1 Introduction

Cyber security is an important concern to organisations, with increasing numbers of cyber security decisions being moved from the technical domain to the boardroom. Whilst organisations continually consider the technical solutions to managing their cyber risk, few are building on these technical solutions through investing in people.

Whilst people are often considered the biggest risk [1] it is clear that people, specifically staff, represent the biggest defence against cyber attack [2]. People design defensive systems, processes and procedures; during an attack people triage the effects and staff the network operations centre; and post-attack people manage recovery and the lessons-learned phases. Whilst all staff in an organisation have a responsibility to help manage the security posture and within their daily activity all staff have the opportunity to weaken or strengthen this posture, this is a secondary effect from their business function, for example, a HR manager may weaken the posture of an organisation by opening a phishing email but the primary focus of their business function is not securing the organisation. This paper will focus on the staff who are explicitly tied to cyber security as it is these individuals whose primary focus of their daily tasks can be directly attributed to ensuring the secure operation of an organisation.

The tasks of individuals employed in cyber security are varied and diverse, from those employed in strategic-level risk management through to the technical security analysts ensuring the operational level of the organisation is running securely. This paper considers how these individuals go about their daily tasks and what characteristics they typically exhibit performing these tasks. Through understanding the characteristics displayed by individuals we hope to start to better understand how staff can differ in their ability to perform tasks and, through this, better understand how individuals can be better able to perform their tasks.

In order to explore the tasks that cyber security professionals typically perform we can break typical tasks into offence-focused (or adversarial) tasks and defence-focussed tasks. Whilst the author acknowledges the over-militarisation of the cyber discussion [3], it is useful at this stage to break typical tasks in cyber security down into attack-focussed and defence-focussed tasks.

Defence-focussed tasks are those such as writing policy, managing and designing networks under attack. These represent tasks that are largely pro-active and are designed to reduce either the likelihood of an attack being successful or reduce the impact of a successful attack. These are often a mixture of technical and management tasks.

Attack-focussed tasks include tasks such as red-teaming and penetration testing – where a team has been given suitable legal authority to attempt to compromise an organisation or system. These clearly represent an attack-focussed task – however there are a number of other offensive-focussed tasks which are less obvious, an example would be exploit development where a researcher is looking to prove that a vulnerability can be exploited and the degree to which that vulnerability can compromise a system (e.g. remote code execution, privilege escalation, etc.).

How successful we are at performing tasks in the workplace is a function of a number of different variables related to both the task and our own skills and attributes. The workplace can also have an effect on the efficacy of individuals in their work [4]. This work focusses on two particular factors that are related to how an individual performs tasks as part of their daily lives [5], these are self-efficacy and motivation.

In this paper we focus on these two particular characteristics individuals display in the workplace that have a tangible effect on how individuals go about these tasks, namely self-efficacy and motivation. The ability to believe in one's own ability and persist longer on a task, twinned with the inherent motivation to continue with the task, are clearly important whether it's balancing the risk and business requirements of an organisation whilst working with a security policy, exploring a piece of malware or red-teaming an organisation. Hence, motivation and self-efficacy are both important factors in the ability of security professionals to perform the tasks required of them, or more importantly to be creative and innovative in their approaches to their tasks.

This paper continues with a discussion of both self-efficacy and motivation before outlining the study presented in this paper. The paper continues to present the results from the study before closing with a final discussion.

1.1 Self-efficacy

Self-efficacy is the extent or strength of one’s belief in one’s own ability to complete tasks and reach goals [6]; those with higher self-efficacy are more likely to make efforts to complete a task, and to persist longer in those efforts, particularly in the face of adversity, than those with lower self-efficacy.

However, at very high self-efficacy, some individuals may feel overconfident and reduce their efforts [7]. Assuming that individuals feel efficacious about surmounting problems, holding some doubt about whether one will succeed can mobilize effort and lead to better use of strategies than will feeling overly confident [8].

In many cyber security roles there are clearly ‘hard’ tasks which require persistence notably under adversity, whether this adversity is a tangible actor or the task itself.

1.2 Motivation

Work motivation can be defined as ‘...a set of energetic forces that originates both within as well as beyond an individual’s being, to initiate work related behaviour’ [9] or ‘...the process of instigating and sustaining goal-directed behaviour.’ [10]. However, clearly it is not just the degree of motivation that is important but how that motivation is orientated (i.e. how the motivation manifests itself). This orientation of motivation is also a function of the individual and the activity, for example an academic may be internally motivated to perform research tasks yet externally motivated to complete marking.

The orientation of motivation is aligned along a continuum representing the degree to which goals or tasks have been internalised [11], this is shown in Fig. 1.

Fig. 1. A scale of human motivation

The most internal type of motivation is Intrinsic Motivation, which is defined as the doing of an activity for its inherent satisfactions. When intrinsically motivated an individual is moved to act for the fun or challenge entailed rather than from external rewards. In contrast the lowest level of internal orientation is amotivation, which is a state of lacking an intention to act; this typically results from the lack of personally valuing an activity [12].

Extrinsic motivation is another orientation of motivation that is important for work-based activities. Extrinsic motivation is the construct that pertains when an activity is done in order to attain some separable outcome [13]. However, extrinsic motivation can be modulated in a number of different ways as an individual translates or internalises the external motivation. For example a member of staff who is motivated by not wanting to be reprimanded and a member of staff who is motivated by wanting a promotion and better career prospects are both externally motivated but have internalised this motivation in different ways. To capture this, extrinsic motivation is typically broken down into four different categories as shown in Fig. 1.

The least autonomous form of extrinsic motivation is external regulation, this involves engaging in an activity only in order to satisfy an external demand or obtain an externally imposed reward.

Introjected regulation is another form of external regulation; this involves the internalisation of external controls that are then applied through self-imposed pressures in order to avoid guilt or anxiety or to attain pride. In this case although the regulation is internal the locus of causality is still external [13].

Identified regulation involves a conscious acceptance of the behaviour as being important in order to achieve an outcome that is personally valued, for example a life goal.

The most autonomous form of extrinsic motivation is integrated regulation; this occurs when the identified regulation has been fully assimilated within the self. This shares many qualities with intrinsic motivation, however the behaviour is still measured against some external outcome which is separate from the behaviour itself [13] (e.g. because this job is part of my life).

Examples of statements associated with these differing regulations with respect to work are shown in Table 1. These motivations can be combined to create a work self-determination index [14] which can be particularly useful for representing the individual's level of self-determination [15].

Table 1. Example statements for each level of motivation from [5]

It is clear that motivation twinned with self-efficacy is key to complex problem solving; indeed ‘...creative solutions are not found unless the individual is motivated to apply his or her skills’ [16].

1.3 Creativity

Whilst some have argued that creativity is simply a function of self-efficacy and motivation [5, 17], we believe that whilst creative individuals will typically display high levels of self-efficacy and, generally, will have a more internal motivation there are other factors that cause individuals to display high levels of creativity. In addition to these personal factors, creativity can be encouraged by the organisation and the fundamental environment in which individuals work [4].

In a similar vein to that explored in this paper, understanding the difference in creativity between attack-focussed and defence-focussed cyber professionals would be an exciting prospect and it is clear that this research on self-efficacy and motivation represents the early steps to a more complete understanding of the differing factors between employees.

2 Method

In order to explore the current levels of self-efficacy and motivation in cyber security professionals a simple study was performed which looked to survey those in cyber security and attempt to find evidence of these factors.

A survey was created that used well-regarded scales to measure motivation [18] and self-efficacy [19] in addition to biographic questions regarding age and experience in cyber security. The participants were also asked to estimate the ‘...ratio between the amount of ‘defence-focused’ work (defending networks, writing process and policy, etc.) and ‘attack-focused’ work (red teaming / penetration testing, exploit development, etc.)’ where the answer was a seven point Likert scale: ‘all defensive-focussed’, ‘mostly defensive-focussed’, ‘some defensive-focus’, ‘even-split’, ‘some attack-focus’, ‘mostly attack-focussed’ and ‘all attack-focussed’.

This survey followed the Cranfield University Research Ethics (CURES) process and achieved full permission before being deployed; the participants were sampled using snowball sampling in social networks. This resulted in 137 respondents who completed the entire survey.

3 Results

The demographics of the respondents are shown in Fig. 2; as can be seen, there is a relatively even spread over the age range 18–44. The respondents had a spread of experience: just over a third each had experience of 0–3 years and 3–5 years, with slightly under a third having more than 5 years' experience.

A Pearson's Chi-squared test resulted in a p-value of 0.02486, indicating there was some dependence between the experience and age of the respondents. We could expect to see some correlation between age and experience, particularly given approximately a third of respondents were aged between 18–24 and hence unlikely to have more than 3 years' experience.

Fig. 2. Age and experience of respondents.

The self-declared offensive/defensive ratio of the respondents' tasks is shown in Fig. 3; this shows that the largest group are entirely defensively focussed, with another large group considering themselves to have an even split between defensive and offensive tasks. There is also another large group who have ‘some offensive-focus’ to their tasks.

Fig. 3. Ratio of attack-focused and defence-focused work.

The respondents were broken down into two categories – those who have more defensive focussed tasks and those who have more offensive focussed tasks (for this initial analysis those who claimed an even split were discarded).

Membership of either of these two categories was not found to be dependent on age or experience; a Pearson's Chi-squared test resulted in approximate p-values of 0.887 and 0.218. Whilst these are approximate (since there are a small number of respondents in the higher age and higher experience categories) it is clear that we cannot reject the null hypothesis that, within our sample, the age and experience are statistically independent of the ratio of work tasks.

The scale used in this study to estimate self-efficacy [19] results in a score of 10 to 40 with 40 representing high levels of self-efficacy. The kernel density estimate (KDE) of the self-efficacy estimates and a boxplot is shown in Figs. 4 and 5 for the attack-focused and defence-focused groups.

Fig. 4. Self-efficacy associated with the respondents.

Fig. 5. Self-efficacy associated with the respondents.

In general there are high levels of self-efficacy amongst all respondents, yet there is a tendency for the attack-focussed individuals to have a higher level of self-efficacy. A bootstrapped two-sample Kolmogorov-Smirnov test confirms the two distributions are drawn from different underlying distributions (p-value of 8.54e-4). A Pearson's correlation between the full ordinal scale representing the ratio of work and the levels of self-efficacy also led to the conclusion that there is a positive correlation between the ratio of defensively-focussed and offensively-focussed work and self-efficacy (with a p-value of 5.23e-6). This implies that those performing offensive-focused tasks tend to demonstrate greater self-efficacy than those employed performing defensive-focused tasks.
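A sketch of a bootstrapped two-sample Kolmogorov-Smirnov test on tied integer scores such as the 10 to 40 self-efficacy scale, added here as an illustration and not taken from the paper. The scores are constructed, and resampling with replacement from the pooled sample is an assumed bootstrap scheme, since the paper does not state which procedure it used.

```python
import random
from bisect import bisect_right

# Constructed self-efficacy scores on the 10-40 scale (NOT the study's data).
DEFENCE = [26, 27, 28, 28, 29, 29, 30, 30, 30, 31,
           31, 31, 32, 32, 33, 33, 34, 35, 36, 38]
ATTACK = [30, 31, 32, 33, 33, 34, 34, 35, 35, 35,
          36, 36, 36, 37, 37, 38, 38, 39, 40, 40]


def ks_statistic(a, b):
    """Two-sample KS statistic: the largest gap between the two empirical
    CDFs, evaluated at every distinct pooled value so ties are handled."""
    sa, sb = sorted(a), sorted(b)
    d = 0.0
    for x in set(sa) | set(sb):
        fa = bisect_right(sa, x) / len(sa)  # share of a that is <= x
        fb = bisect_right(sb, x) / len(sb)  # share of b that is <= x
        d = max(d, abs(fa - fb))
    return d


def bootstrap_ks_pvalue(a, b, n_boot=2000, seed=0):
    """Return (D, p). Under the null hypothesis both groups share one
    distribution, so each replicate draws len(a)+len(b) values with
    replacement from the pooled data and splits them into two pseudo-groups.
    p is the share of replicates whose D is at least the observed D.
    (Assumed scheme; asymptotic KS p-values are unreliable with ties.)"""
    rng = random.Random(seed)  # fixed seed keeps the result reproducible
    observed = ks_statistic(a, b)
    pooled = list(a) + list(b)
    hits = 0
    for _ in range(n_boot):
        draw = rng.choices(pooled, k=len(pooled))
        replicate = ks_statistic(draw[:len(a)], draw[len(a):])
        if replicate >= observed - 1e-12:  # tolerance for float rounding
            hits += 1
    return observed, hits / n_boot


if __name__ == "__main__":
    d, p = bootstrap_ks_pvalue(DEFENCE, ATTACK)
    print(f"D = {d:.3f}, bootstrap p = {p:.4f}")
```
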

Participants were also asked to complete a survey exploring different measures of motivation [18]. The test provides estimates of the six different measures of motivation shown in Fig. 1. The distributions of these measures across the two categories are shown in Fig. 6.

Fig. 6. Breakdown of the motivations for the groups (dotted-lines represent the defence-focused group, solid lines the attack-focused group).

It is clearly apparent that both groups of individuals demonstrate little amotivation and are, in general, motivated to perform tasks that form part of their work.

Bootstrapped two-sample Kolmogorov-Smirnov tests were performed on the data from these six different measures of motivation and the results are shown in Table 2. This table, in effect, shows the p-values associated with a null hypothesis that the two classes have distributions drawn from the same underlying distribution. In addition it shows the p-values from Pearson's correlation, indicating where there is a statistically significant correlation between the ordinal measure of the work ratio and the measures of motivation.

Table 2. Comparison of the various motivations between groups.

Fig. 7. Work self-determination index associated with the respondents.

From the results shown in Fig. 6 and Table 2, we can clearly see that there are similar degrees of amotivation, integrated regulation and introjected regulation between the groups. However, there are statistically different distributions between the two populations when considering externally regulated external motivation, with those engaged in defensive-focussed roles being significantly more externally regulated than those in offensive-focussed roles. It is also noteworthy that those in defensive-focus roles are statistically less intrinsically motivated (whilst this is less clear it is still statistically significant at a 0.02 confidence level).

Fig. 8. Work self-determination index associated with the respondents.

These measures of motivation can be broken down to a single measure, the self-determination index (SDI); this is shown for the two classes in Figs. 7 and 8. Since the individual measures of motivation show that those in attack-focussed roles would be more self-determined, it is not surprising that, by SDI, those working in roles dominated by offensive tasks are statistically more self-determined (a two-sample Kolmogorov-Smirnov test resulted in a p-value of 8.104e-5). In addition, a Pearson's correlation between W-SDI and the ordinal ratio between task types shows a statistically significant correlation (p-value 7.927e-5).

4 Conclusion and Further Work

From this study of 137 cyber security professionals it is clear that those whose work is more biased towards offensive cyber tasks are more internally motivated, less externally motivated with a higher self-determination index and have a higher self-efficacy than those employees who are focussed on defensive cyber tasks.

This leads to a very interesting question – are those who are more internally motivated drawn to offensive tasks whilst defensive tasks are structured to be more externally motivating? Or alternatively are those in defensive tasks poorly managed and organisations are unable to support the staff in ways that maintain both their self-efficacy and motivation?

In this research we have focussed on those attack-focussed and defence-focussed cyber security professionals within the workplace. Within the cyber security domain there are clearly very important and influential actors who exist outside the workplace—particularly partaking in offensive actions in cyberspace. This varies from individual hobbyists, through to well-resourced cyber crime groups and nation-states. To contrast similar measures between these cohorts would prove very interesting.

Future work will look to build on this platform with a more complex picture of creativity. Creativity has been identified as increasingly important within cyber security [20], however there is little discussion or evidence of the degrees to which organisations are being creative at present and the potential observable differences increased creativity would make to an organisation.

The striking findings in this paper highlight the differences between those performing tasks that are self-described as offensive and those that are self-described as defensive. This also demonstrates that the asymmetry that has long existed in cyber security from both a technical and opportunity viewpoint [21] also exists in the human dimension.