Research Shows IT Security Funding Hinges on Personalities
Posted: July 2, 2014 at 5:01 am, Last Updated: July 3, 2014 at 7:48 am
By Preston Williams
A senior manager’s personality type can play a significant role in determining how secure a company’s information technology system is, a George Mason University professor has concluded.
The findings of a study conducted by George Mason business professor Nirup Menon could be an inside-secret boon for IT security managers, who cite adequate funding as the top problem in their industry.
Menon, who specializes in information systems and operations management, found that managers with “rational” personalities tend to devote more resources to IT security than managers who make decisions with a more “inspirational” style steeped in emotion.
Whether the expenditure is requested with a positive framing or a negative framing also had an impact on the willingness of supervisors to invest in IT security.
Menon’s research suggests that IT security managers should tailor their request for security resources based on their senior manager’s personality. The better tailored the message, the more likely they are to receive the funding they believe their employer needs to protect its IT system.
The Information Security Forum, the largest information security association in the world, says that lack of financial support by top management looms as the prevailing information security challenge in organizations worldwide.
“The idea is that IT managers find the balance between the problem and their audience,” says Menon, who this past spring presented his findings at the Massachusetts Institute of Technology. “It’s up to the IT manager to determine what would work best for their particular manager.
“With IT security, senior managers like to do the barest minimum and then spread the rest of those resources elsewhere.”
Menon, working with Mikko Siponen from the University of Jyväskylä in Finland, surveyed about 600 senior managers in Finland, asking a series of questions that helped determine personality type and also assessed how the managers cognitively process financial requests through the filter of those personalities.
Menon found that rational managers are more likely to spend on IT security regardless of approach because they weigh the cost and risk and determine that it is a sound investment. They use a central route of decision making that is systematic, deliberate, rule-based and reflective.
Inspirational managers, with more quick, intuitive and impulsive tendencies, are less likely to spend on IT security because they are more motivated by matters concerning strategy, competitive advantage and profit margins. Something as unflashy as IT security—the risk of a breach, the potential loss from a breach, the cost of a solution—does not rouse them to spend in the same way.
Menon also researched the effect that a positive or negative message had on both rational managers and inspirational managers. Negative fear tactics stirred emotions in the inspirational managers and resulted in them devoting more resources to IT security. The rational managers reacted more favorably to facts and evidence and did not take security issues any more seriously when confronted with a doomsday approach.
If IT security managers can determine the proper combination of analytics and emotion that would appeal to the personality of their superiors, they would be more successful in receiving funding for their department.
“We hope that security managers will now have a better inkling of how they should frame their message,” Menon says. “I think most senior managers understand there’s an IT security problem, but the urgency doesn’t get to them.
“They say, ‘Well, there’s a 10 percent chance of a breach. Okay, that’s fine. But right now I have a 20 percent chance of making more money through a marketing campaign.’ It’s a question of priorities.”
Write to Preston Williams at firstname.lastname@example.org