Philosophy of Motivational and Normative Actions in IT Governance

By Michael Curry

My research is an effort to predict information technology (IT) success in the small to medium size enterprise (SME) by assessing organizational norms and attitudes. In this paper I will use the Humean and cognitive theories of motivation to show how norms can influence actions which lead to better IT. Specifically, my intent is to define what is meant by a shared culture of beliefs, values and attitudes about organizational IT. I will also use theories of motivation show how IT governance norms can motivate actions. I begin by examining the non-cognitive or Humean belief-desire theory of motivation which I will argue is inadequate and requires a cognitive theory of motivation to satisfactorily justify normative action.

Humean Theory of Motivation

The Humean Theory of Motivation (HTM) is based on David Hume’s convincing argument “Of the influencing motives of the will” (Hume, 1978) and is a prominent theory of current philosophical psychology (Radcliffe, 2010, p. 477).  
Hume’s original theory of motivation states (in part):

The modern HTM reinterprets 1) as a theory of motivation which requires both belief and desire in order to cause action (Smith, 1987) and by rephrasing the passions described in 3) to be encompassed by the term desire (Radcliffe, 2010, p. 477). For this reason, the HTM is characterized as a theory about motivating reasons versus normative reasons (Smith, 1987).

According to the HTM, belief and desire separately are not sufficient to cause action (Radcliffe, 2010, p. 477-478). For example, Susan may desire to see her organization’s IT kept secure from unauthorized access but since IT security is not her responsibility, she does not know what actions could accomplish her desire. Therefore, her desire alone is not sufficient to motivate any action. Alternatively, Roger understands that using complex passwords can prevent someone from guessing his password and thereby gain unauthorized access to the organization’s IT system. Roger is currently using a weak password and is aware his password could be easily guessed. Despite his beliefs, Roger does not act to change his password possibly because he does not have the same desire as Susan. Roger’s behavior is consistent with empirical evidence that users often use weak passwords despite being warned otherwise (Yan et al., 2000). 

The HTM mandate of a belief-desire pair can help explain why adopting an IT governance framework is not sufficient to drive organizational IT success. Although frameworks are known to generate higher quality IT outcomes, unless this fact becomes a shared belief accompanied by a matching desire for better IT within the organization then there is no motivation for action. 

Beliefs and desires have the ability to shape attitudes, but they each have a different functional role. Beliefs passively represent the current state of the world, while desires are active and seek satisfaction in changing the world (McNaughton, 1988, p. 105).
For example, Roger knows (or holds beliefs) that:

But despite a) and b), there is no preference by Roger to change the state of the world (McNaughton, 1988, p 107).   Put another way, beliefs are like maps that describe what courses of actions one could take (McNaughton, 1988, p. 105, Smith, 1987), or like inventories of what is currently available in the world (Humberstone, 1992). Beliefs may provide a rationale for our action; beliefs may also help us rank order actions (e.g. from good to bad); however, beliefs do not motivate our action. 

Desires involve elements of belief concerning the desirability of actions and actively seek to change the world (Garrard and McNaughton, 1998, McNaughton, 1988, Smith, 1987). Therefore, in order for Roger to change his password he must desire to see a change in his belief that someone might guess his current password and gain unauthorized access to the IT system. 

While the HTM is helpful in explaining motivational actions, it does not allow for the possibility that Roger would develop a desire through logic or reason, and so it may be referred to as a non-cognitive theory. Hume argued that reason and logic play no part in our actions, although we may classify our actions as rational or irrational based on whether the beliefs we held at the time we were motivated to action were true or false (Radcliffe, 2010, p. 489). In judging the merit of actions, a desire which is satisfying beliefs which we believe are better than other beliefs are said to be acting for the greater good. For example, Roger may believe there is little risk to the IT systems, so he finds no fault with not changing his password. If this belief were to change, for example, if Roger learned a co-worker’s account was compromised because of a weak password, this could cause him to reevaluate his action and formulate a new desire to change his password. 

The absence of a role for reason in motivating actions is  contrary to the philosophy of Aristotle and Kant (Radcliffe, 2010, p. 477-482) and a weakness of the HTM. Without reason, it becomes difficult to explain how norms influence actions. Objections to the HTM are primarily with its demand that desires always be non-cognitive (McNaughton, 1988, p. 107). Disciplining ourselves to do something we do not wish to do (such as changing a password), seems to require an ability to influence our desires with reason.

Cognitive Theory of Motivation

In contrast to the HTM, a cognitive theory of motivation (CTM) allows reason to provoke action and can therefore be characterized as a normative or justifying motivational theory (Smith, 1987, p. 44). To illustrate the CTM, consider the following example. Roger knows his password is weak and he would like to change his password. However, crafting a new complex password requires Roger to first think of a memorable non-dictionary phrase, next decide on a combination of upper and lower case letters, numbers and special characters (e.g. the phrase: [I] [s]wim [i]n [t]he [l]ake [a]t [n]ight becomes the password: i$1tL@n), then commit this sequence to memory (McDowell et al., 2009). Completing this task is requires privacy, time and cognitive overhead that might otherwise be spent performing other actions (Yan et al., 2004, Yan et al., 2000).

In fact, Roger is very busy at work and is motivated by a desire to complete his work and a belief that right now fulfilling his responsibility is more important than changing his password. “I am very busy and do not have time to change my password,” Roger thinks to himself.  Just then he may recall a conversation he had with Tina, his manager. “We must be more proactive about reducing security risks to the IT systems,” she said. “Imagine how upset our customers would be if their personal data were compromised.” Tina has expressed her value belief that reducing IT risk is a desirable goal for the organization. 

Values are desires about how the world should be, which also have a strong emotional element to them (McNaughton, 1988). Tina judges that protecting customer information is more than just her desire, it is good and right. She has a strong emotional feeling that protecting customer information is morally superior to being careless about storing it on the IT systems. Now Roger, who is busy working on some pressing task, may not have any strong feelings about protecting customer information, or has not extensively contemplated the consequences of unauthorized access to the information system. He may now remember the conversation he had with Tina and the conviction of her statement makes him pause and deliberate his actions. Roger then decides to change his password immediately rather than wait until later. 

Although it seems obvious that reason played a role in motivating Roger’s action, the HTM advocate will disagree. It was a different desire that overcame him and caused his action the Humean may argue. What desires? Perhaps he wished to be a good employee and satisfy Tina’s concern, or he may have wanted to avoid being the source of an IT security breach. Because good people desire to perform good actions then if Roger believes one action is superior to another, this provides desire to motivate action. Many IT governance best practices are non-intuitive (e.g. using non-dictionary words for passwords), so the HTM belief-desire theory may be the best explanation of motivating action in many cases. 

However, attributing Roger’s actions to a new desire feels unsatisfactory. I prefer to believe that organizations have values and expectations for conduct that are expressed in norms which serve to guide behavior (Beauchamp, 2010, p. 494). A cognitive effort to justify actions in light of an abstract IT governance concept  seems like a more plausible explanation for normative behavior (Smith, 1987, p. 39). For example, Roger may have decided to change his password because he deduced the action was an effective means to reduce IT risk or to protect customer information. Either conclusion should be sufficient to demonstrate that reason can motivate action (Korsgaard, 1986, p. 10-22, Garrard and McNaughton, 1998, p. 43-58).

Roger was already aware that he had a weak password which could expose the IT system to risk. As a result of Tina’s expression of values, Roger’s attitude changed about the urgency of updating his password. Attitudes imply caring about something, which is more than just believing they are good to do (McNaughton, 1988, p. 57). This change in attitude towards reducing IT risk is an example of how IT governance norms can improve IT quality when the best practices become shared values in organizations.

Clearly not all normative reasons produce action.  For example, Susan’s password is her cat’s name.  Susan loves her cat and secretly typing the cat’s name into the IT system gives her an inexplicably pleasant feeling.  Susan was also present when Tina expressed the need to reduce IT risk, and like Roger, she understands why changing her password is prudent, necessary and expected but she does not. Instead of adopting the norm as a behavioral requirement Susan remains skeptical about the role her actions play on reducing IT security risks and has chosen to override the norm (Garrard and McNaughton, 1998, McNaughton, 1988). 

Some reasons are understood as being rational for accomplishing a goal and may cause action, but others do not (Smith, 1987, p. 44). Although Susan has not yet changed her password to reduce IT risk, the organizational norms can still influence her attitude. Eventually, someone in the IT department may decide that instead of asking everyone to voluntarily change their password, the IT system should enforce a stronger password security policy. This change is implemented and the next time Susan logs in, the system requires she choose a new complex password. 

A shared culture of IT governance norms is one in which the beliefs, values and attitudes are consistent with the spirit of the IT governance frameworks and their checklists. If the organization has a strong culture of IT governance norms, then it is very likely Susan will happily comply with this requirement to change her password. She was aware it was a normative requirement but chose to disregard it before. Now when confronted she is willing to participate. Even though she lacked the motivation (or justification) she believes changing her password is the right thing to do in light of her desire to continue working with the IT system.
Alternatively, if the organization has a weak culture of IT governance norms, then Susan (and others) are likely to be upset and complain about the new password requirements. She may change her password because the system forces her to, but she will not be happy about this, and will likely not support other IT governance activities. 

As I have discussed, the Humean theory of motivation requires a desire and belief pair to motivate actions and can be used to explain actions. However in order to provide normative justification for actions, a cognitive theory of motivation is also necessary. I have attempted to justify the role IT governance norms play in improving IT quality by arguing they serve to change beliefs, values and attitudes in the organization which influence actions. 


ALBAYRAK, C., GADATSCH, A. & OLUFS, D. 2009. Life Cycle Model for IT Performance Measurement: A Reference Model for Small and Medium Enterprises (SME). Information Systems–Creativity and Innovation in Small and Medium-Sized Enterprises.
AXELROD, R. 1986. An evolutionary approach to norms. The American Political Science Review, 80, 1095-1111.
BEAUCHAMP, T. L. 2010. Normativity in the Science of Human Nature. A Companion to Hume. Wiley-Blackwell.
BENBASAT, I., GOLDSTEIN, D. K. & MEAD, M. 1987. The case research strategy in studies of information systems. MIS Quarterly, 369-386.
BERGERON, F., RAYMOND, L. & RIVARD, S. 2004. Ideal patterns of strategic alignment and business performance. Information & Management, 41, 1003-1020.
BROWN, A., VAN DER WIELE, T. & LOUGHTON, K. 1998. Smaller enterprises’ experiences with ISO 9000. International Journal of Quality & Reliability Management, 15, 273-285.
BUCHTA, D., EUL, M. & SCHULTE-CROONENBERG, H. 2009. Strategic IT-Management: Increase value, control performance, reduce costs, Gabler Verlag.
COHON, R. 2010. Hume's Moral Philosophy. In: ZALTA, E. N. (ed.) The Stanford Encyclopedia of Philosophy (Fall 2010 Edition).
D'AMBOISE, G. & MULDOWNEY, M. 1988. Management Theory for Small Business: Attempts and Requirements. The Academy of Management Review, 13, 226-240.
DAILY, C. M. & DALTON, D. R. 1993. Board of Directors Leadership and Structure: Control and Performance Implications. Entrepreneurship: Theory and Practice, 17.
DE REGT, H. C. D. G. 2006. To Believe in Belief Popper and Van Fraassen on Scientific Realism. Journal for General Philosophy of Science, 37, 21-39.
DELONE, W. H. & MCLEAN, E. R. 1992. Information systems success: the quest for the dependent variable. INFORMATION SYSTEMS RESEARCH, 3, 60-95.
DELONE, W. H. & MCLEAN, E. R. 2003. The DeLone and McLean model of information systems success: A ten-year update. Journal of management information systems, 19, 9-30.
EASTERBY-SMITH, M., THORPE, R. & LOWE, A. 2009. Management research : an introduction, London, Sage Publications.
FEINDT, S., JEFFCOATE, J. & CHAPPELL, C. 2002. Identifying Success Factors for Rapid Growth in SME E-commerce. Small Business Economics, 19, 51-62.
GARRARD, E. & MCNAUGHTON, D. 1998. Mapping Moral Motivation. Ethical Theory and Moral Practice, 1, 45-59.
GHOBADIAN, A. & GALLEAR, D. 1997. TQM and organization size. International Journal of Operations & Production Management, 17, 121-163.
GREMBERGEN, W. V., HAES, S. D. & AMELINCKX, I. 2003. Using COBIT and the Balanced Scorecard as Instruments for Service Level Management. Information Systems Control Journal, 4, 1-7.
GUPTA, M. & CAWTHON, G. 1996. Managerial implications of flexible manufacturing for small/mediumm-sized enterprises. Technovation, 16, 77-83.
HAES, S. D. & GREMBERGEN, W. V. 2008. Analysing the Relationship Between IT Governance and Business/IT Alignment Maturity. Hawaiian International Conference on System Sciences, 1-10.
HENDERSON, J. C. & VENKATRAMAN, N. 1993. Strategic alignment: Leveraging information technology for transforming organizations. IBM Systems Journal, 32, 4-16.
HUANG, R., ZMUD, R. W. & PRICE, R. L. 2010. Influencing the effectiveness of IT governance practices through steering committees and communication policies. Eur J Inf Syst, 19, 288-302.
HUMBERSTONE, I. L. 1992. Direction of fit. Mind, 101, 59-83.
HUME, D. 1978. A Treatise of Human Nature, edited by LA Selby-Bigge, revised by PH Nidditch. Oxford: Clarendon Press, 2, 17-25.
ITGI 2007. Cobit 4.1: Framework, Control Objectives, Management Guidelines, Maturity Model. Rolling Meadows, IL: IT Governance Institute.
ITGI 2008. Aligning CobiT® 4.1, ITIL® V3 and ISO/IEC 27002 for Business Benefit. IT Governance Institute.
JOUIROU, N. & KALIKA, M. Year. Strategic alignment: a performance tool (an empirical study of SMEs). In, 2004. 10.
KORSGAARD, C. M. 1986. Skepticism about practical reason. The Journal of Philosophy, 83, 5-25.
LEVY, M. & POWELL, P. 1998. SME Flexibility and the Role of Information Systems. Small Business Economics, 11, 183-196.
LIN, C.-T., CHIU, H. & TSENG, Y.-H. 2006. Agility evaluation using fuzzy logic. International Journal of Production Economics, 101, 353-368.
MCDOWELL, M., RAFAIL, J. & HERNAN, S. 2009. Cyber Security Tip ST04-002: Choosing and Protecting Passwords [Online]. Department of Homeland Security. Available: [Accessed May 19, 2011].
MCNAUGHTON, D. 1988. Moral vision, B. Blackwell.
PARKER, C. C., TANYA 2007. New directions for research on SME-eBusiness: insights from an analysis of journal articles from 2003 to 2006. Journal of Information Systems and Small Business, 1, 21-40.
RADCLIFFE, E. S. 2010. A Companion to Hume, Wiley-Blackwell.
REICH, B. H. & BENBASAT, I. 2000. Factors that influence the social dimension of alignment between business and information technology objectives. MIS Quarterly, 81-113.
RIDLEY, G., YOUNG, J. & CARROLL, P. 2004. COBIT and its Utilization: A framework from the literature.
ROGERS, E. M. 1976. New Product Adoption and Diffusion. The Journal of Consumer Research, 2, 290-301.
SIMONSSON, M. & JOHNSON, P. Year. Defining IT governance-a consolidation of literature. In, 2006. Citeseer.
SMITH, M. 1987. The Humean theory of motivation. Mind, 96, 36-61.
TRONDSEN, T. J. 1997. IS IT POSSIBLE TO IDENTIFY SUCCESS FACTORS IN YOUNG, GROWING FIRMS? Journal of Small Business and Enterprise Development, 4, 87-94.
VAN FRAASSEN, B. C. 1980. The Scientific Image, Oxford, Oxford University Press.
VENKATRAMAN, N. 1989. Strategic orientation of business enterprises: The construct, dimensionality, and measurement. Management Science, 35, 942-962.
YAN, J., BLACKWELL, A., ANDERSON, R. & GRANT, A. 2000. The memorability and security of passwords-some empirical results. Technical Report-University Of Cambridge Computer Laboratory.
YAN, J., BLACKWELL, A., ANDERSON, R. & GRANT, A. 2004. Password memorability and security: Empirical results. Security & Privacy, IEEE, 2, 25-31.


Modeling Systems in UMLSystems are a combination of hardware, software and peripherals collectively working in an environment where together they fulfill a need of those who use the system. Because there are often many intangible components, it is difficult to create an accurate representation or model of complex engineered IT systems.

This tutorial explains how to create UML diagrams of IT systems in language any business analyst will find easy to read and understand.

Organizations with effective IT alignment realize cost savings, productivity improvements, and better organizational efficiency. Helping organizations achieve alignment is the goal of my consulting practice and ongoing research.

If you would like to know more about alignment or how I assess and improve alignment in organizations, please feel free to contact me today.


Michael's strongest strength is that he tells us what he will do, then he does what he says. I would gladly recommend him to any other business considering a website.

Stein Swenson, Founder Maverix Golf Tour