No One Wants to Be “That Guy” in Cybersecurity

The email from IT hits your inbox. “Suspicious activity detected, change your password immediately.” Panic hits. Did the whole office get this message, or is it directed at you? What triggered it? That’s a normal response. According to Allen Johnston, the Hewson Professor of Cybersecurity at The University of Alabama’s Culverhouse College of Business, the reason is that, “They’re afraid of being sanctioned. They’re afraid of being called out informally, socially ostracized because they did something that affected their community, their group or their department.”

That instinct to avoid being that person whose lapse slows everyone down sits at the heart of Johnston’s research. In his Journal of the Association for Information Systems research paper, “Understanding Employees’ Security Behavior from a Goal Systems Perspective,” Johnston and his coauthors examine why workers lock screens, update software, and reset passwords. Is fear really the whole story or is it just the most obvious part of it?

Johnston explored this idea at a research session when he and the group he was with noticed almost all the research being presented covered the same theme. “Employees are doing security behaviors because they’re afraid of being punished,” Johnston said.

Walking out of the conference, the group continued discussing the issue and thought there’s got to be more to it. They wondered whether security might be tied to something more positive, like people’s own work goals. “What if security behaviors were integrated into your job, your performance of your job or your goals?” Johnston said.

What they found went beyond avoiding discipline. Workers talked about wanting to perform well, to avoid being blamed for mistakes, and simply to do the right thing for coworkers. “Somebody forgets to log out. Just do right. I’m going to log out for them. No big deal. I’m just doing it because I can be a good citizen,” Johnston said as an example of wanting to do the right thing.

Another strong theme was not wanting to be associated with a breach at all. A colleague introduced a German term, “Ubenkont,” which Johnston summarized as “not being associated or not being known for something.” In other words, someone who doesn’t want to be “that guy” whom people point to as the reason for massive security violations.

After identifying these motivations qualitatively, the next step was to test them. Some ideas held up more than others. “Performance was the primary,” Johnston said, meaning employees were most motivated when security helped them do their jobs well. Avoiding blame was also powerful, though slightly weaker. Surprisingly, the “good citizen” impulse did not show up as strongly in the data. Still, Johnston cautioned, “I don’t think our study definitively establishes that it’s not a positive driver…I’m going to chalk it off as an exception rather than a rule.”

The most important takeaway is practical. Organizations, Johnston said, should rethink how they frame security training. “They need to think about security rather as not a compliance issue, not solely a compliance issue, but also a capability issue,” he explained.

In other words: “It comes [as] a competency issue as opposed to merely [as] a compliance issue.”

That shift shows up in simple tools like password managers. Johnston pointed out that the University provides one, yet few people use it. Encouraging employees to adopt those tools, he argued, lets security support productivity rather than interrupt it. As he put it, “if you have a separate password for every spot and then you keep it in a password manager you don’t deal with that.”

Authored by

Media Inquiries

Zach Thomas

Director of Marketing & Communications