Dissertation Title

Employee adoption of information security measures in the manufacturing sector using extended TAM under a quantitative study Change Matrix for Revisions made as per comments

Comment Change

A1 Acronym spelt out

A2 Wordiness corrected

A3 Sentence clarity enhanced

A4 Acronym spelt out

A5 Clarified

A6 Would changed to will

A7 Sentence changed from passive to active voice

Section 1. Research Problem, Significance, Question(s), Title

1.1 Research Study State the research problem your study will investigate, including its background. See Instructions. Significant developments in understanding information technology (IT) security measures in information systems has been in existence for decades (Kim, Tao, Shin, & Kim, 2010; Liang & Xue, 2010). Despite an increased investment in technology aimed at increasing system security whose lack is the main problem being addressed, striking failures that constitute much of the problem exist. Security breach in using information systems withinin leading organizations like HP is one of such failures. The same issue exists in mobile technology (Subashini & Kavitha, 2011; Weber, 2010). Concern on the issue has increased especially in the digital age (Bélanger & Crossler, 2011). Nevertheless, increased investment in security has not contributed much in stopping security breaches as seen in previous studies and surveys (Subashini & Kavitha, 2011). Consequently, the problem to be addressed entails the ability to adopt information security systems’ measures as an aspect of end-user behavior when using an information security system. Armerding (2012) indicates that incidence and severity of data breaches are related to size of organization and industry, with large organizations and those operating in the financial sector most affected. Human factors pose the greatest threat to security issues, which is typically a major challenge to organizations since human conduct contributes to most system vulnerabilities as well as security breaches (Chiu, Lin, & Tang, 2005; Jones, McCarthy, & Halawi, 2010). This aspect raises great security concerns (Alice, 2010; D’Arcy, Hovav, & Galletta, 2009; PEW, 2013).

Bélanger and Crossler (2011) have conducted a study on security issues focusing on the digital age and indicated that information systems have a significant weakness. It has been difficult to determine whether participants provide the desirable answers expected of them or not with self-reported data. A major problem could be in adhering to information security policies as studied by Bulgurcu, Cavusoglu, and Benbasat (2010). Jones et al. (2010) intended to determine the mode of conducting study and its coverage in developing the sampling procedures. Similarly, no insights or empirical studies on employee adoption of information systems security measures based on specific industries, with studies assuming that adoption is similar across all sectors (Chuttur, 2009; Jones et al., 2010).

1.2 Purpose of the Research

State the purpose of the study. Typically, the purpose is to contribute to knowledge and solve the research problem. See Instructions. The purpose of this quantitative study is to establish the relationship between independent factors like employee perception, attitudes, and management support to the user behaviors regarding information systems security measures under the Theory of Planned Behavior. The independent variables, which include employees’ perceptions, attitudes, and management support, determine the change in the dependent variable. Behavior in using information security system measures is highly considered (Trochim, 2006; Vogt, 2007). The factors considered in this case will be evaluated according to their effect on the user behavior regarding the use of information system. Factors like employees’ perceptions, attitudes, and management support have the potential of influencing employee adoption regarding the use of information system security measures for a specific industry. The industry of concern is the manufacturing industry that could be found to have either vast differences or no differences between organizations and employees when it comes to observing information security measures. Differences among employees could also occur within a given company. The industry has reported high incidences of security breaches due to unobserved security protocols (Rieback, Crispo, & Tanenbaum, 2007).This research uses a non-experimental study with the original Technology Acceptance Model (TAM), as an outgrowth of the Theory of planned Behavior (TPB), which will be extended to be comparable to the one used in Jones et al. (2010).

The research aims to extend the original TAM model for comparison to that of Jones et al (2010) in order to take into account the attitudes of the employees with regards to their peers, managers, and supervisors, or the job with respect to the same model according to Kozar, Larsen, and Lee (2003). This is because their attitudes may affect the intention of the employees to adopt and follow information systems security measures (Phelps, Nowak, & Ferrell, 2000). This would be done, through an empirical research, using a theoretical framework according to the Theory of Planned Behavior on which TAM is based. The Theory of Planned Behavior considers attitude and subjective norm as important constructs. Literally, the study by Jones et al. (2010) showed that subjective norm highly influenced employees’ intention to adopt and use system security measures. The model by Jones et al. (2010) is applied by considering companies operating in the US in a specific industry, and by incorporating the variable of management support. This marks one of the gaps to be addressed. Further, by determining the influence generated by the attitudes of the employees with regards to their peers, managers, and supervisors, or the job, this research extends the use of Jones et al. (2010) extended TAM model, which incorporates management support as the intervening variable on subjective norms according to Jones, McCarthy, Halawi, and Mujtaba (2010).

Management support is incorporated in this study as an independent variable alongside employees’ attitudes and perceptions, while factors such as age and management level are used as intervening variables. The research provides new insights into ways of promoting employee acceptance of technology as well as assist in the development of appropriate security measures through the analysis of employee attitudes, management support and external controls on technology acceptance levels. An empirical study of the management support would validate the development of intervention measures relating to employee support.

1.3 Significance of the Study.

Describe the significance of your study’s investigation of the research problem. Include a statement of the study’s particular significance to the field of Organization and Management. See Instructions. This study is significant because it shows the usefulness of the study of the research problem to all stakeholders: system developers, policy makers, entrepreneurs, and managers, and information system users since it will offer additional insights with regards to promoting employee adoption and acceptance, as well as use of computer information system security measures. Managers can gain new insight into ways that promote employee acceptance and use of security systems policies, particularly for large corporations, by using the findings of the study. The empirical study will also help in determining the major factors that influence employees’ adoption of information systems security measures.

The research will thus contribute to new knowledge about the adoption information system and the respective security measures within a specific industry such as manufacturing, which may contribute to reducing system security measures adoption failures in organizations. Important information and insight is also provided, which security professionals and management can use in designing information security measures that promote usage by employees, and communicating them to the employees (Jones et al., 2010). Its significance to the academic field of study is that students, using future researcher, can gain an insight of the problem from a broader perspective since the study would bring together various aspects from previous studies and include some aspects that have never been tackled in such studies. Researchers would also gain a basis of arguing for the need to focus on information security measures even at an individual level (Chin, Felt, Sekar, & Wagner, 2012).

1.4 Research Question

Write out your research question. If there are sub-questions or more than one, number them accordingly. See Instructions. Using information system is a sensitive practice, but some employees within some organizations may not observe the necessary security measures adequately. The failure in this aspect could be associated with a number of factors, which are the variables to be used for the research. The statistical model used to test the omnibus/overall hypothesis is TAM, which is a modification from Jones et al. (2013) using a probability sample obtained using the random sampling method.

These variables then lead to the following research questions:

Main RQ: To what extent do employees’ perceptions, attitudes, and management support predict end-user behavior in adopting information security systems based on the theory of planned behavior?

Sub-Questions

RQ1: To what extent do employees’ perceptions predict end-user behavior in adopting information security systems, based on the theory of planned behavior?

RQ2: To what extent do employees’ attitudes predict end-user behavior in adopting information security systems, based on the theory of planned behavior?

RQ3: To what extent does management support predict end-user behavior in adopting information security systems, based on the theory of planned behavior?

1.5 HypothesesFor each quantitative question and sub-question (sub-Q), list hypotheses for their investigation. Give nulls and alternates for each sub-Q. See Instructions. Ho1: There is no significant relationship between employees’ perceptions in predicting end-user behavior when using Information Systems

Ha1: There is a significant relationship between employees’ perceptions in predicting end-user behavior when using Information Systems

Ho2: There is no significant relationship between employee attitudes in predicting end-user behavior when using Information Systems

Ha2: There is a significant relationship between employees’ attitudes in predicting end-user behavior when using Information Systems

Ho3: There is no significant relationship between management support influence to employees’ behavioral intentions when using Information Systems

Ha3: There is a significant relationship between management support influences to employees’ behavioral intentions when using Information Systems.

1.6 Method overview Briefly describe the methodologies and methods (data collection, statistical models, and analysis) that will be used to conduct the study. The proposed method is a quantitative study that is non-experimental. Quantifiable data is used to derive a solution to the research problem as a quantitative study. A meaningful research design would be considered for the quantitative study. The design is based on targeting major corporations in the manufacturing industry approach on a sample of 2*102 respondents from 10 leading major corporations in the manufacturing sector, specifically those operating in the US. This implies that from each corporation, 20 respondents would be selected from 10 corporations through random sampling and the final list maintained for the research. Permission will be obtained from the responsible management. This sample size would be large enough to minimize biasness of the research results. Only the corporations having information systems security measures in place would be considered. An online survey tool, specifically Survey Monkey, will be used. The link for the survey will be distributed via e-mail to potential respondents. Questionnaires will be used for the survey. Each of the respondents would be chosen randomly and completely by chance. All the respondents would have an equal probability of being selected from any of the 10 corporations during the sampling process. The technique would be a surveying technique that is hardly biased (Yates, David, Daren, 2008).

Partial Least Squares (PLS), which is an element-based structural equation modeling method, will be used to analyze the data collected. PLS graph, build 1126, version 3 will be used for data analysis. The guidelines specified in Chin et al. (2003) shall be followed while analyzing the data; additionally, other exemplars in Information Systems research will also be followed. Modeling of the constructs will be done using reflective indicators. Employee attitude will be coded as per the score of each participant, while perception will be coded as an ordinal variable; this will be consistent with Davis (2000).

Ordinal data would be tested for normality in order to be used for parametric testing with respect to the numerical scores placed on the variable (Sheskin, 2007). Prior to indicating the terms of interaction, the variables will be mean-centered at the indicator level. This will help limit certain multicollinearity. To test the various PLS models, bootstrapping method will be employed.

1.7 Dissertation Title

Do not write the title until Items 1.1-1.6 are complete. See Instructions. Employee adoption of information security measures in the manufacturing sector using extended TAM under a quantitative study

DISSERTATION RESEARCHERS: STOP!!!

If this RP is for your dissertation (after comps), forward completed Section 1 plus your references gathered so far (section 8) to your Mentor for review and for Specialization Chair’s Approval. (Work on your full Literature Review while waiting for topic approval)

Section 2. Overall Methodology and Approach

2.1 Research Design

Describe your research design in words. See Instructions. The study would be based on a quantitative research methodology, which focuses on gathering data, usually in numerical form. The data would then be generalized across large groups of people, especially employees within similar organizations. A non-experimental approach shall be used on a sample of 200 respondents from 10 leading major corporations in the manufacturing sector, specifically those operating in the US. From each corporation, 20 respondents shall be considered for the research. Each of the companies must have information systems security measures in place. Since the research is quantitative in nature, quantitative methods of data collection and analysis shall be used for the survey. An online survey tool and a Survey Monkey will be used since the data will be collected through online means. To make the online survey possible online questionnaires will be distributed via e-mail to potential respondents, which would be done through the Survey Monkey audience service. The potential respondents will be typically selected using a random sampling technique. Each of the 10 organizations will offer an opportunity for testing the research model in real world settings. The potential respondents will be derived from the ten different organizations offering different functional areas. In all the ten organizations, data will be collected over a period of five months with four measurement points. The data shall then be compiled for analysis. The analysis shall also be quantitative.

2.2 Approach

Quantitative approaches include experimental, quasi-experimental, or non-experimental. Please state the approach, then how it is consistent with your research problem/question. See Instructions for details. The approach that shall be utilized for this study, as has already been mentioned, shall be a non-experimental approach, which either describes something that has happened or evaluates the relationships between variables. This approach is selected since this study has a number of independent variables that are to be studied against a dependent variable, which cannot be manipulated; the research question is what drives this study. Non-experimental research approach is used in determining the nature of a given situation as it is at the time of a given study. With this kind of approach, no control or administration of treatment is required as is the case with experimental approach. Despite the fact that non-experimental is not usually meant to test hypothesis, a casual comparative approach, which is directed towards hypothesis testing is used. This hypothesis testing is used because it can provide a good description of the relationship between perceptions, attitudes, and management support influence when using Information Systems.

2.3 Methodological Model

Describe the statistical model. If using a particular quantitative model (e.g., structural equation modeling or a specific kind of regression analysis), describe it here. The model must align with the research question. If not, type N/A. See Instructions for details. PLS, Partial Least Squares, which is an element-based structural equation modeling method, will be used to analyze the data collected. PLS graph, build 1126, version 3 will be used for data analysis. According to Chin, Marcolin, and Newsted (2003), PLS have very minimal restrictions with regards to the sample size used as well as the distributional assumptions. The guidelines specified in Chin et al. (2003) shall be followed while analyzing the data; additionally, other exemplars in Information Systems research will also be followed such as Structured Equation Modeling (SEM). Modeling of the constructs will be done using reflective indicators. Employee attitude will be coded as per the score of each participant, while perception will be coded as an ordinal variable; this will be consistent with Davis (2000). Prior to indicating the terms of interaction, the variables will be mean-centered at the indicator level. This will help limit certain multicollinearity. Bootstrapping method will be employed to test the various PLS models.

2.4 Rationale

Discuss how your design is suited to answering your research question(s). See Instructions for details. The 10 organizations will offer an opportunity for testing the research model in real world settings. This design will enable hypothesis testing, specifically allow for the description of the relationship between perceptions, attitudes, and management support influence when using Information Systems. The use of a large sample would provide results that reflect close to the actual population being studied due to lack of biasness.

Section 3. Framework, Constructs, Variables, Operational Definitions

3.1 Theoretical Framework

Describe the business theory base that guides or focuses this study or defines the constructs it will investigate. See Instructions. Previous studies using TAM such as Jones et al. (2010) have focused more on three wide areas including some of them replicating TAM and focusing on psychometric features of TAM constructs; other have offered theoretical underpinning of great importance for TAM constructs, specifically with regards to perceived ease of use and perceived usefulness; others have sought to extended the TAM model by adding some more constructs as determinants of the original TAM constructs. The behavioral theory also explains two of the three constructs, attitude and perception in terms of cognitive dissonance theory and the self-perception theory respectively.

Such theories explain how these variables relate to one another and the way they can influence the adoption of information security measures by employees. Motivation theory of management could be used for management support construct to strengthen the moderation aspect of the variable as discussed further in the paper. Further, studies into employee adoption of information system security measures that have been carried out using the extended TAM such as that of Jones et al. (2010), have focused on self-reported data, which are usually considered to cause a lot of concern since it is difficult to accurately rate their behavior. In fact, with self-reported data, it is difficult to determine whether participants’ gives expected desirable answers or the most truthful answers.

There are no insights or empirical studies on employee adoption based on specific industries as well. Most studies assume that such adoption is similar across all sectors (Chuttur, 2009; Jones et al., 2010). With this in mind, this research develops a theoretical framework which incorporates and somewhat extends TAM with the aim of assessing the factors that influence employee adoption and use of information system security measures for a specific industry, the manufacturing industry, which has reported high incidences of security breaches.

The TAM model proposed is comparable to that used in Jones et al. (2010) but takes into account additional constructs including the attitudes of the employees with regards to their peers, managers, and supervisors, or the job. This is because employees’ attitudes may affect the intention of the employees to adopt and follow information systems security measures. Thus, this theoretical framework is based on the Theory of Planned behavior. This is because the Theory of Planned behavior considers attitude and subjective norm as important constructs. In fact, the study by Jones et al. (2010) also showed that subjective norm had the largest effect on employees’ intention to adopt and use system security measures. Further, by determining the effect of the attitudes of the employees with regards to their peers, managers, and supervisors, or the job, this research extends the use of Jones et al (2010) extended TAM model which incorporates management support as the intervening variable on subjective norms. Management support is however incorporated as the intervening variable on employees’ attitudes to use in this study.

The research consequently provides new insight into ways of promoting employee acceptance of technology as well as assist in the development of appropriate security measures through the analysis of employee attitudes, management support and external controls on technology acceptance levels. An empirical study into the management support would validate the development of intervention measures relating to employee support.

3.2 Unit(s) of Analysis

Describe the unit(s) of analysis for this study. Typically, the unit of analysis will be individual or group. Multiple research questions may require different units of analysis. See Instructions. This study focuses on analyzing employee behavior and adoption of information security systems. In order to analyze employee adoption of security systems, data regarding employee perceptions, attitudes, and management support will be collected, and will be used to determine whether these variables influence employee adoption of security systems. In this study, the unit of analysis is an individual from the sample versus a behavior portrayed by the individual, particularly, employee attitudes and perception with regards to adoption of information security systems. In this regard, to determine and accept whether the hypothesis is probably true or false, certain steps are taken. The research questions and the related hypothesess being addressed are:

Main RQ: To what extent do employees’ perceptions, attitudes, and management support predict end-user behavior in adopting information security systems based on the theory of planned behavior?

Sub-Question and Respective Hypotheses

RQ1: To what extent do employees’ perceptions predict end-user behavior in adopting information security systems, based on the theory of planned behavior?

Ho1: There is no significant relationship between employees’ perceptions in predicting end-user behavior when using Information Systems

Ha1: There is a significant relationship between employees’ perceptions in predicting end-user behavior when using Information Systems

RQ2: To what extent do employees’ attitudes predict end-user behavior in adopting information security systems, based on the theory of planned behavior?

Ho2: There is no significant relationship between employee attitudes in predicting end-user behavior when using Information Systems

Ha2: There is a significant relationship between employees’ attitudes in predicting end-user behavior when using Information Systems

RQ3: To what extent does management support predict end-user behavior in adopting information security systems, based on the theory of planned behavior?

Ho3: There is no significant relationship between management support influence to employees’ behavioral intentions when using Information Systems

Ha3: There is a significant relationship between management support influences to employees’ behavioral intentions when using Information Systems.

3.3 Constructs

Define each construct required by the research question and title. Provide citations showing your theoretical framework. Number each construct. See Instructions. Various constructs are required by the research questions and title in this study. A construct refers to a conceptual term that describes a scenario that cannot be directly observed; it is basically an abstract idea or image meant for a given study. The constructs are defined as follows:

Employees’ Attitudes

The study evaluates employee behavior particularly, employee attitudes and perception with regards to adoption of information security systems. Attitude and perception are mainly attributed to lack of experience among people. Attitudes and perception can be explained through the Cognitive Dissonance Theory, which allows the action of dissonance between the factors causing levels of uncomfortable feeling and a determination wavering thereby reflecting the need to change due to this. This aspect could ultimately generate some variation in the way employees respond to the use of information systems (Jeffrey, 2005).

Employees’ Perception

The study also evaluates employees’ perceptions towards the use of information security measures. Perception is essentially the way an individual perceives something in terms of the benefits or issues associated with it (Ion & Langheinrich et al., 2010). The theory of Self-perception can explain this construct and accounts for attitude formation among people. According to the theory, individuals develop their attitudes due to lack of experience (Laird, 2007). The lack of experience determines the way people would perceive something such as using information security measures in the case of this study.

Management Support

The research investigates employees’ behavioral intention to adopt and use information security measures and the relationship to management support, employee attitudes and employee perception. Management happens within an organizational setting that is well structured with prescribed roles, and it is set to achieve aims and objectives by influencing employees’ efforts. Management support can be achieved through the Theory of Motivation, in which the management provides the best motivational support possible to its employees (Kautish & Thapliyal, 2012).

The IVs (Independent Variables) in this study are employee’s perception and employee’s attitudes while the dependent variable is the employees’ behavioral intention to adopt and use information security systems. Management support, on the other hand, acts as an MV, Moderating Variable. Other MV, Moderating Variables related to the research question and the hypothesis include: (i) age, (ii) level of management or work, and (iii) years of employment. Age is a demographic variable used as an MV. It has some impact on Internet usage besides haltering the attitude and perception of people towards the use of information security measures (Teo, 2001; Zukowski & Brown, 2007).

3.4 Variables (Definitions of Constructs as variables)

Define each construct (in Item 3.3) as a variable. Provide citations to theoretical framework or previous research supporting the selection of variable type. See Instructions. Employee’s Perception: Perception refers to people’s sensory experience of their environment, involving both recognition and actions in response to environmental stimuli and contributes to the way one perceives something in real life (Goldstein & Cialdini, 2009). In this study, employee perceptions are considered as being reality; it is what the employees perceive or consider about security measures regardless of the management’s intent about security measures (Sandhu & Samarati, 1994).

Employee’s Attitude: Attitude can be defined as being an investigative and evaluative judgment either unfavorable or favorable that is directed or is possessed by an individual towards an object, attitude object according to Laird (2007) An object or attitude object can either be concrete, such as the internet, or abstract, such as information technology security measures.An individual or a group could depict the attitude. (Sarker, Valacich, & Sarker, 2005). Usually, employees are typically somewhat biased towards those objects, in which their examination is positive; they are also against those attitude objects in which their evaluation is negative.

Management Support: Management support is a moderating variable. Management support entails the use of prescribed roles to assist employees in their activities by enhancing their efforts. The support can be offered through employee motivation, through guidance, leading by example, as well as through encouragement (Kautish & Thapliyal, 2012). The theory of motivation can be useful in this case such as security protection motivation (Herath & Rao, 2009). In their study, Kautish and Thapliyal (2012) investigated decision support system and established that it is highly related to knowledge management, which is an aspect of management support.

3.5 Operational Definitions

Present an operational definition for each construct you will measure (with citations for published measures). See Instructions. Employee’s Attitude: In this study, the interest is to the extent to which an employee’s attitude towards information system’s security measures are moderated by their age, employment or management level, and management support.

Employee’s Perception: The interest in this research is to the extent to which an employee’s perception of information system’s security measures is moderated by their age, employment or management level, and management support. The perception can determine the effort employed in the fight to protect information (Sovern, 1999).

Management Support: The interest in this research is show the effect of each independent variable with respect to the support by the management can influence information security measures among employees within the 10 corporations.

3.6 Relationships among Variables

1) State the relationships between or among variables. Ensure consistency with research question and title. 2) Draw a picture of the relationship of the relationship of the DVs, IV and any other variables with the appro