Understanding organizational information security usage from the risky decision-making perspectives

Most of the research on information security has focused on the technical issue, but securing organizational systems has its grounding in personal behavior. In the past two years, more and more scholars concerned adoption and compliance behavior of information systems security technology. Most of these studies examined the predictors to security technology adoption in organizations based on traditional the theory of planned behavior (TPB), the technology acceptance model (TAM), the protection motivation theory (PMT), and their extensions. The scholars have distinct contributions but few of them examined security technology adoption from the risky decision-making perspective. Based on the research of risky decision behavior as well as the extension of both TAM and PMT, this study proposes a conceptual model that employs risk-related factors to predict managerial attitude toward adopting security technologies. Unlike most works that merely consider perceived usefulness of technology from the positive benefits perspective, this study suggests that the downside of risk is a major determinant of managerial behavior in adopting security technology. This study places two perceived risks and decision-maker risk propensity into the model to clarify the relationships between the three risk-related factors and perceived usefulness, as well as their effects on security technology adoption. Propositions derived from the conceptual model provide an agenda for future studies of security technology adoption in organizational settings.