
The current issue and full text archive of this journal is available at www.emeraldinsight.com/0263-5577.htm

IMDS 111,4

The more secure the better? A study of information security readiness


Jun Sun, Punit Ahluwalia and Kai S. Koong
The University of Texas Pan American, Edinburg, Texas, USA
Abstract
Purpose – This paper seeks to investigate which factors influence user attitudes toward different levels of security measures for protecting data of differing importance. The paper also examines user characteristics, including IT proficiency and risk propensity, which give rise to individual differences in such attitudes.
Design/methodology/approach – To capture user attitudes toward a security measure, a construct called information security readiness (ISR) and its corresponding measurement items were developed. Observations were collected from a laboratory experiment based on a 2 × 3 factorial design, with data criticality and security level as the treatment variables. The participants were undergraduate students of a major American university. The moderating effect of data criticality on the relationship between security level and ISR was tested with multi-group structural equation modeling. In addition to the treatment variables, IT proficiency and risk propensity were included as covariates in the analysis.
Findings – The results revealed a nonlinear relationship between security level and ISR. For data of high criticality, enhancing the security level had a positive impact on ISR, but only up to the point perceived as appropriate by the participants. For data of low criticality, the enhancement of the security level was perceived as unnecessary. In addition, IT proficiency was found to be a significant covariate, especially when data criticality was high.
Practical implications – In practice, the specification of a security measure requires a trade-off between the utility of the data protected and the usability of the security method. The measure of ISR provides a means to locate the equilibrium by examining user attitudes across different security levels in relation to a particular level of data criticality. The significance of IT proficiency demonstrates the importance of user training.
Originality/value – This study introduces the ISR construct to capture the evaluation, power, and activity dimensions underlying an individual's cognitive beliefs, affective responses, and behavioral inclinations toward the adoption of security measures. The results provide interesting insights into the role of the interaction between security level and data criticality in influencing ISR.
Keywords Data security, Information technology, Risk management
Paper type Research paper

Received 10 August 2010 Revised 7 December 2010 Accepted 3 February 2011

Industrial Management & Data Systems, Vol. 111 No. 4, 2011, pp. 570-588. © Emerald Group Publishing Limited, 0263-5577. DOI 10.1108/02635571111133551

1. Introduction
New challenges have emerged in the task of protecting data in widely networked information systems as more and more individuals and organizations benefit from the adoption of information and communication technologies and the digitization of information. These challenges arise because of the ease of duplicating digital data and the increased deployment of distributed data sources by organizations, resulting in an increased likelihood of unauthorized access by cybercriminals. Existing literature suggests that individuals worry about their privacy and desire complete control over their private data (Norberg et al., 2007). Organizations must protect the data which provide them with competitive advantages in the marketplace (Huang et al., 2006). Providing information security, defined as "the technical guarantees that ensure that the legal requirements and good practices with regard to privacy will be effectively met" (Flavian and Guinaliu, 2006, p. 604), is a significant issue confronting IT managers and practitioners. Organizations face significant challenges as more and more people are provided access to data stored on internetworked computer-based systems. A study conducted in 2003 found that 29 percent of the respondents had experienced unauthorized exposure of stored data (Swartz, 2004). Information security is a very important area of research with significant implications for practice (Knight et al., 2007; Schultz, 2007; Dotson, 2007).
Organizations and individuals employ authentication procedures to protect their data. Among these, the most widely used authentication method identifies a user through the input of a unique user name and determines that the person is legitimate through the input of a correct password (Adams and Sasse, 1999). In recent years, more advanced techniques such as biometrics have been proposed to protect database systems from unauthorized persons. Such methods entail verification of users through matching fingerprints, facial features, irises, or voices (Jain et al., 2006). Even though these newer technologies are being gradually adopted, the user name and password authentication method remains the most widely used procedure for protecting data.
The existing literature points to the tension between user preference for easy passwords and the risks associated with such passwords. Previous studies have shown that if there are no constraining requirements, users often select easy-to-remember user names and passwords (Riddle et al., 1989; Adams and Sasse, 1999).
Selection of simple and/or familiar strings for user names and passwords makes it easier for malicious hackers to decode (crack) these values (Klein, 1990). The crackability of passwords depends on several factors, such as the variety of the character set (e.g. numbers, letters, and case sensitivity), the number of characters used, and other constraints such as avoiding dictionary words (Proctor et al., 2002). It follows that the level of protection offered by passwords is directly related to their complexity. However, increasing the complexity of passwords leads to a greater degree of difficulty of recall, a higher probability of errors in the authentication process, and increased user resistance. This reality leads to the dilemma confronted by IT managers and practitioners, which is that the level of security offered by an authentication method is inversely related to its convenience. This phenomenon creates a paradox for IT security managers. On the one hand, IT managers seek to increase the usability of the system, while on the other hand they need to enhance security, requiring them to increase the complexity of the authentication parameters. Therefore, the specific arrangements of a security measure may exhibit distinct characteristics which depend on the trade-off between simplicity and safety.
People's trust in the integrity of information is closely related to its perceived security and privacy (Chen and Barnes, 2007). Therefore, organizations seek to increase the complexity of security requirements to the highest possible level for all of their systems (for example, requiring users to use complex passwords and to update passwords frequently). However, not all types of data are homogeneous in value and criticality; some require tremendous effort to obtain and hold significant value, and thus are more important than other routine data. Users and organizations would experience a great sense of loss if there were leakage of or damage to highly critical data. Thus, people's
attitudes towards the adequacy of the security measures depend not only on the level of security provided but also on the criticality of the protected data. This study aims to verify the interaction between security levels and data criticality and their influence on user attitudes. Enhancing a security measure does not always yield desirable results; rather, it may cause resistance from users if the measure is perceived to be more rigorous than necessary. Such a relationship could have important implications for practice.
Few empirical studies have been conducted to examine how different levels of security measures influence user attitudes toward such measures under varying levels of data criticality. The sparsity of research studies that examine user attitudes towards security levels could be due to the erroneous notion that people willingly comply with a higher level of security measure because it provides better protection. However, this supposition may not always apply, because people perceive extra efforts to meet the mandated security levels as unnecessary overhead or costs. For example, a security policy may require the use of certain non-standard characters in passwords, require users to change their passwords frequently, and restrict repetition of previously used passwords (for example, users cannot reuse any of the ten previously used passwords). This increased complexity leads to undesirable and unexpected effects, such as some users writing their passwords on paper, thus actually increasing the probability of identity theft. Therefore, if the information is not perceived to be critical, and there is a choice, people may choose methods that provide only a basic level of security.
This study empirically investigates the influence of security level and data criticality on user attitudes. A psychological construct called information security readiness (ISR) and its corresponding measures were developed to capture user attitudes toward security measures. The research hypotheses were tested by conducting a laboratory experiment. The research model hypothesizes that data criticality moderates the relationship between security level and ISR. For practitioners, the results may yield important implications on how best to implement optimum security measures for the protection of particular data.
This paper is structured as follows. The existing related literature is reviewed and the hypotheses are stated in Section 2. Section 3 presents the methodology. Section 4 reports the results. The conclusions and implications are discussed in Section 5.

2. Literature review and research model
This study seeks to confirm a nonlinear relationship between security level and ISR moderated by data criticality. Therefore, it is necessary to examine how willing people are to use different levels of security measures in different situations. The existing IS literature suggests the technology acceptance model (TAM) (Davis, 1989) and related models such as the unified theory of acceptance and use of technology (Venkatesh et al., 2003) to study user acceptance of information technology. These frameworks predict an individual's behavioral intention regarding whether or not to use an information system based on his/her perceptions of its main characteristics, namely utility (e.g. usefulness) and usability (e.g. ease of use). As the predictor of actual behavior, behavioral intention concerns the binary decision on whether to use a given system or not. However, a comparison of user reactions to different levels of security measures involves multiple alternatives. When there are options, it is best not to assume that users make separate decisions and form an intention for each (Benbasat and Barki, 2007). In this sense, behavioral intention is not an appropriate dependent variable for this study. Also, users typically perceive security measures as rules and procedures that they need to follow to protect the integrity of data residing on a system. Therefore, security measures cannot be characterized as useful/useless and usable/unusable without taking into account the factors of data importance and security policy. In this sense, constructs such as perceived usefulness and perceived ease of use are not well suited for examining user attitudes toward security measures.
Attitude, defined as the psychological tendency expressed by evaluating a particular entity with some degree of favor or disfavor, is commonly used to explain and predict human behavior (Eagly and Chaiken, 1993). This study proposes the ISR construct to describe user attitudes toward a security measure. It measures user cognitive beliefs, affective responses, and behavioral intentions toward the adoption of a security measure for the protection of certain data. The term "readiness" indicates the degree of preparedness and inclination to use a method, rather than the decision whether or not to use it. Also, the construct is different from security awareness, which represents the knowledge of users regarding how well their information assets are protected (Thomson and von Solms, 1998). ISR can be used as the dependent variable to find out how people react to different levels of security measures implemented for different systems. That is, the assessment of ISR may reveal a nonlinear relationship underlying the dilemma facing IT security managers. On the one hand, enhancing a security measure may lead to higher ISR of users because it provides them more protection; on the other hand, if the enhanced security measure is too stringent or complicated it may negatively impact ISR because its compliance requires excessive effort.
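What "more stringent" means for the password policies this paper studies can be made concrete. The introduction's example (non-standard characters, frequent changes, no reuse of the last ten passwords) is the same policy the experiment later operationalizes as three security levels in Table I: no restriction; a format rule (8-14 characters, not all numbers or all letters, no personal information, no dictionary word of four or more characters); and that rule plus a six-month change with a ten-password history. The checker below is an added example written for this edit, not code from the paper or its experiment. It assumes a constructed word list in place of a real dictionary, approximates six months as 182 days, reads "cannot be all numbers or letters" as "not all digits and not all letters", and keeps the password history as salted PBKDF2 digests rather than plaintext, so that the reuse check cannot itself leak old passwords. It also estimates the brute-force search space from length and character classes, the two crackability factors the introduction names.

```python
"""Password-policy checker for the three security levels of Table I.

Added example for this edit, not code from the paper or its experiment.
Level 1 accepts anything; Level 2 adds the format rules; Level 3 adds the
six-month rotation and the ten-password history check.
"""
import hashlib
import math
import os

# Assumption: a constructed stand-in for a real dictionary word list.
DICTIONARY = {"password", "welcome", "summer", "bank", "email", "dragon"}
MAX_AGE_DAYS = 182        # "every six months", approximated as 182 days (assumption)
HISTORY_DEPTH = 10        # "cannot use any of the ten previously used passwords"
PBKDF2_ROUNDS = 10_000    # kept low for the example; production uses far more


def hash_password(password, salt=None):
    """Salted PBKDF2 digest, so the history can be kept without storing plaintext."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if `password` matches one of the last HISTORY_DEPTH (salt, digest) pairs."""
    return any(hash_password(password, salt)[1] == digest
               for salt, digest in list(history)[-HISTORY_DEPTH:])


def format_violations(password, personal_info=(), dictionary=DICTIONARY):
    """Level 2 rules of Table I as a list of reasons; an empty list means compliant."""
    reasons = []
    if not 8 <= len(password) <= 14:
        reasons.append("length must be 8-14 characters")
    # Read "cannot be all numbers or letters" as: not all digits, not all letters.
    if password.isdigit() or password.isalpha():
        reasons.append("cannot consist only of numbers or only of letters")
    lowered = password.lower()
    for item in personal_info:                       # e.g. birth-date fragments
        if item and item.lower() in lowered:
            reasons.append(f"contains personal information {item!r}")
    for word in sorted(dictionary):                  # words of four or more characters
        if len(word) >= 4 and word in lowered:
            reasons.append(f"contains dictionary word {word!r}")
    return reasons


def check_new_password(level, password, personal_info=(), history=()):
    """Return (accepted, reasons) for a candidate password at level 1, 2 or 3."""
    if level not in (1, 2, 3):
        raise ValueError("level must be 1, 2 or 3")
    reasons = []
    if level >= 2:
        reasons += format_violations(password, personal_info)
    if level >= 3 and in_history(password, history):
        reasons.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return not reasons, reasons


def rotation_due(days_since_change, level):
    """Level 3 only: the periodic-update rule forces a change after MAX_AGE_DAYS."""
    return level >= 3 and days_since_change >= MAX_AGE_DAYS


def search_space_bits(password):
    """log2 of the brute-force keyspace implied by length and the character classes
    used, the two crackability factors named in the introduction. Dictionary words
    shrink the real search space far below this figure, which is why Level 2 bans them."""
    classes = (
        (any(c.islower() for c in password), 26),
        (any(c.isupper() for c in password), 26),
        (any(c.isdigit() for c in password), 10),
        (any(not c.isalnum() for c in password), 33),   # printable ASCII punctuation
    )
    alphabet = sum(size for present, size in classes if present)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    # Constructed sample: a user born in 1990 choosing a new online-bank password.
    history = [hash_password(p) for p in ("Winter2009!", "Spring2010!")]
    for pw in ("19901990", "Welcome1!", "Spring2010!", "Tq7#mzL2"):
        for level in (1, 2, 3):
            ok, why = check_new_password(level, pw, ("1990",), history)
            print(f"Level {level} {pw!r:14} {'accept' if ok else 'reject'} {why}")
        print(f"        brute-force search space ~{search_space_bits(pw):.1f} bits")
    print("rotation due after 200 days at Level 3:", rotation_due(200, 3))
```

Running it shows the levels diverging exactly where the paper's treatments do: an all-digit birth-year string passes Level 1 but fails Level 2 on two counts, and a previously used password is rejected only at Level 3. One caveat for practitioners: later guidance (NIST SP 800-63B, 2017) recommends against forced periodic rotation and character-composition rules of the Level 3 kind, while keeping a dictionary or breached-password blocklist check, for the very reason the introduction gives: users respond to such rules by writing passwords down.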
Although technology acceptance research does not provide the needed constructs, its basic framework sheds light on the development of the research model used in this study. TAM and related models are based on the premise that user behavior depends on the utility and usability of an information system. For a security measure, utility is associated with the importance of the protected data, and usability is related to the complexity of its requirements. Unlike an information system, however, a security measure can hardly be implemented to maximize both utility and usability. Besnard and Arief (2004) presented the issue of computer security as a trade-off between productivity and the acceptance of a certain amount of risk. They posited that a certain amount of loss is acceptable because it is too demanding to protect every single piece of data. The conflict between functionality and information security has been identified in several quantitative studies of user behavior (Post and Kagan, 2007; Albrechtsen, 2007). In terms of the effort required from users, researchers found that the usability of an authentication method has an inverse relationship with the protection level it offers (Warkentin et al., 2004). Thus, there is a paradox of security enhancement: it is driven by the increasing need for data protection, but may ultimately be perceived as excessive, thereby causing user resistance.
To address this paradox, data criticality is posited as a potential moderator of the relationship between security level and ISR. Users are likely to consider the importance of data in forming their attitudes toward a security measure, based on the protection it offers and the effort it requires. A more complex authentication process would offer a higher level of security in terms of information access control, but its compliance would require more effort. If a security measure is perceived to provide either less or more
protection than needed, users are likely to be reluctant to use it. In this sense, ISR reflects user tolerance towards both the risk and the effort associated with a security measure that is employed to protect the data residing on a system.
The foregoing discussion leads to the proposition that user ISR toward authentication methods depends on the interaction between security level and data criticality. In an empirical study, such a moderating relationship may be tested by comparing the effect of security levels on ISR at different levels of data criticality. In terms of authentication procedures, users are likely to prefer a security level that is perceived as adequate but not excessive for the protection of particular data. For critical data, users may tolerate more stringent measures. In such a case, the increased complexity is acceptable. However, for non-critical data, users are less likely to be concerned about security, and may prefer simpler measures that require less effort for compliance. The above discussion leads to our first set of hypotheses:
H1a. When the data to be protected are not critical to users, an increase in security level will not enhance their ISR.
H1b. When the data to be protected are critical to users, an increase in security level will enhance their ISR, but only up to a point before the measure is perceived as excessive.
The personal characteristics of a user may also affect his/her attitude toward a security measure. Compared with security level and data criticality, such characteristics do not have a direct impact on ISR, but rather account for differences in it across individuals. Thus, they are potential covariates of ISR. However, like security level, their effects on the dependent variable may still be subject to the moderation of data criticality. That is, users with different characteristics may exhibit different levels of ISR depending on the criticality of the data.
Among such personal characteristics, IT proficiency and risk propensity are particularly relevant. IT proficiency is related to an individual's knowledge and skill in using IT, determining how comfortable the person is with various technologies (Smith, 2002). Information security technology has been recognized as an important component of IT, and people who are proficient in IT are likely to have a good understanding of security technology. They are likely to appreciate the complexity in the security measures, especially when the data protected are critical. However, for non-critical data, users may not care about the security measure, regardless of their proficiency levels. Thus, we state the second group of research hypotheses:
H2a. When the data to be protected are not critical to users, their IT proficiency does not make much difference to their ISR.
H2b. When the data to be protected are critical to users, those who are IT proficient are likely to have higher ISR than those who are not.
Risk propensity relates to whether an individual is risk prone or risk averse, and it has therefore been found to regulate human behavior involving possible harm and loss (Fagley and Miller, 1990; Zuckerman and Kuhlman, 2000). A security measure is supposed to protect users from the potential compromise of valuable data, and thus risk propensity may also be a relevant covariate of ISR. Compared with those who are risk prone, risk-averse users are more likely to prefer greater protection of their data with sufficient security measures, especially when the data are critical. Thus, the third group of hypotheses is as follows:
H3a. When the data to be protected are not critical to users, whether they are risk averse or risk prone does not make much difference to their ISR.
H3b. When the data to be protected are critical to users, those who are risk averse are likely to have higher ISR than those who are risk prone.
The above discussion leads to the research model shown in Figure 1. In this figure, the solid lines indicate the relationships of primary interest and the dashed lines indicate the relationships of secondary interest. Our primary interest is to find out how the security level of authentication methods influences users' ISR, and how data criticality moderates that relationship. The study also examines how the covariates of IT proficiency and risk propensity influence individual differences in ISR at different levels of data criticality.

Figure 1. Research model. Security level → information security readiness (ISR) (H1), moderated by data criticality; covariates IT proficiency (H2) and risk propensity (H3).

3. Methodology
3.1 Experiment design
Laboratory experiments allow the exercise of desired control over treatment variables so as to test their hypothesized effects on outcome variables. To maximize the effect sizes, it is necessary to make the experimental conditions as different as possible (Kerlinger, 1986). In this study, security level and data criticality are the treatment variables, and ISR is the outcome variable. Thus, a factorial design was adopted to control the levels of the two treatment variables. Data criticality is hypothesized to moderate the relationship between security level and ISR. We arranged two levels of data criticality (high vs low) in order to examine the interaction effect of security level and data criticality on ISR.
Criticality of data may be categorized based on the impact of its loss or compromise. Stine et al. (2008) identify confidentiality, integrity, and availability as the three objectives of securing data. In general, people are likely to consider their private financial data as more critical than data in their e-mail accounts. The impact of the loss or compromise of data in personal financial accounts is likely to be high because such events may lead to financial losses, evoke significant anxiety, and cause other problems (for example, a negative impact on credit score). In contrast, data in a free e-mail account are generally considered not as critical because even if the account is hacked, it can be summarily closed, and a new one can be opened without much extra effort. Therefore, in general, the impact of loss of information in an e-mail account may be low or moderate. Accordingly, in the experimental design, the high and low levels of data criticality are related to user authentication for an online bank account and a free e-mail account, respectively.
The security level provided by an authentication procedure may be perceived as a variable on a continuum from offering no protection to offering complete protection. Clearly, most systems lie somewhere between these two extremes. In order to enhance the security level, an authentication method may require certain conditions to be met before users have access to the data in a system. Such requirements may include minimum lengths of user names and passwords, inclusion of special keyboard characters in passwords, changing passwords after a pre-set period, and so on. The more conditions that are required, the higher the level of security that is provided. To test the possible nonlinear pattern of the hypothesized relationship between security level and ISR, three levels (i.e. low, medium, and high) of authentication methods were arranged (Table I). At the first level of authentication, users can choose any password without any restrictions; the second level imposes password length and character requirements; and the third level adds the periodic update requirement. The arrangement of three security levels and two data criticality levels results in a 2 × 3 factorial design (Table II).

Table I. Operationalization of security levels
Level 1: Users can select just about any password. There are no restrictions on the length and format of a password.
Level 2: Passwords must have 8-14 characters, which cannot be all numbers or all letters. Passwords cannot contain personal information (e.g. birth date) or a dictionary word that is four characters or longer.
Level 3: In addition to the Level 2 requirements, users need to change their password every six months, and they cannot use any of the ten previously used passwords.

Table II. Factorial experiment design (data criticality × security level)
Data criticality / Security level: Low / Medium / High
Low (free e-mail account): No restriction on e-mail password / Format requirement on e-mail password / Format and update requirement on e-mail password
High (online bank account): No restriction on bank password / Format requirement on bank password / Format and update requirement on bank password

3.2 Subjects
The experimental sample was comprised of 109 students enrolled in computer information systems (CIS) courses at a university in the South-Western USA. Of these, 70 were male

(64.2 percent) and 39 were female (35.8 percent). A student sample in this study is appropriate because the participants use various types of information systems on a daily basis in their academic, professional, and social lives. All students enrolled at the university access their accounts to register for classes and view their personal academic information such as course grades and tuition. They use distance learning technologies such as Blackboard to submit assignments, take online quizzes and exams, and view their course grades. A drawback of using students as the subjects may be that they do not represent real-world users (Birnberg and Nath, 1968; Ashton and Kramer, 1980). The literature suggests that the limitation of using student participants should be examined in light of the research goals. In the applied fields, it is important to examine whether the students in the sampling frame would behave differently from the target population when receiving the experimental intervention (Liyanarachchi and Milne, 2005). Calder et al. (1981) suggested that for theory testing, it is preferable to have a homogeneous sample. From a meta-analysis, Peterson (2001) found that student samples are generally more homogeneous than non-student samples. To investigate the relationships involving attitudinal constructs, students may well serve as surrogates for the target population (Beltramini, 1983). The participants use a range of information security measures in their daily lives, including when accessing their e-mail, academic records, and online banking; therefore the use of students as subjects is appropriate for this study.

3.3 Measurement
Attitude has been conceptualized to be comprised of cognitive, affective, and conative (behavioral) components (Katz and Stotland, 1959; Rosenberg and Hovland, 1960; Zanna and Rempel, 1988). There is a long history of support in the literature for this tripartite theory of attitude, and of empirical evidence supporting its validity (Breckler, 1984; Kothandapani, 1971; Ostrom, 1969). Therefore, from the perspective of attitude theory, ISR should also include these three components. For measurement of the underlying components of ISR, items were adapted from the instrument developed by Crites et al. (1994) to capture the affective and cognitive attitudes toward a wide variety of concepts. The original instrument consists of 15 semantic differential items, eight affective and seven cognitive, each using a pair of bipolar adjectives. These items were modified to make them suitable for security as the attitudinal object in this study. An examination of the original instrument showed that the item easy-difficult was not included among the cognitive items, but it is a relevant belief about security measures. In addition, two items for the behavioral component of ISR were also included: disinclined-inclined and hesitant-eager. Finally, some minor adjustments were made to remove the ambiguity in some existing items. Table III lists the components of the ISR, the questionnaire statements, and the corresponding semantic differential items.

Table III. ISR measurement
Component (dimension) / Questionnaire statement / Semantic differential items
Behavioral / I am ___ to use the security measure / Disinclined/inclined; hesitant/eager
Affective (evaluation) / I feel ___ toward the security measure / Dislike/like; rejecting/accepting
Affective (activity) / I feel ___ in using the security measure / Tense/relaxed; bored/excited
Affective (power) / I feel ___ with the protection provided / Annoyed/content; sad/happy
Cognitive (evaluation) / I believe that the security measure is ___ / Useless/useful; imperfect/perfect
Cognitive (activity) / I believe that it is ___ to use the security measure / Difficult/easy; unsafe/safe
Cognitive (power) / I believe that adopting the security measure is ___ / Foolish/wise; harmful/beneficial

Semantic differential methodology is a simple, flexible, and economical means for eliciting participants' responses on different aspects of an attitude object (Heise, 1970). With the help of factor-analytic procedures, researchers have identified three general attitudinal dimensions underlying semantic differential responses in multidimensional semantic space. These are evaluation, power/potency, and activity (EPA) (Osgood et al., 1957). The evaluation dimension corresponds to the unfavorable-favorable assessment that dominates most attitudinal scales. In addition, the power dimension and the activity dimension reflect the perceptions of the power/potency (for example, weak/strong) and behavioral properties (for example, slow/fast), respectively, associated with the attitudinal object. The inclusion of the activity and power dimensions provides researchers with richer information and makes semantic differential scales appropriate for a comprehensive assessment of attitude (Ostrom, 1969).
The items used to measure the cognitive and affective components of ISR can be categorized into the EPA dimensions. The items of the evaluation dimension measure users' assessment of a security measure itself. The items of the activity dimension measure users' feelings and beliefs toward using a security measure. The power dimension, on the other hand, deals with users' sense of control regarding the adoption of a security measure. Thus, the cognitive and affective items capture user beliefs and feelings with regard to a security measure itself, how to apply the measure, and what to expect on its delivery. In addition, the behavioral items capture the behavioral tendency toward the measure. The ISR scale provides a means for a comprehensive understanding of user attitudes toward security measures, as it covers multiple dimensions underlying different attitudinal components.
Risk propensity was measured with the risk taking index (RTI) developed and validated by Nicholson et al. (2005). The RTI measures the propensity of subjects towards recreational, health, career, financial, safety, and social risks in the past and in the present. IT proficiency was measured using three items developed by the authors for knowledge, frequency, and efficacy related to the use of information technology.

3.4 Procedure
The data collection method adopted a mixture of between-subject design (random assignment of participants to treatment groups) and within-subject design (collection of repeated measures). Participants were randomly assigned to one of three groups, each corresponding to a security level.
This procedure resulted in almost equal numbers of participants in each group. Random assignment of treatments also mitigated the effect of potential bias due to any pre-experimental exposure of the participants to various authentication methods. At the start of the experiment, all the subjects answered the questions about risk propensity and IT proficiency. After that, those in each group were given the password requirements and the description of the system (i.e. e-mail or online bank). Then, the participants answered the questions regarding their ISR. After that, the description of the second system was given and participants gave their ISR responses based on the same authentication method. The sequence of the two systems was randomized in all groups to control for the order effect (Maxwell and Delaney, 2004).

A pilot study was conducted to assess the appropriateness of the treatment manipulation, the questionnaire wording, and the experimental procedure. In total, 55 participants provided their responses via paper questionnaires in a classroom environment (Sun and Ahluwalia, 2008). Like the participants of the main study, the participants of the pilot study were also undergraduate students enrolled in CIS courses. In the post-experiment debriefing session, the participants were asked about their perceptions of the data stored in the two systems, and almost all of them indicated that the data in their online bank account were much more important to them than the data in their free e-mail accounts (e.g. Yahoo and Hotmail). The preliminary results also indicated that ISR varied significantly across the treatment levels. Based on participant feedback and reliability analysis, some minor changes were made to the wording of the instructions and questions included in the questionnaire.

In the formal phase of this study, the experiment was implemented on a web server to simulate the log-in procedures corresponding to the three security levels. As experimental treatments, the participants were shown the log-in screens, with appropriate instructions for setting up new passwords for e-mail accounts or online bank accounts. Using the actual log-in screens placed the participants naturally within the experiential framework (Kock, 2005). Immediately after the exposure to the treatment, the participants answered the questions related to their ISR.

4. Results

The reliability of the participants' responses in terms of internal consistency was assessed with Cronbach's (1947) coefficient alpha. Table IV reports the results of the reliability analysis. The reliability of the ISR measure was assessed at two levels: the attitudinal component level and the overall level. The coefficient alphas for the cognitive, affective, and behavioral components were above 0.8, and the overall coefficient alpha was above 0.9. Compared to the original instrument developed by Crites et al. (1994) (for which the coefficient alphas were 0.84 for cognitive items and 0.71 for affective items), the responses to the ISR measure obtained in this study were more reliable. This improvement in the reliability of ISR measurement may be because the newly developed fill-in-the-blank statements reflect the EPA dimensions of the semantic differential scales, making the items easy to understand. The measurement results of this study and the previous pilot study (Sun and Ahluwalia, 2008) were similar, suggesting that the instrument is able to elicit
Table IV. Reliability analysis

Construct              No. of items    Coefficient alpha
Security readiness     14              0.938
  Cognitive            6               0.923
  Affective            6               0.826
  Behavioral           2               0.826
IT proficiency         3               0.722
Risk propensity        3               0.714
relatively stable and internally consistent responses from the participants. In addition, the coefficient alphas for IT proficiency and risk propensity were above 0.7, indicating acceptable internal consistency for both measures.

To understand the response pattern for each measure, a descriptive analysis was conducted. In this study, participants answered the questions regarding their IT proficiency and risk propensity before the experimental treatments. To study what effects such personal characteristics have on ISR, these two variables were treated as covariates along with the predictive treatment variable. Their index scores were obtained as the averages of the item scores. The scales had a range of 1 (least) through 5 (most), with 3 as the neutral point. For IT proficiency, the mean of the index scores was 3.40 and the standard deviation was 0.80; for risk propensity, the mean was 3.37 and the standard deviation was 0.79. The results suggested that most participants had marginally positive self-perceptions toward using information technology and taking risks.

Participants responded to the ISR measure based on their exposure to each experimental treatment. There are two treatment variables: security level as the direct predictor and data criticality as the moderator. To compare the response patterns of ISR across the levels of both variables, the descriptive statistics of ISR were obtained for each treatment. Table V gives the means and standard deviations of the ISR index scores across the three security levels (low, medium, and high) for the two systems with different levels of data criticality (e-mail vs online bank). The scales had a range of 1 (least ready) through 7 (most ready), with 4 as the neutral point. A comparison between the two systems reveals an interesting pattern, shown clearly in Figure 2.
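Cronbach's alpha at the component and the overall level, as an added worked example (not the paper's own code or data): it computes alpha for a constructed 14-item response matrix laid out like the ISR instrument (6 cognitive, 6 affective, 2 behavioral items) and shows why a two-item component tends to come out with a lower alpha than the six-item ones.

```python
"""Two-level reliability check in the style of Table IV.

Added example: the instrument layout (6 + 6 + 2 items) follows the paper,
but the response matrix below is constructed, not the study's data.
"""
from statistics import variance  # sample variance, n - 1 denominator

# Column indices of each attitudinal component in a 14-item response row.
ISR_COMPONENTS = {
    "cognitive": list(range(0, 6)),
    "affective": list(range(6, 12)),
    "behavioral": list(range(12, 14)),
}


def cronbach_alpha(responses):
    """responses: one row per respondent, one column per item.

    alpha = k/(k-1) * (1 - sum(item variances) / variance(row totals)).
    The same estimator is used in numerator and denominator, so sample vs
    population variance makes no difference to the result.
    """
    k = len(responses[0])
    if k < 2 or len(responses) < 2:
        raise ValueError("need at least two items and two respondents")
    item_vars = [variance([row[j] for row in responses]) for j in range(k)]
    total_var = variance([sum(row) for row in responses])
    if total_var == 0:
        raise ValueError("no variance in total scores; alpha is undefined")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def two_level_reliability(responses, components=ISR_COMPONENTS):
    """Overall alpha plus one alpha per component, as reported in Table IV."""
    result = {"overall": cronbach_alpha(responses)}
    for name, cols in components.items():
        subset = [[row[j] for j in cols] for row in responses]
        result[name] = cronbach_alpha(subset)
    return result


# Constructed 7-point responses for eight respondents. Each respondent has a
# base attitude; even-numbered items read base + d, odd-numbered items read
# base - d, so every item tracks the base score with a small, respondent-
# specific wobble. This is synthetic data, not the study's observations.
BASE = [2, 3, 4, 5, 6, 3, 5, 4]
DEVIATION = [1, 0, -1, 0, 1, -1, 0, 0]
SAMPLE = [
    [b + (d if j % 2 == 0 else -d) for j in range(14)]
    for b, d in zip(BASE, DEVIATION)
]

if __name__ == "__main__":
    for name, alpha in two_level_reliability(SAMPLE).items():
        print(f"{name:>10}: alpha = {alpha:.3f}")
```

With this construction the six-item components and the overall scale stay above 0.9 while the two-item behavioral component drops to about 0.67, which is why a short component deserves a separate reliability check rather than relying on the overall alpha alone.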
When the security level of the authentication method was increased from low to medium, the ISR of participants increased marginally (t = 0.66, p-value = 0.508) for the e-mail system (low criticality), but more significantly (t = 4.75, p-value < 0.01) for the online banking system (high criticality). When the security level was further increased from medium to high, participants exhibited lower ISR in both groups, more significantly for the e-mail system (t = -2.27, p-value = 0.024) than for the online banking system (t = -1.74, p-value = 0.083). This pattern supported the theoretical basis of the research hypotheses: users prefer an appropriate level of security, neither too low nor too high. Owing to the moderating influence of data criticality, security level does not have a simple linear relationship with ISR, but rather a curvilinear one.

ISR being a psychological construct, structural equation modeling (SEM) is well suited to test relationships involving a latent variable (Joreskog et al., 1979). To assess how a categorical variable moderates the relationships between independent and dependent variables, a multi-group SEM analysis is preferred (Byrne, 1994). In this study, the moderator is data criticality, a categorical variable with two levels (low for
Table V. Mean and standard deviation of ISR

                             Security level
Data criticality             Low           Medium        High          Overall
                             Mean   SD     Mean   SD     Mean   SD     Mean   SD
Low (e-mail account)         4.84   0.84   4.92   0.94   4.58   1.25   4.77   1.04
High (online bank account)   4.62   1.32   5.38   1.02   5.12   1.18   5.06   1.21

Figure 2. Means plot: information security readiness (ISR) against security level (low, medium, high), one line each for low and high information criticality

the free e-mail account vs high for the online bank account). In the multi-group analysis, the responses were divided into two parts using data criticality as the grouping variable, and the model was estimated simultaneously for both groups. The sample size in each group was 109, giving a total sample size of 218. The number of observations in the analysis was double the number of participants because each participant gave two sets of responses due to the within-subject design on data criticality. Within each group, however, the responses were independent from one another because of the between-subject design on security level. In this study, the main interest is to compare the hypothesized relationships across the two groups, each corresponding to a different level of data criticality. Because the repeated measures were separated into two groups in the statistical analysis, their interference with the results due to inter-correlation was minimized.

To control for the influence of personal characteristics on ISR, a structural model (Figure 3) was developed to test all three research hypotheses at the same time. In this model, the dependent variable is ISR, a latent construct with three indicators: the index scores of the affective, cognitive, and behavioral items, respectively. The three structural weights from the latent construct to its observed indicators were measurement weights, and one of them was fixed at one to remove scale ambiguity. The predictors of primary interest are the two dummy variables representing the three security levels (low = 0-0, medium = 1-0, and high = 1-1). The covariates of secondary interest are IT proficiency and risk propensity. The estimates of the four structural weights from the independent variables to the dependent latent construct can be used to test the research hypotheses. The multi-group analysis yielded pooled fit indices (rather than two sets of indices) that enabled the assessment of model fit.
The root mean square error of approximation was 0.068, below the cutoff of 0.08. The comparative fit index was 0.968 and the non-normed fit index was 0.917, both above the cutoff of 0.90. The acceptable

Figure 3. SEM measurement model: security level 1, security level 2, IT proficiency, and risk propensity as predictors of the latent construct information security readiness (ISR), with ISR affective, ISR cognitive, and ISR behavioral as its indicators
goodness-of-fit indices supported the validity of the model, which describes how the treatment variables and covariates influence ISR as indicated by its cognitive, affective, and behavioral factors. In addition, the multi-group analysis made it possible to test the significance of the overall moderating effect by comparing the model fit between the free model and the constrained model. The constrained model fixes the structural weights (four structural weights and two measurement weights) to be the same across the two levels of data criticality. Compared with the free model, the degrees of freedom of the constrained model increased by six (i.e. six fewer weights to be estimated) and the χ² statistic increased by 13.968. The χ² difference test was significant at the 0.05 level, suggesting that data criticality is a significant moderator of the relationships between the independent variables (security level, IT proficiency, and risk propensity) and the affective, cognitive, and behavioral components of ISR.

Table VI gives the estimated structural weight (with its standard error) for each independent variable. At the low level of data criticality, neither security level 1 nor security level 2 was significant. That is, imposing either the format requirement or the update requirement on the choice of password did not have a positive effect on the ISR of participants. At the high level of data criticality, security level 1 had a highly significant effect (at the 0.01 level) on ISR, but security level 2 did not have a significant effect. Thus, in the case of online bank accounts, participants exhibited significantly higher ISR when format requirements were imposed on the authentication procedure (medium complexity) than with the authentication procedure with no restrictions (low complexity). However, strengthening the authentication procedure to the highest complexity did not enhance
Table VI. Estimates of structural weights

                     Low criticality (e-mail)     High criticality (online bank)
Predictor            Estimate    SE               Estimate    SE
Security level 1     -0.087      0.24             0.823*      0.308
Security level 2     -0.327      0.23             -0.294      0.297
IT proficiency       0.007       0.12             0.321**     0.154
Risk propensity      -0.08       0.12             -0.034      0.158

Note: Significance at: *0.05 and **0.01 levels

ISR (the structural weight was actually negative). Therefore, H1a and H1b were fully supported.

According to the analytic results, IT proficiency has a positive linear relationship with ISR when data criticality is high. However, this relationship was found to be insignificant at the low level of data criticality. Participants who are more knowledgeable and skillful in using information technology are likely to be more prepared for the adoption of security measures for protecting important data. For unimportant data, IT proficiency does not make much difference to their ISR. This result supported H2a and H2b.

The other personal characteristic included as a covariate of ISR, risk propensity, was not significant at either the low or the high level of data criticality. The estimates, however, indicate that risk propensity tends to have some negative effect on ISR. The direction of the relationship is as expected, because a more risk-prone individual may not exhibit much concern about securing his/her data. It was hypothesized that risk-averse people are more likely to be favorably inclined towards security measures, especially when the data protected are important. This was not supported by the results and therefore H3 was only partially supported (H3a but not H3b).

5. Conclusions and implications

IT security is a very important area for research because of the ever-increasing deployment of interconnected computer-based systems and the tremendous value attributed to the information stored on such systems. Therefore, the relevance of IT security research extends to individual users, businesses, and governments. This study examines how user attitudes towards complying with IT security procedures and protocols may be shaped. The paper defines the ISR construct to measure user attitude towards security systems. The study inquires into the central research question: "Is it always a good idea to strengthen information security measures?"
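Two pieces of the multi-group analysis reported in the Results section, as an added worked example (not the paper's own code): the χ² difference test that decides whether data criticality moderates the structural weights (Δχ² = 13.968 on Δdf = 6, the figures reported above), and the sequential dummy coding of security level (low 0-0, medium 1-0, high 1-1), which turns the Table VI weights into model-implied ISR differences between levels. The pure-Python χ² tail function is my own implementation, used so that the example runs without SciPy.

```python
"""Chi-square difference test and sequential dummy coding for the
multi-group SEM described in the paper. Added example; the numbers in
TABLE_VI and the test call come from the paper's Results section.
"""
import math

# Sequential dummy coding of security level used in the structural model:
# dummy 1 switches on at medium, dummy 2 switches on at high, so each
# weight reads as the step from the previous level, not from the low level.
SECURITY_LEVEL_DUMMIES = {"low": (0, 0), "medium": (1, 0), "high": (1, 1)}

# Structural weights of the two security-level dummies from Table VI.
TABLE_VI = {
    "low_criticality": {"level1": -0.087, "level2": -0.327},
    "high_criticality": {"level1": 0.823, "level2": -0.294},
}


def chi2_sf(x, df):
    """Upper-tail probability P(X > x) of a chi-square variable with df
    degrees of freedom, via the power series of the regularized lower
    incomplete gamma function P(df/2, x/2). Own implementation, no SciPy."""
    if x <= 0:
        return 1.0
    a, z = df / 2.0, x / 2.0
    term, total, n = 1.0, 1.0, 0
    while True:  # sum z^n / ((a+1)(a+2)...(a+n)) until terms vanish
        n += 1
        term *= z / (a + n)
        total += term
        if term < total * 1e-15 or n > 10_000:
            break
    lower = math.exp(a * math.log(z) - z - math.lgamma(a + 1)) * total
    return min(1.0, max(0.0, 1.0 - lower))


def moderation_test(chi2_increase, df_increase, alpha=0.05):
    """Chi-square difference test between the free multi-group model and the
    model that constrains the weights to be equal across groups. A
    significant increase means the equal-weights model fits worse, i.e. the
    grouping variable (here data criticality) moderates the weights."""
    p = chi2_sf(chi2_increase, df_increase)
    return {"p_value": p, "moderation_significant": p < alpha}


def implied_isr_shift(weights, from_level, to_level):
    """Model-implied change in ISR (on the latent scale fixed by the unit
    indicator loading) when moving between security levels, holding the
    covariates constant."""
    d_from = SECURITY_LEVEL_DUMMIES[from_level]
    d_to = SECURITY_LEVEL_DUMMIES[to_level]
    return (weights["level1"] * (d_to[0] - d_from[0])
            + weights["level2"] * (d_to[1] - d_from[1]))


def isr_profile(weights):
    """ISR of each security level relative to the low level."""
    return {lvl: round(implied_isr_shift(weights, "low", lvl), 3)
            for lvl in SECURITY_LEVEL_DUMMIES}


if __name__ == "__main__":
    print(moderation_test(13.968, 6))
    for criticality, w in TABLE_VI.items():
        print(criticality, isr_profile(w))
```

For the paper's Δχ² = 13.968 on 6 degrees of freedom the test returns p ≈ 0.030, and the profiles reproduce the curvilinear pattern of Table VI: for high criticality ISR rises by 0.823 at medium and falls back to 0.529 above low at high, while for low criticality it only declines.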
This study examines user readiness toward IT security at different levels of security measures and data criticality. The research hypotheses were tested by conducting a laboratory experiment with undergraduate students as the participants. IT proficiency and risk propensity were included as covariates to control for the influence of relevant user characteristics. The results confirmed the hypothesized interaction between security level and data criticality in their influence over ISR. Furthermore, IT proficiency was found to be a significant covariate of ISR, especially when data are perceived as important by users. The relationship between risk propensity and ISR was not confirmed by the results, but the direction of the relationship was consistent with that of the hypothesis.

This paper makes several contributions to research and practice. First, it proposes an alternative approach to studying user attitudes toward IT security procedures and policies. The TAM has been extensively studied in the IS literature (Davis, 1989; Davis et al., 1989) and remains the most widely used framework for studying IS adoption. However, several researchers have called for alternative approaches to studying user intentions towards adopting IT products and services (Benbasat and Barki, 2007; McMaster and Wastell, 2005). This paper answers these calls by proposing the information security readiness (ISR) construct to measure user attitudes towards security procedures. The ISR construct and the measures used in this study capture users' cognitive, affective, and behavioral attitudes towards a security measure. More specifically, it can elicit user beliefs and feelings related to the measure itself (evaluation), the interaction with such a measure (activity), and the sense of control from using it (power). Compared with the existing constructs in technology acceptance research (for example, perceived ease of use, perceived usefulness, and intention to use), ISR is not meant to predict whether a user will use a system with a certain level of security measure or not, but rather to describe the inclination of an individual toward using the security measure itself.

The paper also makes a distinction between behavioral intention to adopt IT products and attitude towards IT security. The TAM model considers IT adoption in isolation; however, IT managers face various choices when setting security levels and policies. This paper posits that the security requirements should correspond to the criticality of the data to be protected. It follows that the implementation of IT security requirements and policies is not a binary choice but a continuum.

The research hypotheses were tested by conducting a laboratory experiment and using SEM for the analysis. A 3 × 2 factorial design was used, comprising three security levels and two levels of data criticality. To increase the number of responses, a within-subjects repeated measures design was employed. The analytic results revealed a nonlinear pattern of user attitude toward a security measure. That is, for a given level of data criticality, users make subjective judgments about the security requirements. Because any increase in the security requirements is linked to increased complexity in use, users do not want to go through complex security requirements if they do not perceive any benefit in doing so.

The outcomes of the study may have limited generalizability because of the use of a student sample in the laboratory experiment. The university undergraduate subjects may not be representative of the actual user population in the business environment; therefore, the results of the study may not be extensible to a wider population.
However, a few steps were taken in the research design to mitigate this issue. First, all participants were students enrolled in CIS courses. These students are familiar with IT security systems, as they use many such systems in their daily lives. All students access the university's enterprise registration system to view their grades, look up financial information, print transcripts, and record their personal information. They also use other online learning technologies to take exams, view grade books, and access course material. The operationalization of data criticality was implemented in the form of using web-based e-mail and online bank accounts. The web-based survey experiment simulated the real-world experience of logging into such systems by displaying mock log-in screens. Federal Information Processing Standard 199 (FIPS 199) defines security categories based on the quantum of harm/loss expected if the information were compromised (Stine et al., 2008). The impact may be assessed in terms of losses in the confidentiality, integrity, and availability of information (Stine et al., 2008). This study posits that the subjects would experience greater impact from the compromise of financial information than of the information stored in e-mail accounts. Although the results of this study show some support for this supposition, future research can be conducted that includes precise treatments of information categories as recommended in FIPS 199. We call upon the research community to study security-related user behavior in the organizational context as well. Future research could also examine user attitudes when using other security methods such as fingerprints, facial features, irises, and voice samples (Jain et al., 2006).

This paper has implications for practice. In situations where IT security policies and procedures are forced upon users, ISR may influence their career-related attitudes, such

as job satisfaction. Typical users often access multiple information systems at their workplaces. Organizations may generate greater user acceptance of security policies by correctly framing users' perceptions about the data criticality of such systems. Users with low levels of IT proficiency may correlate data criticality with the security measures mandated by organizations. The significant influence of IT proficiency on ISR suggests the importance of education and training on security-related practices for users. Studies have shown that if IT security requirements are made too complex, users may inadvertently increase security risk by taking undesirable actions such as writing their passwords on paper or downloading and saving critical data from secured servers to their personal computers to avoid frequent log-ins. Therefore, user education and correct framing of data criticality are likely to mitigate such actions.

In the realm of information security, IT managers confront a dilemma: the utility and usability of a system cannot be maximized simultaneously. The results of this study suggest that users' ISR hinges on the perceived appropriateness of a security measure in terms of the balance between complexity and data criticality. People are likely to form higher ISR when they feel that the level of complexity is in line with the importance of the data to be protected. In other words, users are expected to be averse to using more complex security measures unless, in their judgment, the criticality of the information warrants a higher level of complexity. The bigger the gap between what is necessary and what is required, the lower the ISR. This study provides general guidelines for practitioners on ways to determine appropriate security measures. The study also provides the construct of ISR as a tool for the assessment of user attitudes toward IT security requirements and procedures. Practitioners may use the focus group method to elicit user responses about their perceptions of things like the criticality of data and the sufficiency of security requirements and policies. This study has implications for e-commerce companies which want to keep access to their web sites easy and at the same time protect their customers from fraud.
References

Adams, A. and Sasse, M.A. (1999), "Users are not the enemy", Communications of the ACM, Vol. 42 No. 12, pp. 41-6.
Albrechtsen, E. (2007), "A qualitative study of users' view on information security", Computers and Security, Vol. 26, pp. 276-89.
Ashton, R. and Kramer, S. (1980), "Students as surrogates in behavioral accounting research: some evidence", Journal of Accounting Research, Vol. 18 No. 1, pp. 1-15.
Beltramini, R. (1983), "Student surrogates in consumer research", Journal of the Academy of Marketing Science, Vol. 11 No. 4, p. 438.
Benbasat, I. and Barki, H. (2007), "Quo vadis, TAM", Journal of the Association for Information Systems, Vol. 8 No. 4, pp. 211-8.
Besnard, D. and Arief, B. (2004), "Computer security impaired by legitimate users", Computers and Security, Vol. 23, pp. 229-37.
Birnberg, J. and Nath, R. (1968), "Laboratory experimentation in accounting research", Accounting Review, Vol. 43 No. 1, pp. 38-45.
Breckler, S.J. (1984), "Empirical validation of affect, behavior, and cognition as distinct components of attitude", Journal of Personality and Social Psychology, Vol. 47 No. 6, pp. 1191-205.
Byrne, B. (1994), Structural Equation Modeling with EQS and EQS/Windows: Basic Concepts, Applications, and Programming, Sage, Thousand Oaks, CA.
Calder, B.J., Phillips, L.W. and Tybout, A.M. (1981), "Designing research for application", Journal of Consumer Research, Vol. 8, pp. 197-207.
Chen, Y. and Barnes, S. (2007), "Initial trust and online buyer behaviour", Industrial Management & Data Systems, Vol. 107 No. 1, p. 21.
Crites, S.L., Fabrigar, L.R. and Petty, R.E. (1994), "Measuring the affective and cognitive properties of attitudes: conceptual and methodological issues", Personality and Social Psychology Bulletin, Vol. 20 No. 6, pp. 619-34.
Cronbach, L. (1947), "Test reliability: its meaning and determination", Psychometrika, Vol. 12 No. 1, pp. 1-16.
Davis, F. (1989), "Perceived usefulness, perceived ease of use, and user acceptance of information technology", MIS Quarterly, Vol. 13 No. 3, pp. 319-40.
Davis, F.D., Bagozzi, R.P. and Warshaw, P.R. (1989), "User acceptance of computer technology: a comparison of two theoretical models", Management Science, Vol. 35 No. 8, pp. 982-1003.
Dotson, D.S. (2007), "Information security resources: a selected annotated bibliography", Science & Technology Libraries, Vol. 27 No. 3, pp. 29-51.
Eagly, H. and Chaiken, S. (1993), The Psychology of Attitudes, Harcourt Brace Jovanovich College Publishers, Fort Worth, TX.
Fagley, N. and Miller, P. (1990), "The effect of framing on choice: interactions with risk-taking propensity, cognitive style, and sex", Personality and Social Psychology Bulletin, Vol. 16 No. 3, p. 496.
Flavian, C. and Guinaliu, M. (2006), "Consumer trust, perceived security and privacy policy", Industrial Management & Data Systems, Vol. 106 No. 5, pp. 601-20.
Heise, D.R. (1970), "Causal inference from panel data", Sociological Methodology, Vol. 2, pp. 3-27.
Huang, S., Lee, C. and Kao, A. (2006), "Balancing performance measures for information security management: a balanced scorecard framework", Industrial Management & Data Systems, Vol. 106 Nos 1/2, pp. 242-55.
Jain, A.K., Ross, A. and Pankanti, S. (2006), "Biometrics: a tool for information security", IEEE Transactions on Information Forensics and Security, Vol. 1 No. 2, pp. 125-43.
Joreskog, K., Sorbom, D., Magidson, J. and Cooley, W. (1979), Advances in Factor Analysis and Structural Equation Models, Abt Books, Cambridge, MA.
Katz, D. and Stotland, E. (1959), Psychology: A Study of a Science, McGraw-Hill, New York, NY.
Kerlinger, F.N. (1986), Foundations of Behavioral Research, Holt Rinehart and Winston Inc., Fort Worth, TX.
Klein, D.V. (1990), "Foiling the cracker: a survey of, and improvements to, password security", Proceedings of the USENIX UNIX Security Workshop, Portland.
Knight, S., Buffett, S. and Hung, P. (2007), "Special issue on privacy, security and trust technologies and e-business services. Guest editors' introduction", International Journal of Information Security, Vol. 6 No. 5, pp. 285-6.
Kock, N. (2005), "Media richness or media naturalness? The evolution of our biological communication apparatus and its influence on our behavior toward e-communication tools", IEEE Transactions on Professional Communication, Vol. 48 No. 2, pp. 117-30.
Kothandapani, V. (1971), "Validation of feeling, belief, and intention to act as three components of attitude and their contribution to prediction of contraceptive behavior", Journal of Personality and Social Psychology, Vol. 19 No. 3, pp. 321-33.
Liyanarachchi, G. and Milne, M. (2005), "Comparing the investment decisions of accounting practitioners and students: an empirical study on the adequacy of student surrogates", Accounting Forum, Vol. 29, pp. 121-35.
McMaster, T. and Wastell, D.G. (2005), "The agency of hybrids: overcoming the symmetrophobic block", Scandinavian Journal of Information Systems, Vol. 17 No. 1, pp. 175-82.
Maxwell, S. and Delaney, H. (2004), Designing Experiments and Analyzing Data: A Model Comparison Perspective, Lawrence Erlbaum, Mahwah, NJ.
Nicholson, N., Soane, E., Fenton-O'Creevy, M. and Willman, P. (2005), "Personality and domain-specific risk taking", Journal of Risk Research, Vol. 8 No. 2, pp. 157-76.
Norberg, P., Horne, D. and Horne, D. (2007), "The privacy paradox: personal information disclosure intentions versus behaviors", Journal of Consumer Affairs, Vol. 41 No. 1, pp. 100-26.
Osgood, C.E., Suci, G.J. and Tannenbaum, P.H. (1957), The Measurement of Meaning, University of Illinois Press, Urbana, IL.
Ostrom, T.M. (1969), "The relationship between the affective, behavioral, and cognitive components of attitude", Journal of Experimental Social Psychology, Vol. 15 No. 1, pp. 12-30.
Peterson, R. (2001), "On the use of college students in social science research: insights from a second-order meta-analysis", Journal of Consumer Research, Vol. 28 No. 3, pp. 450-61.
Post, G.V. and Kagan, A. (2007), "Evaluating information security tradeoffs: restricting access can interfere with user tasks", Computers and Security, Vol. 26, pp. 253-64.
Proctor, R., Lien, M., Schultz, E. and Salvendy, G. (2002), "Improving computer security for authentication of users: influence of proactive password restrictions", Behavior Research Methods, Instruments, & Computers, Vol. 34 No. 2, pp. 163-9.
Riddle, B.L., Miron, M.S. and Semo, J.A. (1989), "Passwords in use in a university timesharing environment", Computers and Security, Vol. 8 No. 7, pp. 569-79.
Rosenberg, M.J. and Hovland, C.I. (1960), Attitude Organization and Change: An Analysis of Consistency, Yale University Press, New Haven, CT.
Schultz, E.E. (2007), "Research on usability in information security", Computer Fraud & Security, Vol. 6, pp. 8-10.
Smith, S. (2002), "The role of social cognitive career theory in information technology based academic performance", Information Technology Learning and Performance Journal, Vol. 20, pp. 1-10.
Stine, K., Barker, W.C., Fahlsing, J. and Gulick, J. (2008), Guide for Mapping Types of Information and Information Systems to Security Categories, Vol. I, NIST Special Publication 800-60, Gaithersburg, MD.
Sun, J. and Ahluwalia, P. (2008), "How users respond to authentication methods: a study of security readiness", Proceedings of the Fourteenth Americas Conference on Information Systems, Toronto, Canada.
Swartz, N. (2004), "Survey assesses the state of information security worldwide", Information Management Journal, Vol. 38 No. 1.
Thomson, K.-L. and von Solms, R. (1998), "Information security awareness: educating our users effectively", Information Management & Computer Security, Vol. 6 No. 4, pp. 167-73.
Venkatesh, V., Morris, M.G., Davis, G.B. and Davis, F.D. (2003), "User acceptance of information technology: toward a unified view", MIS Quarterly, Vol. 27 No. 3, pp. 425-78.
Warkentin, M., Davis, K. and Bekkering, E. (2004), "Introducing the check-off password system (COPS): an advancement in user authentication methods and information security", Journal of Organizational and End User Computing, Vol. 16 No. 3, pp. 41-58.
Zanna, M.P. and Rempel, J.K. (1988), The Social Psychology of Knowledge, Cambridge University Press, New York, NY.
Zuckerman, M. and Kuhlman, D. (2000), "Personality and risk-taking: common biosocial factors", Journal of Personality, Vol. 68 No. 6, pp. 999-1029.

Corresponding author
Kai S. Koong can be contacted at: koongk@utpa.edu

