Information Technology and Management

, Volume 16, Issue 3, pp 173–192 | Cite as

Relationships between need-pull/technology-push and information security management and the moderating role of regulatory pressure



Information security management (ISM) has become more important than ever, as the expansion of corporate information systems and the use of networks continue to increase. Many organizations consider ISM an important part of organizational innovation and key to strategic and operational efficiency. Managers require a firm understanding of the behavioral aspect of ISM, particularly of how their firms’ internal and external characteristics affect the ISM process. This study draws on need-pull–technology-push (NP–TP) theories and employs data on information security users to investigate the NP and TP factors influencing the awareness, development, and performance stages of ISM. This study also examines the moderating role of regulatory pressure in those relationships. The research model is tested with data taken from a random sample of global organizations obtained through the Korea Composite Stock Price Index, the Korean Securities Dealers Automated Quotation, and the Korea Foreign Company Association. The results indicate that all NP–TP variables had positive effects on the ISM process (with the exception of perceived benefits). Moreover, regulatory pressure had positive effects as a moderator between ISM awareness and ISM development and performance.


Information security management Internal needs/external pressure (need-pull/technology-push) Regulatory pressure 



This research was supported by Kyungpook National University A.S Research Fund, 2014. The authors would like to thank the editor and anonymous reviewers for all their suggestions.


  1. 1.
    Anderson DL, Agarwal R (2010) Practicing safe computing: a multimethod empirical examination of home computer user security behavioral intentions. MIS Q 34(3):613–643Google Scholar
  2. 2.
    Appari A, Johnson ME (2009) HIPAA compliance: an institutional theory perspective. In: AMCIS 2009 proceedingsGoogle Scholar
  3. 3.
    Babatunde DA, Selamat MH (2012) Investigating information security management and its influencing factors in the Nigerian banking industry: a conceptual model. Int J Soc Sci Econ Art 2(2):55–59Google Scholar
  4. 4.
    Baker WH, Wallace L (2007) Is information security under control? IEEE Secur Priv 5(1):36–44CrossRefGoogle Scholar
  5. 5.
    Barua A, Konana P, Whinston AB, Yin F (2004) An empirical investigation of net-enabled business value: an exploratory investigation. MIS Q 28(4):585–620Google Scholar
  6. 6.
    Bassellier G, Benbasat I (2004) Business competence of information technology professionals: conceptual development and influence on IT–business partnerships. MIS Q 28(4):673–694Google Scholar
  7. 7.
    Bentler PM (1990) Comparative fit indexes in structural models. Psychol Bull 107:238–246CrossRefGoogle Scholar
  8. 8.
    Brandon DP, Hollingshead AB (2004) Transactive memory systems in organizations: matching tasks, expertise, and people. Organ Sci 15(6):633–644CrossRefGoogle Scholar
  9. 9.
    Brown CV, Sambamurthy V (2001) Coordination theory in the context of the IT function: linking the logic of governance and coordination mechanisms. University of Maryland Working PaperGoogle Scholar
  10. 10.
    Browne MW, Cudeck R (1993) Alternative ways of assessing model fit. In: Bollen KA, Long JS (eds) Testing structural equation models. Sage, Newbury Park, pp 136–162Google Scholar
  11. 11.
    Bulgurcu B, Cavusoglu H, Benbasat I (2010) Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Q 34(3):523–548Google Scholar
  12. 12.
    Carmines EG, McIver JP (1981) Analyzing models with unobserved variables. In: Bohrnstedt GW, Borgatta EF (eds) Social measurement: current issues. Sage, Beverly Hills, pp 65–115Google Scholar
  13. 13.
    Chang SE, Ho CB (2006) Organizational factors to the effectiveness of implementing information security management. Ind Manag Data Syst 106(3):345–361CrossRefGoogle Scholar
  14. 14.
    Chatterjee D, Grewal R, Sambamurthy V (2002) Shaping up for e-commerce: institutional enablers of the organizational assimilation of web technologies. MIS Q 26(2):65–89CrossRefGoogle Scholar
  15. 15.
    Chau PYK, Tam KY (1997) Factors affecting the adoption of open systems: an exploratory study. MIS Q 21(1):1–24CrossRefGoogle Scholar
  16. 16.
    Chau PYK, Tam KY (2000) Organizational adoption of open systems: a ‘technology-push, need-pull’ perspective. Inf Manag 37(5):229–239CrossRefGoogle Scholar
  17. 17.
    Chidamber SR, Kon HB (1994) A research retrospective of innovation inception and success: the technology-push, demand-pull question. Int J Technol Manag 9(1):94–112Google Scholar
  18. 18.
    Chin W (1998) The partial least squares approach for structural equation modeling. In: Marcoulides GA (ed) Modern methods for business research. Lawrence Erlbaum, Hillsdale, pp 295–336Google Scholar
  19. 19.
    Cohen J (1992) A power primer. Psychol Bull 112(1):155–159CrossRefGoogle Scholar
  20. 20.
    Cooper R, Zmud R (1990) Information technology implementation research: a technological diffusion approach. Manag Sci 36(2):123–139CrossRefGoogle Scholar
  21. 21.
    D’Arcy J, Hovav A, Galletta D (2009) User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Inf Syst Res 20(1):79–98CrossRefGoogle Scholar
  22. 22.
    Dhillon G, Backhouse J (2000) Information system security management in the new millennium. Commun ACM 43(7):125–128CrossRefGoogle Scholar
  23. 23.
    DiMaggio PJ, Powell WW (1983) The iron cage revisited: institutional isomorphism and collective rationality in organizational fields. Am Sociol Rev 48(2):147–160CrossRefGoogle Scholar
  24. 24.
    Dodge CR, Carver C, Ferguson JA (2007) Phishing for user security awareness. Comput Sci 26(1):73–80Google Scholar
  25. 25.
    Fichman RG (2004) Real options and IT platform adoption: implications for theory and practice. Inf Syst Res 15(2):132–154CrossRefGoogle Scholar
  26. 26.
    Flanagin AJ (2000) Social pressures on organizational website adoption. Hum Commun Res 26(4):618–646CrossRefGoogle Scholar
  27. 27.
    Fornell C, Larcker DF (1981) Evaluating structural equation models with unobservable variables and measurement error. J Mark Res 18(1):39–50CrossRefGoogle Scholar
  28. 28.
    Furnell S (2008) End-user security culture: a lesson that will never be learnt? Comput Fraud Secur 2008(4):6–9CrossRefGoogle Scholar
  29. 29.
    Furnell SM, Gennatou M, Dowland PS (2002) A prototype tool for information security awareness and training. Logist Inf Manag 15(5/6):352–357CrossRefGoogle Scholar
  30. 30.
    Galliers R (2007) Strategizing for agility: confronting information systems inflexibility in dynamic environments. In: DeSouza K (ed) Agile information systems. Butterworth-Heinemann, Elsevier Inc, Burlington, pp 1–15Google Scholar
  31. 31.
    Grover V, Saeed KA (2007) The impact of product, market, and relationship characteristics on interorganizational system integration in manufacturer–supplier dyads. J Manag Inf Syst 23(4):185–216CrossRefGoogle Scholar
  32. 32.
    Grover V, Goslar MD (1993) The initiation, adoption, and implementation of telecommunications technologies in US organizations. J Manag Inf Syst 10(1):141–163Google Scholar
  33. 33.
    Guo KH, Yuan Y, Archer NP, Connelly CE (2011) Understanding nomnalicious security violations in the workplace: a composite behavior model. J Manag Inf Syst 28(2):203–236CrossRefGoogle Scholar
  34. 34.
    Han IG, Sun HK (1998) A case study on the information security management system for major Korean business groups. Asia Pac J Inf Syst 8(2):105–119Google Scholar
  35. 35.
    Ho CR, Chi YP, Tai YM (2005) A structural approach to measuring uncertainty in supply chains. Int J Electron Commer 9(3):91–114Google Scholar
  36. 36.
    Hsu C, Lee JN, Straub DW (2012) Institutional influences on information systems security innovations. Inf Syst Res 23(1):1–22CrossRefGoogle Scholar
  37. 37.
    Hu Q, Hart P, Cooke D (2007) The role of external and internal influences on information systems security—a neo-institutional perspective. J Strateg Inf Syst 16(2):153–172CrossRefGoogle Scholar
  38. 38.
    Ives B, Olson MH (1984) User involvement and MIS success: a review of research. Manag Sci 30(5):586–603CrossRefGoogle Scholar
  39. 39.
    Jung WJ, Shin Y, Lee SYT (2012) The behavioral attitude of financial firms’ employees on the customer information security in Korea. Asia Pac J Inf Syst 22(1):53–77Google Scholar
  40. 40.
    Kearns GS, Lederer AL (2004) The impact of industry contextual factors on IT focus and the use of IT for competitive advantage. Inf Manag 41(7):899–919CrossRefGoogle Scholar
  41. 41.
    Keller S, Powell A, Horstmann B, Predmore C, Crawford M (2005) Information security threats and practices in small business. Inf Syst Manag 22(2):7–19CrossRefGoogle Scholar
  42. 42.
    Khalifa M, Davison RM (2006) SME adoption of IT: the case of electronic trading systems. IEEE Trans Eng Manag 53(2):275–284CrossRefGoogle Scholar
  43. 43.
    Kim HS (1999) A study on the quantification of information security level. Asia Pac J Inf Syst 9(4):181–201Google Scholar
  44. 44.
    Kim JK, Lee DH (2005) A research on information security risk-based antecedents influencing electronic commerce user’s trust. Asia Pac J Inf Syst 15(2):65–96Google Scholar
  45. 45.
    Kim S, Garrison G (2010) Understanding users’ behaviors regarding supply chain technology: determinants impacting the adoption and implementation of RFID technology in South Korea. Int J Inf Manag 30(5):388–398CrossRefGoogle Scholar
  46. 46.
    Ko EJ, Kim SH, Kim MS, Woo JY (2008) Organizational characteristics and the CRM adoption process. J Bus Res 61(1):65–74CrossRefGoogle Scholar
  47. 47.
    Koo JM, Park JS, Park JH (2013) Study about the impact of information security systems on corporate performance: based on IT relatedness theory. Asia Pac J Inf Syst 23(4):129–149Google Scholar
  48. 48.
    Kuan KKY, Chau PYK (2001) A perception-based model for EDI adoption in small businesses using a technology–organization–environment framework. Inf Manag 38(8):507–521CrossRefGoogle Scholar
  49. 49.
    Lee CP, Shim JP (2007) An exploratory study of radio frequency identification (RFID) adoption in the healthcare industry. Eur J Inf Syst 16(6):712–724CrossRefGoogle Scholar
  50. 50.
    Lee Y, Kozar KA (2008) An empirical investigation of anti-spyware software adoption: a multitheoretical perspective. Inf Manag 45(2):109–119CrossRefGoogle Scholar
  51. 51.
    Lee Y, Larsen KR (2009) Threat of coping appraisal: determinants of SMB executives’ decision to adopt anti-malware software. Eur J Inf Syst 18(2):177–187CrossRefGoogle Scholar
  52. 52.
    Lewis W, Agarwal R, Sambamurthy V (2003) Sources of influence on beliefs about information technology use: an empirical study of knowledge workers. MIS Q 27(4):657–678Google Scholar
  53. 53.
    Li H, Zhang J, Sarathy R (2010) Understanding compliance with internet use policy from the perspective of rational choice theory. Decis Support Syst 48(4):635–645CrossRefGoogle Scholar
  54. 54.
    Liang H, Saraf N, Hu Q, Xue Y (2007) Assimilation of enterprise systems: the effect of institutional pressures and the mediating role of top management. MIS Q 31(1):59–87Google Scholar
  55. 55.
    Lu Y, Ramamurthy K (2011) Understanding the link between information technology capability and organizational agility: an empirical examination. MIS Q 35(4):931–954Google Scholar
  56. 56.
    Ma Q, Ratnasingam P (2008) Factors affecting the objectives of information security management. In: International conference on information resources management 2008 proceedingsGoogle Scholar
  57. 57.
    Markus ML, Mao JY (2004) Participation in development and implementation—updating an old, tired concept for today’s IS contexts. J Assoc Inf Syst 5(11–12):514–544Google Scholar
  58. 58.
    Mowery D, Rosenberg N (1979) The influence of market demand upon innovation: a critical review of some recent empirical studies. Res Pol 8(2):102–153CrossRefGoogle Scholar
  59. 59.
    Munro H, Noori H (1988) Measuring commitment to new manufacturing technology: integrating technological push and marketing pull concepts. IEEE Trans Eng Manag 35(2):63–70CrossRefGoogle Scholar
  60. 60.
    Nunnally JC (1978) Psychometric theory. McGraw Hill, New YorkGoogle Scholar
  61. 61.
    Premkumar G, Ramamurthy K (1995) The role of interorganizational and organizational factors on the decision mode for adoption of interorganizational systems. Decis Sci 26(3):303–336CrossRefGoogle Scholar
  62. 62.
    Rai A, Patnayakuni R (1996) A structural model for CASE adoption behavior. J Manag Inf Syst 13(2):205–234Google Scholar
  63. 63.
    Richardson R (2011) 2010/2011 CSI computer crime and security survey. Computer Security Institute, New yorkGoogle Scholar
  64. 64.
    Rogelberg SG, Stanton JM (2007) Introduction: understanding and dealing with organizational survey nonresponses. Organ Res Methods 10(2):195–209CrossRefGoogle Scholar
  65. 65.
    Rogers EM (2003) Diffusion of innovations, 5th edn. The Free Press, New YorkGoogle Scholar
  66. 66.
    Schon DA (1967) Technology and change. Delacorte Press, New YorkGoogle Scholar
  67. 67.
    Sharma R, Yetton P (2007) The contingent effects of training, technical complexity, and task interdependence on successful information systems implementation. MIS Q 31(2):219–238Google Scholar
  68. 68.
    Shih HP (2006) Technology-push and communication-pull forces driving message-based coordination performance. J Strateg Inf Syst 15(2):105–123CrossRefGoogle Scholar
  69. 69.
    Siponen MT (2001) Five dimensions of information security awareness. Comput Soc 31(2):24–29CrossRefGoogle Scholar
  70. 70.
    Son JY, Narasimhan S, Riggins F (2005) Effects of relational factors and channel climate on EDI usage in the customer–supplier relationship. J Manag Inf Syst 22(1):321–353Google Scholar
  71. 71.
    Spears JL, Barki H (2010) User participation in information systems security risk management. MIS Q 34(3):503–522Google Scholar
  72. 72.
    Templeton G, Lewis B, Snyder C (2002) Development of a measure for the organizational learning construct. J Manag Inf Syst 19(2):175–218Google Scholar
  73. 73.
    Teo HH, Wei KK, Benbasat I (2003) Predicting intention to adopt interorganizational linkages: an institutional perspective. MIS Q 27(1):19–49Google Scholar
  74. 74.
    Wixom BH, Watson HJ (2001) An empirical investigation of the factors affecting data warehousing success. MIS Q 25(1):17–41CrossRefGoogle Scholar
  75. 75.
    Xue Y, Liang H, Boulton WR (2008) Information technology governance in information technology investment decision processes: the impact of investment characteristics, external environment, and internal context. MIS Q 32(1):67–96Google Scholar
  76. 76.
    Yildirim EY, Akalp G, Aytac S, Bayram N (2011) Factors influencing information security management in small-and medium-sized enterprises: a case study from Turkey. Int J Inf Manag 31(4):360–365CrossRefGoogle Scholar
  77. 77.
    Zaheer A, Zaheer S (1997) Catching the wave: alertness, responsiveness, and market influence in global electronic networks. Manag Sci 43(11):1493–1509CrossRefGoogle Scholar
  78. 78.
    Zhu K, Kraemer KL, Xu S (2006) The process of innovation assimilation by firms in different countries: a technology diffusion perspective on e-business. Manag Sci 52(10):1557–1576CrossRefGoogle Scholar
  79. 79.
    Zhu K, Dong S, Xu SX, Kraemer KL (2006) Innovation diffusion in global contexts: determinants of post-adoption digital transformation of European companies. Eur J Inf Syst 15(6):601–616CrossRefGoogle Scholar
  80. 80.
    Zmud RW (1984) An examination of ‘push-pull’ theory applied to process innovation in knowledge work. Manag Sci 30(6):727–738CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media New York 2015

Authors and Affiliations

  1. 1.School of Business AdministrationKyungpook National UniversityDaeguSouth Korea
  2. 2.Anderson School of Management, MSC05 1University of New MexicoAlbuquerqueUSA

Personalised recommendations