
Perception Model Of Information Security And Its Applications

Posted on: 2010-09-26
Degree: Doctor
Type: Dissertation
Country: China
Candidate: D L Huang
GTID: 1118360278462105
Subject: Management Science and Engineering
Abstract/Summary:
Information security involves not only technology, but also human factors. However, little research has been conducted on the antecedents and consequences of people's perception of information security. The objectives of this study are 1) to investigate how people perceive information security and to unveil the factors that influence people's perception of different threats to information security, 2) to investigate the effects of people's perception of information security on their intention to adopt IT appliances, and 3) to investigate the effects of people's perception of information security on their intention to follow security practices.

A six-factor structure modeling people's perception of information security was first developed, using a survey study and statistical analysis. In the survey study, 602 respondents were asked to evaluate one of 21 common threats to information security with regard to its rank on each of the 20 threat-related features. An exploratory factor analysis was then conducted, and a six-factor model was derived, which includes the factors of perceived Knowledge, Impact, Severity, Controllability, Possibility and Awareness. Using this model (referred to as the KISCAP model), the characteristics of the five most dangerous threats (hackers, worms, viruses, Trojan horses and backdoor programs) and the five least dangerous threats (spam, pirated software, operation accidents, users' online behaviour being recorded and deviation in quality of service) were discussed and compared. The relationships between the factors and the perceived overall danger of threats were found and then tested by multiple regression analyses. Significant effects related to computer experience and types of loss were also found in people's perception of information security.

Based on the KISCAP model, six hypotheses exploring the effects of people's perception of information security on their intention to adopt IT appliances and their intention to follow security practices were developed. To test the hypotheses, two separate experiments were conducted. In experiment I, 64 participants were asked to transfer money through an e-banking system. Their intentions to adopt e-banking were measured by a questionnaire. In experiment II, 64 participants were asked to register on an online forum. Their subjective intentions to create a strong password were measured by a questionnaire, and the objective strength of the passwords they created was calculated. The results of ANOVA and the path models derived from path analysis indicated that 1) people's adoption intention, such as their intention to adopt e-banking, can be enhanced by changing their perceived Knowledge, Controllability and Awareness, with changing their perceived Controllability being the most effective way, and 2) people's compliance with security practices, such as setting strong passwords for IT systems, can be enhanced by changing their perceived Knowledge, Severity and Possibility, with changing their perceived Knowledge and Severity being the most effective ways. Suggestions were also generated from exploratory interviews.

The theoretical and empirical findings of this dissertation provide a solid foundation for the study of human factors in information security. Design guidelines for IT practitioners to encourage the adoption of IT appliances and the desire to comply with security practices are proposed based on these findings.
Keywords/Search Tags:information security, perception, e-banking, password setting