Strategic Response to the Institutional Process on the Adoption and Assimilation of IS Security Mana

1
Strategic Response to the Institutional Process
on the Adoption and Assimilation of IS Security
Management A Two Stage Empirical Investigation
1
Carol Hsu National Taiwan University Jae-Nam
Lee Korea University Business School
2
Agenda
2

• Research Motivation/Objectives
• IS Security Management as an Administrative
  Innovation
• Theoretical Framework Hypotheses
• Institutional pressure for IS security management
  adoption and assimilation
• Strategic response to institutional conformity
• Research Method
• Empirical Results
• Analysis and Implications
• Limitations and Future Research

3
Research Motivation

• Commoditisation of information technology-
  emphasis on vulnerabilities, not opportunities
• Increasing IS security breaches and external
  risks
• Introduction of regulatory compliance
  requirements
• Search for a IS security management process
• Concept of an administrative innovation

4
Research Objectives

• Identifying IS security management as an
  administrative innovation
• The institutional effects at different stage of
  diffusion (adoption/assimilation)
• Analyse the different moderators of institutional
  conformity at adoption and assimilation stages

5
IS Security Management as an Administrative
Innovation

• Classification of IS security literature
• Dhillon and Backhouse (2001), Siponen (2005),
  Siponen and Willison (2007)
• From innovation perspective
• Technological innovation
• Deals with security technology artefacts
• Administrative innovation
• a philosophy of developing a security management
  programme including policy, management committee,
  team structure and employee education

6
IS Security Management as an Administrative
Innovation

• Emerging social-organisational aspect of IS
  security research
• Characteristics of administrative innovation
• Management-oriented
• Continuous improvement to adapt to changing
  environmental contingencies
• Associated with the change in the social
  structure of organization

7
Theoretical Framework Hypotheses

• Institutional Pressure for IS Security Management
  Diffusion
• Coercive force
• Mimetic force
• Normative force
• Diffusion of Administrative Innovation
• Adoption an organizational mandate for change
• Assimilation becomes ingrained within
  organizational behaviours

8
Theoretical Framework Hypotheses

• Strategic Response to Institutional Conformity
• Instead of passive compliance, organizations
  actively manage their relationship with the
  environment
• Moderators of Institutional Conformity
• Adoption stage economic-oriented factors
• Assimilation stage organizational capability
  factors

9
Theoretical Framework Hypotheses
10
Research Method

• Survey method Empirical test using a two-stage
  study of IS security management program in Korea
• Data set 140 organizations implementing or had
  already implemented IS security management
  program in the company
• Development of measurements from the previous
  literature on institutional theories and
  innovation diffusion

11
Research Method

• Sample and Data Collection
• Sample frame
• 500 large firms from Maeil Business Newspapers
  Annual Corporation Reports in Korea
• CIO of each firm was identified from the Book of
  Listed Firms publish by the Korea Stock Exchange
• Personal phone call to CIO regarding the project
• Questionnaire sent out with cover letter and
  follow-up postcard
• Conducted in two-phase

12
Research Method

• Phase One focusing on adoption
• Mailed to 436 CIOs expressed willingness in
  participation
• 183 firms responded (response rate of 42)
• 32 response was discarded owing to incomplete
  data
• Phase Two focusing on assimilation
• Mailed to 151 firms responded in phase one
• 145 firms responded
• 5 response was discarded owing to incomplete data

13
Reliability and Validity

• 140 valid responses for the final analysis
• Content validity
• Adopting instruments validated by prior studies
• Pre-tests with 15 IS professionals and 10
  companies
• Convergent validity
• Evaluated by the item-to-total correlation
  (higher than 0.5)
• Discriminant validity
• Checked by means of factor analysis
• Reliability
• Calculated using Cronbachs alpha (0.8080.965)

14
Hypothesis Testing

• Hierarchical Regression Model was used
• Followed the GLM procedures in SPSS
• The effects of the six moderating variables on
  the base relationships were assessed
• by using the degree of the difference in R square
  between the restricted model and the full model.
• To confirm the moderating effects
• We explore the interaction plots

15
Hypothesis Testing - Adoption
16
Hypothesis Testing - Assimilation
17
Interaction Plots e.g., Environal Uncertainty
(b) Moderating effect of supervisory authority
influence

• Moderating effect
• of peer influence

• The increase in the adoption associated with
  increases in (a) peer influence and (b)
  supervisory authority influence is greater when
  there is a high level of perceived environmental
  uncertainty, which supports Hypothesis 1.

18
Empirical Results
19
Analysis and Implications

• Theoretical implications
• Extends the support to other studies that argue
  for an integrative framework in organizational
  studies
• Development of an integrative framework in the
  context of administrative innovation and IS
  security management
• Highlight the inextricably complex relationship
  between institutional pressures and IS security
  management
• Practical implications
• Proactive evaluation of economic conditions
  allows the managers make a timely strategic
  response
• Importance of top management and culture
  acceptability at the assimilation stage

20
Limitations and Future Research

• Limitations
• Two-stage survey possibility of some unexpected
  threats to internal validity
• Limitation of single respondent
• Limitation of single country
• Future research
• Stimulate discussion on further theoretical
  development
• Replicate the studies in different geographical
  settings
• Impact of IS security management on
  organizational performance

21
Thank you!Any Questions Comments?
22
Appendix Profile of the Sample
22
(a) Industry type
(b) Total sales revenue
23
Appendix - Profile of the Sample
23
(c) IT budget as a percentage of total sales
(d) IS security standard adopted
24
Appendix Reliability and Validity
24
25
Appendix Factor Analysis
25
26
Appendix Correlation
26
27
Interaction Plots Competitive Advantage
Categories Low competitive advantage 1-4 (77
firms) Moderate
competitive advantage 4-5 (36 firms)
High competitive advantage 5-7 (27
firms)
28
Interaction Plots Resource Availability
(b) Moderating effect of supervisory authority
influence

• Moderating effect
• of peer influence

Categories Low resource availability 1-4 (53
firms) Moderate resource
availability 4-5 (51 firms)
High resource availability 5-7 (36 firms)
29
Interaction Plots Top Mgt Support
(b) Moderating effect of supervisory authority
influence

• Moderating effect
• of peer influence

Categories Low top management support 1-4 (56
firms) Moderate
top management support 4-5 (48 firms)
High top management support 5-7 (36
firms)
30
Interaction Plots Cultural Acceptability
(b) Moderating effect of supervisory authority
influence

• Moderating effect
• of peer influence

Categories Low cultural acceptability 1-4
(53 firms)
Moderate cultural acceptability 4-5 (41 firms)
High cultural acceptability
5-7 (46 firms)