This Is AuburnElectronic Theses and Dissertations

A Comparison Of Information Security Trends Between Formal And Informal Environments

Date

2006-08-15

Author

Ryan, James

Type of Degree

Dissertation

Department

Management

Abstract

The study compared the awareness and practice of information security between formal and informal computing-environments. This study was conducted to develop a measurement instrument for user-level awareness and practice of information security and establish a foundation upon which further research could be based. The study results included a delineation of the information security awareness domain, a tested measurement instrument, a tested model for user-level information security awareness, and a statistical profile of user-level information security awareness and practice among employees of a public research university. Characteristics which represent the operational definition of information security awareness and practice were found to be: personal innovativeness, computer self-efficacy, individual awareness, formal practice, and informal practice. Individual awareness was measured over perspectives of technology, policy, and threat-context. Formal practice was measured over perspectives of deterrent, preventive, and combined deterrent-preventive efforts. Informal practice was measured over perspectives of access control, physical protection, user authentication, security management, and encryption. Established scales were used to measure personal innovativeness and computer self-efficacy. The measurement instrument also included demographic variables and technology variables between computing-environments. All of these characteristics were considered ISA domain measures and were included in the developed measurement instrument. The extent of user-level information security awareness was supported by the measure to which these characteristics were acknowledged by individual computer users. A sample of 531 university employees indicated that the measurement instrument exhibited acceptable properties of reliability and validity. The survey data showed that the university employees had information security awareness to some extent. Also, the sample data had satisfactory fit within the research model. The study’s results supported the research model hypotheses. Personal innovativeness and computer self-efficacy had direct, positive relationships with individual awareness. Individual awareness mediated personal innovativeness and computer self-efficacy over direct, positive relationships with formal and informal practice. Formal practice mediated individual awareness over a direct, positive relationship with informal practice. The study’s results also indicated demographic and technology known-groups had effects over the ISA domain measures.