The more secure the better? A study of information security readiness

Jun Sun (The University of Texas – Pan American, Edinburg, Texas, USA)
Punit Ahluwalia (The University of Texas – Pan American, Edinburg, Texas, USA)
Kai S. Koong (The University of Texas – Pan American, Edinburg, Texas, USA)

Industrial Management & Data Systems

ISSN: 0263-5577

Publication date: 26 April 2011



This paper seeks to investigate which factors influence user attitudes toward different levels of security measures for protecting data of differing importance. The paper also examines user characteristics including IT proficiency and risk propensity, which give rise to individual differences in such attitudes.


To capture user attitudes toward a security measure, a construct called “information security readiness” (ISR) and its corresponding measurement items were developed. Observations were collected from a laboratory experiment based on a 2×3 factorial design, with data criticality and security level as the treatment variables. The participants were undergraduate students of a major American university. The moderating effect of data criticality on the relationship between security level and ISR was tested with multi‐group structural equation modeling. In addition to the treatment variables, IT proficiency and risk propensity were included as covariates in the analysis.


The results revealed a nonlinear relationship between security level and ISR. For data of high criticality, enhancing security level had a positive impact on ISR, but only up to the point perceived as appropriate by the participants. For data of low criticality, the enhancement of security level was perceived as unnecessary. In addition, IT proficiency was found to be a significant covariate, especially when data criticality was high.

Practical implications

In practice, the specification of a security measure requires a trade‐off between the utility of the data protected and the usability of the security method. The measure of ISR provides a means to locate the equilibrium by examining user attitudes across different security levels in relation to a particular level of data criticality. The significance of IT proficiency demonstrates the importance of user training.


This study introduces the ISR construct to capture evaluation, power, and activity dimensions underlying an individual's cognitive beliefs, affective responses, and behavioral inclinations toward the adoption of security measures. The results provide interesting insights into the role of interaction between security level and data criticality in influencing ISR.



Sun, J., Ahluwalia, P. and Koong, K. (2011), "The more secure the better? A study of information security readiness", Industrial Management & Data Systems, Vol. 111 No. 4, pp. 570-588.

Download as .RIS



Emerald Group Publishing Limited

Copyright © 2011, Emerald Group Publishing Limited

Please note you might not have access to this content

You may be able to access this content by login via Shibboleth, Open Athens or with your Emerald account.
If you would like to contact us about accessing this content, click the button and fill out the form.
To rent this content from Deepdyve, please click the button.