. This prompts the questioning of how team managers and executives are handling security team members. When leadership styles and management programs discourage autonomous motivations, the bonds between team members and leaders are weakened. Practitioners may be less inclined to follow program changes or volunteer positive behavior, despite understanding the technical benefits to the organization’s security posture.

References:

Martela, F. (2020). Self‐Determination Theory. The Wiley Encyclopedia of Personality and Individual Differences: Models and Theories, 369-373.

Vansteenkiste, M., Niemiec, C. P., & Soenens, B. (2010). The development of the five mini-theories of self-determination theory: An historical overview, emerging trends, and future directions. The decade ahead: Theoretical perspectives on motivation and achievement.