Utilizing the Technology Acceptance Model to Assess the Employee Adoption of Information Systems Security Measures
Jones, Cynthia M., McCarthy, Richard V., Halawi, Leila, Journal of International Technology and Information Management
Companies are increasing their investment in technologies to enable better access to information and to gain a competitive advantage. Global competition is driving companies to reduce costs and enhance productivity, increasing their dependence on information technology. Information is a key asset within an organization and needs to be protected. Expanded connectivity and greater interdependence between companies and consumers have increased the damage potential of a security breach to a company's information systems. Improper, unauthorized use of computer systems can create a devastating financial loss, even to the point of causing the organization to go out of business. It is critically important to understand what causes users to understand, accept and follow the organization's information systems security measures so that companies can realize the benefits of their technological investments. In the past several years, computer security breaches have stemmed from insider misuse and abuse of the information systems and non-compliance with the information systems security measures. The purpose of this study is to address the factors that affect employee acceptance of information systems security measures.
This article discusses the information systems security measures and explains the Technology Acceptance Model (TAM). This is followed by a presentation of the methodology and the results of the statistical analysis. The article closes with a discussion of the conclusions, implications and contribution of this research.
INFORMATION SYSTEMS SECURITY MEASURES
For over 25 years companies have become increasingly vulnerable to both internal and external threats to their information systems. These threats are categorized as computer crime. With the increasing threat of computer crime, information technology security has become of great concern to companies. As businesses operate in the global arena, it has become vitally important to guard and protect information and the computer assets from computer crimes. Based on recent studies and reported incidents, the threat of computer crime is real and increasing. More incidents of computer crime are being reported each year and criminals are becoming more sophisticated in their attacks (Mujtaba, Griffin, & Oskal, 2004).
In 2005, a five-year industry analysis showed a gradual rise in the number of security incidents, with 34% of companies reporting one to five security breaches in 1999 and 47% reporting one to five breaches in 2004 (Emrich, 2005). In 2006, losses due to security breaches were reported to be over $52 million for the 313 respondents that were willing and able to estimate losses (Gordon et al., 2006). The 2006 CSI/FBI survey estimated the average loss per respondent was $167,713 (Gordon et al., 2006). Companies are vulnerable to both external and internal attack. According to research conducted by Gartner, Inc. in 2006, the cost of recovery from a security breach can be up to 15 times greater than the cost of prevention by protecting the data in the first place. A company with 10,000 customer accounts can spend $6 to $16 per customer on data encryption and intrusion detection and prevention as compared to $90 per customer account when a data breach occurs (anonymous, 2006).
The human factor has been considered the weakest link in the security solution, or at a minimum it plays a critically important role in the protection of information and information systems. "A security technique no matter how effectual can be misused or misinterpreted by users, thereby losing its usefulness" (Siponen, 2000, p. 197). If users are unwilling to accept security measures and systems, the systems will not bring the full benefits of the technology to the organization (Venkatesh & Davis, 1996).
The perpetrator of a cybercrime is increasingly being identified as an employee, rather than an unknown hacker (Mujtaba et al. …