This study examines non-compliance with policy, or not following the rules, within the cybersecurity domain, which is commonly perceived as the cause of cybersecurity incidents. Specifically, it...Show moreThis study examines non-compliance with policy, or not following the rules, within the cybersecurity domain, which is commonly perceived as the cause of cybersecurity incidents. Specifically, it researches contributing factors of motivation. For this, literature from other domains is examined for approaches on using motivation to increase compliance, and whether these could be applied to cybersecurity. To this end the underlying theoretical frameworks of governance, policy, compliance, non-compliance, and motivation are first examined. The motivational approach to stimulate compliance with policy rules were identified as either extrinsic or intrinsic motivation. The former relies on incentives or deterrents, as stipulated by General Deterrence Theory (GDT), and is commonly employed in cybersecurity. The latter uses autonomy, competence, and relatedness from Cognitive Evaluation Theory (CET), which could be used as an alternative approach within cybersecurity. The different approaches from other domains which successfully increased compliance were examined and found to utilize alternative styles of governance, policy, communication, and education. These approaches could either directly or indirectly be related to CET, indicating viability for application in the cybersecurity domain. Based on this, alternative approaches for application to cybersecurity were hypothesized. Although further research for their application is required, the findings of this study provide a foundation for an alternative approach within cybersecurity which could improve compliance with cybersecurity policy.Show less
