The more secure the better? A study of information security readiness

This paper seeks to investigate which factors influence user attitudes toward different levels of security measures for protecting data of differing importance. The paper also examines user characteristics including IT proficiency and risk propensity, which give rise to individual differences in such attitudes.

To capture user attitudes toward a security measure, a construct called “information security readiness” (ISR) and its corresponding measurement items were developed. Observations were collected from a laboratory experiment based on a 2×3 factorial design, with data criticality and security level as the treatment variables. The participants were undergraduate students of a major American university. The moderating effect of data criticality on the relationship between security level and ISR was tested with multi‐group structural equation modeling. In addition to the treatment variables, IT proficiency and risk propensity were included as covariates in the analysis.

The results revealed a nonlinear relationship between security level and ISR. For data of high criticality, enhancing security level had a positive impact on ISR, but only up to the point perceived as appropriate by the participants. For data of low criticality, the enhancement of security level was perceived as unnecessary. In addition, IT proficiency was found to be a significant covariate, especially when data criticality was high.

In practice, the specification of a security measure requires a trade‐off between the utility of the data protected and the usability of the security method. The measure of ISR provides a means to locate the equilibrium by examining user attitudes across different security levels in relation to a particular level of data criticality. The significance of IT proficiency demonstrates the importance of user training.

This study introduces the ISR construct to capture evaluation, power, and activity dimensions underlying an individual's cognitive beliefs, affective responses, and behavioral inclinations toward the adoption of security measures. The results provide interesting insights into the role of interaction between security level and data criticality in influencing ISR.