UTAUT — the Unified Theory of Acceptance and Use of Technology, formulated by Venkatesh and colleagues in 2003 — has four constructs. Performance expectancy. Effort expectancy. Social influence. Facilitating conditions. The standard model treats all four as additive predictors of behavioral intention and use. In low-stakes consumer settings, this works. In asymmetric-risk domains, it does not.
That sentence is the core finding of a doctoral dissertation I defended earlier this year, but I want to make the case in plain language here, because I think the implications matter beyond the academy. Facilitating conditions are not a co-equal predictor of adoption in cybersecurity. They are a gating threshold. Below that threshold, the other three constructs cannot compensate, no matter how high they score.
What facilitating conditions are.
UTAUT defines facilitating conditions as the degree to which an individual believes that organizational and technical infrastructure exists to support use of the system. In practice: do you have the permissions? Does it integrate with the tools you already use? Is there training? Will someone help you when it breaks? Is there budget for the ongoing licensing? These are unglamorous variables, which is part of why they get under-modeled.
Adoption is asymmetric. The four UTAUT constructs do not sit shoulder-to-shoulder; facilitating conditions are the whole game.
Why the asymmetry exists.
In consumer settings, performance expectancy (does it do what I want?) and effort expectancy (is it easy?) carry most of the predictive weight because the downside of a bad decision is small. If you adopt a meditation app and it doesn’t work for you, you delete it. The asymmetry of consequences is mild, and so the four constructs can compete on roughly equal terms to explain why you bought it.
Cybersecurity is different. The downside of a bad adoption decision is non-linear: the wrong EDR doesn’t just underperform, it leaves you exposed. The wrong SIEM integration doesn’t just slow analysts down, it generates so much false-positive noise that real threats are missed. The asymmetry of consequences breaks the model. In domains where the cost of failure is high, buyers will not adopt unless the facilitating conditions are unambiguously present. Performance expectancy and effort expectancy become necessary conditions for purchase but not sufficient conditions for use.
The dissertation’s empirical contribution is to show this with structural equation modeling on survey data from cybersecurity practitioners. The path coefficients tell the story: when facilitating conditions are above some context-specific threshold, performance expectancy and effort expectancy have strong, statistically significant effects on use. When facilitating conditions are below that threshold, the path coefficients on the other three constructs collapse to near zero. Adoption simply doesn’t happen, no matter how good the product is.
What this means for how you build.
If you accept the finding, the implications for product strategy are sharp. You do not solve adoption with better marketing. You do not solve it with a more accurate model. You solve it by engineering facilitating conditions into the product from the beginning. Three specific moves follow:
- Sit above existing tooling, not in place of it. Replacement requires the buyer to convince procurement, integrate from scratch, retrain analysts, and rewrite playbooks. Augmentation requires none of those. The facilitating-condition cost is an order of magnitude lower.
- Ship a free tier inside a tool buyers already use. If your tool appears as a plugin inside an environment the analyst already opens daily, the facilitating-conditions cost approaches zero. This is why OBSIDIAN’s first product is a Wireshark plugin and not a standalone SaaS application.
- Make the model transparent before you make it sophisticated. Buyers in asymmetric-risk domains will not adopt black boxes, even high-accuracy ones. The trust required to clear the facilitating-conditions threshold demands explanation. Sophistication can be added in v1.2; transparency has to be there in v0.1.
Where this generalizes.
The argument is not unique to cybersecurity. Any domain where the cost of a failed adoption decision is high — clinical decision support, automated trading systems, aviation safety tooling, regulated industries broadly — should expect the same asymmetry. I’m currently testing the empirical claim in clinical decision-support adoption as a working paper, and the early signal is consistent. Whether the gating-threshold finding holds in education technology, civic technology, or other domains with different risk profiles is an open question worth researching.
The point.
For five years I watched founders in this space ship technically impressive products that nobody used. The standard diagnosis was always “they need to spend more on go-to-market.” Sometimes that was right. More often, the problem was that the product had been designed around performance expectancy when adoption was being gated by facilitating conditions. The fix wasn’t more marketing. It was different architecture.
If you’re building in a high-stakes domain and adoption isn’t happening: don’t optimize the model. Audit the facilitating conditions.