Computer user security: A model facilitating measurement.

Computer user security considers the actions of computer users in supporting or thwarting computer security. This research considered computer users that were employees or other workers that acted like fulltime employees of organizations. Most security failures had some link to users; despite the best technical products and plans, one could not overcome user risks. It was therefore important to know the status of computer user security, changes in this area over time, and comparative levels between areas. There appeared to be no objective method to measure the computer security abilities of a group of users in an organization. Little agreement was evident on what constituted user security with over one hundred different descriptive words used in formal literature. A further problem was that important terms like awareness had numerous and even opposing definitions. This research aimed to create a strong theoretical model based on an extensive review of the literature. Next, it evaluated the viability of the model using quantitative methods including surveys and partial least squares (PLS) statistical analysis. The research emulated and extended UTAUT by Venkatesh, Morris, Davis, and Davis who published the model as "User Acceptance of Information Technology: Toward a Unified View" in MISQ, 2003. Finally, this research extended findings to practical measurement. The outcome found support for the new model, but indicated that security technology usage had external influences that limited the relevance of UTAUT. The measurement system identified specific facets and locations that were either strong or weak. Included in the sample data were two apparent anomalies that later proved to have been accurate detection and measurement by the new system. This exploratory research created a basis that promoted the ability for organizations to objectively comply with legal reporting requirements, identify weaknesses in the most serious security areas, isolated specific locations needing improvement, and allowed for efficient budget allocations. The judgment of remediation efficacy was a further anticipated benefit.