External, Internal, and Inherent Factors Affecting End-User Security Awareness within Institutions of Higher Learning
The intent of information systems security (ISS) is to prevent unauthorized access to organizational data. Research shows that reduced employee awareness has caused 50-80% of ISS breaches, annually, since 2001, with damages more than $20 billion a year for organizations in the United States alone. Key research by Decker (2008) showed that end-user levels of ISS awareness (ISSA) are driven by inherent, internal, and external factors. The use of these factors provided an integrated means of assessing end-user levels of ISSA. However, Decker's survey instrument was never validated. The purpose of this study was to assess the extent to which Decker's survey had construct validity, assessed by model fit, discriminant validity, and convergent validity. Using a quantitative methodology, Decker's original survey was administered to a cross-sectional sample of 1,287 staff members from 38 institutions of higher education in the state of Kansas. Confirmatory factor analysis was then applied to a 1-factor measurement model and a 4-factor measurement model. Results from the 1-factor measurement model showed good model fit and good discriminant and convergent validity, confirming construct validity for the use of the 4 factors as measures of ISSA. The 4-factor measurement model indicated poor fit, good discriminant validity, but poor convergent validity, suggesting that the Decker survey requires refinement. Based on model fit statistics, the inherent factor was not captured well. Based on measures of convergent validity, the internal factor showed significant problems. The results may guide further research into creating a more effective measurement instrument of ISSA, assisting organizations in elevating and controlling end-user levels of ISSA, and thereby contributing to positive social change.