Authors: Jaehun Joo, Mie-jung Kim, Ismatilla Normatov, Lyunhwa Kim

Abstract:

The purpose of this paper is to analyze determinants of information security affecting adoption of the Web-based integrated information systems (IIS). We introduced Web-based information systems which are designed to formulate strategic plans for Peruvian government. Theoretical model is proposed to test impact of organizational factors (deterrent efforts and severity; preventive efforts) and individual factors (information security threat; security awareness) on intentions to proactively use the Web-based IIS .Our empirical study results highlight that deterrent efforts and deterrent severity have no significant influence on the proactive use intentions of IIS, whereas, preventive efforts play an important role in proactive use intentions of IIS. Thus, we suggest that organizations need to do preventive efforts by introducing various information security solutions, and try to improve information security awareness while reducing the perceived information security threats.

Keywords: Information security, Deterrent efforts, deterrentseverity, preventive efforts, information security awareness, information security threats, integrated information systems

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1075893

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 2265

References:

[1] A. Blumstein, "Introduction in deterrence and incapacitation: Estimating the effects of criminal sanctions on crime rates," National Academy of Sciences, Washington, DC, USA, 1978.
[2] B. Bulgurcu, H. Cavusoglu, and I. Benbasat, "Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness," MIS Quarterly, vol. 34, no. 3, pp. 523-548, 2010.
[3] H. Cavusoglu, J. Son, and I. Benbasat, "Information security control resources in organizations: A multidimensional view and their key drivers," Working Paper, Sauder School of Business, University of British Columbia, 2009.
[4] CEPLAN, "KSP mission to CEPLAN Peru," CEPLAN, 2010.
[5] J. D-Arcy, A. Hovav, and D. Galletta, "User Awareness of Security Countermeasures and its Impact on Information Systems Misuse: A Deterrence Approach," Information Systems Research, vol. 20, no. 1, pp. 79-98, 2009.
[6] M. Fishbein, and J.N. Cappella, "The role of theory in developing effective health communications," Journal of Communication, vol. 56, pp. 1-17, 2006.
[7] M. Fishbein, and M.C. Yzer, "Using theory to design effective health behavior interventions," Communication Theory, vol. 13, no. 2, pp. 164-183, 2003.
[8] K.A. Forcht, "Computer security management," Boyd and Fraser, Danvers, MA, USA, 1994.
[9] R.D. Gopal, and G.L. Sanders, "Preventive and Deterrent Controls for Software Piracy," Journal of Management Information Systems, vol. 13, no. 4, pp. 29-47, 1997.
[10] A.C. Johnston, and N. Warkentin , "Fear appeals and information security behaviors: An empirical study," MIS Quarterly, vol. 34, no. 3, pp. 549-566, 2010.
[11] A. Kankanhalli, H.H. Teo, B.C.Y. Tan, and K.K. Wei, "An integrative study of information systems security effectiveness," International Journal of Information Management, vol. 23, pp. 139-154, 2003.
[12] Klete, "Some minimum requirements for legal sanctioning systems with special emphasis on detection, in Deterrence and Incapacitation: Estimating the Effects of Criminal Sanctions on Crime Rates," National Academy of Sciences, Washington, DC, USA , 1978.
[13] K.J. Knapp, R.F. Morris, T.E. Marshall, and T.A. Byrd, "Information security policy: An organizational-level process model," Computers and Security, vol. 28, no. 7, pp. 493-508, 2009.
[14] E. Kritzinger, and E. Smith, "Information security management: An information security retrieval and awareness model for industry," Computers and Security, vol. 27, pp. 224-231, 2008.
[15] C.Y. Ku, Y.W. Chang, and D.C. Yen, "National information security policy and its implementation: A case study in Taiwan," Telecommunications Policy, vol. 33, pp. 371-384, 2009.
[16] K.D. Loch, H.H. Carr, and M.E. Warkentin, " Threats to information systems: Today-s reality, yesterday-s understanding," MIS Quarterly, vol. 16, no. 2, pp. 173-186, 1992.
[17] K. Mathieson, "Predicting user intentions: comparing the technology acceptance model with the theory of planned behavior," Information System Research, vol. 3, no. 2, pp. 173-191, 1991.
[18] W.D. Nance, and D.W. Straub, "An Investigation into the Use and Usefulness of Security Software in Detecting Computer Abuse," in Proc.9th Annu. Conf. on Information Systems, Minneapolis, MN, 1988.
[19] D.D. Parker, "Fighting computer crime," Scribner-s, New York, USA, 1983.
[20] F.S. Pearson, and N.A. Weiner, "Toward an Integration of Criminological Theories," Journal of Crime and Criminology, vol. 76, no. 1, pp. 116-150, 1985.
[21] R.W. Rogers, "A protection motivation theory of fear appeals and attitude change," Journal of Psychology, vol. 91, pp. 93-114, 1975.
[22] J.H. Schuessler, "General deterrence theory: Assessing information systems security effectiveness in large versus small businesses"
[online], University of North Texas, Available from: < http://joseph.schuessler sounds.com/Research/Dissertation/Schuessler_Dissertation.pdf >,
[Last Accessed March 29, 2011], 2009.
[23] M. Silberman, "Toward a Theory of Criminal Deterrence," American Sociological Review, vol. 41, pp. 442-461, 1976
[24] T. Siponen, "A conceptual foundation for organizational information security awareness", Information Management and Computer Security, vol. 8, no. 1, pp. 31-41, 2000.
[25] M. Siponen, and A.O. Vance, "Neutralization: New insights into the problem of employee systems security policy violations," MIS Quarterly, vol. 34, no. 3, pp.487-502, 2010.
[26] G.D. Spicer, "Information systems management maturity and information technology security effectiveness," University of Lethbridge, Alberta, Canada, 2004.
[27] D.W. Straub, "Computer abuse and computer security: Update on an empirical study," Security, Audit, and Control Review, vol. 4, no. 2, pp. 21-31, 1986.
[28] D.W. Straub, and W.D. Nance, "Discovering and disciplining computer abuse in organizations: A field study," Management Information Systems Quarterly, vol. 14, no. 1, pp. 45- 62, 1990.
[29] D.W. Straub, "Effective IS Security: An Empirical Study," Information Systems Research, vol. 1, no. 3, pp. 255-276, 1990.
[30] D. W. Straub, and R.J. Welke, "Coping with systems risk: Security planning models for management decision making," MIS Quarterly, vol. 22, no. 4, pp. 441-469, 1998.
[31] D.W. Straub, "Coping with systems risk: Security planning models for management decision making," MIS Quarterly, vol. 22, no. 4, pp. 441-469, 1998.
[32] K.R. Williams, and R. Hawkins, "Perceptual Research on General Deterrence: A Critical Review," Law and Society, vol. 20, no. 4, pp. 545-572, 1986.
[33] M. E. Whitman, "In defense of the realm: Understanding the threats to information security," International Journal of Information Management, vol. 24, no. 1, pp. 43-57, 2004.
[34] R. Weber, "EDP Auditing: Conceptual Foundations and Practice," McGraw Hill, New York, NY, 1988.
[35] K. Witte, "Putting the fear back into fear appeals: The extended parallel process model," Communication Monograph, vol. 59, pp. 329-349, 1992.
[36] K. Witte, K.A. Cameron, J.M. McKeon, and J.M. Berkowitz, "Predicting risk behaviors: Development and validation of a diagnostic scale," Journal of Health Communication, vol. 1, pp. 317-341, 1996.
[37] Q.Y. Yeh, and A.J.T. Chang, "Threats and countermeasures for information system security: A cross-industry study", Information and Management, vol. 44, no. 5, pp. 480-491, 2007.