Three Essays on Adoption and Continuous Improvement of Information Security Management in Organizations

Abstract

In information intensive organizations secured management of information has become an important issue. Although organizations have been actively investing on information security, crime rate in this area keep increasing. Practitioners and academics have started to realize that information security cannot be achieved through only technological tools. Effective organizational information security depends on how to manage such activities in organizations. Empirical research on the management side of information security behaviors and factors influencing them is still in its infancy. The aim of this three essay dissertation is to focus on adoption and continuous improvement of information security management practices in organizations and uncover factors that play a significant role on IT professionals’ and managers’ decisions in dominant security contexts. More specifically, the first essay explores the factors which affect decision makers’ intention to adopt novel authentication systems. It examines how usability, deployability and security, as evaluation criteria of authentication systems, influence IT professionals’ decision making process in this regard. Further, the second essay elaborates on information security activities in organizations which occur prior to the incident. Taking a prototype-willingness model perspective, this essay aims to investigate how both rational and heuristic aspects of decision making can affect IT professionals’ proactive information security behavior. Finally, the third essay focuses on continuous improvement in information security management. Drawing upon organizational learning perspective, this study suggests organizational absorptive capacity enhances the way organizations dynamically and repeatedly make improvements in their information security management processes.