Determinants of Information Security Affecting Adoption of Web-based Integrated Information Systems
The purpose of this paper is to analyze determinants of
information security affecting adoption of Web-based integrated
information systems (IIS). We introduce Web-based information
systems designed to formulate strategic plans for the Peruvian
government. A theoretical model is proposed to test the impact of
organizational factors (deterrent efforts and severity; preventive
efforts) and individual factors (information security threat; security
awareness) on intentions to proactively use the Web-based IIS. Our
empirical results highlight that deterrent efforts and deterrent
severity have no significant influence on the proactive use intentions
of IIS, whereas preventive efforts play an important role in proactive
use intentions of IIS. Thus, we suggest that organizations need to make
preventive efforts by introducing various information security
solutions, and try to improve information security awareness while
reducing the perceived information security threats.
@article{"International Journal of Information, Control and Computer Sciences:59830",
  author = "Jaehun Joo and Mie-jung Kim and Ismatilla Normatov and Lyunhwa Kim",
  title = "Determinants of Information Security Affecting Adoption of Web-based Integrated Information Systems",
  abstract = "The purpose of this paper is to analyze determinants of
information security affecting adoption of the Web-based integrated
information systems (IIS). We introduced Web-based information
systems which are designed to formulate strategic plans for Peruvian
government. Theoretical model is proposed to test impact of
organizational factors (deterrent efforts and severity; preventive
efforts) and individual factors (information security threat; security
awareness) on intentions to proactively use the Web-based IIS. Our
empirical study results highlight that deterrent efforts and deterrent
severity have no significant influence on the proactive use intentions
of IIS, whereas, preventive efforts play an important role in proactive
use intentions of IIS. Thus, we suggest that organizations need to do
preventive efforts by introducing various information security
solutions, and try to improve information security awareness while
reducing the perceived information security threats.",
  keywords = "Information security, Deterrent efforts, deterrent severity, preventive efforts, information security awareness, information security threats, integrated information systems",
  volume = "5",
  number = "6",
  pages = "651-6",
}