Acceptance factors influencing adoption of National Institute of Standards and Technology information security standards: A quantitative study

Adoption of a comprehensive information security governance model and security controls is the best option organizations may have to protect their information assets and comply with regulatory requirements. Understanding acceptance factors of the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) comprehensive security governance framework and NIST SP 800-53 security controls will help organizations be better prepared for adoption of these standards and assist educators/trainers in tailoring content to address shortcomings in existing course material or training content. The purpose of this study was to investigate how the Unified Theory of Acceptance and Use of Technology (UTAUT) explained the relationship between the intent to adopt and actual use of NIST RMF and SP 800-53 security controls within U.S. organizations. The study was administered by soliciting participants from the Information Security Community group, a LinkedInRTM social networking group dedicated to information security professionals. Analysis of the research data was conducted using Partial Least Squares regression analysis to evaluate the reliability and validity of the measures and assess the path coefficients between the latent and manifest variables. This research study reveals that social influence is a valid predictor of intention to adopt NIST RMF and SP 800-53 standards and facilitating conditions is a predictor of actual use of NIST RMF and SP 800-53 standards within U.S. organizations. However, performance expectancy, effort expectancy, and behavioral intention are not valid indicators for predicting the intention to adopt or actual use of NIST RMF and SP 800-53 standards within U.S. organizations.