Date of Award

Spring 5-1-2017

Document Type

Dissertation

Degree Name

Doctor of Science in Information Systems

Department

Business and Information Systems

First Advisor

Kevin Streff

Second Advisor

Wayne Pauli

Third Advisor

Gabe Mydland

Fourth Advisor

Shuyuan Deng

Abstract

In the fast-changing business world of today, organizations heavily rely on information systems to efficiently perform various business tasks. Using information systems involves some risks, particularly risks related to cybersecurity. Most organizations develop technical and procedural measures to protect their information systems. However, relying only on technical based security solutions is not enough. Organizations must consider technical security solutions along with social, human, and organizational factors (employees). The human element represents the employees (insiders) who use the information systems and other technology resources in their day-to-day operations. Employees’ information security awareness, specifically information security policy (ISP) awareness, is essential to protect organizational information systems. This study adapts the Innovation Diffusion Theory along with other theoretical foundations to examine the antecedents of ISP awareness and its impact on the satisfaction with ISP and security practices. Information security behavior and ISP compliance have been investigated heavily in the last two decades. However, there are still some gaps in this area, and more research is needed as cybersecurity risks are likely to continue in the future. One of the gaps is the lack of empirical investigations of the antecedents of ISP awareness. Another gap is that the literature addresses the impact of ISP awareness on several behavioral aspects, such as attitude toward ISP compliance, intention to comply with ISP, actual compliance behavior, and perception beliefs, but none of the prior studies examine the ISP awareness effects on the satisfaction with ISPs. Therefore, the current study aims to address these gaps by identifying the antecedents of ISP awareness and investigating the relationships between ISP awareness and satisfaction. In particular, the researcher categorizes the antecedents into two categories: organizational and individual enablers. The proposed research model posits that along with individuals’ factors (self-efficacy and technology awareness), employees’ ISP awareness is impacted by organizational factors (ISP fairness and ISP quality). The study further posits that ISP awareness has a direct impact on the satisfaction with ISP and security practices. The researcher used a survey to collect data that captures beliefs and perceptions regarding ISP awareness. A sample of 236 employees in universities in the United States is collected to evaluate the research model. Results indicated that ISP quality, self-efficacy, and technology security awareness significantly impact ISP awareness. ISP awareness is found to have a significant direct effect on the satisfaction with ISP and security practices and an indirect effect through perceived usefulness of ISP. However, ISP fairness is found to have a nonsignificant impact on the ISP awareness. Overall, the current study presents significant contributions toward understanding the antecedents of ISP awareness and its role in impacting the perceptions of information security policies. This study provides a starting point toward including satisfaction aspect in information security behavioral domain.

Download

Share

COinS