Carroll_Tim

i
Employee Perceptions of
Biometric Security Adoption in the Workplace
Dissertation Manuscript
Submitted to Northcentral University
Graduate Faculty of the School of Business
in Partial Fulfillment of the
Requirements for the Degree of
DOCTOR OF BUSINESS ADMINISTRATION
by
TIMOTHY CARROLL
Prescott Valley, Arizona
July 2016

Approval Page
Employee Perceptions of Biometric Security Adoption in the Workplace
By
Timothy Carroll
Approved by:
8/23/16
Chair: Dr. Melanie Shaw Date
Certified by:
Dean of School: Dr. Peter Bemski Date

Abstract
Organizations that fail to understand the reasons that employees accept or reject new
technology may be more susceptible to the misuse of the systems, ultimately resulting in
potential corporate financial losses. The specific problem that was addressed in this study
was the widespread lack of employee participation in the implementation of biometric
security technology in U.S. organizations and the need to understand the factors that
influenced employee participation during the implementation phase. The purpose of this
quantitative study was to use the Technology Acceptance Model (TAM) framework to
examine employee perceptions regarding the use of biometric authentication systems that
will be implemented in information technology. Because there are a variety of biometric
systems that are available in the private and public sector, this study did not focus on a
specific biometric type such as fingerprint, iris scan, or hand geometry. Limiting the
study to one type of biometric could have resulted in bias among the participants. A
quantitative correlational research design was chosen to investigate the research problems
and associated questions. The population for this research study was 600 LinkedIn
connections that are were not currently using biometric security technology in their work
environment, but had prior exposure to biometric technology. Prior exposure indicates
that the participants had experience with using biometrics systems at their former
employers. The target sample for the study was 200 employees who were members of
the LinkedIn network, are were current connections of the researcher, had an anonymous
relationship with the researcher, and worked for information technology organizations
that did not currently utilize biometrics. An Exploratory Factor Analysis (EFA),
Confirmatory Factor Analysis (CFA), and a Structural Equation Modeling (SEM)

analysis were performed during the analysis of the data. The findings revealed that
PEOU was a significantly statistical predictor of BI with a path coefficient of 0.441, t =
5.22, R2
= 0.12 and p = 0.001. SN also had significant evidence indicated by a path
coefficient of 0.331, t = 3.55 and p = 0.001. No statistical evidence was found to indicate
that PU had an influence on BI (path coefficient = 0.05, t = 0.698 and p = 0.485). The
predictions of PEOU and PU were statistically significant by SN, SN to PEOU, the path
coefficient was 0.326, t = 4.12, and p = 0.001, SN to PU, the path coefficient was 0.460, t
= 7.30, and p = 0.001. The findings of this study yielded significant practical and
theoretical contributions to the information security field. Future researchers could
explore the demographics of biometric users, to better understand if there is a potential
predictor based on age groups.

Acknowledgements
Wow what a journey this has been for me, I honestly never thought this day would even
be imaginable a year ago after my battle with a rare form of cancer. I would like to
dedicate this paper to my entire Sarcoma team at Massachusetts General Hospital for
making this paper possible: Dr Francis Hornicek, an amazing surgeon who I bow down to
with my utmost graciousness, for you are truly a god among physicians; Dr Joseph
Schwab, an amazing intelligent and personable doctor who stands among the greatest of
surgeons; Dr Karen Bernstein, the most upbeat and cheerful doctor I have ever met, she
has a personality that is undefined in her line of work, she brings a smile to my face every
time I meet her; and lastly the greatest Nurse Practitioner (Soon to be Dr), Anne Fiore,
she is someone that you could cry in her lap and she would make you feel good, without
her support I do not believe I could have emotionally survived my ordeal.
I would also like to thank the best Dissertation Chair at any school imaginable, Dr.
Melanie Shaw, she is not only a wonderful academic mentor, but someone who
understands the frustrations that I have faced along my journey. Without Melanie I
seriously doubt I would have ever graduated. Finally, I would like to thank the mighty
lord, for he is the one I pray to each and every day for another day of life.

Table of Contents
Chapter 1: Introduction....................................................................................................... 1
Background.................................................................................................................. 3
Statement of the Problem............................................................................................. 8
Purpose of the Study.................................................................................................... 9
Research Questions.................................................................................................... 10
Hypotheses................................................................................................................. 12
Nature of the Study.................................................................................................... 13
Significance of the Study........................................................................................... 15
Definition of Key Terms............................................................................................ 17
Summary.................................................................................................................... 20
Chapter 2: Literature Review............................................................................................ 21
Documentation........................................................................................................... 21
Information Security.................................................................................................. 22
Concept and Theory of Acceptance........................................................................... 28
Theory of Reasoned Action....................................................................................... 33
Theory of Planned Behavior...................................................................................... 36
Technology Acceptance Model ................................................................................. 39
TAM and Information Security ................................................................................. 43
User behavior and Information Technology.............................................................. 45
Effects of Perceived Ease of Use............................................................................... 50
Effects of Perceived Usefulness ................................................................................ 53
Effects of SN.............................................................................................................. 55
IT Investments in Biometric Technology.................................................................. 57
Biometric Technology: An Introduction ................................................................... 58
Social Impact of Biometrics ...................................................................................... 68
Economics and Biometrics ........................................................................................ 71
Summary.................................................................................................................... 72
Chapter 3: Research Method............................................................................................. 75
Hypotheses................................................................................................................. 77
Research Methods and Design................................................................................... 79
Population.................................................................................................................. 80
Sample ....................................................................................................................... 81
Materials/Instruments ................................................................................................ 82
Operational Definition of Variables .......................................................................... 87
Data Collection, Processing, and Analysis................................................................ 90
Limitations................................................................................................................. 94
Delimitations.............................................................................................................. 95
Ethical Assurances..................................................................................................... 95
Summary.................................................................................................................... 96

Chapter 4: Findings........................................................................................................... 99
Results...................................................................................................................... 101
Evaluation of Findings............................................................................................. 112
Summary.................................................................................................................. 117
Chapter 5: Implications, Recommendations, and Conclusions ...................................... 119
Implications ............................................................................................................. 121
Recommendations.................................................................................................... 128
Conclusions.............................................................................................................. 131
References....................................................................................................................... 134
Appendixes ..................................................................................................................... 160
Appendix A: Survey ................................................................................................ 160
Appendix B: Survey Message to Participants ......................................................... 161
Appendix C: Permissions ........................................................................................ 162

List of Tables
Table 1 Physiological and Behavioral Biometric Areas.................................................. 63
Table 2 Constructs and Measurement Instruments......................................................... 85
Table 3 Cronbach Alpha of Constructs from Prior Studies............................................. 85
Table 4. SEM Paths of influence ..................................................................................... 93
Table 5. Descriptive Statistics for Data Collection ....................................................... 103
Table 6. Exploratory Factor Analysis ............................................................................ 104
Table 7. KMO and Bartlett's Test............................................................................... 105
Table 8. Reliability analysis for each construct............................................................. 105

List of Figures
Figure 1. The Theory of Reasoned Action Diagram. Reprinted from User acceptance of
computer technology: ....................................................................................................... 34
Figure 2. The Theory of Planned Behavior Model Ajzen (2006).................................... 37
Figure 3. Technology Acceptance Model Diagram......................................................... 42
Figure 4. TAM2 Diagram ................................................................................................. 42
Figure 5. Perceived Ease of Use Diagram ........................................................................ 51
Figure 6. Hypothesized structural model: A path model of employee’s PU, SN, and
PEOU on their intention to use biometrics. ...................................................................... 76
Figure 7. CFA 4 Factor Measurement model for this research study.............................. 87
Figure 8. Final SEM CFA 4 Factor Measurement model IBM AMOS 23.................... 111
Figure 9. SEM Factor Measurement model IBM AMOS 23......................................... 112

1
Chapter 1: Introduction
Companies have become increasingly vulnerable to internal and external security
threats to their information infrastructure (Nicho & Hendy, 2013). Computer threats and
cyber-terrorism are rapidly increasing and straining the structure of the Internet, due to
their destructive tendencies to disrupt business activities (Brahme, 2012). These
increasing incidents of Internet attacks aimed at online businesses have presented serious
risks to the safety and security of employees and tangible assets. Although many
organizations have physical hardware firewalls and intrusion detection systems in place
to protect internal systems, the use of weak authentication techniques, such as passwords,
are lacking the security necessary for online business transactions (Saleh, Alsmadi, &
Mashhour, 2011). The cost of recovering from a security breach has been up to 20 times
greater than the cost of protecting the data (Ernst & Young, 2012). Thus, there has been
a growing need for technology that can decrease information security breaches (Yayla &
Hu, 2011).
The rate of change in information technology has forced organizational leaders to
update and implement new software solutions and technologies continually (Fang,
Benamati, & Lederer, 2011). The successful implementation of new technology has
allowed organizations to improve productivity and increase their competitive position in
the marketplace (Knani, 2013). One of the most critical technologies that has undergone
continual change has been information security.
A technology that lends itself to the reduction of identity theft is biometrics (Voss
et al., 2013). Biometrics is a technology that enables the identification of individuals by
authentication based on unique physiological or behavioral patterns, such as fingerprints,

2
eye scans, facial recognition, and voice recognition (Hasso, S. A., Hasso, M. A., & Saad,
2012). Technological advances in biometrics has provided tools to enhance security in
the workplace.
Many organizations have already begun to implement biometrics for building
security, personal computer use, and network authentication. For example, RealTime
North America, a Tampa-based company, has been using biometric technology to help
businesses and government agencies improve their internal security (Simmons, 2012).
Apple Inc, has recently added fingerprint biometrics as an added security features to its
new line of iPhones, this new feature has allowed the user to scan their fingerprint and
use that print to unlock the device (Ankeny, 2013). Banco Azteca, is one of Latin
America’s leading specialty retailers, in an effort to help better protect customer
accounts, the bank has introduced a fingerprint biometric system throughout more than
900 of its branch locations with more than 15M customers using the fingerprint
authentication to access their accounts (Pappas, 2012).
However, one of the biggest obstacles organizations face when implementing
technological change has been user acceptance (Pasaoglu, 2011). If users are not willing
to accept and use security measures and systems, organizations will not reap the benefits
of the technology (Barrett, 2013). A few years ago in New York City, the Bloomberg
administration had implemented biometrics in an effort to keep track of its employees.
Many of the employees had expressed concerns that this type of security has violated
their privacy interests. As a result, many of the employees who feared the possible misuse
of their private data, have refused to allow their employers to scan or record any type of
biometric data (Michael, 2012).

3
Prior studies with biometrics and employee acceptance have focused on a variety
of technologies, ranging from the Internet to social media (Morosan, 2012; Todd, 2011).
Factors related to whether employees intend to use biometric security authentication in
their companies have not been investigated (Jones, 2009). Prior studies in the acceptance
of new technology had identified three primary constructs that have been proven useful in
identifying the intention to use a new technology: (a) perceived usefulness (PU); defined
as the likelihood that the use of a new technology will increase a user’s job function, is
one of the factors that has been identified in prior studies to identify the acceptance of
various new technologies (Kim & Lee, 2014); (b) perceived ease of use (PEOU); defined
as the level of effort it will take to use a new technology—the premise being, the easier
the level of effort, the more likely users will want to use and take advantage of the
features of the new system (Kesharwani & Shailendra, 2012); and (c) subjective norm
(SN); defined as the perception that user behavior can be determined by how they believe
their peers and coworkers will accept the technology—if a user’s friends all accept a new
technology without resistance, there is a strong chance that the user will also accept the
technology (Trongmateerut & Sweeney, 2013). By understanding these three factors
related to technology acceptance, leaders will have the ability to adapt business models so
that employees will be more willing to use the new tools (Pasaoglu, 2011).
Background
Organizations have typically lost 5% of their revenue due to security breaches
each year (C. da Silva, J. da Silva, Rodrigues, Nascimento, & Garcia, 2013). Cyber-
terrorist attacks have cost U.S. companies over $100 billion dollars in lost revenue
annually (Rustici, 2011). In January 2012, Zappos reported that 24 million records

4
containing credit card information were hacked and personal information disclosed,
costing the organization over $100 million in legal fees to contain the losses (Sauls &
Gudigantala, 2013). In March 2013, Evernote, a popular Internet-based note-sharing
service, fell victim to a security breach affecting 50 million users, resulting in over $150
million in lost revenue (Kesh & Raghupathi, 2013). In October 2013, Adobe reported
that the credit card information for 3 million customers was stolen as a result of a source
code leak by an employee, resulting in over $150 million in losses (Perlroth, 2013). In
November and December 2013, hackers gained access to over 40 million credit and debit
cards used by Target customers, costing Target at least $100 million to cover legal costs
to repair the damage (Timberg, Yang, & Tsukayama, 2013).
As more organizations operate in the global economy, it has becoming
increasingly apparent to business leaders that safeguarding and protecting informational
assets from computer crimes is a necessary standard business practice (Czosseck, 2013).
To ensure data security, organizations are advised to update and adapt security protocol
changes every 6 to 12 months, according to one estimate (Nassimbeni, Sartor, & Dus,
2012). The results of the 2013 Computer Security Survey indicated that information
security budgets are on the rise in 43% of all U.S. organizations (Ramanauskaite,
Radvile, & Olifer, 2013). Forty-six percent of the organizational leaders surveyed
indicated that expenditures would be directed toward security improvement, innovation,
and expansion (Czosseck, 2013) .
The human factor is generally considered the weakest link in the protection of
information systems (Jaafar & Ajis, 2013). Users can misunderstand and misuse a
security system, no matter how effective the system is believed to be (Malik, Kumra, &

5
Srivastava, 2013). When that misunderstanding and misuse occurs, the system loses its
usefulness.
In a 2013 survey, 90% of technology departments reported that employees abused
Internet usage on a daily basis (Thomopoulas, 2013). The violations ranged from
opening infected email attachments to surfing the Internet for personal use. In a 2013
Computer Crime and Security survey, the majority of the organizations indicated that
insiders accounted for the largest portion of financial losses, with 65% of respondents
reporting that most of the threats were attributable to users who did not accept new
security technology measures.
To help protect organizational security, it is becoming essential for companies to
develop information security strategies and to update and replace older technology
(Stripple, 2012). The objective of system security management is to ensure the
confidentiality of data, the integrity of data, and data availability within the organization.
For security measures to be effective within an organization, employees have been
encouraged to adopt and understand the proper use of these technologies (Chang &
Wang, 2011).
Organizational leaders need to understand that the threats of information security
breaches affect the company as a whole. Appropriate information security policies,
procedures, strategies, and measures are advised to be in place, to understood and be
accepted by employees who use these systems. Security breaches can adversely affect
the market share and reputation of an any organization (Yayla & Hu, 2011). Business
Leaders are encouraged to understand how employees perceive the implementation of
technology related to information security.

6
Biometric authentication techniques have been in existence for decades.
Biometrics of the past were often associated with fingerprinting criminals (Muller, 2011).
Today, biometrics have been used in all types industries, such as hospitals, financial
institutions, border patrol, and personal computers (Chang, Lu, Wu, Yap & Yu, 2011).
As cyber-terrorism attacks become more complex, organizations have been looking for
better security methods for protecting their workplace. Primitive security measures such
as passwords have proven to be unreliable, because many organizations do not enforce a
complex password algorithm (Sangani & Vijayakumar, 2012). Biometric security
authentication techniques have been steadily adapted by many organizations. Fingerprint
authentication has been one of the most efficient and trustworthy methods of biometric
authentication. Many new laptops have built in fingerprint readers, others have slots for
smart cards that have fingerprint information embedded within their internal chips
(Musleh, Nofal, Ba, & Ibrahim, 2012).
As organizations have started to adopt biometrics, many employers have
experienced resistance and frustration by employers who have forced them to implement
and utilize the technologies with little or no training (Bidgoli, 2012). The Bloomberg
administration tried to implement biometric authentication to track employees during the
workday, however, employees refused to allow their personal privacy to be violated and
resisted the technology, resulting in a termination of the biometric authentication policy
(Michael, 2012). Understanding why employees resist biometrics has the potential to
benefit organizations during the planning and implementing phase of biometric security
authentication systems.
The Technology Acceptance Model (TAM) is a theoretical model that has been

7
recognized as one of the most reliable metrics for understanding why employees accept
or reject technology (Kim, 2012). TAM is one of the most widely accepted measures of
the success or failure of new technology acceptance (Jones, 2009). The key constructs
used in the TAM include PEOU, PU, and SN (Davis, 1989; El-Attar, 2006; Huang &
Hsu, 2010).
The knowledge acquired from TAM studies has allowed companies to make
informed decisions regarding the introduction of new technology (Davis, 1989; Huang &
Hsu, 2010). PEOU and PU were the original TAM constructs and are considered the
primary determinants for information technology acceptance behaviors (Davis, 1989).
PU refers to the tendency to use a specific technology in the belief that it will increase the
user’s job performance. PU has been one of the primary constructs used in determining
technology acceptance. Several studies that have used the TAM model have determined
PU to be significant in determining acceptance of new technology, specifically
technologies that involve biometrics (Nwatu, 2011). PEOU is also one of the primary
constructs associated with the significance of technology acceptance. PEOU is defined
as the degree an individual believes that using a particular technology will increase their
job performance (Davis, 1989). PEOU also has been proven to influence PU, since the
easier a system is perceived to be used, the more individuals will utilize it (Davis, 1989).
In 2000, the TAM was modified to include SN as a primary construct (Venkatesh, 2000).
SN refers to how individual decisions are made based on peer pressure. SN was included
in the TAM model because many workplace decisions are based on social pressure from
others within the organization (Jones, 2009). In repeated studies by Venkatesh and
Davis (2000), SN influenced PU when social pressure was incorporated into the decision

8
making process. SN has also been studied in relation to biometric technology acceptance
studies, most recently by Uffen, Kaemmerer, and Breitner (2013); SN was found to be a
significant indicator of acceptance to biometrics in smart phones.
Statement of the Problem
Information Security theft has been increasing at an alarming rate; almost 50%
since the attacks on Sept 11, 2011 (911) (Silic & Back, 2014). Organizations have not
been adopting new security technologies, such as biometrics. Biometrics have the ability
to prevent many of these intrusions (Rashed & Alajarmeh, 2015). The specific problem
to be addressed is that although biometric security systems have many advantages over
traditional security methods, biometrics are not being utilized by companies due to the
acceptance rate of their employees. Determining factors that affect employee satisfaction
with biometric technology would be a benefit to organizations that have decided to utilize
biometrics. Prior research has affirmed that when employees are involved in the selection
and implementation phase of biometrics, satisfaction has increased (Bidgoli, 2012;
bdelbary, 2011; Corazao, 2014; Musleh, Nofal, Ba, & Ibrahim, 2012; Muhammad,
Markkula, & Oivo, 2013;). Since only 2% of businesses as of 2014 have implemented a
security protocol that has addressed Internet security attacks, many businesses are at risk
(Mathias, 2014).
The impact of rapid technological advancement has motivated organizations to
seek innovative security technologies to help defer breaches to internal computer
systems. Researchers and practitioners have identified biometrics as one of the most
innovative technologies that can be implemented in a relatively inexpensive manner.
However, throughout most organizations, it has not been implemented or accepted

9
(Amofa, 2014). It is unclear why companies have not been using biometrics, despite the
simplicity and low implementation costs to organizations. There is a gap in the literature
highlighting the reasons why biometric security technology has not being accepted.
According to the TAM, user behavioral intentions or participation toward the
acceptance of a new technology can be predicted by the technology’s PEOU, PU, and SN
(Bagozzi, 2007; Davis, 1989). These three TAM constructs have been demonstrated in past
studies to be the most significant predictors of user acceptance (Chi, Yeh, & Yang, 2011).
Purpose of the Study
The purpose of this quantitative correlational study was to identify and analyze
the problem of adopting biometric security by investigating the impact that the TAM
constructs: perceived ease of use, perceived usefulness, and subjective norm have among
employees who work in organizations that are examining biometrics as a replacement for
existing security system authentication. The specific problem that was addressed is that
although biometric security systems have many advantages over traditional security
methods, they are not being utilized by companies and readily accepted by their
employees. These behavioral intentions have been due to varies constructs: the exclusion
of employees in the selection process, ethical issues related to biometrics, and poor
training and education in biometric technology. Organizations have been dependent on
employees to perform daily tasks that has often involved financial and sensitive
information that has been relevant to the survival of the organization. By examining
biometric technology acceptance from the employee point of view, organizations should
begin to understand the value of having employees involved during the technology
selection phase. This involvement process, determines the effort involved to make sure

10
the technology is usable, increases employee performance, and possibly reduce security
risks resulting in employee acceptance.
The TAM model constructs of perceived usefulness, perceived ease of use, and
subjective norm are the exogenous variables. Structural equation modeling (SEM)
statistical analysis was used for path analysis to determine whether the exogenous
variables: PU, PEOU, and SN as represented by the TAM theoretical model predicted the
endogenous variable, intention to use biometric authentication systems (Kline, 2010; Teo,
2011, Venkatesh et al., 2003). The SEM approach is selected because of its ability to
analyze all of the regression paths simultaneously (Kline, 2010; Teo, 2011; Venkatesh &
Davis, 2000).
A non-experimental, survey approach was the type of quantitative design that was
used for this study. A quantitative design was better suited for accessing the relationship
among the variables in the study (Feistel, 2014). Probability sampling technique
involving the use of a cross-sectional sample from the population was used for this study.
The target population for this study were members of the LinkedIn community who were
active connections of the researchers, lived within the U.S., worked for technology
organizations who either use biometrics or are in the process of evaluating them. The
appropriate sample size for this study was 200 participants, based on the rule-of-thumb
assumptions for SEM (Kline, 2010).
Research Questions
The TAM has been used to study attitudes to the introduction of many new
information technology systems (Pasaoglu, 2011). The purpose of this quantitative study
is to use the TAM theoretical framework and its constructs of PU, PEOU, and SN to

11
examine TAM’s influence on predicting employee’s intention to use biometric
authentication systems that will be implemented in information technology.
The research structural model consists of three exogenous variables (perceived
usefulness, perceived ease of use, and subjective norm), and one endogenous variable
(intention). Each of the exogenous variables is hypothesized against the direct impact on
intention. PEOU is hypothesized to be a fundamental determinant of intention to use in
hypotheses H1a and H1b. PU is hypothesized to be a fundamental determinant of
intention in hypotheses H2. SN is hypothesized to be a fundamental determinant of
intention to use in hypotheses H3a, H3b, and H3c.
The following is the research question for the study, coupled with its associated
null and alternate hypotheses.
Q1. To what extent, if any, does perceived usefulness have on employee’s
perceptions of the use of biometric authentication?
Q2. To what extent, if any, does perceived ease of use have on employee’s
perceptions of the use of biometric authentication?
Q3. To what extent, if any, does subjective norm have on employee’s perception
of the use of biometric authentication?
Q4. To what extent, if any, does subjective norm have on the perceived
usefulness of employee’s perceptions of the use of biometric authentication?
Q5. To what extent, if any, does subjective norm have on the perceived ease of
use of employee’s perceptions of the use of biometric authentication?
Q6. To what extent, if any, does perceived ease of use have on perceived
usefulness of employee’s perceptions of the use of biometric authentication?

12
Hypotheses
H10. Perceived usefulness (PU) of biometrics will not have a statistically
significant direct positive direct impact on employee’s intention to use a biometric
security technology.
H1a. Perceived usefulness (PU) of biometrics will have a statistically significant
direct positive direct impact on employee’s intention to use a biometric security
technology.
H20. Perceived ease of use (PEOU) of biometrics will not have a statistically
H2a. Perceived ease of use (PEOU) of biometrics will have a statistically
H30. Subjective norm (SN) of biometrics will not have a statistically significant
technology.
H3a. Subjective norm (SN) of biometrics will have a statistically significant
technology.
H40. Subjective norm (SN) will not have a statistically significant direct positive
direct impact on perceived usefulness (PU) of employee’s intention to use a biometric

13
H4a. Subjective norm (SN) will have a statistically significant direct positive
direct impact on perceived usefulness (PU) of employee’s intention to use a biometric
H50. Subjective norm (SN) will not have a statistically significant direct positive
direct impact of perceived ease of use (PEOU) of employee’s intention to use a biometric
H5a. Subjective norm (SN) will have a statistically significant direct positive
direct impact of perceived ease of use (PEOU) of employee’s intention to use a biometric
H60. Perceived ease of use (PEOU) will not have a statistically significant direct
positive direct impact of perceived usefulness (PU) of employee’s intention to use a
biometric security technology.
H6a Perceived ease of use (PEOU) will have a statistically significant direct
positive direct impact of perceived usefulness (PU) of employee’s intention to use a
biometric security technology.
Nature of the Study
The primary intent of this quantitative correlational study was to determine
employee perceptions regarding the use of biometric authentication systems. The
variables perceived ease of use, perceived usefulness, and subjective norm, are constructs
that have been identified from an exhaustive review of the literature of previous studies
involving technology acceptance and security (e.g. Bidgoli, 2012; Ghazizadeh, Lee, &
Boyle, 2012; Huang, & Hsu, 2010; Jones, 2009). All of the variables were measured
with multiple questions using a Likert ordinal scale adapted from published pre-validated

14
instruments measuring perceived ease of use (Venkatesh & Davis, 2000), perceived
usefulness (Venkatest & Davis, 2000), and subjective norm (Davis et al., 1989).
This study was conducted without any variable modification or manipulation.
The design of this study was a quantitative correlational research design, since correlation
research begins with hypotheses that are generated from an existing theory and ends with
an assessment of the relationship among the variables without introducing causality
(Spearing, Connelly, Nghiem, & Pobereskin, 2012). To determine the correlation
between the variables that are established in the six hypotheses, a self-administered
Internet survey was distributed to the target population of 600 LinkedIn connections that
were recruited using probability sampling. With probability sampling, each person in the
target population of 600 users had an equal chance of being selected. The use of a cross-
sectional sample allows for the findings to be generalized to the target population
(Woertman, et al, 2013). An Internet survey was used because of its ability to reach
participants using InMail in LinkedIn. Since respondents can complete the questionnaire
at their leisure, respondents were not feel pressured to answer in a hurried manner.
As survey data had been collected, the information was entered into Microsoft
Excel. Each of the exogenous variables had six questions associated with them. These
six questions were derived by Davis (1989) study of technology acceptance. Likert type
5-point scales ranging from strongly disagree to strongly agree was used as a basis of
questions. The 5-point Likert scale had been used in previous TAM related research
(Jones, 2009). After the data had been collected, a descriptive analysis was performed on
the constructs followed by the development of a structural model. Goodness of fit tests
were performed on the structural model using the IBM SPSS AMOS 23 software package

15
(Teo et al., 2011). The IBM SPPS AMOS 23 software consists of two primary modules:
the first is IBM SPSS Statistics 23, which is used to enter the data that has been collected
and calculate the descriptive statistics. The second is IBM SPSS AMOS 23, a graphical
software that will use the data from the statistics spreadsheet to create the confirmatory
factor model (CFA). The CFA is referred to as measurement model. Once the
measurement model is revised and confirmed, it will be changed to a structural equation
model (SEM)Structural equation model that will test the hypothesized relationships. In
the technology industry, SEM is often used for conducting TAM based research (Noor,
Sreenivasan, & Ismail, 2013; Teo et al., 2011; Venkatesh & Davis, 2000). Confirmatory
factor analysis was used to test the model as to how the variables are interrelated. Each
of the six hypotheses was tested simultaneously using the SEM SPSS Statistics 23and
SPSS AMOS 23 software package. Statistics were generated to analyze the model at
three different levels: (a) the individual item and construct level, (b) the overall fit at the
model level, and (c) the individual path analysis level. SEM model are comprised of both
a measurement model and a structural model. The measurement model relates observed
indicators to latent variables, and the structural model specifies the relationships among
the latent variables on observed variables (Khine, 2013). Confirmatory factor analysis
(CFA) is often used to test the measurement model.
Significance of the Study
The successful implementation of new technology related to security is vital to the
success of any business (Dezdar, & Ainin, 2011). New technologies and systems
improve performance and allow organizations to compete in the global economy. Since
employees are the actual users of security technologies, their acceptance and usage of the

16
systems in a favorable manner is critical to the survival of the business (Çakmak, Benk,
& Budak, 2011). The results of this research may help organizations understand the
factors that enhance employee adoption, use and compliance with information security
measures and to foster a positive attitude toward these systems. The adoption of
information security measures may also help organizations realize the potential benefits
of the technology. Corporate wide adoption of security measures can have a significant
financial benefit, since the acceptance and usage of the technology will decrease security
breaches. In this research study, the TAM variables: perceived ease of use, perceived
usefulness, and subjective norm are assessed to determine the extent to which each of
these variables influence security technology adoption in organizations that currently use
biometrics, or are in the process of evaluating them.
From a research perspective, there have been many studies that have examined
technology acceptance of various types of software systems (Bidgoli, 2012; Ghazizadeh,
Lee, & Boyle, 2012; Huang, & Hsu, 2010; Jones, 2009). Very few studies have
examined information security acceptance and its impact on an organization (Jones,
2009). This study attempted to bridge the gap by examining factors that affect employee
acceptance and adoption of biometric information security measures. This study
contributed to the literature on technology adoption of information security, particularly
in the area of biometrics. Potential users are encouraged to use a technology if they
believe it is easy to use, useful, and that others have accepted the benefits of the
technology. The results of this study helped increase the knowledge about the factors
that affect employee perceptions and their decision to adopt biometric security

17
technologies, which are important for businesses that are looking to implement tighter
security protocols consisting of biometrics.
Definition of Key Terms
The following section represents definitions of significant terms and concepts that
are used through the study.
Attitude. Attitude is a learned tendency to evaluate objects using a certain
method. Attitudes have three components: affective, behavioral, and cognitive.
Affective refers to an individual’s feelings toward an object. Cognitive represents a
person’s awareness and knowledge of an object. Behavioral refers to the intention to act
in a certain way towards something. In the TAM model, attitude is a person’s general
feeling of acceptance or rejection toward the stimuli (Ajzen & Fishbein, 1980).
Behavioral intention. Behavioral Intention is defined as a person’s perceived
likelihood that they will engage in a particular behavior. Behavioral intention is one of
the most accurate predictors of behavior (Ajzen, 1991).
Biometric technology. Biometrics is used to uniquely identify individuals using
a characteristic such as a fingerprint. There are two categories of biometrics:
physiological and behavioral. Physiological characteristics are related to the shape of the
body, for example fingerprints, palm prints, facial recognition, and retina scans.
Behavioral characteristics refer to a pattern of behavior; such as someone’s voice, gait, or
typing rhythm (Harper, 2011).
Endogenous variables. Endogenous variables are defined as a factor in a causal
model whose value is to be determined by the states of the other associated variables in
the system. A variable is said to be endogenous if its value is influenced by one or more

18
independent variables (Antwi, Boadi, & Koranteng, 2014).
Exogenous variables. Exogenous variables are defined as a factor in a causal
model whose value is independent from the other states of variables in the system. A
variable can be made exogenous by incorporating causal relations and additional other
factors in the model (Antwi et al., 2014).
External variables. External variables are additional factors that are outside the
scope of the original TAM, such as situational constraints, individual behavior, and peer
interventions that could affect behavior. These variables would be determinants of
perceived usefulness, perceived ease of use, and subjective norm (Jaber & Al-khawaldeh,
2014).
Perceived ease of use. The term Perceived Ease of Use is one of the original
components of the TAM model (Davis, 1989). Perceived ease of use refers to an
individual’s acceptance and belief that using a technology will be free from cognitive
effort (McDaniel, 2011).
Perceived usefulness. The term Perceived Usefulness is one of the original
components of the TAM model (Davis, 1989). Perceived usefulness is defined as the
degree to which a person believes that using a technology will improve their performance
(Riley, Buckner, Johnson, & Benyon, 2009.
Perceptions. Perceptions are sensory experiences of the environment around us
and involve recognition of stimuli and actions in response to the stimuli (Seijts &
Roberts, 2011). In the TAM model, employee perceptions are attitudes and opinions on
the use of new technology. These opinions and attitudes stem from prior experience,
religious implications, social experiences, peers, and upper management.

19
Subjective norm. The term Subjective norm refers to a person’s own estimation
of the social pressure involved to perform or not perform a particular behavior (Zhang,
Fang, Wei, & Wang, 2012).
Technology. The term technology is defined as the use of methods or
instruments in an organization to enhance existing business processes or solve a problem.
Examples of technology are automated timesheet applications, content management
systems, learning management systems, email applications, records management systems,
and security systems (Spence, 2011).
Technology Acceptance Model. The (TAM) is an extension of Ajzen and
Fishbein’s Theory of Reasoned Action (TRA; Ajzen & Fishbein, 1980). TAM was
originally developed by Fred Davis (Davis, 1989). The original TAM model consisted of
two technology acceptance measures: Perceived Ease of Use and Perceived Usefulness.
The model was later extended in 2000 by Venkatesh to include Subjective Norm
(Venkatesh, 2000).
Theory of Reasoned Action (TRA). The TRA states that attitudes are
influenced by a person’s beliefs resulting in behaviors about the level of intentions
(Ajzen, 2011).
Training. Training is the face-to-face or online support provided to employees to
learn new technology. This support can be demonstrated via simulations or hands-on but
is offered at an expense to the organization (Sundman & Johansson, 2012)
Validity. Validity in data collection means that the findings in the study are a
true representation of the phenomenon that is being measured (Giaretta & Spolaore,
2012).

20
Summary
Biometrics has been shown to be a proven technique for authenticating users
(Arutyunov & Natkin, 2010). Biometrics current use in government and law enforcement
agencies demonstrate that it is a reliable technology that works (Bright, 2011). As
organizations battle with the ongoing challenge of security breaches, biometrics offers
enhanced technology that can help prevent internal and external security threats. The use
of new technology, however, often imposes issues with users who are not willing to
accept and adapt to change (Ajzen & Fishbein, 1980). Upper management has a need to
understand the factors that promote user acceptance of new technology (Ajzen, 2011).
The impact of non-acceptance by the user community has shown the adoption process
often fails. TAM is a proven model. The research applied the TAM model to the
implementation of biometric authentication (Riley et al., 2009).

21
Chapter 2: Literature Review
The purpose of this quantitative correlational study was to examine employee
perceptions regarding the use of biometric authentication systems that will be
implemented in information technology, using TAM as the theoretical framework. The
objective of the literature review was to gain a better understanding of the factors that
affect employee perceptions during the adoption of biometric authentication. This study
was valuable because of the increase in security breaches that have occurred within
organizations that perform business on the Internet. The implementation of biometric
security systems is important for preventing and controlling identity theft.
The literature review begins with an overview of the technology acceptance
models, followed by technology acceptance theory related to biometrics and new
technologies within the workplace. The influence on employee perceptions and
organizational success was also summarized. The existing literature of biometrics was
examined, with an emphasis on biometrics in the work environment.
Documentation
In an effort to maximize the literature review, many different popular scholarly
search databases were used; these include ProQuest, EBSCOHOST, ERIC, SAGE
Journals, and Wiley Online Library. The keyword searches were based on terminology
associated with biometrics and technology acceptance. The method used to search for
relevant literature included the use of phrases, key word, and titles. In addition, other
selected literature was obtained from various doctoral dissertations on the subject and
concepts relevant to the topic of study.

22
Information Security
Information security is defined as the extent to which an organization is free from
the disclosure and destruction of data due to unauthorized access (Hedström, Karlsson, &
Kolkowska, 2013). The review of the literature explains that information security is
broken down into three dimensions: availability, integrity, and confidentiality (Chen, Lo,
& Yeh, 2012). Confidentiality refers to the extent to which organizational information is
prevented from being exposed, disclosed or appropriated. The premise behind
information confidentiality is that the data remains safe from any type of unauthorized
access, including internal and external boundaries (Berezina, Cobanoglu, Miller, &
Kwansa, 2012). Information integrity is the extent to which information remains
compatible and consistent with its original state once it is stored (Ponnuramu, &
Tamilselvan, 2012). The greater the integrity of information, the lower the chances are of
the data being forged. Information availability is referred to as the extent to which
information is available whenever access is required.
Companies have become more dependent on information systems to increase
business effectiveness and efficiency. However, this increased reliance on information
system technology has breaded opportunities for hackers to breach corporate systems
(Chang, & Wang, 2011). Recent studies reported that the number of information security
incidents has had a significant impact on the U.S. economy (Bojanc & Jerman-Blazic,
2013). Because of the drastic increase in the number of information security breaches
and significant financial losses, organizations have made security a top issue in the
management of corporate information systems. In an effort to enhance information
security, several studies have examined critical factors that influence an organization’s

23
security policy enforcement (Chang, & Wang, 2011; Knapp & Ferrante, 2012). In 2011,
a study by Chang and Wang focused on the theoretical perspective that can help
understand the enhancement of information security, namely the resource based view
(RBV). The perspective behind their theory has been that organizations need to invest
and develop technology resources in order to fend off system breaches (Jang, 2013).
Understanding what influences information security has important practical and
theoretical purposes.
To properly protect information within an organization, it has been determined
that companies develop information security strategies and implement accurate security
measures. An information assurance strategy determines how accurate, reliable, secure
and available organizational assets are aligned with corporate strategies (Cheshire, 2011).
Cheshire (2011) found that various common deficiencies exist within information
assurance in many organizations. Cheshire contended that the process of implementing
an information security strategy should be considered at the same time as system is being
designed. Cheshire’s model integrated concepts from security policy theory, risk
management theory, systems and development theory. There were four phases of the
Cheshire model: elaboration, inception, construction, and transition. During each of the
transition stages, the four steps were analyzed. During inception, an overall analysis of
the existing information security infrastructure was examined. During the elaboration
phase, the system was completely analyzed and defined. The key actions in the
elaboration phase included setting up the security and assurance plans. During the
construction phase, the new system was implemented and modified to fit within the
organization. The construction phase involved a continuous testing process. Finally, the

24
transition phase was where the new security system is brought online and made
functional.
Information security risk management is the process that identifies risks to which
a company is exposed, helps to provide an assessment on the impact of the risk to the
business, and enables organizations to make decisions to eliminate or reduce risk to an
acceptable level (Bojanc & Jerman-Blazic, 2013). Risk management requires a
comprehensive evaluation and identification of a company’s digital assets, the
consequences of cyber-attacks, as well as a cost-benefit analysis of the investments in
security. Upper management has a need to be able to manage security risks in order to
properly develop products that meet consumer demands. Information-security
economics, which is a relatively new field of study, utilizes economic models and theory
to analyze the incentives of organizational stakeholders. An analysis of the investments
in security requires a comparative analysis of the costs and benefits. The cost of an
investment includes the price of the hardware, software, and labor; however, it is very
difficult to quantify the benefits (Jalal-Karim, 2013). Enterprise risk management is the
process of managing security breaches with emphasis on controlling, identifying, and
eliminating uncertainties that could prevent a business from being successful.
The primary goal of information security is to prevent unauthorized usage of a
corporate computing system (Nhlanhla & Birch, 2011). The key activities within
information security management are: development of a security policy; assignment of
roles and responsibilities; and the training of personnel on how to use the security
policies (Järveläinen, 2012). The main objective of a security policy is to ensure the
integrity, availability, and confidentiality within information technology. Organization

25
must be able to monitor employee actions, in an effort to protect and guard against
security violations and unauthorized access. Employees must be properly trained on how
to use the security technologies to comply with information security policies (Renaud &
Goucher, 2012).
As the use of information technology continues to grow, controls are needed to
protect an organization from possible computer crime. Chaudhry and Reese (2012),
developed a conceptual model for enterprise information security that stems from four
main pillars: security policy, access control, security awareness, and upper management
support. Their study focused on the problem of organizations storing their information in
one location. This practice increases the chance of intrusions which frequently results in
poor reliability, continuity disruption, and lowered efficiency of processes. Research on
this topic is important because of the current paradigm shift that businesses have been
currently facing. Up until recently, the majority of research performed within the
enterprise information security arena has focused on the technical aspect, such as
firewalls, and anti-virus software (Serova, 2012; Sehgal et al., 2011).
Many companies are in agreement that information security has changed from a
technology centered problem to a management issue that requires the involvement of
upper management (Tsohou, Karyda, Kokolakis, & Kiountouzis, 2012). Recent studies
have concluded that information security should contain five elements that include: (a)
implementing a corporate policy that provides an information security mission statement
that is understood and read by all employees; (b) identifying key personnel that are
responsible for the oversight of the security program; (c) inventory assets to identify
sensitive information and critical components; (d) organizational business reasons

26
highlighting the separation of duty policies, need to know, and privilege hierarchy; and
(e) upper management support for the goals and objectives of the information security
implementation (Njenga & Brown, 2012; Olusegun & Ithnin, 2013).
To strengthen information security technology organizations, there is a need to
define security blueprints, define standard processes that deal with security compliance,
and to plan for identity and access management to monitor and audit employee activity
(Kruger, & Mavis, 2012). Tavakol, and Dennick (2011) performed a study on the
relationship between information security awareness and behavior by analyzing data that
they collected from a Web based Internet survey in Japan. The research participants of
the survey were people who had been working for more than two years for the same
company. Fifty questions were administered with topics such as attitude toward risks and
information security awareness. Two hypotheses were tested: (a) individuals who
understand problematic behavior do not take such problematic behaviors; and (b)
individuals who understand the necessity to collect information security take such
behaviors. An analysis of Spearman’s rank correlation coefficient was performed. In
addition, a Mann-Whitney rank sum test was also performed. Both studies were aimed at
the security awareness of organizations that implement security policies to help prevent
information leaks (Fan, & Datta, 2013). The results of the analysis concluded that many
employees break rules even if the organization implements security policies.
To help organizations comply with nation-wide security standards, the Internal
Standards Organization (ISO) and the International Electrotechnical Commission (IEC)
developed a series of security standards (Disterer, 2013). One of these standards is the
ISO 27000 family of security protocols. The ISO 27000 is a specification that indicates

27
specific requirements that can audited and certified which must be followed by
organizations if they are to maintain their certification standards. One of the key features
of the standards is that they are generic enough to be applied to any organization. The
key concepts of the standards are: (a) organizations are encouraged to perform
assessments of their own security risks; (b) organizations should implement proper
security controls based on their needs; (c) the standards should be used for guidance; (d)
use the Plan, Do, Check, and Act Model, and implement continuous feedback; and (e)
continually assess threats and risks to information security issues (Gillies, 2011).
Security policies are a critical safeguard that provide employees with valuable
information on how they should behave in an effort to protect organizational assets.
Knapp and Ferrante (2012) found that to minimize the probability of information security
incidents, organizations need to be motivated to enforce, communicate, and maintain
security policies. The study investigated a model that explored the impact of policy
awareness, maintenance and enforcement on information security policies. In the
research model, effectiveness to capture information security objectives is measured.
Security effectiveness can often be difficult to measure, because it is challenging to
discover if the hard data is accurate and precise. Organization often face financial losses
and reputational damage if they disclose security incidents, thus many incidents go
unreported (Kaplan, Pope, & Samuels, 2011). In the study by Knapp, rather than
collecting hard numerical data, effectiveness was measured using the judgment of
information security specialists. The variables of the study were: policy awareness,
policy enforcement, and policy maintenance. The participants were all individuals that
possessed the Certified Information System Security Professional (CISSP) certification.

28
SEM was used to analyze the hypotheses, the results indicated that all of the predictor
variables were significant in the cause of the outcome variable: effectiveness.
Concept and Theory of Acceptance
User acceptance is defined as the willingness of an individual to utilize
information technology for the tasks for which it was designed (Show-Hui & Hsu, 2010).
User acceptance is a critical component to the success of new information systems.
Users are often unwilling to use a new technology even if the system promises to yield
significant performance gains in productivity (Pasaoglu, 2011). Both practitioners and
researchers have an interest in understanding why users accept new technology so that
standards for evaluating, designing, and predicting how users will respond to new
technology can be interpreted. Previously, designers of new technology relied on upper
management to encourage workers to accept technology by means of financial rewards.
As technology use increases across our society and organizations become more
dependent on new technology, concerns regarding how information systems will be
designed has increased exponentially (Bienstock & Royne, 2010).
Researchers have studied a wide range of issues surrounding technology
acceptance, from individual user behavior such as cognitive style to internal beliefs and
impacts of usage (Kim, 2012). Acceptance has previously been viewed as a function of
user’s participation in system development or as a measure of the political state of affairs
in an organization. The various types of development processes used and the processes
by which technology are implemented have also been studied (Ghazizadeh et al., 2012).
None of these variables have been able to account for an acceptable level of variance in
acceptance to enable the researcher to predict acceptance reliably. There are, however,

29
distinct patterns in the literature that suggest the issue is not hard to control, and several
variables have been proposed.
Teo, Ursavas, and Bahçekapili (2011) examined the efficiency of the TAM to
explain teachers’ intentions to use technology in Turkey. With the increase of
information and communication technologies used at the institutional level, change has
taken place in education. It is believed that training teachers to use an integrated
technology within the education system could be effectively designed at an early stage.
The predictor variables in this study were: (a) perceived usefulness, and (b) perceived
ease of use. The dependent variables were attitudes toward computer use and intention to
use. Structural equation modeling was utilized, since it lends itself to testing and
validating models that include latent and observed variables. The participants in the study
were 197 pre-service teachers at Rize University in Turkey. The mean age of the sample
was 19.40 years, and 55% were females.
A questionnaire was designed that consisted of two sections; the first required
participants to provide demographic information and the second contained 18 statements
on the seven constructs. Perceived usefulness had three items, perceived ease of use had
three items, attitudes toward computer use had three items, and intention to use had two
items. Each item was measured on a 5-point Likert type scale with values ranging from 1
(strongly disagree) to 5 (strongly agree). The Cronbach alphas were .940 for perceived
usefulness; .951 for perceived ease of use; .899 for attitude toward computer use, and
.832 for intention to use. The model was tested using AMOS 17.0. There were five
hypotheses tested; of these, four were supported. Attitude towards computer use did not
have a significant impact on intention to use. In examining the relationship among the

30
constructs, the results were significant and consistent with Davis (1989); the role of
attitude was only modest in predicting technology acceptance. The limitations of the
study include the variance in intention to use, which was only explained by 51% of the
variance using three variables. Future studies may include other variables, such as those
that impact the exogenous variables. The data in the study were also self-reported and
possibly susceptible to inflation.
In a study by Çakmak, Benk, and Budak (2011), the researchers utilize the TAM
model as a theoretical framework to extend and complement the acceptance of
technology components of a tax automation system (VEDOP), in Turkey. Since tax
officials had to use the VEDOP system to perform their job functions; unaccepted change
in an organization may negatively affect employee job satisfaction, attitudes towards
upper management, and loyalty within the organization. Sabotage and unfaithful
allocations of technology and the resulting costs to organizations is a potential risk that
needs to be prevented. TRA (Azjen & Fishbein, 1980) assumes that beliefs toward a
behavior are based on the individual’s prior experience. TRA contains two core
constructs of intention: attitudes toward behavior and SN. The attitude toward behavior
is based on the user’s previous attitude toward performing the behavior. An individual,
who strongly believes that the outcome will be positive for performing a particular
behavior, will have positive attitudes toward the behavior and vice-versa, if the user has
negative attitudes toward the behavior, then there will be negative attitudes. Subjective
Norm is the social pressure to perform a particular behavior. The idea of SN posits that
what other individuals or peer groups think about a particular behavior will influence the
decision of the individual (Ghazizadeh et al., 2012).

31
In this study, five hypotheses were examined. Each of the hypotheses dealt with
perceptions to use and ease of use cross-referenced with behavior intention. The
participants in the study were 185 tax officers who were employed by the tax offices in
Turkey. The survey questionnaire was administered that consisted of 17 statements on
perceived usefulness, perceived ease of use, attitude toward use, and behavioral intention.
Participants answered the questions using a 7-point Likert type scale, ranging from 1
(strongly disagree) to 7 (strongly agree). The statistical analysis involved examining the
descriptive statistics and accessing the reliability and validity of the measures. In the
research model, both convergent and discriminant validity were examined. The internal
consistency was measured using Cronbach’s alpha coefficient for each construct.
Discriminant validity was evaluated by comparing the square root of the average variance
extracted for each construct. SEM was used to test the data. This technique was chosen
for its ability to examine a series of dependent relationships.
All five of the hypotheses were supported by the data. The findings indicated that
perceived usefulness significantly influenced perceived ease of use (β = 0.44, p < 0.001),
Perceived ease of use significantly influenced attitude toward use, perceived usefulness
significantly influenced attitude toward use and behavioral intention. The limitations of
the study included sample size; the 185 sample size was quite small and not significantly
representative of the population, since the sample covered only one city in Turkey.
Second, although theoretical background was discussed in the literature review, the
analysis only involved discussing the TAM constructs perceived usefulness and
perceived ease of use.

32
Jones, McCarthy, Halawi, and Mujtaba (2010) studied factors that affect
employee acceptance of information security measures by extending the TAM.
Managers must understand that threats of information security breaches are real, and they
must ensure that appropriate security policies, procedures, and measures are in place and
that these measures are communicated to employees and reinforced throughout the
organization. Destruction or loss of information security systems can affect a company’s
financial bottom line as well as affect their reputation and market share. Given the huge
negative impact on organizations finance and goals, companies are advised to develop
procedures to better measure the impact of information security breaches.
In the study, three research questions were addressed: (a) do employee
perceptions regarding information security affect the intention to use those measures? (b)
do the beliefs of others about the use of information security measures affect employee
perceptions and the intention to use those systems? (c) does management support affect
user perception and the intention to use information security systems? The TAM model
was extended to examine the adoption of security measures. The predictor variables in
the model were perceived usefulness, perceived ease of use, and subjective norm. The
dependent variable was the intention to use the information security measures.
A questionnaire was developed to test the hypotheses. The theoretical constraints
were operationalized and measured using items derived from prior research studies. The
questionnaire was designed and presented using Survey Monkey™. The target
population was employees who work for companies that implement information security
measures. A sample size of one hundred and seventy four participants was obtained for
analysis. Partial least squares were used to analyze the data and test the hypotheses. The

33
measurement model consisted of relationships between the conceptual factors and
measures underlying the constructs. Structural Equation Modeling was used to analyze
how well the theoretical model predicted relationships. Perceived usefulness and
perceived ease of use had a positive and statistically significant effect on intention to use.
Perceived ease of use had a significant effect on perceived usefulness.
Limitations of the study included the participant sample, which consisted of
employees who worked for companies in the U.S. and Canada. Self-reported data had
been also used in the study, which often creates a concern since many users have
difficulties rating themselves (Barge & Gehlbach, 2012). To remedy the issues with self-
reported data collection some researchers have started to utilize techniques such as the
Harman one-factor test (Miller, 2009). In the Harman one-factor test all of the variables
are entered into a factor analysis, then the results are examined to determine the number
of factors that are necessary to remedy the variance. Recommendations for further
research include using the TAM model to take into account employee attitudes. Another
recommendation was to conduct an empirical study using the Theory of Planned
Behavior as the theoretical framework, since subjective norm and attitude are key
constructs in this theory.
Theory of Reasoned Action
The TRA was developed by Fishbein and Ajzen (1975) using the behavioral
theory as its base model. According to the theory, the primary predictor of information
technology behavior is the intention to use the technology. TRA takes into consideration
the cognitive qualities of behavior and assumes that individuals are rational, and the
behaviors they exhibit are under volitional control (Madden, Ellen, & Ajzen, 1992;

34
Ajzen, 2002). The Theory of Reasoned Action, accepts as an antecedent the intention
towards performing a certain behavior (Ajzen & Fishbein, 2005). Intention involves the
willingness of individuals to realize certain behavior (Chen, Chen and Kinshuk, 2009).
Because of its success and proven validity, TRA has been used in a broad array of
disciplines. TRA has been used to study ethics, information technology usage,
information sharing, marketing, health management, and renewable energy (Bang,
Ellinger, Hadimarcou, & Traichal, 2000). As shown in Figure 1, the TRA is a social
psychology model that examines determinants of intended behaviors.
Figure 1. The Theory of Reasoned Action Diagram. Reprinted from User acceptance of
computer technology: A comparison of two theoretical models by Davis, F. D., Bagozzi,
R. P., & Warshaw, P. R. (1989).

35
Behavioral intention is defined as a measure of the strength of an individual’s
intention to perform in a certain behavior (Davis et al., 1989). Attitude is defined as an
individual’s positive or negative feelings about performing a certain behavior (Davis et
al., 1989). Subjective norm refers to the social pressure to perform or not perform a
specific behavior (Ajzen, 1991). Behavioral Intention (BI) is a linear function of the
sums of attitude (A) and SN. The TRA states that an individual’s behavior toward a
behavior is determined by their beliefs that performing the behavior will result in a
certain consequence. Evaluation term refers to the implicit evaluation to an outcome
(Fishbein & Ajzen, 1975). An individual who believes that performing a specific
behavior will lead to a positive outcome will have positive attitudes toward that behavior,
and conversely, if that same individual believes a negative outcome will result from
performing a behavior, the person will have a negative attitude towards the behavior
(Fishbein & Ajzen, 1975).
According to the TRA, a person’s subjective norm is determined by the sum of
the person’s normative beliefs, that is, the person’s peer’s expectations, multiplied by the
motivation to abide by those expectations (Davis et al., 1989). According to Davis, the
TRA is a generic model and does not state the beliefs for any particular behavior.
Because of this model, it is recommended that researchers should identify the belief
constructs for a particular behavior. Fishbein and Ajzen (1975) suggested that between
five and nine beliefs are sufficient to determine an individual’s attitude toward a certain
behavior. The TRA is limited to the assessment of human behavior in situations where
individual actions are mandatory (Ajzen, 1991).

36
Yilmaz, Aktas, Özer, and Özcan (2013) conducted a study that investigated
factors affecting information technology usage behavior of tax office employees in the
Black Sea Region of Turkey. Data from 133 tax office employees was gathered through
a questionnaire that was formed using a 5-point Likert-type scale. The research model
was developed using the TRA. In this study the TRA was used as a starting point in an
effort to understand technology usage behavior of tax office employees. In accordance
with the theory, it is proposed that the intention of employees toward technology usage is
the single determinant factor of technology usage behavior. It is assumed if employees
have a positive intention, they are more likely to use technology in their job. The data
had been analyzed using SPSS. Factor, correlation and regression, and reliability were
conducted to formulate relationships between variables. The Kaiser Meyer-Olkin (KMO)
and Barlett tests verified the factor analysis. Reliability was measured using Cronbach’s
α value of variables. Correlation analysis was performed to examine the direction and
intensity of relations between the variables. Two regression models were developed to
test the hypotheses. The first model was developed to test the relationship between the
intention of employees and technology usage. The results indicated that the relationship
between intention of employees and their technology usage are statistically significant.
The second regression model explores the relationship between attitude and subjective
norm of employees and technology usage behavior. Again the results were statistically
significant (attitude: β =0.372; p=0.00; SN: β = 0.193; p=0.00).
Theory of Planned Behavior
The Theory of Planned Behavior (TPB) is an extension of the TRA (Ajzen, 1991).
One of the primary factors of the theory is a person’s intention to perform a given

37
behavior. Ajzen (1991) suggested that individual behavior is driven by intentions which
are a function of a person’s attitude toward behavior, the subjective norms that surround
the behavioral performance, and an individual’s perception of how easily a certain
behavior can be performed. In the study by Ajzen (1991), the independent variables were
attitude toward behavior, perceived behavior, and subjective norm. The dependent
variables were behavioral behavior and intention. Attitude toward behavior is an
individual’s feelings about a behavior. SN refers to the social pressure to perform or not
perform a particular behavior. The degree of perceived behavioral control refers to the
difficulty of performing the behavior. According to the TPB, the more favorable the
subjective norm and attitude, the higher the perceived behavior and the stronger the
behavioral intention will be (Ajzen, 1991). The model for the Theory of Planned
Behavior is show in Figure 2.
Figure 2. The Theory of Planned Behavior Model (Ajzen, 2006)
According to the TPB, behavioral intentions to perform different kinds of
behaviors can be predicted by subjective norm, attitude toward the behavior, and

38
perceived behavioral control. Ajzen (1991) explained that perceived behavioral control
(PCB) exhibits beliefs toward opportunities needed to perform a behavior. Perceived
behavioral control is derived from the sum of control beliefs (cbk) multiplied by
perceived facilitation (pfk). A central factor in the TPB is an individual’s intention to
perform a certain behavior. Intentions capture the motivational factors that tend to
influence behavior, such as how hard people exert themselves and how much of an effort
they plan to exert to perform a behavior (Ajzen, 1991).
Burns and Roberts (2013) performed a study on cyber-crime that examines the
utility of the Theory of Planned Behavior in predicting online behaviors. The research
advanced knowledge by applying the TPB model to predicting general online behavior
rather than individual behavior. The study used a cross-sectional correlation design using
online behavior as the criterion variable. The predictor variables were SN, attitudes, and
perceived behavior control. A priori power analysis based on data from prior studies, Yao
and Linz’s (2008), produced an estimated sample level of 50 participants needed to detect
significant effects at an alpha level of 0.05. Participants were recruited using
advertisements on academic and social networking sites. Online behavior was measured
using a version of the General Caution Protection Scales (Buchanan, Paine, Joinson, &
Reips, 2007). The Caution scales measure the frequency of general behavior. An online
survey questionnaire using SurveyMonkey was submitted to 150 participants. Bivariate
correlations were computed to test the assumptions of the mediation models. The model
explained 81% of the variance in online safety behaviors. The findings indicate a
significant relationship between subjective norm and intention, which suggested that

39
influence from external individuals had a strong bearing on whether a person engages in
protective behavior.
Lwin and Williams (2003) investigated the reasons behind why online users
disguise their identity. A conceptual model was developed from two existing theoretical
frameworks: (a) Lauder and Wolfe’s Multidimensional Approach to Privacy, and (b)
Ajzen’s TPB. An empirical study was conducted using SEM to test the conceptual
model. The results demonstrated that perceived behavioral control, attitudes, and
perceived moral obligations were significant instigators of fabrication, while subjective
norm was not.
Technology Acceptance Model
The TAM addresses user acceptance of information technology related systems.
TAM is one of the most widely used models of user acceptance that has been applied and
validated across multiple technologies and populations through previous research
(Ghazizadeh et al., 2012). The principles behind the TAM model are that the more users
willing to accept new technology, the more likely they will be to modify their existing
behaviors to adapt to the new environment (Davis, 1989). Davis (1989) proposed that
perceptions of usefulness and ease of use were key factors in user’s intentions to adopt
new technology. The effects of external variables were mediated by perceived usefulness
and perceived ease of use. Perceived usefulness refers to the inclination to use or not use
a new technology based on the user’s belief that it will enhance their productivity (David,
1989). Perceived ease of use refers to the level of effort the user must exert in using the
new technology to perform their job (David, 1989).
Davis (1989) conducted two different studies using the TAM. The first study

40
consisted of a group of 120 users from IBM, who responded to a survey to rate the ease
of use and usefulness of their email system. The second study involved 40 students from
a Boston University MBA program, whose task it was to evaluate two new graphical
systems and respond to a survey. The results of the studies concluded that perceived ease
of use and perceived usefulness have a significant impact on the usage of the system. In
both studies perceived usefulness rated higher than perceived ease of use, as more users
were motivated to use a system if it provides more functionality, regardless of the
difficulty.
In the past decade, there have been over 100 studies that have implemented the
TAM as a theoretical framework for the acceptance of new technology. Of these studies,
the majority have been performed in the United States. Based on a review of the
literature, the results are somewhat conflicting in terms of the key components of
technology acceptance. Only a few studies fully implemented all five constructs that
were from the original TAM model (Davis, 1989). The majority of the studies found that
perceived ease of use and perceived usefulness were the most important variables in
predicting intentions to use new technology (Jiang, Chen, & Lai, 2010).
Mutlu and Efeoglu (2013) investigated email usage by using the Extended
Technology Acceptance Model (TAM2) (Mutlu & Efeoglu, 2013) and tested the effects
of cultural values between subjective norm and behavioral intention/perceived usefulness.
The improvements in communication technologies have become widespread in many
companies. The research questions of this study were: How is the usage of email
evaluated by TAM2 and what are the moderating effects of cultural values between
subjective norm and behavioral intention/perceived usefulness?

41
Field research was used in the study as a research strategy. The survey was
conducted with 321 participants that had access to email during business hours and
worked in a Turkish bank. The scales used in this research measured TAM2 and
Espoused Natural Cultural Values. These scales were originally developed by Davis
(1989) and extended by Venkatesh and Davis (2000). The scale developed by Dorfmann
and Howell (1988) was used to measure espoused national cultural values. SEM was
used for the analysis of the data. Perceived usefulness was both a dependent and
independent variable in the research. The results of the study indicated that perceived
usefulness and perceived ease of use had positive effects on email usage behavioral
intentions. Perceived ease of use and subjective norm had positive effects on perceived
usefulness. Subjective norm affected perceived usefulness stronger than perceived ease
of use. The limitations of the study included that the sample originated from only a
single organization. The fact that only email was examined reduced the ability to apply
the findings to other communication products. Due to the fact that easy usage of
communication technologies affected perceived usefulness and behavioral intention, it
was considered that user friendly technologies should be prioritized. The original TAM
included attitude toward using a system as shown in Figure 3.

42
Figure 3. Technology Acceptance Model Diagram (Venkatesh & Davis, 1996)
During the first 10 years of the TAM, perceived usefulness has been a strong
determinant of usage intention, with regression coefficients typically around β =.06.
Since perceived ease of use has less of an effect on behavioral intention, Davis and
Venkatesh (2000) looked to find the antecendents of percieved usefulness and how it
varied with time and experience using technology. While some researchers have studied
the determinants of perceived ease of use, more often than not the determinants of
perceived usefulness have been overlooked. Because of this oversight, Venkatesh and
Davis extended the TAM to what is referred to as TAM2 as shown in Figure 4.
Figure 4. TAM2 Diagram (Venkatesh & Davis, 2000)

43
Using the TAM as a model, for TAM2, additional theoretical constructs
consisting of social influence and cognitive instrumental processes were incorporated.
Additionally, Venkatesh and Davis discovered that extending TAM2 showed that
subjective norm exerted a direct effect on behavioral intentions.
TAM and Information Security
New challenges continue to emerge in the process of protecting data in networked
information systems as more users and organizations reap the benefits from the adoption
of information technologies (Sun, Ahluwalia, & Koong, 2011). Many of these challenges
arise because of the ease of which data can be duplicated and deployed by distributed
data sources, resulting in an increase of unauthorized access by cyber-terrorism. Existing
literature suggests that individuals are concerned about their privacy and want to have
complete control over their own data (Norberg, Horne, & Horne, 2007)). Organizations
face challenges as more individuals have access to data that is stored on interconnected
data networks. A study in 2003 found that over 29 percent of those interviewed had
experienced a breach of unauthorized data (Schwartz & Treanor, 2003). Organizations
employ various security measures to protect their data, the most widely used method is
through the use of a username and password. In recent years more advanced techniques
such as biometrics have been proposed, such systems require the authentication of users
through fingerprint matching, facial recognition, or voice recognition techniques.
Aurigemma (2013) performed a study that provided a theoretical framework that
discovered key factors that impact employee behavioral intention to comply with security
policies. The theoretical framework was tested in a real-world environment using a well-
defined set of security policies. The study also evaluated how behavior intent to obey

44
security policies is a varying target for employees for both specific guidelines and general
compliance policies. The study found that the primary factors that affect behavioral
intent (SN, attitude, perceived behavioral control, self-efficacy, and organizational
commitment) had strong relationships with the intent to comply with information security
policies. However, when the various factors that affect behavior intent and attitude were
evaluated for a specific security threat, individual factor significance and importance
varied significantly. The results of the study indicated that threat is an essential factor in
the identification of roles for specific behavior antecedents.
Hernandez, Jimenez, and Martin (2008) performed a study to analyze current
and future organizational use of new technologies, such as management software, using
the TAM optimized with experience from other Internet based technologies. The study
examined the relationship among companies to see if there exists a moderating effect
within the industry. The study had two objectives: (a) to extend the TAM model to the
business environment, and (b) to analyze if the model displays differences among
economic sectors. Two hundred and fifty seven participants were selected from a sample
of companies in the Spanish technology sector. A questionnaire was distributed via
email, the items were selected using a 7-point Likert scale. To measure reliability and
validity, a confirmatory factor analysis (CFA) that contains all of the constructs was
estimated using EQS (Bentler, 1995). Eight hypotheses were defined that emphasized the
constructs: perceived ease of use, perceived usefulness, intensity of use, and future use.
The results from the study verified that the moderating effect of industry can be observed
in two relationships: (a) the influence of ease of use on intensity of use, and (b) the
influence of intensity on future use. The results have important implications for

45
managers. The significance of information technological compatibility means that
organizations should be aware the relationships between interrelated technologies.
User behavior and Information Technology
The TRA (Ajzen & Fishbein, 1980) and the TAM (Davis, 1989) are two of the
most popular models for the study of information technology and user behavior. Since
TAM derives from TRA, TAM is generally applied to the principles of user behavior
where the user has control. Individualism is an important variable that affects new
technology acceptance by users (Jiang et al., 2010). Computer knowledge and self-
efficacy have often been used to explain differences among individuals. In a study by
Davis and Venkatesh (1996), the researchers concluded that perceived ease of use of
users to use the information technology system was significantly affected by their self-
efficacy. TAM suggests that the SN is a critical factor that affects user attitude and
intention. SN is generally defined as the acceptance based on the support by supervisors,
colleagues, and top management (Jones et al., 2010).
The TRA theory posits that individuals give higher evaluation scores, not because
of the technological characteristics of the system, but because of how the system fulfills
the needs of the user in performing their job. TRA is a theory that relates individual
behavior and attitude while performing an activity. TRA is the basis for TAM, the
psychological theory that explains individual attitude of information systems that are
based on attitudes, beliefs, and user relationships. Goodhue and Thomson ((1995)
proposed a model of technology compatibility between task and technology in an effort
to identify user needs, time lines to complete work, data access times, ease of use of the
operating system, and reliability of the technology. Jogiyanto (2007) explained that

46
information technology needs to be continually developed to increase effectiveness for
users, since the user needs change over time.
In a study by Hariyanto and Suyono (2012), the relationship between perceptions
of usefulness, the perception of ease of use, user attitudes, and behavior among user
intentions to using a new accounting information system, was examined. The successful
development of accounting information systems is dependent on user satisfaction
(Hariyanto & Suyono, 2012). Many government agencies have purchased new
accounting systems, but have not implemented them because of time constraints and user
willingness to accept a new technology. Successful system development not only
depends on the technical ability of an organization, but also depends on user behavior
(Bodnar & Hopwood, 2010). Behavioral aspects of individuals consist of motivation
factors, perceptions of use, perceptions of ease of use, and behaviors surrounding the
relationship between user attitudes and intentions. The successful implementation of new
technology depends on how well the system runs, the ease of use of the system, and the
benefits to the user (Ajzen, 2011).
The population of the study was users of accounting systems at a regional water
company in Indonesia. The research design used an exploratory study using a survey
method. The sampling technique used was purposive sampling, with the criteria that the
individuals were employees of the regional water company in a district that uses
accounting software to generate financial reports. Data had been collected by observing
workers during office hours, and distributing questionnaires to respondents. The
hypotheses testing utilized SEM with partial least squares. The results of the study
yielded that user’s intentions were affected by perceptions of usefulness, attitudes, and

47
user relationships, while user attitudes were affected by perceptions of usefulness and
ease of use.
Limitations of the study included the participant sample, since there was only a
subset of participants from one region of Indonesia it was difficult to assume research
conclusions about other parts of Indonesia. Another limitation of the study was that the
survey method was self-reported during observation periods. Self-reported data suffers
from social pressure ethics which often results in biased data that may conform to the
norm.
Organizational information assets are now exposed to a growing number of
vulnerabilities and threats. The threats come from both external and internal sources.
Normally, external threats are easier to detect compared to internal threats. According to
Hall, Sarkani, and Mazzuchi (2011), internal threats have the capability of causing
considerably more damage to an organization than that of an outside hacker. Insider
threats have more opportunities to access valuable information within an organization.
They also have the knowledge on how to gather information, while at the same time
covering their tracks. Unfortunately, most companies put an emphasis on external
threats, and often ignore the possibility of internal breaches. According to Nicho and
Hendy (2013), many organizations emphasize less protection and control from insider
security threats rather than external ones. Ninety percent of security controls is focused
on external threats. In the Nicho and Hendy (2013) research, it was found that 70% of
fraud was caused by internal threats.
Jaafar and Ajis (2013) found that four factors affect Information Security
Compliance Behavior (ISCB). These four factors include: (a) co-worker socialization;

48
(b) information security perception; (c) computer self-efficacy; and (d) personal
innovativeness. The study determined that information security perception was the
strongest determinant of information security compliance behavior. One of the other
primary findings of the study are that detailed information security plans should be
implemented by top management. Despite the roles and responsibilities within an
organization, all users use the information systems they produce. This study provided
evidence on how the theory of social behavior is combined with individual and
organizational factors.
Organizations and individuals utilize authentication procedures to help protect
their data. Some of the most widely used authentication methods identify a user using a
unique username and password combination. In recent years, more sophisticated
techniques such as biometrics have been proposed and implemented to protect systems
from unauthorized users. The existing literature in user acceptance points to the tension
between users non-compliance with more sophisticated password techniques. Previous
studies have demonstrated that is an organization has no password constraints, users will
select easy to remember user names and passwords (Shafi, Sattar, & Reddy, 2011).
Employee trust in the integrity of information is related to its perceived privacy and
security (Marcelo, Laroche, Marie-Odile, & Eggert, 2012). Because of this relationship,
organizations seek to increase the complexity of their security infrastructure. Sun,
Ahluwalia, and Koong (2011) studied the factors that influence user attitudes toward
various level of security measures that are used to protect data of varying importance. To
capture user attitude, a construct called “information security readiness” (ISR) was
developed. Observations were collected from a laboratory experiment that was based on

49
a 2 by 3 factorial design, utilizing data criticality and security levels as the treatment
variables. The results revealed a nonlinear relationship between security level and ISR.
For high security data, increasing the security level had a positive impact on the ISR, but
only to a level that was perceived appropriate by the participants. For non-sensitive data,
the increase in security protection was perceived as unnecessary.
McDaniel (2011) performed a study on the comparison of the impact of
acceptance on motivation to use information systems. Prior research has investigated
technology acceptance and intrinsic motivation; however, there exists little or no research
on how user’s acceptance will affect their motivation to use information systems. The
theoretical background of the study includes three different types of well-established
research theories. These theories include: (a) motivation dimension; (b) technology
acceptance model; and (c) end user technology support. Motivation was used to control
human action and behavior (Vallerand, 2012). An unmotivated employee has no reason
to use an information security system, however if they are engaged through the use of
training and reinforcement methods they are considered motivated. Prior research in
motivation suggests that individuals may have varying amounts of motivation, as well as
different tendencies toward motivation (Rahman, Mondol, & Ali, 2013). In the
McDaniel’s study, the constructs are: (a) user’s acceptance of system utility; (b) support
for information system use; and (c) personal motivation to use a system. The participants
in the study included employees from a state university. A survey of 288 respondents
was collected and a path analysis was used to test the proposed research model.
Acceptance and support were found to be significant indicators of user’s motivation to
use information security systems.

50
Effects of Perceived Ease of Use
The original TAM developed by Davis (1989), and derived from the TRA, which
formulated that an individual’s decision-making, willingness, attitude, and SN affects
their Behavioral Intentions (BI). According to the TRA, attitude and SN independently
affect intentions, where in the TAM, PU and PEOU are believed to affect an individual’s
attitude. Davis (1989) wrote a foundation paper on TAM that determined there are
various external factors such as situational constraints, managerial interventions, and
individual differences that affect behavior. The impact of external variables on behavior
intention is measured by two beliefs of technology: perceived ease of use and perceived
usefulness. Even though the perceived ease of use construct has been used extensively in
user acceptance research, Davis and Venkatesh (1996) believed that in an effort to
enhance programs that are designed for technology acceptance, it is important that the
antecedents be understood for perceived ease of use. Perceived ease of use has a direct
impact on intention, and an indirect effect on perceived usefulness. Perceived ease of use
is an obstacle that users need to overcome for adoption, acceptance, and usage of
technology systems. The model for perceived ease of use is displayed in Figure 5.

Carroll_Tim

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (16)

Similar to Carroll_Tim

Similar to Carroll_Tim (18)

Carroll_Tim