Abstract
The adoption of new cybersecurity capabilities in an organization can be seen as an example of the adoption of technological innovations. While regulators use rules, standards, and codes of practice to influence the state of cybersecurity in regulated organizations—other factors, such as technological complexity, organizational size, and management support have been shown to influence technological adoption. Limited empirical research exists on factors influencing cybersecurity implementation in organizations. Existing models have focused on productivity or leisure applications—adoption of security innovations is fundamentally different because their adoption is founded on the intention to prevent incidents in the future with a limited direct positive gain. A systematic literature review on existing research on adoption of security innovations is presented and suggestions for further research in more quantitative measures for the drivers of organizational cybersecurity technology adoption is suggested.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Rogers, E.M.: Diffusion of Innovations. Free Press, New York, NY (2003)
Hameed, M.A., Counsell, S., Swift, S.: A conceptual model for the process of IT innovation adoption in organizations. J. Eng. Technol. Manag. 29(3), 358–390 (2012). https://doi.org/10.1016/j.jengtecman.2012.03.007
Davis, F.D., Bagozzi, R.P., Warshaw, P.R.: User acceptance of computer technology: a comparison of two theoretical models. Manag. Sci. 35(8), 982–1003 (1989)
Venkatesh, V., Davis, F.D.: A theoretical extension of the technology acceptance model: four longitudinal field studies. Manag. Sci. 46(2), 186–204 (2000). https://doi.org/10.1287/mnsc.46.2.186.11926
Ajzen, I., Fishbein, M.: Understanding Attitudes and Predicting Social Behavior, Pbk Prentice-Hall, Englewood Cliffs, N.J. (1980)
Ajzen, I.: The theory of planned behavior. Organ. Behav. Hum. Decis. Process.Behav. Hum. Decis. Process. 50(2), 179–211 (1991). https://doi.org/10.1016/0749-5978(91)90020-T
Venkatesh, V., Bala, H.: Technology Acceptance Model 3 and a Research Agenda on Interventions (2008). https://doi.org/10.1111/j.1540-5915.2008.00192.x
Venkatesh, V., Morris, M.G., Davis, G.B., Davis, F.D.: User acceptance of information technology: toward a unified view. MIS Q. 27(3), 425–478 (2003). https://doi.org/10.2307/30036540
Venkatesh, V., Thong, J.Y.L., Xu, X.: Consumer acceptance and use of information technology: extending the unified theory of acceptance and use of technology. MIS Q. 36(1), 157–178 (2012). https://doi.org/10.2307/41410412
Tornatzky, L.G., Fleischer, M., Chakrabarti, A.K.: The processes of technological innovation. In: Issues in Organization and Management Series. Lexington Books, Lexington, Mass (1990)
Baker, J.: The technology–organization–environment framework. In: Information Systems Theory: Explaining and Predicting Our Digital Society, vol. 1; Dwivedi, Y.K., Wade, M.R., Schneberger, S.L. (Eds.) Integrated Series in Information Systems. Springer, New York, NY, pp. 231–245 (2012). https://doi.org/10.1007/978-1-4419-6108-2_12
Johnston, A.C., Warkentin, M.: Fear Appeals and information security behaviors: an empirical study. MIS Q. 34(3), 549–566 (2010)
Dinev, T., Hu, Q.: The centrality of awareness in the formation of user behavioral intention toward protective information technologies. JAIS 8(7), 386–408 (2007). https://doi.org/10.17705/1jais.00133
West, R.: The psychology of security. Commun. ACM 51(4), 34–40 (2008). https://doi.org/10.1145/1330311.1330320
Maddux, J.E., Rogers, R.W.: Protection motivation and self-efficacy: a revised theory of fear appeals and attitude change. J. Exp. Soc. Psychol. 19(5), 469–479 (1983). https://doi.org/10.1016/0022-1031(83)90023-9
Rosenstock, I.M.: Historical origins of the health belief model. Health Educ. Monogr. Monogr. 2(4), 328–335 (1974). https://doi.org/10.1177/109019817400200403
Wynn, D., Williams, C., Karahanna, E., Madupalli, R.: Preventive adoption of information security behaviors. In: ICIS 2013 Proceedings (2013). https://aisel.aisnet.org/icis2013/proceedings/SecurityOfIS/5
Pickering, B., Boletsis, C., Halvorsrud, R., Phillips, S., Surridge, M.: It’s Not My Problem: How Healthcare Models Relate to SME Cybersecurity Awareness. In: HCI for Cybersecurity, Privacy and Trust; Moallem, A (Ed.) Lecture Notes in Computer Science, vol. 12788. Springer International Publishing, Cham, pp. 337–352. (2021). https://doi.org/10.1007/978-3-030-77392-2_22
Vedadi, A., Warkentin, M.: Can secure behaviors be contagious? a two-stage investigation of the influence of herd behavior on security decisions. J. Assoc. Inf. Syst. 21(2) (2020). https://aisel.aisnet.org/jais/vol21/iss2/3
Ayyagari, R., Lim, J., Hoxha, O.: Why do not we use password managers? a study on the intention to use password managers. CMR 15(4), 227–245 (2019). https://doi.org/10.7903/cmr.19394
Ho, K.K.W., Au, C.H., Chiu, D.K.W.: Home computer user security behavioral intention: a replication study from guam. AIS Trans. Replication Res. 7(1) (2021). https://aisel.aisnet.org/trr/vol7/iss1/4
Sonnenschein, R., Loske, A., Buxmann, P.: Gender Differences in Mobile Users’ IT Security Appraisals and Protective Actions: Findings from a Mixed-Method Study (2016). https://aisel.aisnet.org/icis2016/ISSecurity/Presentations/12
Smith, C., Agarwal, R.: Practicing safe computing: a multimedia empirical examination of home computer user security behavioral intentions. MIS Q. 34(3), 613–643 (2010)
Wang, P.A.: Information security knowledge and behavior: an adapted model of technology acceptance. In: 2010 2nd International Conference on Education Technology and Computer. IEEE, Shanghai, China, pp. V2-364–V2-367 (2010). https://doi.org/10.1109/ICETC.2010.5529366
Hameed, M.A., Arachchilage, N.A.G.: A model for the adoption process of information system security innovations in organisations: a theoretical perspective. In: ACIS 2016 Proceedings (2016). https://aisel.aisnet.org/acis2016/45
Vafaei-Zadeh, A., Thurasamy, R., Hanifah, H.: Modeling anti-malware use intention of university students in a develo** country using the theory of planned behavior, vol. 48, no. 8, pp. 1565–1585 (2019). https://doi.org/10.1108/K-05-2018-0226
Dinev, T., Hu, Q.: The centrality of awareness in the formation of user behavioral intention toward preventive technologies in the context of voluntary use. In: SIGHCI 2005 Proceedings (2005). https://aisel.aisnet.org/sighci2005/10
Ng, B.Y., Rahim, M.: A socio-behavioral study of home computer users’ intention to practice security. In: PACIS 2005 Proceedings (2005). https://aisel.aisnet.org/pacis2005/20
Dinev, T., Goo, J., Hu, Q., Nam, K.: User behavior toward preventive technologies—cultural differences between the United States and South Korea. In: ECIS 2006 Proceedings (2006) https://aisel.aisnet.org/ecis2006/9
Liang, H., Xue, Y.: Avoidance of information technology threats: a theoretical perspective. MIS Q. 33(1), 71–90 (2009)
Young, D.K., Carpenter, D., McLeod, A.: Malware avoidance motivations and behaviors: a technology threat avoidance replication. AIS Trans. Replication Res. 2(1) (2016). https://aisel.aisnet.org/trr/vol2/iss1/8
McLeod, A., Dolezel, D.: Toward Security Capitulation Theory (2020). https://aisel.aisnet.org/amcis2020/info_security_privacy/info_security_privacy/2
Herath, T., Chen, R., Wang, J., Banjara, K., Wilbur, J., Rao, H.R.: Security services as co** mechanisms: an investigation into user intention to adopt an email authentication service: security services as co** mechanisms. Inf. Syst. J. 24(1), 61–84 (2014). https://doi.org/10.1111/j.1365-2575.2012.00420.x
Samtani, S., Zhu, H., Yu, S.: Fear appeals and information security behaviors: an empirical study on mechanical turk. AIS Trans. Replication Res. 5(1) (2019). https://aisel.aisnet.org/trr/vol5/iss1/5
Groner, R., Brune, P.: Towards an empirical examination of it security infrastructures in SME. In: Secure IT Systems; Jøsang, A., Carlsson, B. (Eds.) Lecture Notes in Computer Science, vol. 7617. Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 73–88 (2012). https://doi.org/10.1007/978-3-642-34210-3_6
Tafokeng Talla, L., Kala Kamdjoug, J.R.: Factors influencing adoption of information security in information systems projects. In: New knowledge in information systems and technologies; Rocha, A., Adeli, H., Reis, L.P., Costanzo, S. (Eds.) Advances in Intelligent Systems and Computing, vol. 931. Springer International Publishing, Cham, pp. 890–899 (2019). https://doi.org/10.1007/978-3-030-16184-2_84
Seuwou, P., Banissi, E., Ubakanma, G.: User acceptance of information technology: a critical review of technology acceptance models and the decision to invest in information security. In: Global Security, Safety and Sustainability—The Security Challenges of the Connected World; Jahankhani, H., Carlile, A., Emm, D., Hosseinian-Far, A., Brown, G., Sexton, G., Jamal, A. (Eds.) Communications in Computer and Information Science, vol. 630, pp. 230–251. Springer International Publishing, Cham (2016). https://doi.org/10.1007/978-3-319-51064-4_19
Shropshire, J., Warkentin, M., Sharma, S.: Personality, attitudes, and intentions: Predicting initial adoption of information security behavior. Comput. Secur.. Secur. 49, 177–191 (2015). https://doi.org/10.1016/j.cose.2015.01.002
Lui, S.M., Hui, W.: The effects of knowledge on security technology adoption: Results from a quasi-experiment. In: The 5th International Conference on New Trends in Information Science and Service Science, pp. 328–333 (2011)
Shropshire, J.D., Warkentin, M., Johnston, A.C.: Impact of negative message framing on security adoption. J. Comput. Inf. Syst.Comput. Inf. Syst. 51(1), 41–51 (2010). https://doi.org/10.1080/08874417.2010.11645448
Warkentin, M., Shropshire, J., Johnston, A.: The IT security adoption conundrum: an initial step toward validation of applicable measures. In: AMCIS 2007 Proceedings (2007). https://aisel.aisnet.org/amcis2007/276
Ho, G., Stephens, G., Jamieson, R.: Biometric authentication adoption issues. In: ACIS 2003 Proceedings (2003). https://aisel.aisnet.org/acis2003/11
Wallace, S., Green, K.Y., Johnson, C., Cooper, J., Gilstrap, C.: An extended TOE framework for cybersecurity-adoption decisions. Commun. Assoc. Inf. Syst. 47(1) (2020). https://aisel.aisnet.org/cais/vol47/iss1/51
Lidster, W.W., Rahman, S.S.M.: Identifying influences to information security framework adoption: applying a modified UTAUT. In: 2020 IEEE International Conference on Big Data (Big Data), pp. 2605–2609. IEEE, Atlanta, GA, USA (2020). https://doi.org/10.1109/BigData50022.2020.9378283.
Alqahtani, M., Braun, R.: Reviewing influence of UTAUT2 factors on cyber security compliance: a literature review. JIACS 2021, 1–15 (2021). https://doi.org/10.5171/2021.666987
Maclean, R., Ophoff, J.: Determining key factors that lead to the adoption of password managers. In: 2018 International Conference on Intelligent and Innovative Computing Applications (ICONIC), pp. 1–7. IEEE, Plaine Magnien (2018). https://doi.org/10.1109/ICONIC.2018.8601223.
Appari, A., Johnson, M.E., Anthony, D.L.: HIPAA compliance: an institutional theory perspective. In: AMCIS 2009 Proceedings (2009). https://aisel.aisnet.org/amcis2009/252
Farooq, A., Dubinina, A., Virtanen, S., Isoaho, J.: Understanding dynamics of initial trust and its antecedents in password managers adoption intention among young adults. Procedia Comput. Sci. 184, 266–274 (2021). https://doi.org/10.1016/j.procs.2021.03.036
Sari, P.K., Nurshabrina, N., Candiwan (2016) Factor analysis on information security management in higher education institutions. In: 2016 4th International Conference on Cyber and IT Service Management, pp. 1–5. IEEE, Bandung, Indonesia (2016). https://doi.org/10.1109/CITSM.2016.7577518
Das, S., Kramer, A.D.I., Dabbish, L.A., Hong, J.I.: The role of social influence in security feature adoption. In: Proceedings of the 18th ACM Conference on Computer Supported Cooperative Work & Social Computing, pp 1416–1426. ACM, Vancouver BC Canada. https://doi.org/10.1145/2675133.2675225
Heidt, M., Gerlach, J., Buxmann, P.: A Holistic View on Organizational IT Security: The Influence of Contextual Aspects During IT Security Decisions (2019). https://aisel.aisnet.org/hicss-52/os/information_security/5
Mirtsch, M., Pohlisch, J., Blind, K.: International diffusion of the information security management system standard ISO/IEC 27001: exploring the role of culture. In: ECIS 2020 Research Papers (2020). https://aisel.aisnet.org/ecis2020_rp/88
Alkhalifah, A., D’Ambra, J.: Applying task-technology fit to the adoption of identity management systems. In: ACIS 2011 Proceedings (2011). https://aisel.aisnet.org/acis2011/31
Egorova, K.S., Adoption of information security as decision-making under uncertainty: a behavioural economics approach. In: ECIS 2015 Research-in-Progress Papers (2015). https://aisel.aisnet.org/ecis2015_rip/21
Loukis, E., Kokolakis, S., Anastasopoulou, K.: Factors of PKI adoption in European firms. In: MCIS 2011 Proceedings (2011). https://aisel.aisnet.org/mcis2011/29
Dong, K., Lin, R., Yin, X., **e, Z.: How does overconfidence affect information security investment and information security performance? Enterp. Inf. Syst. 15(4), 474–491 (2021). https://doi.org/10.1080/17517575.2019.1644672
Bagozzi, R. P.: The legacy of the technology acceptance model and a proposal for a paradigm shift. J. Assoc. Inf. Syst. 8(4) (2007). https://doi.org/10.17705/1jais.00122
McKnight, D.H., Choudhury, V., Kacmar, C.: Develo** and validating trust measures for e-commerce: an integrative typology. Inf. Syst. Res. 13(3), 334–359 (2002). https://doi.org/10.1287/isre.13.3.334.81
Goodhue, D.L., Thompson, R.L.: Task-technology fit and individual performance. MIS Q. 19(2), 213–236 (1995). https://doi.org/10.2307/249689
Gallivan, M.J.: Organizational adoption and assimilation of complex technological innovations: development and application of a new framework. SIGMIS Database 32(3), 51–85 (2001). https://doi.org/10.1145/506724.506729
Acknowledgements
This work has received funding from the Research Council of Norway through the SFI Norwegian Centre for Cybersecurity in Critical Sectors (NORCICS) project no. 310105.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Vestad, A., Yang, B. (2024). Adoption of Cybersecurity Innovations—A Systematic Literature Review. In: Onwubiko, C., et al. Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media. CYBER SCIENCE 2023. Springer Proceedings in Complexity. Springer, Singapore. https://doi.org/10.1007/978-981-99-6974-6_16
Download citation
DOI: https://doi.org/10.1007/978-981-99-6974-6_16
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-6973-9
Online ISBN: 978-981-99-6974-6
eBook Packages: Physics and AstronomyPhysics and Astronomy (R0)