Title

Types of Employee Perceptions of Information Security Using Q Methodology: An Empirical Study

DOI

10.6702/ijbi.2015.10.4.6

Author

Chung-Chu Liu

Keywords

Information security ; perception types ; Q methodology ; perception ; sorting

Journal

International Journal of Business and Information

Volume and issue / Publication date

Vol. 10, No. 4 (2015 / 12 / 01)

Pages

557 - 575

Language

English

English abstract

Information security is integral to creating competitive advantage in business today, particularly in light of the increasing number of security breaches made possible through technological advances. The purpose of this research is to help in understanding and developing types of information security in businesses based on employee perceptions. The study examines the types of employee perceptions of information security within companies. To create useful perception types, this study conducted a review of the literature and gathered data from the managers and employees of some companies in Taiwan, using a questionnaire and interviews incorporating 36 Q questions. The study used Q methodology to analyze the data collected. The Q process yielded 22 valid responses from an initial sample of 30. Based on the results, the study identifies four types of employee perceptions with regard to information security: conception installment (Type 1), mechanism monitoring (Type 2), employee controlling (Type 3), and software monitoring (Type 4). The study summarizes the demographics, statements, and possible implications of each type, along with references for each. The results provide a reference for companies seeking to better understand their employees' perceptions of information security and to evaluate methods they have adopted with regard to ensuring information security.

Subject classification: Basic and Applied Sciences > Information Science
Social Sciences > Economics
Social Sciences > Management
Cited by
  1. 劉仲矩, 陳秀育 (2017). A study of the types of visitor perceptions of orange ports using Q methodology. 管理實務與理論研究, 11(1), 1-18.