Title: Strategic Response to the Institutional Process on the Adoption and Assimilation of IS Security Mana
1. Strategic Response to the Institutional Process on the Adoption and Assimilation of IS Security Management: A Two Stage Empirical Investigation
Carol Hsu, National Taiwan University
Jae-Nam Lee, Korea University Business School
2. Agenda
- Research Motivation/Objectives
- IS Security Management as an Administrative Innovation
- Theoretical Framework and Hypotheses
- Institutional pressure for IS security management adoption and assimilation
- Strategic response to institutional conformity
- Research Method
- Empirical Results
- Analysis and Implications
- Limitations and Future Research
3. Research Motivation
- Commoditisation of information technology: emphasis on vulnerabilities, not opportunities
- Increasing IS security breaches and external risks
- Introduction of regulatory compliance requirements
- Search for an IS security management process
- Concept of an administrative innovation
4. Research Objectives
- Identifying IS security management as an administrative innovation
- The institutional effects at different stages of diffusion (adoption/assimilation)
- Analyse the different moderators of institutional conformity at adoption and assimilation stages
5. IS Security Management as an Administrative Innovation
- Classification of IS security literature
- Dhillon and Backhouse (2001), Siponen (2005), Siponen and Willison (2007)
- From innovation perspective
- Technological innovation
- Deals with security technology artefacts
- Administrative innovation
- A philosophy of developing a security management programme including policy, management committee, team structure and employee education
6. IS Security Management as an Administrative Innovation
- Emerging social-organisational aspect of IS security research
- Characteristics of administrative innovation
- Management-oriented
- Continuous improvement to adapt to changing environmental contingencies
- Associated with the change in the social structure of the organization
7. Theoretical Framework and Hypotheses
- Institutional Pressure for IS Security Management Diffusion
- Coercive force
- Mimetic force
- Normative force
- Diffusion of Administrative Innovation
- Adoption: an organizational mandate for change
- Assimilation: becomes ingrained within organizational behaviours
8. Theoretical Framework and Hypotheses
- Strategic Response to Institutional Conformity
- Instead of passive compliance, organizations actively manage their relationship with the environment
- Moderators of Institutional Conformity
- Adoption stage: economic-oriented factors
- Assimilation stage: organizational capability factors
9. Theoretical Framework and Hypotheses
10. Research Method
- Survey method: empirical test using a two-stage study of IS security management programs in Korea
- Data set: 140 organizations that were implementing or had already implemented an IS security management program in the company
- Development of measurements from the previous literature on institutional theories and innovation diffusion
11. Research Method
- Sample and Data Collection
- Sample frame
- 500 large firms from Maeil Business Newspapers Annual Corporation Reports in Korea
- CIO of each firm was identified from the Book of Listed Firms published by the Korea Stock Exchange
- Personal phone call to CIO regarding the project
- Questionnaire sent out with cover letter and follow-up postcard
- Conducted in two phases
12. Research Method
- Phase One: focusing on adoption
- Mailed to 436 CIOs who expressed willingness to participate
- 183 firms responded (response rate of 42%)
- 32 responses were discarded owing to incomplete data
- Phase Two: focusing on assimilation
- Mailed to 151 firms that responded in phase one
- 145 firms responded
- 5 responses were discarded owing to incomplete data
13. Reliability and Validity
- 140 valid responses for the final analysis
- Content validity
- Adopting instruments validated by prior studies
- Pre-tests with 15 IS professionals and 10 companies
- Convergent validity
- Evaluated by the item-to-total correlation (higher than 0.5)
- Discriminant validity
- Checked by means of factor analysis
- Reliability
- Calculated using Cronbach's alpha (0.808-0.965)
14. Hypothesis Testing
- Hierarchical Regression Model was used
- Followed the GLM procedures in SPSS
- The effects of the six moderating variables on the base relationships were assessed by using the degree of the difference in R square between the restricted model and the full model.
- To confirm the moderating effects, we explore the interaction plots
15. Hypothesis Testing - Adoption
16. Hypothesis Testing - Assimilation
17. Interaction Plots, e.g., Environmental Uncertainty
(a) Moderating effect of peer influence
(b) Moderating effect of supervisory authority influence
- The increase in the adoption associated with increases in (a) peer influence and (b) supervisory authority influence is greater when there is a high level of perceived environmental uncertainty, which supports Hypothesis 1.
18. Empirical Results
19. Analysis and Implications
- Theoretical implications
- Extends the support to other studies that argue for an integrative framework in organizational studies
- Development of an integrative framework in the context of administrative innovation and IS security management
- Highlights the inextricably complex relationship between institutional pressures and IS security management
- Practical implications
- Proactive evaluation of economic conditions allows managers to make a timely strategic response
- Importance of top management and cultural acceptability at the assimilation stage
20. Limitations and Future Research
- Limitations
- Two-stage survey: possibility of some unexpected threats to internal validity
- Limitation of single respondent
- Limitation of single country
- Future research
- Stimulate discussion on further theoretical development
- Replicate the studies in different geographical settings
- Impact of IS security management on organizational performance
21. Thank you! Any Questions or Comments?
22. Appendix: Profile of the Sample
(a) Industry type
(b) Total sales revenue
23. Appendix: Profile of the Sample
(c) IT budget as a percentage of total sales
(d) IS security standard adopted
24. Appendix: Reliability and Validity
25. Appendix: Factor Analysis
26. Appendix: Correlation
27. Interaction Plots: Competitive Advantage
Categories: Low competitive advantage 1-4 (77 firms); Moderate competitive advantage 4-5 (36 firms); High competitive advantage 5-7 (27 firms)
28. Interaction Plots: Resource Availability
(a) Moderating effect of peer influence
(b) Moderating effect of supervisory authority influence
Categories: Low resource availability 1-4 (53 firms); Moderate resource availability 4-5 (51 firms); High resource availability 5-7 (36 firms)
29. Interaction Plots: Top Management Support
(a) Moderating effect of peer influence
(b) Moderating effect of supervisory authority influence
Categories: Low top management support 1-4 (56 firms); Moderate top management support 4-5 (48 firms); High top management support 5-7 (36 firms)
30. Interaction Plots: Cultural Acceptability
(a) Moderating effect of peer influence
(b) Moderating effect of supervisory authority influence
Categories: Low cultural acceptability 1-4 (53 firms); Moderate cultural acceptability 4-5 (41 firms); High cultural acceptability 5-7 (46 firms)