
The more secure the better? A study of information security readiness

Jun Sun, Punit Ahluwalia and Kai S. Koong

The University of Texas – Pan American, Edinburg, Texas, USA

Abstract

Purpose – This paper seeks to investigate which factors influence user attitudes toward different levels of security measures for protecting data of differing importance. The paper also examines user characteristics including IT proficiency and risk propensity, which give rise to individual differences in such attitudes.

Design/methodology/approach – To capture user attitudes toward a security measure, a construct called “information security readiness” (ISR) and its corresponding measurement items were developed. Observations were collected from a laboratory experiment based on a 2 × 3 factorial design, with data criticality and security level as the treatment variables. The participants were undergraduate students of a major American university. The moderating effect of data criticality on the relationship between security level and ISR was tested with multi-group structural equation modeling. In addition to the treatment variables, IT proficiency and risk propensity were included as covariates in the analysis.

Findings – The results revealed a nonlinear relationship between security level and ISR. For data of high criticality, enhancing security level had a positive impact on ISR, but only up to the point perceived as appropriate by the participants. For data of low criticality, the enhancement of security level was perceived as unnecessary. In addition, IT proficiency was found to be a significant covariate, especially when data criticality was high.

Practical implications – In practice, the specification of a security measure requires a trade-off between the utility of the data protected and the usability of the security method. The measure of ISR provides a means to locate the equilibrium by examining user attitudes across different security levels in relation to a particular level of data criticality. The significance of IT proficiency demonstrates the importance of user training.

Originality/value – This study introduces the ISR construct to capture evaluation, power, and activity dimensions underlying an individual’s cognitive beliefs, affective responses, and behavioral inclinations toward the adoption of security measures. The results provide interesting insights into the role of interaction between security level and data criticality in influencing ISR.

Keywords Data security, Information technology, Risk management

Paper type Research paper

The current issue and full text archive of this journal is available at www.emeraldinsight.com/0263-5577.htm

Industrial Management & Data Systems, Vol. 111 No. 4, 2011, pp. 570-588. © Emerald Group Publishing Limited, 0263-5577. DOI 10.1108/02635571111133551

Received 10 August 2010; Revised 7 December 2010; Accepted 3 February 2011

1. Introduction

New challenges have emerged in the task of protecting data in widely networked information systems as more and more individuals and organizations benefit from the adoption of information and communication technologies and the digitization of information. These challenges arise because of the ease of duplicating digital data and increased deployment of distributed data sources by organizations, resulting in an increased likelihood of unauthorized access by cybercriminals. Existing literature suggests that individuals worry about their privacy and desire complete control over their private data (Norberg et al., 2007). Organizations must protect the data which provide them with competitive advantages in the marketplace (Huang et al., 2006). Providing information security, defined as “the technical guarantees that ensure that the legal requirements and good practices with regard to privacy will be effectively met” (Flavian and Guinaliu, 2006, p. 604), is a significant issue confronting IT managers and practitioners.

Organizations face significant challenges as more and more people are provided access to data stored on internetworked computer-based systems. A study conducted in 2003 found that 29 percent of the respondents had experienced unauthorized exposure of stored data (Swartz, 2004). Information security is a very important area of research with significant implications for practice (Knight et al., 2007; Schultz, 2007; Dotson, 2007). Organizations and individuals employ authentication procedures to protect their data. Among these, the most widely used authentication method identifies a user through the input of a unique user name and determines that the person is legitimate through the input of a correct password (Adams and Sasse, 1999). In recent years, more advanced techniques such as biometrics have been proposed to protect database systems from unauthorized persons. Such methods entail verification of users through matching fingerprints, facial features, irises, or voices (Jain et al., 2006). Even though these newer technologies are being gradually adopted, the user name and password authentication method remains the most widely used procedure for protecting data.

The existing literature points to the tension between user preference for easy passwords and the risks associated with such passwords. Previous studies have shown that if there are no constraining requirements, users often select easy-to-remember user names and passwords (Riddle et al., 1989; Adams and Sasse, 1999). Selection of simple and/or familiar strings for user names and passwords makes it easier for the malicious hackers to decode (crack) these values (Klien, 1990). The “crackability” of passwords depends on several factors such as the variety of character set (e.g. numbers, letters, and case sensitive), the number of characters used, and other constraints such as avoiding dictionary words (Proctor et al., 2002). It follows that the level of protection offered by passwords is directly related to their complexity. However, increasing the complexity of passwords leads to a greater degree of difficulty of recall, higher probability of errors in the authentication process, and increased user resistance. This reality leads to the dilemma confronted by IT managers and practitioners, which is that the level of security offered by an authentication method is inversely related to its convenience. This phenomenon creates a paradox for IT security managers. On one hand, IT managers seek to increase the usability of the system, while on the other hand they need to enhance security, requiring them to increase the complexity of the authentication parameters. Therefore, the specific arrangements of a security measure may exhibit distinct characteristics which depend on the trade-off between simplicity and safety.

People’s trust in the integrity of information is closely related to its perceived security and privacy (Chen and Barnes, 2007). Therefore, organizations seek to increase the complexity of security requirements to the highest possible level for all of their systems (for example, require users to use complex passwords and to update passwords frequently). However, all types of data are not homogeneous in value and criticality; some require tremendous effort to obtain and hold significant value, and thus are more important than other routine data. Users and organizations would experience a great sense of loss if there were leakage of or damage to highly critical data. Thus, people’s attitudes towards the adequacy of the security measures depend on not only the level of security provided but also the criticality of the protected data.

This study aims to verify the interaction between security levels and data criticality and their influence on user attitudes. Enhancing a security measure does not always yield desirable results; rather, it may cause resistance from users if the measure is perceived to be more rigorous than necessary. Such a relationship could have important implications for practice. Few empirical studies have been conducted to examine how different levels of security measures influence user attitudes toward such measures, under varying levels of data criticality.

The sparsity of research studies that examine user attitudes towards security levels could be due to the erroneous notion that people willingly comply with a higher level of security measure because it provides better protection. However, this supposition may not always apply, because people perceive extra efforts to meet the mandated security levels as unnecessary overhead or costs. For example, a security policy may require the use of certain non-standard characters in passwords, require users to change their passwords frequently, and restrict repetition of previously used passwords (for example, users cannot reuse any of the ten previously used passwords). This increased complexity leads to undesirable and unexpected effects, such as some users writing their passwords on paper, thus actually increasing the probability of identity theft. Therefore, if the information is not perceived to be critical, and there is a choice, people may choose methods that provide only a basic level of security.
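The following is an added example, not code from the paper: it turns the factors cited earlier from Proctor et al. (character-set variety, length, dictionary words) and the ten-password reuse rule from the paragraph above into a checker, so the extra burden each stricter policy places on the user is visible. The policy tiers, word list, work factor and function names are assumptions made for illustration and are not the security levels used in the study.

```python
import hashlib
import hmac
import math
import os
import string

# Constructed sample word list; a real deployment would load a large dictionary.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein"}
HISTORY_DEPTH = 10       # the passage's example: the ten previous passwords
PBKDF2_ROUNDS = 100_000  # illustrative work factor for the history hashes

# Hypothetical policy tiers, invented for this example (not the study's levels).
POLICIES = {
    "basic":  {"min_len": 6,  "min_classes": 1, "no_dictionary": False, "history": False},
    "medium": {"min_len": 8,  "min_classes": 3, "no_dictionary": True,  "history": False},
    "strict": {"min_len": 12, "min_classes": 4, "no_dictionary": True,  "history": True},
}

# Alphabet size contributed by each character class (printable ASCII).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def char_classes(password):
    """Return the set of character classes that occur in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")  # anything else is counted as a symbol
    return classes


def search_space_bits(password):
    """Brute-force search space in bits: length * log2(alphabet size).

    This is an upper bound that assumes uniformly random characters, which is
    why the dictionary check below is needed as a separate constraint.
    """
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def contains_dictionary_word(password):
    """True if any word from the list appears inside the password."""
    lowered = password.lower()
    return any(word in lowered for word in DICTIONARY)


def hash_password(password, salt=None):
    """Return (salt, digest) so history can be kept without plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused(password, history):
    """Compare against the most recent HISTORY_DEPTH stored (salt, digest) pairs."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check(password, policy_name, history=()):
    """Return the list of policy violations (empty list means accepted)."""
    policy = POLICIES[policy_name]
    problems = []
    if len(password) < policy["min_len"]:
        problems.append("too short")
    if len(char_classes(password)) < policy["min_classes"]:
        problems.append("too few character classes")
    if policy["no_dictionary"] and contains_dictionary_word(password):
        problems.append("contains dictionary word")
    if policy["history"] and reused(password, history):
        problems.append("reused recent password")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, evaluated under every tier.
    for pw in ("monkey", "Monkey2011!", "Tr4il-Mix#2011"):
        bits = search_space_bits(pw)
        for tier in POLICIES:
            print(f"{pw!r:18} {tier:7} {bits:5.1f} bits  {check(pw, tier) or 'accepted'}")
```

Each stricter tier rejects more of what a user would naturally choose, which is the usability cost the paper sets against the protection gained.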

This study empirically investigates the influence of security level and data criticality on user attitudes. A psychological construct called “information security readiness” (ISR) and its corresponding measures were developed to capture user attitudes toward security measures. The research hypotheses were tested by conducting a laboratory experiment. The research model hypothesizes that data criticality moderates the relationship between security level and ISR. For practitioners, the results may yield important implications on how best to implement optimum security measures for the protection of particular data.

This paper is structured as follows. The existing related literature is reviewed and the hypotheses are stated in Section 2. Section 3 presents the methodology. Section 4 reports the results. The conclusions and implications are discussed in Section 5.

2. Literature review and research model

This study seeks to confirm a nonlinear relationship between security level and ISR moderated by data criticality. Therefore, it is necessary to examine how willing people are to use different levels of security measures in different situations. The existing IS literature suggests the technology acceptance model (TAM) (Davis, 1989), and related models such as the unified theory of acceptance and use of technology (Venkatesh et al., 2003) to study user acceptance of information technology. These frameworks predict an individual’s behavioral intention regarding whether or not to use an information system based on his/her perceptions of its main characteristics, namely utility (e.g. usefulness) and usability (e.g. ease of use).

As for the predictor of actual behavior, the behavioral intention concerns the binary decision on whether to use a given system or not. However, a comparison of user reactions to different levels of security measures involves multiple alternatives. When there are options, it is best not to assume that users make separate decisions and form an intention for each (Benbasat and Barki, 2007). In this sense, behavioral intention is not an appropriate dependent variable for this study. Also, users typically perceive security measures as rules and procedures that they need to follow to protect the integrity of data residing on a system. Therefore, security measures cannot be characterized as useful/useless and usable/unusable without taking into account the factors of data importance and security policy. In this sense, constructs such as perceived usefulness and perceived ease of use are not well suited for examining user attitudes toward security measures.

Attitude, defined as the psychological tendency expressed by evaluating a particular entity with some degree of favor or disfavor, is commonly used to explain and predict human behavior (Eagly and Chaiken, 1993).

This study proposes the ISR construct to describe user attitudes toward a security measure. It measures user cognitive beliefs, affective responses, and behavioral intentions toward the adoption of a security measure for protection of certain data. The term “readiness” indicates the degree of preparedness and inclination to use a method, rather than the decision whether or not to use it. Also, the construct is different from security awareness, which represents the knowledge of users regarding how well their information assets are protected (Thomson and von Solms, 1998).

ISR can be used as the dependent variable to find out how people react to different levels of security measures implemented for different systems. That is, the assessment of ISR may reveal a nonlinear relationship underlying the dilemma facing IT security managers. On the one hand, enhancing a security measure may lead to higher ISR of users because it provides them more protection; on the other hand, if the enhanced security measure is too stringent or complicated it may negatively impact ISR because its compliance requires excessive effort.

Although technology acceptance research does not provide the needed constructs, its basic framework sheds light on the development of research model used in this study. TAM and related models are based on the premise that user behavior depends on the utility and usability of an information system. For a security measure, utility is associated with the importance of protected data, and usability is related to the complexity of its requirement. Unlike an information system, however, a security measure can hardly be implemented to maximize both utility and usability. Besnard and Arief (2004) presented the issue of computer security as a trade-off between productivity and acceptance of certain amount of risk. They posited that a certain amount of loss is acceptable because it is too demanding to protect every single piece of data. The conflict between functionality and information security has been identified in several quantitative studies of user behavior (Post and Kagan, 2007; Albrechtsen, 2007). In terms of the effort required from users, researchers found that the usability of an authentication method has an inverse relationship with the protection level it offers (Warkentin et al., 2004). Thus, there is a paradox of security enhancement, because it is driven by the increasing need for data protection, but may ultimately be perceived as excessive, thereby causing user resistance.

To address this paradox, data criticality is posited as a potential moderator of the relationship between security level and ISR. Users are likely to consider the importance of data in forming their attitudes toward a security measure, based on the protection it offers and the effort it requires. A more complex authentication process would offer a higher level of security in terms of information access control, but its compliance would require more effort. If a security measure is perceived to provide either less or more protection than needed, users are likely to be reluctant to use it. In this sense, ISR reflects user tolerance towards both the risk and the effort associated with a security measure that is employed to protect the data residing on a system. The foregoing discussion leads to the proposition that user ISR toward authentication methods depends on the interaction between security level and data criticality.

In an empirical study, such a moderating relationship may be tested by comparing the effect of security levels on ISR at different levels of data criticality. In terms of authentication procedures, users are likely to prefer a security level that is perceived as adequate but not excessive for the protection of particular data. For critical data, users may tolerate more stringent measures. In such a case, the increased complexity is acceptable. However, for non-critical data, users are less likely to be concerned about security, and may prefer simpler measures that require less effort for compliance. The above discussion leads to our first set of hypotheses:

H1a. When the data to be protected are not critical to users, the increase in security level will not enhance their ISR.

H1b. When the data to be protected are critical to the users, the increase in security level will enhance their ISR, but only up to a point before the measure is perceived as excessive.

The personal characteristics of a user may also affect his/her attitude toward a security measure. Compared with security level and data criticality, such characteristics do not have a direct impact on ISR, but rather make differences in it across individuals. Thus, they are potential covariates of ISR. However, like security level, their effects on the dependent variable may still be subject to the moderation of data criticality. That is, users with different characteristics may exhibit different levels of ISR depending on the criticality of data.

Among such personal characteristics, IT proficiency and risk propensity are particularly relevant. IT proficiency is related to an individual’s knowledge and skill in using IT, determining how comfortable the person is with various technologies (Smith, 2002). Information security technology has been recognized as an important component of IT, and people who are proficient in IT are likely to have a good understanding of security technology. They are likely to appreciate the complexity in the security measures, especially when the data protected are critical. However, for non-critical data, users may not care about the security measure, regardless of their proficiency levels. Thus, we state the second group of research hypotheses:

H2a. When the data to be protected are not critical to users, their IT proficiency does not make much difference to their ISR.

H2b. When the data to be protected are critical to users, those who are IT proficient are likely to have higher ISR than those who are not.

Risk propensity relates to whether an individual is risk prone or risk averse, therefore it has been found to regulate human behavior involving possible harm and loss (Fagley and Miller, 1990; Zuckerman and Kuhlman, 2000). A security measure is supposed to protect users from potential compromise of valuable data, and thus risk propensity may also be a relevant covariate of ISR. Compared with those who are risk-prone, risk-averse users are more likely to prefer greater protection of their data with sufficient security measures, especially when the data are critical. Thus, the third group of hypotheses is as follows:

H3a. When the data to be protected are not critical to users, whether they are risk averse or risk prone does not make much difference to their ISR.

H3b. When the data to be protected are critical to users, those who are risk averse are likely to have higher ISR than those who are risk prone.

The above discussion leads to the research model shown in Figure 1. In this figure, the solid lines indicate the relationships of primary interest and the dashed lines indicate the relationships of secondary interest. Our primary interest is to find out how the security level of authentication methods influences users’ ISR, and how data criticality moderates that relationship. The study also examines how the covariates of IT proficiency and risk propensity influence individual differences in ISR at different levels of data criticality.

3. Methodology

3.1 Experiment design

Laboratory experiments allow the exercise of desired control of treatment variables so as to test their hypothesized effects on outcome variables. To maximize the effect sizes, it is necessary to make the experimental conditions as different as possible (Kerlinger, 1986). In this study, security level and data criticality are the treatment variables, and ISR is the outcome variable. Thus, a factorial design was adopted to control the levels of the two treatment variables.

Data criticality is hypothesized to moderate the relationship between security level and ISR. We arranged two levels of data criticality (high vs low) in order to examine the interaction effect of security level and data criticality on ISR. Criticality of data may be categorized based on the impact of its loss or compromise. Stine et al. (2008) identify confidentiality, integrity, and availability as the three objectives of securing data.

In general, people are likely to consider their private financial data as more critical than data in their e-mail accounts. The impact of the loss or compromise of data in personal financial accounts is likely to be high because such events may lead to financial losses, evoke significant anxiety, and cause other problems (for example, negative impact on

Figure 1. Research model (elements: IT proficiency, security level, risk propensity, data criticality, information security readiness (ISR); paths labeled H1, H2, H3)

(64.2 percent) and 39 were female (35.8 percent). A student sample in this study is appropriate because the participants use various types of information systems on a daily basis in their academic, professional, and social lives. All students enrolled at the university access their accounts to register for classes and view their personal academic information such as course grades and tuition. They use distance learning technologies such as “blackboard” to submit assignments, take online quizzes and exams, and view their course grades.

A drawback of using students as the subjects may be that they do not represent the real-world users (Birnberg and Nath, 1968; Ashton and Kramer, 1980). The literature suggests that the limitation of using student participants should be examined in light of the research goals. In the applied fields, it is important to examine whether the students in the sampling frame would behave differently from the target population when receiving experimental intervention (Liyanarachchi and Milne, 2005). Calder et al. (1981) suggested that for theory testing, it is preferable to have a homogeneous sample. From a meta-analysis, Peterson (2001) found that student samples are generally more homogeneous than non-student samples. To investigate the relationships involving attitudinal constructs, students may well serve as surrogates for the target population (Beltramini, 1983). The participants use a range of information security measures in their daily lives including accessing their e-mails, academic records, and online banking, therefore the use of students as subjects is appropriate for this study.

3.3 Measurement

Attitude has been conceptualized to be comprised of cognitive, affective, and conative (behavioral) components (Katz and Stotland, 1959; Rosenberg and Hovland, 1960; Zanna and Rempel, 1988). There is a long history of support in the literature for this tripartite theory of attitude, and of empirical evidence supporting its validity (Breckler, 1984; Kothandapani, 1971; Ostrom, 1969). Therefore, from the perspective of attitude theory, ISR should also include these three components.

For measurement of the underlying components of ISR, items were adapted from the instrument developed by Crites et al. (1994) to capture the affective and cognitive attitudes toward a wide variety of concepts. The original instrument consists of 15 semantic differential items, eight affective and seven cognitive, each using a pair of bipolar adjectives. These items were modified to make them suitable for security as the attitudinal object in this study. An examination of the original instrument showed that the item “easy-difficult” was not included among the cognitive items, but it is a relevant belief about security measures. In addition, two items for the behavioral component of ISR were also included: “disinclined-inclined” and “hesitant-eager.” Finally, some minor adjustments were made to remove the ambiguity in some existing items. Table III lists the components of the ISR, questionnaire statements, and the corresponding semantic differential items.

Semantic differential methodology is a simple, flexible, and economical means for eliciting participants’ responses on different aspects of an attitude object (Heise, 1970). With the help of factor-analytic procedures, researchers have identified three general attitudinal dimensions underlying the semantic differential responses in multidimensional semantic space. These are evaluation, power/potency, and activity (EPA) (Osgood et al., 1957). The evaluation dimension corresponds to the unfavorable-favorable assessment that dominates most attitudinal scales. In addition, the power dimension and activity dimension reflect the perceptions of the power/potency (for example, weak/strong) and behavioral properties (for example, slow/fast), respectively, associated with the attitudinal object. The inclusion of activity and power dimensions provides researchers with richer information and makes the semantic differential scales appropriate for a comprehensive assessment of attitude (Ostrom, 1969).

The items used to measure the cognitive and affective components of ISR can be categorized into the EPA dimensions. The items of the evaluation dimension measure users’ assessment of a security measure itself. The items of the activity dimension measure users’ feelings and beliefs toward using a security measure. The power dimension, on the other hand, deals with users’ sense of control regarding the adoption of a security measure. Thus, the cognitive and affective items capture user beliefs and feelings with regard to a security measure itself, how to apply the measure, and what to expect on its delivery. In addition, the behavioral items capture the behavioral tendency toward the measure. The ISR scale provides a means for comprehensive understanding of user attitudes toward security measures, as it covers multiple dimensions underlying different attitudinal components.

Risk propensity was measured with the risk taking index (RTI) developed and validated by Nicholson et al. (2005). RTI measures the propensity of subjects towards recreational, health, career, financial, safety, and social risks in the past and in the present. IT proficiency was measured using three items developed by the authors for knowledge, frequency, and efficacy related to the use of information technology.

3.4 Procedure

The data collection method adopted a mixture of between-subject design (random assignment of participants to treatment groups) and within-subject design (collection of repeated measures). Participants were randomly assigned to one of three groups, each corresponding to a security level. This procedure resulted in almost equal numbers of participants in each group. Random assignment of treatments also mitigated the effect of potential bias due to any pre-experimental exposure of the participants to various authentication methods.

At the start of the experiment, all the subjects answered the questions about risk propensity and IT proficiency. After that, those in each group were given the password requirements and the description of the system (i.e. e-mail or online bank). Then, the participants answered the questions regarding their ISR. After that, the description of the second system was given and participants gave their ISR responses based on the same authentication method. The sequence of two systems given in all groups was randomized to control the order effect (Maxwell and Delaney, 2004).

Table III. ISR measurement

| Component (dimension) | Questionnaire statement | Semantic differential item |
| --- | --- | --- |
| Behavioral | I am ___ to use the security measure | Disinclined/inclined; hesitant/eager |
| Affective (evaluation) | I feel ___ toward the security measure | Dislike/like; rejecting/accepting |
| Affective (activity) | I feel ___ in using the security measure | Tensed/relaxed; bored/excited |
| Affective (power) | I feel ___ with the protection provided | Annoyed/content; sad/happy |
| Cognitive (evaluation) | I believe that the security measure is ___ | Useless/useful; imperfect/perfect |
| Cognitive (activity) | I believe that it is ___ to use the security measure | Difficult/easy; unsafe/safe |
| Cognitive (power) | I believe that adopting the security measure is ___ | Foolish/wise; harmful/beneficial |

A pilot study was conducted to assess the appropriateness of the treatment manipulation, the questionnaire wording, and the experimental procedure. In total, 55 participants provided their responses via paper questionnaires in a classroom environment (Sun and Ahluwalia, 2008). Like the participants of the main study, the participants of the pilot study were also undergraduate students enrolled in CISs courses. In the post-experiment debriefing session, the participants were asked about their perceptions of the data stored in the two systems, and almost all of them indicated that the data in their online bank account were much more important to them than the data in the free e-mail accounts (e.g. Yahoo and Hotmail). The preliminary results also indicated that ISR varied significantly across different treatment levels. Based on participant feedback and reliability analysis, some minor changes were made to the wording of instructions and questions included in the questionnaire.

In the formal phase of this study, the experiment was implemented on a web server to simulate the log-in procedures corresponding to the three security levels. As experimental treatments, the participants were shown the log-in screens, with appropriate instructions for setting up new passwords for e-mail accounts or online bank accounts. Using the actual log-in screens placed the participants naturally within the experiential framework (Kock, 2005). Immediately after the exposure to the treatment, the participants answered the questions related to their ISR.

4. Results

The reliability of the participants’ responses in terms of internal consistency was assessed with Cronbach’s (1947) coefficient alpha. Table IV reports the results of reliability analysis. The reliability of ISR measures was assessed at two levels: the attitudinal component level and the overall level. The coefficient alphas for cognitive, affective, and behavioral components were above 0.8, and the overall coefficient alpha was above 0.9. Compared to the original instrument developed by Crites et al. (1994) (of which coefficient alphas were 0.84 for cognitive items and 0.71 for affective items), the responses to the ISR measure obtained in this study were more reliable. This improvement in the reliability of ISR measurement may be because the newly developed fill-in-the-blank statements reflect the EPA dimensions of the semantic differential scales, making the items easy to understand. The measurement results of this study and the previous pilot study (Sun and Ahluwalia, 2008) were similar, suggesting that the instrument is able to elicit relatively stable and internally consistent responses from the participants. In addition, the coefficient alphas for IT proficiency and risk propensity were above 0.7, indicating acceptable internal consistency for both measures.

| Construct | No. of items | Coefficient α |
|---|---|---|
| Security readiness | 14 | 0.938 |
| Cognitive | 6 | 0.923 |
| Affective | 6 | 0.826 |
| Behavioral | 2 | 0.826 |
| IT proficiency | 3 | 0.722 |
| Risk propensity | 3 | 0.714 |

Table IV. Reliability analysis

To understand the response pattern for each measure, a descriptive analysis was conducted. In this study, participants answered the questions regarding their IT proficiency and risk propensity before the experimental treatments. To study what effects such personal characteristics have on ISR, these two variables were treated as the covariates along with the predictive treatment variable. Thus, their index scores were obtained based on the averages of item scores. The scales had a range of 1 (least) through 5 (most) with 3 as the neutral point. For IT proficiency, the mean of index scores was 3.40 and the standard deviation was 0.80; and for risk propensity, the mean of index scores was 3.37 and the standard deviation was 0.79. The results suggested that most participants had marginally positive self-perceptions toward using information technology and taking risks.

Participants responded to the ISR measure based on their exposure to each experimental treatment. There are two treatment variables: security level as the direct predictor and data criticality as the moderator. To compare the response patterns of ISR across different levels of both variables, the descriptive statistics of ISR were obtained for each treatment. Table V gives the means and standard deviations of the index scores of ISR across three security levels (low, medium, and high) for two systems with different levels of data criticality (email vs online bank). The scales had a range of 1 (least ready) through 7 (most ready) with 4 as the neutral point.

A comparison between the two systems reveals an interesting pattern shown clearly in Figure 2. When the security level of the authentication method was increased from low to medium, the ISR of participants increased marginally (t = 0.66, p-value = 0.508) for the e-mail system (low criticality), but more significantly (t = 4.75, p-value < 0.01) for the online banking system (high criticality). When the security level was further increased from medium to high, participants exhibited lower ISR for both groups, more significantly for the e-mail system (t = -2.27, p-value = 0.024) than for the online banking system (t = -1.74, p-value = 0.083). This pattern supported the theoretical basis of the research hypotheses: that users prefer an appropriate level of security, neither too low nor too high. Owing to the moderating influence of data criticality, security level does not have a simple linear relationship with ISR, but rather a curvilinear relationship.

| Security level | Data criticality: low (e-mail account) | SD | Data criticality: high (online bank account) | SD |
|---|---|---|---|---|
| Low | 4.84 | 0.84 | 4.62 | 1.32 |
| Medium | 4.92 | 0.94 | 5.38 | 1.02 |
| High | 4.58 | 1.25 | 5.12 | 1.18 |
| Overall | 4.77 | 1.04 | 5.06 | 1.21 |

Table V. Mean and standard deviation of ISR

ISR being a psychological construct, structural equation modeling (SEM) is well suited to test the relationships involving a latent variable (Joreskog et al., 1979). To assess how a categorical variable moderates the relationships between independent and dependent variables, a multi-group SEM analysis is preferred (Byrne, 1994). In this study, the moderator is data criticality, and it is a categorical variable with two levels (low for the free e-mail account vs high for the online bank account). In the multi-group analysis, the responses were divided into two parts using data criticality as the grouping variable, and the model was estimated simultaneously for both groups. The sample size in each group was 109, resulting in the total sample size of 218. The number of observations in the analysis was double the number of participants because each participant gave two sets of responses due to the within-subject design on data criticality. Within each group, however, the responses were independent of one another because of the between-subject design on security level. In this study, the main interest is to compare the hypothesized relationships across two groups, each corresponding to a different level of data criticality. Because the repeated measures were separated into two groups in statistical analysis, their interference on the results due to inter-correlation was minimized.

To control for the influence of personal characteristics on ISR, a structural model (Figure 3) was developed to test all three research hypotheses at the same time. In this model, the dependent variable is ISR, a latent construct that has three indicators, the index scores of affective, cognitive, and behavioral items, respectively. The three structural weights from a latent construct to its observed indicators were measurement weights, and one of them was set to one to remove scale ambiguity. The predictors of primary interest are the two dummy variables representing the three security levels (low – 0-0, medium – 1-0, and high – 1-1). The covariates of secondary interest are IT proficiency and risk propensity. The estimates of the four structural weights from the independent variables to the dependent latent construct can be used to test the research hypotheses.

Figure 2. Means plot (y-axis: information security readiness (ISR); x-axis: security level, low/medium/high; one line each for information criticality low and high)

The multi-group analysis yielded the pooled fit indices (rather than two sets of indices) that enabled the assessment of model fit. The root mean square error of approximation was 0.068, below the cutoff of 0.08. The comparative fit index was 0.968 and the non-normed fit index was 0.917, both above the cutoff of 0.90. The acceptable goodness-of-fit indices supported the validity of the model that describes how treatment variables and covariates influence ISR as indicated by its cognitive, affective, and behavioral factors. In addition, multi-group analysis made it possible to test the significance of the overall moderating effect by comparing the model fit between the free model and the constrained model. The constrained model fixes the structural weights (four structural weights and two measurement weights) to be the same across two levels of data criticality. Compared with the free model, degrees of freedom of the constrained model increased by six (i.e. six fewer structural weights to be estimated) and the χ² statistic increased by 13.968. The χ² difference test was significant at the 0.05 level, suggesting that data criticality is a significant moderator of the relationships between the independent variables (security level, IT proficiency, and risk propensity) and the affective, cognitive, and behavioral components of ISR.
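The χ² difference test described above can be checked from the two figures the paper reports (an increase of 13.968 in χ² for six additional degrees of freedom). The Python sketch below is an added example, not the authors' analysis code; the function names are illustrative, and the tail probability uses the standard finite series for integer degrees of freedom so that no statistics package is needed.

```python
import math


def chi2_sf(x, df):
    """Upper-tail probability P(X >= x) for a chi-square variable with integer df.

    Finite series for integer degrees of freedom
    (Abramowitz and Stegun 26.4.4 for odd df, 26.4.5 for even df).
    """
    if df < 1 or int(df) != df:
        raise ValueError("df must be a positive integer")
    if x <= 0:
        return 1.0
    chi = math.sqrt(x)
    pdf = math.exp(-x / 2.0) / math.sqrt(2.0 * math.pi)  # normal density at chi
    if df % 2 == 0:
        # 1 + sum over r of chi^(2r) / (2 * 4 * ... * 2r)
        term, total = 1.0, 1.0
        for r in range(1, df // 2):
            term *= x / (2.0 * r)
            total += term
        return math.sqrt(2.0 * math.pi) * pdf * total
    # odd df: two-sided normal tail plus sum of chi^(2r-1) / (1 * 3 * ... * (2r-1))
    tail = math.erfc(chi / math.sqrt(2.0))
    term, total = chi, 0.0
    for r in range(1, (df - 1) // 2 + 1):
        if r > 1:
            term *= x / (2.0 * r - 1.0)
        total += term
    return tail + 2.0 * pdf * total


def chi2_critical(df, alpha):
    """Critical value c with P(X >= c) = alpha, located by bisection."""
    if not 0.0 < alpha < 1.0:
        raise ValueError("alpha must lie strictly between 0 and 1")
    lo, hi = 0.0, 1.0
    while chi2_sf(hi, df) > alpha:
        hi *= 2.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if chi2_sf(mid, df) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def moderation_test(delta_chi2, delta_df, alpha=0.05):
    """Compare a constrained (equal-weights) model against the free model.

    delta_chi2 and delta_df are the increases in chi-square and degrees of
    freedom caused by forcing the weights to be equal across groups.
    """
    p_value = chi2_sf(delta_chi2, delta_df)
    return {
        "p_value": p_value,
        "critical_value": chi2_critical(delta_df, alpha),
        "moderation_significant": p_value < alpha,
    }


if __name__ == "__main__":
    # Figures reported in the paper: delta chi-square 13.968, delta df 6
    for alpha in (0.05, 0.01):
        result = moderation_test(13.968, 6, alpha)
        print(alpha, round(result["p_value"], 4),
              round(result["critical_value"], 3),
              result["moderation_significant"])
```

With the paper's figures the p-value is about 0.030, so equality of the weights across the two criticality groups is rejected at the 0.05 level but would not be at the 0.01 level.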

Figure 3. SEM measurement model (security level 1, security level 2, IT proficiency and risk propensity as predictors of the latent construct information security readiness (ISR), with ISR affective, ISR behavioral and ISR cognitive as its indicators)

| | Low criticality (e-mail) | SE | High criticality (online bank) | SE |
|---|---|---|---|---|
| Security level 1 | -0.087 | 0.24 | 0.823* | 0.308 |
| Security level 2 | -0.327 | 0.23 | -0.294 | 0.297 |
| IT proficiency | 0.007 | 0.12 | 0.321** | 0.154 |
| Risk propensity | -0.08 | 0.12 | -0.034 | 0.158 |

Note: Significance at: *0.05 and **0.01 levels

Table VI. Estimates of structural weights

Table VI gives the estimated structural weight (with the corresponding standard error) for each independent variable. At the low level of data criticality, neither security level 1 nor security level 2 was significant. That is, imposing either the format requirement or the update requirement on the choice of password did not have a positive effect on the ISR of participants.

At the high level of data criticality, security level 1 had a highly significant effect (at 0.01 level) on ISR, but security level 2 did not have a significant effect on ISR. Thus, in case of online-bank accounts, participants exhibited significantly higher ISR when format requirements were imposed on the authentication procedure (medium complexity) compared to the authentication procedure with no restrictions (low complexity). However, strengthening the authentication procedure to the highest complexity did not enhance ISR (the structural weight was actually negative). Therefore, H1a and H1b were fully supported.
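Because the security levels are coded cumulatively (low 0-0, medium 1-0, high 1-1), each security-level weight in Table VI is a step between adjacent levels, not a contrast with the low level. The Python sketch below is an added example, not the authors' code: it converts the Table VI estimates into the implied shift in ISR relative to the low level and computes estimate/SE ratios, on the assumption that those ratios can be read as two-sided z-tests; all function and constant names are illustrative.

```python
import math

# Cumulative dummy coding given in the paper: (security level 1, security level 2)
CODING = {"low": (0, 0), "medium": (1, 0), "high": (1, 1)}

LOW = "low criticality (e-mail)"
HIGH = "high criticality (online bank)"

# (estimate, standard error) pairs copied from Table VI
TABLE_VI = {
    LOW: {
        "security level 1": (-0.087, 0.24),
        "security level 2": (-0.327, 0.23),
        "IT proficiency": (0.007, 0.12),
        "risk propensity": (-0.08, 0.12),
    },
    HIGH: {
        "security level 1": (0.823, 0.308),
        "security level 2": (-0.294, 0.297),
        "IT proficiency": (0.321, 0.154),
        "risk propensity": (-0.034, 0.158),
    },
}


def implied_shift(weights, level):
    """Shift in ISR for a security level relative to 'low', in Table VI units.

    Under cumulative coding the shift is the sum of the step weights
    switched on for that level, with the covariates held fixed.
    """
    d1, d2 = CODING[level]
    b1 = weights["security level 1"][0]
    b2 = weights["security level 2"][0]
    return d1 * b1 + d2 * b2


def preferred_level(weights):
    """Security level with the largest implied ISR shift."""
    return max(CODING, key=lambda level: implied_shift(weights, level))


def wald_z(estimate, se):
    """Estimate/SE ratio and its two-sided normal p-value (assumed z-test)."""
    z = estimate / se
    return z, math.erfc(abs(z) / math.sqrt(2.0))


def summarize(table=TABLE_VI):
    """Per-group implied shifts, preferred level, and z-tests for every weight."""
    report = {}
    for group, weights in table.items():
        report[group] = {
            "shift": {lvl: implied_shift(weights, lvl) for lvl in CODING},
            "preferred": preferred_level(weights),
            "tests": {name: wald_z(est, se) for name, (est, se) in weights.items()},
        }
    return report


if __name__ == "__main__":
    for group, info in summarize().items():
        print(group)
        for lvl, shift in info["shift"].items():
            print(f"  {lvl:<6} shift vs low: {shift:+.3f}")
        print(f"  preferred level: {info['preferred']}")
        for name, (z, p) in info["tests"].items():
            print(f"  {name:<17} z = {z:+.2f}, p = {p:.3f}")
```

Read this way, the high-security condition for the online bank sits at 0.823 - 0.294 = 0.529 above the low level, still below the medium level, while for e-mail every step away from the low level lowers the implied ISR.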

According to the analytic results, IT proficiency has a positive linear relationship with ISR when data criticality is high. However, this relationship was found to be insignificant at the low level of data criticality. Participants who are more knowledgeable and skillful in using information technology are likely to be more prepared toward the adoption of security measures for protecting important data. For unimportant data, IT proficiency does not make much difference in their ISR. This result supported H2a and H2b.

The other personal characteristic as the covariate of ISR, risk propensity, was not significant at either the low or high level of data criticality. The estimates, however, indicate that risk propensity tends to have some negative effect on ISR. The direction of the relationship is as expected because a more risk-prone individual may not exhibit much concern about securing his/her data. It was hypothesized that risk-averse people are more likely to be favorably inclined towards the security measures especially when the data protected are important. This was not supported by the result and therefore, H3 was only partially supported (H3a but not H3b).

5. Conclusions and implications

IT security is a very important area for research because of ever-increasing deployment of interconnected computer-based systems, and the tremendous value attributed to the information stored on such systems. Therefore, the relevance of IT security research extends to individual users, businesses, and governments. This study examines how user attitudes towards complying with IT security procedures and protocols may be shaped. The paper defines the ISR construct to measure user attitude towards security systems. The study inquires into the central research question – “Is it always a good idea to strengthen information security measures?” This study examines user readiness toward IT security at different levels of security measures and data criticality. The research hypotheses were tested by conducting a laboratory experiment with undergraduate students as the participants. IT proficiency and risk propensity were included as the covariates to control for the influence of relevant user characteristics. The results confirmed the hypothesized interaction between security level and data criticality in their influence over ISR. Furthermore, IT proficiency was found to be a significant covariate of ISR, especially when data are perceived as important by users. The relationship between risk propensity and ISR was not confirmed by the results, but the direction of relationship was consistent with that of the hypothesis.

This paper makes several contributions to research and practice. First, it proposes an alternative approach to study user attitudes toward IT security procedures and policies. The TAM has been extensively studied in IS literature (Davis, 1989; Davis et al., 1989) and remains the most widely used framework for studying IS adoption. However, several researchers have called for alternative approaches to study user intentions towards adopting IT products and services (Benbasat and Barki, 2007; McMaster and Wastell, 2005). This paper answers these calls by proposing the “information security readiness” (ISR) construct to measure user attitudes towards the security procedures. The ISR construct and the measures used in this study capture user cognitive, affective, and behavioral attitudes towards a security measure. More specifically, it can elicit user beliefs and feelings related to the measure itself (evaluation), the interaction with such a measure (activity), and the sense of control from using it (power). Compared with the existing constructs in technology acceptance research (for example, perceived ease of use, perceived usefulness, and intention to use), ISR is not meant to predict whether a user will use a system with a certain level of security measure or not, but rather to describe the inclination of an individual toward using the security measure itself. The paper also makes a distinction between behavioral intention to adopt IT products and attitude towards IT security. The TAM model considers IT adoption in isolation; however, IT managers face various choices in situations of setting security levels and policies. This paper posits that the security requirements should correspond to the criticality of the data to be protected. It follows that implementation of IT security requirements and policies is not a binary choice but a continuum.

The research hypotheses were tested by conducting a laboratory experiment and using SEM to conduct the analysis. A 3 × 2 factorial design was used, comprising three security levels and two levels of data criticality. To increase the responses, within-subjects repeated measure design was employed. The analytic results revealed a nonlinear pattern of user attitude toward a security measure. That is, for a given level of data criticality, users make subjective judgments about the security requirements. Because any increase in the security requirements is linked to increased complexity in usability, users do not want to go through the complex security requirements if they do not perceive any benefit in doing so.

The outcomes of the study may have limited generalizability because of the use of a student sample in the laboratory experiment. The university undergraduate subjects may not be representative of actual user population in the business environment; therefore, the results of the study may not be extensible to a wider population. However, a few steps were taken in the research design to mitigate this issue. First, all participants were students enrolled in CIS courses. These students are familiar with IT security systems as they use many such systems in their daily lives. All students access the university’s enterprise registration system to view their grades, look up financial information, print transcripts, and record their personal information. They also use other online learning technologies to take exams, view grade books, and access course material. The operationalization of data criticality was implemented in the form of using web-based e-mails and online bank accounts. The web-based survey experiment simulated the real-world experiences of logging into such systems by displaying mock log-in screens. Federal Information Processing Standard 199 (FIPS 199) defines security categories based on the quantum of harm/loss expected if the information was compromised (Stine et al., 2008). The impact may be assessed in terms of losses in confidentiality, integrity, and availability of information (Stine et al., 2008). This study posits that the subjects would experience greater impact by compromise of financial information compared to the information stored in e-mail accounts. Although the results of this study show some support for this supposition, future research can be conducted that includes precise treatments of information categories as recommended in FIPS 199. We call upon the research community to study security-related user behavior in organizational context as well. Future research could also examine user attitudes when using other security methods such as fingerprints, facial features, irises, and voice samples (Jain et al., 2006).

This paper has implications for practice. In situations where IT security policies and procedures are forced upon users, ISR may influence their career-related attitudes, such as job satisfaction. Typical users often access multiple information systems at their workplaces. The organizations may generate greater user acceptance of security policies by correct framing of users’ perceptions about data criticality of such systems. The users with low levels of IT proficiency may correlate data criticality with security measures mandated by organizations. The significant influence of IT proficiency on ISR suggests the importance of education and training on security-related practices for users. Studies have shown that if IT security requirements are made too complex, users may inadvertently increase security risk by taking undesirable actions such as writing their passwords on paper or downloading and saving critical data from secured servers to their personal computers to avoid frequent log-ins. Therefore, user education and correct framing of data criticality are likely to mitigate such actions.

In the realm of information security, IT managers confront a dilemma: the utility and usability of a system cannot be maximized simultaneously. The results of this study suggest that users’ ISR hinges on the perceived appropriateness of a security measure in terms of the balance between complexity and data criticality. People are likely to form higher ISR when they feel that the level of complexity is in line with the importance of data to be protected. In other words, users are expected to be averse to using more complex security measures unless, in their judgment, the criticality of information warrants a higher level of complexity. The bigger the gap between “what is necessary” and “what is required,” the lower the ISR.

This study provides general guidelines for practitioners on ways to determine appropriate security measures. The study also provides the construct of ISR as a tool for the assessment of user attitudes toward using IT security requirements and procedures. Practitioners may use the focus group method to elicit user responses about their perceptions of things like criticality of data and sufficiency of security requirements and policies. This study has implications for e-commerce companies which want to keep the access of their web sites easy, and at the same time protect their customers from fraud.

References

Adams, A. and Sasse, M.A. (1999), “Users are not the enemy”, Communications of the ACM, Vol. 42 No. 12, pp. 41-6.

Albrechtsen, E. (2007), “A qualitative study of users’ view on information security”, Computers and Security, Vol. 26, pp. 276-89.

Ashton, R. and Kramer, S. (1980), “Students as surrogates in behavioral accounting research: some evidence”, Journal of Accounting Research, Vol. 18 No. 1, pp. 1-15.

Beltramini, R. (1983), “Student surrogates in consumer research”, Journal of the Academy of Marketing Science, Vol. 11 No. 4, p. 438.

Benbasat, I. and Barki, H. (2007), “Quo vadis, TAM”, Journal of the Association for Information Systems, Vol. 8 No. 4, pp. 211-8.

Besnard, D. and Arief, B. (2004), “Computer security impaired by legitimate users”, Computers and Security, Vol. 23, pp. 229-37.

Birnberg, J. and Nath, R. (1968), “Laboratory experimentation in accounting research”, Accounting Review, Vol. 43 No. 1, pp. 38-45.

Breckler, S.J. (1984), “Empirical validation of affect, behavior, and cognition as distinct components of attitude”, Journal of Personality and Social Psychology, Vol. 47 No. 6, pp. 1191-205.


Byrne, B. (1994), Structural Equation Modeling with EQS and EQS/Windows: Basic Concepts, Applications, and Programming, Sage, Thousand Oaks, CA.

Calder, B.J., Phillips, L.W. and Tybout, A.M. (1981), “Designing research for application”, Journal of Consumer Research, Vol. 8, pp. 197-207.

Chen, Y. and Barnes, S. (2007), “Initial trust and online buyer behaviour”, Industrial Management & Data Systems, Vol. 107 No. 1, p. 21.

Crites, S.L., Fabrigar, L.R. and Petty, R.E. (1994), “Measuring the affective and cognitive properties of attitudes: conceptual and methodological issues”, Personality and Social Psychology Bulletin, Vol. 20 No. 6, pp. 619-34.

Cronbach, L. (1947), “Test reliability: its meaning and determination”, Psychometrika, Vol. 12 No. 1, pp. 1-16.

Davis, F. (1989), “Perceived usefulness, perceived ease of use, and user acceptance of information technology”, MIS Quarterly, Vol. 13 No. 3, pp. 319-40.

Davis, F.D., Bagozzi, R.P. and Warshaw, P.R. (1989), “User acceptance of computer technology: a comparison of two theoretical models”, Management Science, Vol. 35 No. 8, pp. 982-1003.

Dotson, D.S. (2007), “Information security resources: a selected annotated bibliography”, Science & Technology Libraries, Vol. 27 No. 3, pp. 29-51.

Eagly, H. and Chaiken, S. (1993), The Psychology of Attitudes, Harcourt Brace Jovanovich College Publishers, Fort Worth, TX.

Fagley, N. and Miller, P. (1990), “The effect of framing on choice: interactions with risk-taking propensity, cognitive style, and sex”, Personality and Social Psychology Bulletin, Vol. 16 No. 3, p. 496.

Flavian, C. and Guinaliu, M. (2006), “Consumer trust, perceived security and privacy policy”, Industrial Management & Data Systems, Vol. 106 No. 5, pp. 601-20.

Heise, D.R. (1970), “Causal inference from panel data”, Sociological Methodology, Vol. 2, pp. 3-27.

Huang, S., Lee, C. and Kao, A. (2006), “Balancing performance measures for information security management: a balanced scorecard framework”, Industrial Management & Data Systems, Vol. 106 Nos 1/2, pp. 242-55.

Jain, A.K., Ross, A. and Pankati, S. (2006), “Biometrics: a tool for information security”, IEEE Transactions on Information Forensics and Security, Vol. 1 No. 2, pp. 125-43.

Joreskog, K., Sorbom, D., Magidson, J. and Cooley, W. (1979), Advances in Factor Analysis and Structural Equation Models, Abt Books, Cambridge, MA.

Katz, D. and Stotland, E. (1959), Psychology: A Study of a Science, McGraw-Hill, New York, NY.

Kerlinger, F.N. (1986), Foundations of Behavioral Research, Holt Rinehart and Winston Inc., Fort Worth, TX.

Klien, D.V. (1990), “Foiling the cracker: a survey of, and improvements to, password security”, Proceedings of the USENIX UNIX Security Workshop, Portland.

Knight, S., Buffett, S. and Hung, P. (2007), “Special issue on privacy, security and trust technologies and e-business services. Guest editors’ introduction”, International Journal of Information Security, Vol. 6 No. 5, pp. 285-6.

Kock, N. (2005), “Media richness or media naturalness? The evolution of our biological communication apparatus and its influence on our behavior toward e-communication tools”, IEEE Transactions on Professional Communication, Vol. 48 No. 2, pp. 117-30.

Kothandapani, V. (1971), “Validation of feeling, belief, and intention to act as three components of attitude and their contribution to prediction of contraceptive behavior”, Journal of Personality and Social Psychology, Vol. 19 No. 3, pp. 321-33.


Liyanarachchi, G. and Milne, M. (2005), “Comparing the investment decisions of accounting practitioners and students: an empirical study on the adequacy of student surrogates”, In Accounting Forum, Vol. 29, pp. 121-35.

McMaster, T. and Wastell, D.G. (2005), “The agency of hybrids: overcoming the symmetrophobic block”, Scandinavian Journal of Information Systems, Vol. 17 No. 1, pp. 175-82.

Maxwell, S. and Delaney, H. (2004), Designing Experiments and Analyzing Data: A Model Comparison Perspective, Lawrence-Erlbaum, Mahwah, NJ.

Nicholson, N., Soane, E., Fenton-O’Creevy, M. and Willman, P. (2005), “Personality and domain-specific risk taking”, Journal of Risk Research, Vol. 8 No. 2, pp. 157-76.

Norberg, P., Horne, D. and Horne, D. (2007), “The privacy paradox: personal information disclosure intentions versus behaviors”, Journal of Consumer Affairs, Vol. 41 No. 1, pp. 100-26.

Osgood, C.E., Suci, G.J. and Tannenbaum, P.H. (1957), The Measurement of Meaning, University of Illinois Press, Urbana, IL.

Ostrom, T.M. (1969), “The relationship between the affective, behavioral, and cognitive components of attitude”, Journal of Experimental Social Psychology, Vol. 15 No. 1, pp. 12-30.

Peterson, R. (2001), “On the use of college students in social science research: insights from a second-order meta-analysis”, Journal of Consumer Research, Vol. 28 No. 3, pp. 450-61.

Post, G.V. and Kagan, A. (2007), “Evaluating information security tradeoffs: restricting access can interfere with user tasks”, Computers and Security, Vol. 26, pp. 253-64.

Proctor, R., Lien, M., Schultz, E. and Salvendy, G. (2002), “Improving computer security for authentication of users: influence of proactive password restrictions”, Behavior Research Methods, Instruments, & Computers, Vol. 34 No. 2, pp. 163-9.

Riddle, B.L., Miron, M.S. and Semo, J.A. (1989), “Passwords in use in a university timesharing environment”, Computers and Security, Vol. 8 No. 7, pp. 569-79.

Rosenberg, M.J. and Hovland, C.I. (1960), Attitude Organization and Change: An Analysis of Consistency, Yale University Press, New Haven, CT.

Schultz, E.E. (2007), “Research on usability in information security”, Computer Fraud & Security, Vol. 6, pp. 8-10.

Smith, S. (2002), “The role of social cognitive career theory in information technology based academic performance”, Information Technology Learning and Performance Journal, Vol. 20, pp. 1-10.

Stine, K., Barker, W.C., Fahlsing, J. and Gulick, J. (2008), Guide for Mapping Types of Information and Information Systems to Security Categories, Vol. I, NIST Special Publication 800-60, Gaithersburg, MD.

Sun, J. and Ahluwalia, P. (2008), “How users respond to authentication methods – a study of security readiness”, Proceedings Fourteenth Americas Conference on Information Systems, Toronto, Canada.

Swartz, N. (2004), “Survey accesses the state of information security worldwide”, Information Management Journal, Vol. 38 No. 1.

Thomson, K.-L. and von Solms, R. (1998), “Information security awareness: educating our users effectively”, Information Management & Computer Security, Vol. 6 No. 4, pp. 167-73.

Venkatesh, V., Morris, M.G., Davis, G.B. and Fred, D. (2003), “User acceptance of information technology: toward a unified view”, MIS Quarterly, Vol. 27 No. 3, pp. 425-78.


Warkentin, M., Davis, K. and Bekkering, E. (2004), “Introducing the check-off password system (COPS): an advancement in user authentication methods and information security”, Journal of Organizational and End User Computing, Vol. 16 No. 3, pp. 41-58.

Zanna, M.P. and Rempel, J.K. (1988), The Social Psychology of Knowledge, Cambridge University Press, New York, NY.

Zuckerman, M. and Kuhlman, D. (2000), “Personality and risk-taking: common bisocial factors”, Journal of Personality, Vol. 68 No. 6, pp. 999-1029.

Corresponding author

Kai S. Koong can be contacted at: [email protected]
