Institutional Drivers of Assimilation of Information Security Policies and Procedures in U.S. Firms: Test of an Empirical Model

摘要

Information security-related policies are important for organizations to safeguard against threats and plan for adverse events. However, adoption of policies (devised to insure security, privacy and acceptable use in organization, as well as to outline audit processes, disaster recovery and business continuance planning) are equally important for organizations to insure legitimacy in the eyes of stakeholders. This paper presents findings from a study that examines the degree to which institutional pressures effect the assimilation of security-related policies and procedures, i.e. The level of adoption. We examine the forces that influence assimilation of policies. Consistent with prior research, we measure mimetic, normative, and coercive forces, as perceived by managers in our sample organizations, and the current level of security-related policy assimilation. We find that the strength and significance of all three forces are confirmed.