Security concerns of system users: A study of perceptions of the adequacy of security

In the past several years, a number of researchers have raised the issue of the level of security concern among system users, suggesting that security may be undervalued in both centralized and decentralized IS departments, and among IS staff as well as end-users. Since protective measures often require significant managerial vigilance, an appropriate level of awareness and concern may be a prerequisite for adequate security protection. Given its importance, there is a need for a better understanding of what leads to security concern. This paper focuses on users’ perceptions about the security of their systems. Based on previous work on individuals’ attitudes and beliefs about IS and IS environments, it is hypothesized that a user’s concern about security is a function of three different constructs: industry risk, company actions, and individual awareness. The study tests the main assertions of the model, using a cross-sample comparison of perceptions from two different survey instruments. The first sample used 570 randomly selected DPMA members. The second sample surveyed 357 end-users. The theoretical model does provide some explanation for level of concern among IS professionals in the mainframe and minicomputer environment. Both company actions and individual awareness were statistically significant, although the explained variance was not large. Problems with using post hoc analysis may have contributed to the partial and weak support for the model.