THE ACCEPTANCE AND EFFECTIVENESS OF FEDERAL AND STATE INFORMATION SECURITY REGULATIONS IN MULTI-BRANCH COMMUNITY BANKS: A PHENOMENOLOGICAL ANALYSIS CONDUCTED IN CENTRAL CALIFORNIA

by Charles I. McClain

JELENA VUCETIC, Ph.D., Faculty Member and Chair
STEVEN BROWN, Ph.D., Committee Member
TAPAN MUNROE, Ph.D., Committee Member
Kurt Linberg, Ph.D., Dean, School of Business and Technology

A Dissertation Presented in Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy

Capella University
June 2008

3307974

© Charles McClain, 2008

ABSTRACT

The effectiveness of technology and its implementation factors vis-à-vis organizations arguably depends upon the degree to which these factors are accepted by those organizations' users. The most widely applied model for this behavior in information technology theory is the Davis technology acceptance model (TAM). TAM postulated that the acceptance of applied and environmental aspects of technology is primarily a function of the facility (ease-of-use) and utility (usefulness) of the technology in question. This project involved a three-phase, multi-method study of the effectiveness of the current scheme of information security regulation in California community banks, assessing the acceptance of such federal and state mandates by those banks and the potential improvement of such regulation toward the end of enhanced information system security.

The initial qualitative phase involved a series of directed interviews which, through open coding, assessed the potential for bias of both the researcher and the participants (bank officers charged with responsibility for such security) and found such bias effects to be minimal. The second phase, a quantitative survey of the factors which emerged from phase one through axial coding, was designed to test two null hypotheses: that the facility (ease-of-use) of the information security regulatory scheme is acceptable, and that the utility (usefulness) of the information security regulatory scheme is beneficial. Statistical analysis of the resulting data indicated that neither of these null hypotheses could be rejected at the 95% confidence level. The third, qualitative phase consisted of a set of follow-up open interviews, the selectively coded results of which investigated the participants' views on changes which could contribute to enhanced information security regulation, fostering better information security at their banking organizations. These changes included greater examiner/auditor expertise; more specific remedial recommendations by regulators and auditors; consolidation of diverse regulatory agencies; and greater professional input by the regulated community in the process of regulatory procedure development. In summary, the implications of these findings and the resultant recommendations are discussed.

DEDICATION

This dissertation is dedicated to (ISC)², my professional information security organization, whose generous research grant has enabled use of the best research tools to conduct this study; County Bank, my employer, which has given me every encouragement in pursuit of my doctoral program; and, finally, my loving wife, Gay Parker, whose unstinting support and encouragement kept this work focused and on track.

ACKNOWLEDGEMENTS

With my heartfelt thanks, I acknowledge the gracious support of my mentor, Dr. Jelena Vucetic, and my other committee members, Drs. Steven Brown and Tapan Munroe. I'd also like to express my gratitude to Drs. Don Stengel, James Henson, Ojoung Kwon, and Sasan Rahmatian, who provided invaluable assistance in validation and correction of my research instrument. I also extend my complete appreciation to Mr. Tom Hawker, Chief Executive Officer of Capital Corp. of the West, whose introduction of this project to the banks invited to participate provided vital encouragement to the involvement of those organizations which took part. Finally, to all the participants who patiently and thoroughly responded to all phases of this project, my thanks for your thoughtful contributions.

TABLE OF CONTENTS

ACKNOWLEDGEMENTS i
LIST OF FIGURES viii
LIST OF TABLES ix
LIST OF ABBREVIATIONS x
CHAPTER 1 - INTRODUCTION 1
  Introduction to the Problem 1
  Background of the Study 2
  Statement of the Problem 2
  Purpose of the Study 3
  Rationale 3
  Research Questions 4
  Significance of the Study 5
  Definition of Terms 5
  Assumptions and Limitations 6
  Theoretical and Conceptual Framework 7
  Organization of the Remainder of the Study 10
CHAPTER 2 - LITERATURE REVIEW 11
CHAPTER 3 - METHODOLOGY 22
  Research Design 22
  Sample 22
  Instrumentation 23
  Data collection 25
  Data management plan 25
  Computer application strategy 26
  Treatment (Coding System) 27
    Open Coding 27
    Axial Coding 28
    Selective Coding 29
  Data Analysis 30
  Validity and Reliability 33
    Generalizability 33
    Bias and Validity 34
  Ethical Considerations 34
CHAPTER 4 - RESULTS 36
  Instrument Design 36
  Instrument Validation 44
  Phase I 57
    Participant Solicitation Process 57
    Results of Solicitation 59
    PROF (0) 64
    ENV (1) 65
    ENV/EXP (1.1) 66
    ENV/KNOW (1.2) 67
    ENV/KNOW/GLB (1.2.1) 67
    ENV/KNOW/SOX 67
    ENV/KNOW/FFIEC (1.2.3) 68
    ENV/KNOW/PATRIOT 68
    ENV/KNOW/FACT 69
    ENV/KNOW/SB1386 (1.2.6) 70
    OVER 71
    OVER/RISK 71
    OVER/SIZE 72
    OVER/COMPLEX (2.3) 72
    OVER/STAFF_EXP 73
    OVER/EXAM_EXP 73
    STRAT 74
    STRAT/CAT 75
    STRAT/REL 75
    PROC 76
    PROC/RISK_PROC 77
    PROC/AUDIT 78
    PROC/BCDRP 78
    PROC/GLB_COMPL 79
    Coding and Bias Analysis 80
  Phase II 82
    Questionnaire 89
    Statistical Evaluation 92
    Hypothesis Testing 100

[...]

... participants, in focusing on the current banking information security regulatory approach, defined by the Federal Financial Institution Examination Council (FFIEC) guidelines (2006), which are dominated by the legislative mandates of Gramm-Leach-Bliley, Sarbanes-Oxley, and other pertinent laws and regulations, including the USA Patriot Act (2001), the FACT Act (2003), and various State legislation, such as California's Security Breach Information Act (2003), commonly known as ...

... the validity of public financial statements. Specific to the area of banking regulation, a number of studies have examined the centrality of acceptance in evaluating the success of such mandates. Freixas and Gabillon (1999) mathematically analyzed the derivation of ideal levels of deposit insurance requirement, based on the Pareto optimization in the insurance theory work of Merton (1997). Their findings ...

... government mandated policy lies in the abortive attempts at "metrication" of US standards and measures. Smith (1998) recounted the establishment and ultimate failure of the US Metric Board, established by Act of Congress (1975) and abolished by the Reagan administration in 1982, leaving the United States, Liberia, and Myanmar as the only nations in the world which have yet to fully adopt the metric standard, ...

... Questionnaire
CAQDAS  Computer Assisted Qualitative Data Analysis Software
CISA  Certified Information Security Auditor
CISM  Certified Information Security Manager
CISSP  Certified Information Systems Security Professional
CIO  Chief Information Officer
CUSI  Computer User Satisfaction Inventory
FACT  Fair and Accurate Credit Transactions Act
FFIEC  Federal Financial Institution Examination Council
GLB/GLBA  Gramm-Leach-Bliley ...

... value of customer holdings. In an overall review of the effectiveness of banking regulation, Freixas and Santomero (2005) contended that effective bank regulation must accommodate asymmetrical information theory, which describes the imperfect nature of customer regulatory information acceptance, as opposed to classical rational actor theory, which assumed perfect information and rational decision-making. Finally, ...

... evaluated is the inherent parsimony of the TAM, in terms of relative ease of application in different research settings. TAM scholars such as Venkatesh (2000) have opined that the very ease of application of TAM to a variety of research milieux may be a source of limitation of the theory's efficacy. Mathieson (1991) argued early on that the predictive power of TAM at its inception may not provide adequate ...

... international context, using it to evaluate the effect of national culture on IT acceptance. Tomita (2000) evaluated the success of IT innovation in the education of health professionals using TAM. Rashed (2001) further extended TAM analysis to the results of IT introduction in developing countries. Featherman (2002) applied TAM to perceptions of risk and its effects on the acceptance of on-line banking ...

... perception of IT intrusiveness on people's lives using TAM, and the resultant impact on the success of related IT adoption. Donnelly (2004) started with TAM and correlated other factors, such as age, gender, education, and national origin, in a study of enhancement of the original criteria of ease-of-use and utility. Hsu and Lu (2004) positively applied the TAM to on-line gaming with the addition of social and ...

... which the author encountered was found in the work of Legris, Ingham, and Collerette (2003), who persuasively argued that, on rigorous evaluation, TAM and TAM2 account for less than 50% of the effectiveness of IT implementation, a conclusion based on statistical analysis of the available correlation coefficients of research projects employing TAM, undertaken to determine the homogeneity of the data. Based ...

... central theme of this study.

Statement of the Problem

The problem of information systems security regulatory compliance by federally chartered banks is particularly critical. This characterization is justified by the extreme importance of the financial stability of the banking industry in our capitalistic society. The author of this study is an information security officer (ISO) for such a bank, and thus ...