DATA ANALYSIS AND FINDINGS

According to the research objectives and framework presented in previous chapters, this chapter provides evidence to address the research problem and describe the research results. The chapter begins with a description of the data analysis that includes the research sample demographic variables and descriptive statistics for the survey instrument. The chapter includes information about the reliability and validity of the survey items using Cronbach’s alpha (α) and confirmatory factor analysis (CFA). The final section of the chapter contains the results of the advanced statistical analyses used to test the research questions and hypotheses using multiple regression analyses, t tests, and ANOVAs. The researcher used the SPSS 23 software package and Lisrel 9.20 to analyze the whole dataset.

Data Collection

The researcher received IRB approval to conduct the study on October 18, 2017. The survey was distributed on November 20, and only 153 respondents completed the survey within the first 2 months. The first reminder was sent by SurveyMonkey. After the first reminder, 33 participants completed the survey within the next 3 weeks. The second reminder was sent on February 11, and 18 participants completed the survey. The third reminder was sent on March 4, and two participants completed the survey. On March 18, the survey closed with a final sample size of 206 respondents.

Sample Demographics

With regard to the sample demographics, respondent profiles varied widely and are presented in this section. The survey covered seven demographic variables (i.e., gender, age, level of education, years of experience, position in the organization, security certificate, and organization’s primary industry). The distributions of the sample in this research according to demographic variables are shown in the following tables.

A total of 206 respondents participated in this study. Respondents were initially asked to identify their gender. The majority were men (73%) and the remaining 27% were women. The summary of the distribution of gender is shown in Table 1.

Table 1

Distribution of Gender

| Variable Classes | N | % |
|---|---|---|
| Male | 151 | 73% |
| Female | 55 | 27% |

Next, respondents were asked to identify their age group. People age 31 to 45 years appeared to dominate the sample, representing nearly two-thirds of the sample. Young adults (i.e., 18 to 25 years old) accounted for only 3% of the sample. A total of 12% of the respondents identified as members of the 26 to 30 age group, 6% identified as members of the 46 to 50 age group, and 13% identified as over 50 years old. The summary of the distribution of age group is shown in Table 2.

Table 2

Distribution of Age

| Variable Classes | N | % |
|---|---|---|
| 18 – 25 years old | 7 | 3% |
| 26 – 30 years old | 25 | 12% |
| 31 – 35 years old | 47 | 23% |
| 36 – 40 years old | 47 | 23% |
| 41 – 45 years old | 42 | 20% |
| 46 – 50 years old | 12 | 6% |
| Over 50 years old | 26 | 13% |

Respondents were also asked to describe their highest completed level of education. All respondents possessed at least a high school education with the vast majority holding a bachelor’s degree (67%), about 14% holding a master’s degree, and 7% holding a doctorate. Approximately 8% of the respondents completed high school and only 4% completed a 2-year community college. The summary of the distribution of education level is shown in Table 3.

Table 3

Distribution of Education Level

| Variable Classes | N | % |
|---|---|---|
| High-school | 16 | 8% |
| Two-year Community College | 8 | 4% |
| Undergraduate | 140 | 67% |
| Master | 28 | 14% |
| Doctorate | 14 | 7% |

Respondents were also asked about their years of work experience. The majority had moderate experience; over two-thirds had less than 6 years of working experience (69%), 14% responded with 7 to 9 years of work experience, 10% responded with 10 to 12 years of work experience, 2% responded with 13 to 15 years of work experience, and 5% responded with more than 15 years of work experience. The summary of work experience is shown in Table 4.

Table 4

Distribution of Years of Work Experience

| Variable Classes | N | % |
|---|---|---|
| 1-3 years | 72 | 35% |
| 4-6 years | 70 | 34% |
| 7-9 years | 29 | 14% |
| 10-12 years | 20 | 10% |
| 13-15 years | 5 | 2% |
| over 15 years | 10 | 5% |

Respondents were also asked about their current position in their company. The majority responded they worked as IT professionals (36%). About 29% were business managers, 7% were network administrators, 5% were security officers, 4% were system administrators, 2% were system security administrators, 1% were security and business continuity consultants, and 0.5% were IT auditors. The distribution of current position is presented in Table 5.

Table 5

Distribution of Current Positions

| Variable Classes | N | % |
|---|---|---|
| System security administrators | 5 | 2% |
| Network administrators | 14 | 7% |
| System administrators | 8 | 4% |
| IT professionals | 74 | 36% |
| IT auditors | 1 | 0.5% |
| Security officers | 11 | 5% |
| Security and business continuity consultants | 2 | 1% |
| Business managers | 59 | 29% |
| Other | 32 | 15.5% |

Respondents were also asked about the type of security certificate they had earned. Many respondents said they did not have certificates (70%) and the remaining 30% mentioned different security certificates, such as SANS (13%), CISSP (5%), CISA (3%), CFE (2%), CDRP (1%), CCP (0.5%), CIA (0.5%), CPP (0.5%), and CIAC (0.5%). The summary of security certificate earned is presented in Table 6.

Table 6

Distribution of Security Certificates

| Variable Classes | N | % |
|---|---|---|
| None | 144 | 70% |
| CISSP (Certified Information Systems Security Professional) | 11 | 5% |
| CFE (Certified Fraud Examiner) | 4 | 2% |
| CISA (Certified Information Systems Auditor) | 7 | 3% |
| CCP (Certified Cyber Professional) | 1 | 0.5% |
| CIA (Certified Internal Auditor) | 1 | 0.5% |
| CDRP (Certified Data Centre Risk Professional) | 3 | 1% |
| CPP (Certified Protection Professional Board) | 1 | 0.5% |
| CIAC (Computer Incident Advisory Capability) | 1 | 0.5% |
| SANS (SysAdmin, Audit, Network and Security) | 26 | 13% |
| Other | 7 | 4% |

Finally, respondents were asked to identify their organization’s primary industry. The majority of the respondents stated their organizations belonged to IT (46%). About 15% stated their organizations belonged to education, 9% stated their organizations belonged to health care, 7% stated their organizations belonged to banking, 5% stated their organizations belonged to financial services, 2.5% stated their organizations belonged to insurance, 2% stated their organizations belonged to manufacturing, another 2.5% stated their organizations belonged to retail, and 1% stated their organizations belonged to pharmaceutical. The summary of primary industry is shown in Table 7.

Table 7

Distribution of Industries Represented

| Variable Classes | N | % |
|---|---|---|
| Banking | 15 | 7% |
| Insurance | 5 | 2% |
| Health care | 19 | 9% |
| Financial services | 10 | 5% |
| Manufacturing | 5 | 2.5% |
| Information Technology | 94 | 46% |
| Pharmaceutical | 2 | 1% |
| Retail | 5 | 2.5% |
| Education | 30 | 15% |
| Other | 21 | 10% |

Descriptive Statistics

Independent Variables: Security Awareness, Enforcement, and Maintenance

The survey used in this study consisted of questions designed to evaluate respondents’ perceptions of policy awareness, enforcement, and maintenance in their organizations. All questions were measured on a 5-point Likert scale from 1 (strongly disagree) to 5 (strongly agree).

Information security policy awareness was measured with five items. The distribution of responses and summary statistics for these five items are presented in Table 8. The results indicated respondents perceived a high level of security awareness within their organizations, as the average scores were all above 4. The item related to the understanding of the ramifications of violating security policies was rated the highest with a mean score of 4.41. Items related to good communication of information security awareness and efforts to educate employees about new security policies followed with mean scores of 4.39 and 4.37, respectively. A continuous security awareness program was rated the lowest with a mean score of 4.25.

Table 8

Descriptive Statistics for Security Awareness

Distribution of responses (%): columns SD (1) through SA (5).

| Dimension | N | SD (1) | D (2) | N (3) | A (4) | SA (5) | M | SD |
|---|---|---|---|---|---|---|---|---|
| In the organization, employees clearly understand the ramifications of violating security policies. | 206 | 0% | 2% | 7% | 39% | 52% | 4.41 | 0.71 |
| In your organization, necessary efforts are made to educate employees about new security policies. | 206 | 0% | 1% | 7% | 45% | 47% | 4.37 | 0.68 |
| In your organization, information security awareness is communicated well. | 206 | 0% | 2% | 11% | 35% | 52% | 4.39 | 0.74 |
| In your organization, an effective security awareness program exists. | 206 | 1% | 3% | 11% | 30% | 55% | 4.36 | 0.85 |
| In your organization, a continuous, ongoing security awareness program exists. | 206 | 2% | 4% | 8% | 40% | 46% | 4.25 | 0.90 |

*SD = Strongly Disagree, D = Disagree, N = Neutral, A = Agree, SA = Strongly Agree

Four items were used to measure information security policy enforcement and their corresponding distribution of responses and summary statistics are presented in Table 9. The results support that respondents perceived a high level of policy enforcement in their organizations, with over half strongly agreeing to the four survey items provided. “In your organization, termination is a consideration for employees who repeatedly break security rules” received the highest mean score of 4.51. Following in the second and third places were “In your organization, employees caught violating important security policies are appropriately corrected” (M = 4.47) and “In your organization, repeat security offenders are appropriately disciplined” (M = 4.46).

Table 9

Descriptive Statistics for Security Enforcement

Distribution of responses (%): columns SD (1) through SA (5).

| Dimension | N | SD (1) | D (2) | N (3) | A (4) | SA (5) | M | SD |
|---|---|---|---|---|---|---|---|---|
| In your organization, employees caught violating important security policies are appropriately corrected. | 206 | 0% | 1% | 10% | 29% | 60% | 4.47 | 0.75 |
| In your organization, information security rules are enforced by sanctioning the employees who break them. | 206 | 1% | 2% | 11% | 31% | 55% | 4.35 | 0.87 |
| In your organization, repeat security offenders are appropriately disciplined. | 206 | 0% | 2% | 10% | 28% | 60% | 4.46 | 0.76 |
| In your organization, termination is a consideration for employees who repeatedly break security rules. | 206 | 0% | 0% | 10% | 28% | 62% | 4.51 | 0.71 |

*SD = Strongly Disagree, D = Disagree, N = Neutral, A = Agree, SA = Strongly Agree

Table 10 shows the distribution of responses and summary statistics for the four survey items regarding respondents’ perceptions of information security policy maintenance. Similar to security awareness and enforcement, respondents perceived a high level of security maintenance within their organizations. The statement about information security policy being consistently updated on a periodic basis was rated the highest with a mean score of 4.38. The next highest rated item was the statement about security policy being properly updated on a regular basis, with a mean score of 4.35.

Table 10

Descriptive Statistics for Security Maintenance

Distribution of responses (%): columns SD (1) through SA (5).

| Dimension | N | SD (1) | D (2) | N (3) | A (4) | SA (5) | M | SD |
|---|---|---|---|---|---|---|---|---|
| In your organization, information security policy is consistently updated on a periodic basis. | 206 | 0% | 2% | 10% | 33% | 55% | 4.38 | 0.81 |
| In your organization, information security policy is updated when technology changes require it. | 206 | 0% | 1% | 10% | 44% | 45% | 4.32 | 0.70 |
| In your organization, an established information security policy review and update process exists. | 206 | 1% | 1% | 10% | 43% | 45% | 4.29 | 0.78 |
| In your organization, security policy is properly updated on a regular basis. | 206 | 0% | 1% | 12% | 36% | 50% | 4.35 | 0.76 |

*SD = Strongly Disagree, D = Disagree, N = Neutral, A = Agree, SA = Strongly Agree

Dependent Variables: Confidentiality, Integrity, and Availability

The dependent variables used in this research consisted of the three objectives of the CIA triad (i.e., confidentiality, integrity, and availability). All questions related to the information security CIA triad were measured on a 5-point Likert scale from 1 (strongly disagree) to 5 (strongly agree).

Nine items were used to measure information security confidentiality in this research. The distributions of the responses and summary statistics for these items are provided in Table 11. Respondents’ perceptions toward information security confidentiality were very high, as demonstrated by mean scores of over 4 and at least 70% of respondents strongly agreeing to all security confidentiality statements. The three survey items with the highest mean scores were: “In your organization, all connections through the secured access point(s) is logged” (M = 4.58), “In your organization, logging all access attempts of confidential files is mandatory” (M = 4.57), and “In your organization, all confidential data transfers use an authentication system to identify users” (M = 4.55).

Table 11

Descriptive Statistics for Information Security Confidentiality

Distribution of responses (%): columns SD (1) through SA (5).

| Dimension | N | SD (1) | D (2) | N (3) | A (4) | SA (5) | M | SD |
|---|---|---|---|---|---|---|---|---|
| In your organization, biometric authentication is used (e.g., fingerprint, eye-scan, and face-recognition) to limit or control access. | 206 | 8% | 4% | 6% | 11% | 71% | 4.32 | 1.25 |
| In your organization, logging all access attempts of confidential files is mandatory. | 206 | 3% | 1% | 7% | 14% | 75% | 4.57 | 0.90 |
| In your organization, all new data copied on a server is logged. | 206 | 2% | 1% | 10% | 14% | 73% | 4.54 | 0.88 |
| In your organization, physical access control is always # 1 priority. | 206 | 2% | 1% | 10% | 17% | 70% | 4.50 | 0.90 |
| In your organization, all connections through the secured access point(s) is logged. | 206 | 2% | 0% | 11% | 12% | 75% | 4.58 | 0.85 |
| In your organization, the systems should log all user account events. | 206 | 2% | 1% | 10% | 16% | 71% | 4.53 | 0.87 |
| In your organization, servers with classified information reside on an isolated network. | 206 | 1% | 2% | 10% | 15% | 72% | 4.54 | 0.86 |
| In your organization, all confidential data transfers use an authentication system to identify users. | 206 | 1% | 1% | 11% | 15% | 72% | 4.55 | 0.84 |
| In your organization, all systems ensure that a party cannot subsequently repudiate (reject) a transaction. | 206 | 2% | 0% | 15% | 11% | 72% | 4.50 | 0.90 |

*SD = Strongly Disagree, D = Disagree, N = Neutral, A = Agree, SA = Strongly Agree

Seven survey items were used to measure information security integrity in this study. The distributions of the responses and summary statistics for these items are provided in Table 12. Respondents’ perceptions of information security integrity were also very high, as seen in the mean scores of over 4.5 and at least 70% of respondents strongly agreeing to all security integrity statements. The three survey items with the highest mean scores were: “In your organization, information is protected or secured from unauthorized use” (M = 4.67), “In your organization, information is reliable” (M = 4.66), and “In your organization, all systems are accessible by properly authorized persons” (M = 4.63).

Table 12

Descriptive Statistics for Security Integrity

Distribution of responses (%): columns SD (1) through SA (5).

| Dimension | N | SD (1) | D (2) | N (3) | A (4) | SA (5) | M | SD |
|---|---|---|---|---|---|---|---|---|
| In your organization, information is reliable. | 206 | 1% | 0% | 7% | 17% | 75% | 4.66 | 0.70 |
| In your organization, the privacy of employees and customers is protected. | 206 | 1% | 0% | 7% | 19% | 73% | 4.62 | 0.74 |
| In your organization, all systems are accessible by properly authorized persons. | 206 | 1% | 0% | 8% | 16% | 75% | 4.63 | 0.75 |
| In your organization, all parties to a transaction are confident that the transaction is secure. | 206 | 1% | 0% | 9% | 15% | 75% | 4.61 | 0.79 |
| In your organization, you provide reliable information to business partners when necessary. | 206 | 1% | 1% | 7% | 18% | 73% | 4.58 | 0.81 |
| In your organization, integrity of the information on systems is maintained. | 206 | 1% | 0% | 10% | 17% | 72% | 4.58 | 0.79 |
| In your organization, information is protected or secured from unauthorized use. | 206 | 1% | 0% | 7% | 14% | 78% | 4.67 | 0.72 |

*SD = Strongly Disagree, D = Disagree, N = Neutral, A = Agree, SA = Strongly Agree

Four survey items were used to measure information security availability in this study. The distributions of the responses and summary statistics for these items are provided in Table 13. Similar to information security confidentiality and integrity, respondents’ perceptions of information security availability were very high. This can be seen from the mean scores being greater than 4.5 and at least two-thirds of the respondents strongly agreeing to all security availability statements. Respondents rated the statement about all servers being continuously available to their clients the highest, with a mean score of 4.52. Systems being accessible when needed was rated the second highest with a mean score of 4.51. The company having redundancy hardware to tolerate hardware failure and the availability of backups were rated the third highest with mean scores of 4.50.

Table 13

Descriptive Statistics for Security Availability

Distribution of responses (%): columns SD (1) through SA (5).

| Dimension | N | SD (1) | D (2) | N (3) | A (4) | SA (5) | M | SD |
|---|---|---|---|---|---|---|---|---|
| In your organization, all servers are continuously available to their clients. | 206 | 2% | 1% | 12% | 12% | 73% | 4.52 | 0.89 |
| In your organization, the company has redundancy in hardware to tolerate hardware failure. | 206 | 1% | 2% | 11% | 16% | 70% | 4.50 | 0.86 |
| In your organization, backup is available. | 206 | 1% | 0% | 12% | 21% | 66% | 4.50 | 0.80 |
| In your organization, the systems are accessible when needed by those who need them. | 206 | 1% | 0% | 13% | 19% | 67% | 4.51 | 0.80 |

*SD = Strongly Disagree, D = Disagree, N = Neutral, A = Agree, SA = Strongly Agree

Reliability of the Research Instrument

To ascertain the inter-item consistency of the survey instrument, the researcher used Cronbach’s alpha to measure its reliability. This was important for further analysis when measuring the relationship between the variables. Cronbach’s alpha (α) is used to test how well the survey items in each scale are related. If the test is unreliable, the results would be meaningless as the survey instrument would not measure what it is purported to measure. Cronbach’s alpha ranges from 0 to 1. A value close to 1 suggests high reliability. A reliable scale should have a Cronbach’s alpha coefficient above 0.7 (Cronbach, 1951).

Three main constructs were used to measure information security policies (i.e., awareness, enforcement, and maintenance). The security awareness subscale consisted of five items with a calculated Cronbach’s alpha of 0.885, the security enforcement subscale consisted of four items with a calculated Cronbach’s alpha of 0.887, and the security maintenance subscale consisted of four items with a calculated Cronbach’s alpha of 0.878. The resulting Cronbach’s alphas representing the internal consistency for the three dimensions of information security policies were satisfactory and demonstrated strong internal consistency as all exceeded the recommended value.

Three main constructs were also used to measure the objectives of the CIA triad (i.e., confidentiality, integrity, and availability). The security confidentiality subscale consisted of nine items with a calculated Cronbach’s alpha of 0.973, the security integrity subscale consisted of seven items with a calculated Cronbach’s alpha of 0.977, and the security availability subscale consisted of four items with a calculated Cronbach’s alpha of 0.958. The resulting Cronbach’s alphas representing the internal consistency for the three objectives of the CIA triad support that there was acceptable reliability among the items tested. In other words, the design model in this research demonstrated very high internal consistency through Cronbach’s alpha. Table 14 contains the Cronbach’s alpha reliability coefficients.

Table 14

Reliability Coefficients

| | Number of items | Cronbach’s Alpha |
|---|---|---|
| Information security policies | | |
| Awareness | 5 | 0.885 |
| Enforcement | 4 | 0.887 |
| Maintenance | 4 | 0.878 |
| Objectives of the CIA triad | | |
| Confidentiality | 9 | 0.973 |
| Integrity | 7 | 0.977 |
| Availability | 4 | 0.958 |
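The reliability check described in this section can be reproduced outside SPSS. The following is an added example, not part of the original study: it computes Cronbach's alpha for one Likert subscale and applies the 0.7 cut-off cited above. The function names and the six-respondent sample are constructed for illustration, and dropping incomplete respondents (listwise deletion) is an assumption about how missing answers are handled.

```python
"""Cronbach's alpha for a Likert subscale (added example; sample data are constructed)."""
from statistics import variance

LIKERT_MIN, LIKERT_MAX = 1, 5     # 5-point scale used by the survey
RELIABILITY_THRESHOLD = 0.7       # cut-off cited in the text (Cronbach, 1951)

# Constructed responses: one row per respondent, one column per item
# of a hypothetical five-item subscale.
SAMPLE = [
    [5, 5, 4, 5, 5],
    [4, 4, 4, 4, 5],
    [5, 4, 5, 5, 4],
    [3, 3, 2, 3, 3],
    [4, 5, 4, 4, 4],
    [2, 3, 2, 2, 3],
]


def complete_cases(responses):
    """Listwise deletion: keep respondents whose answers are all valid scale points."""
    return [
        list(row)
        for row in responses
        if all(isinstance(v, int) and LIKERT_MIN <= v <= LIKERT_MAX for v in row)
    ]


def cronbach_alpha(responses):
    """alpha = k/(k-1) * (1 - sum(item variances) / variance(total score))."""
    rows = complete_cases(responses)
    if len(rows) < 2:
        raise ValueError("need at least two complete respondents")
    k = len(rows[0])
    if k < 2 or any(len(r) != k for r in rows):
        raise ValueError("every respondent must answer the same k >= 2 items")
    item_variances = [variance(column) for column in zip(*rows)]
    total_variance = variance([sum(r) for r in rows])
    if total_variance == 0:
        raise ValueError("total score has zero variance; alpha is undefined")
    return k / (k - 1) * (1 - sum(item_variances) / total_variance)


def alpha_if_item_deleted(responses):
    """Alpha recomputed with each item left out, to spot an item that weakens the scale."""
    rows = complete_cases(responses)
    k = len(rows[0])
    return [
        cronbach_alpha([r[:i] + r[i + 1:] for r in rows])
        for i in range(k)
    ]


def is_reliable(responses, threshold=RELIABILITY_THRESHOLD):
    """True when the subscale exceeds the recommended alpha."""
    return cronbach_alpha(responses) > threshold


if __name__ == "__main__":
    print("alpha:", round(cronbach_alpha(SAMPLE), 3))
    print("alpha if item deleted:", [round(a, 3) for a in alpha_if_item_deleted(SAMPLE)])
    print("reliable:", is_reliable(SAMPLE))
```
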

Correlation Analysis Between Information Security Policies and Objectives of the CIA Triad

Table 15 contains the descriptive statistics for the dependent and independent variables. The average score for security awareness within the organization was 4.36 with a standard deviation of 0.64. The average score for security enforcement within the organization was 4.45 with a standard deviation of 0.67. The average score for security maintenance within the organization was 4.34 with a standard deviation of 0.65. For the dependent variables, the average scores for confidentiality and availability were similar (M = 4.51), but the latter had smaller variability (0.84 vs. 0.79, respectively). The average score for security integrity was 4.62 with a standard deviation of 0.71.

Table 15

Descriptive Statistics for the Dependent and Independent Variables

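| | N | M | SD | Min. | Max. |
|---|---|---|---|---|---|
| Independent variables | | | | | |
| Awareness | 206 | 4.36 | 0.64 | 1.80 | 5.00 |
| Enforcement | 206 | 4.45 | 0.67 | 1.25 | 5.00 |
| Maintenance | 206 | 4.34 | 0.65 | 1.75 | 5.00 |
| Dependent variables | | | | | |
| Confidentiality | 206 | 4.51 | 0.84 | 1.00 | 5.00 |
| Integrity | 206 | 4.62 | 0.71 | 1.00 | 5.00 |
| Availability | 206 | 4.51 | 0.79 | 1.00 | 5.00 |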

Table 16 presents the Pearson correlation coefficients between the dependent and independent variables. The researcher calculated these values as part of exploratory data analysis before fitting the multiple linear regression model to investigate how the variables were related to each other. The independent and dependent variables had a relatively high and positive correlation. These correlation coefficients were significant at the 5% level. Security confidentiality was highly correlated with security maintenance with a correlation coefficient of 0.705 (p < 0.001). Security integrity was also highly correlated with security maintenance with a correlation coefficient of 0.758. Security availability was strongly related to security enforcement with a correlation coefficient of 0.719. These results support an initial judgement of a possible relationship between the dependent and independent variables as stated in the research hypotheses. To further confirm these relationships, the researcher performed multiple linear regression analysis as discussed in the next section.

Table 16

Correlation Coefficient Between Information Security Policies and Objectives of the CIA Triad

| Dependent Variable | Independent Variable | N | Correlation Coefficient | p |
|---|---|---|---|---|
| Confidential | Awareness | 206 | 0.699 | <0.001 |
| | Enforcement | 206 | 0.691 | <0.001 |
| | Maintenance | 206 | 0.705 | <0.001 |
| Integrity | Awareness | 206 | 0.750 | <0.001 |
| | Enforcement | 206 | 0.700 | <0.001 |
| | Maintenance | 206 | 0.758 | <0.001 |
| Availability | Awareness | 206 | 0.694 | <0.001 |
| | Enforcement | 206 | 0.719 | <0.001 |
| | Maintenance | 206 | 0.693 | <0.001 |

Multiple Regression Analysis on Factors of Security Policy on the CIA Triad

Based on the research problem and research model as formulated in Chapter 1, the researcher tested nine hypotheses in this study using multiple linear regression analysis. Regression analysis is used to assess how well the independent variables explain the dependent variable. Regression models were also used to predict values on the objectives of the CIA triad (dependent variable) based on information from the information security policy (independent variable). The researcher considered three different regression models in this study to address the research problems. These models were expressed as follows:

Model 1: Confidentiality = β0 + β1 Awareness + β2 Enforcement + β3 Maintenance + ε

Model 2: Integrity = β0 + β1 Awareness + β2 Enforcement + β3 Maintenance + ε

Model 3: Availability = β0 + β1 Awareness + β2 Enforcement + β3 Maintenance + ε

where:

β0 is the intercept of the regression model; β1, β2, and β3 are the slopes or the regression coefficients for the effect of awareness, enforcement, and maintenance, respectively; and ε is the residual or error term that is normally distributed with mean 0 and variance .

To test the overall fit of the regression model, the researcher used the F-test to test the null hypothesis that all of the regression coefficients would be equal to 0 against the alternative hypothesis that at least one regression coefficient would be different from 0.

A significant regression model indicates the regression model provides a better fit than a model that does not include the independent variables. A well-fitting regression model can be ascertained from the p-value associated with the F-test. If the p-value is less than 0.05, there is strong evidence to reject the null hypothesis and conclude that at least one regression coefficient is not equal to 0, or that at least one independent variable has a significant effect on the dependent variable. Another important output from regression analysis is the coefficient of determination, or R-squared (R²). The R-squared reflects how well the regression equation fits the observed data, with values ranging from 0 to 1. The closer the R-squared to 1, the better the fitted regression model.

Multiple Regression Analysis on Factors of Security Policy on Security Confidentiality

Model 1 was used to assess the relationship between information security policy (i.e., awareness, enforcement, and maintenance) and security confidentiality:

Confidentiality = β0 + β1 Awareness + β2 Enforcement + β3 Maintenance + ε

The calculated F-statistic presented in Table 17 indicates the regression model was statistically significant. In other words, the model fit the observed data as the F-test was significant at the 5% level, or the p-value was less than 0.05 (F[3,200] = 86.13, p < 0.001). This led to the rejection of the null hypothesis as at least one independent variable had a significant effect on security confidentiality. The coefficient of determination R² for the fitted model was 0.564, showing that 56.4% of the variability in security confidentiality can be explained collectively by security awareness, enforcement, and maintenance. The remaining 43.6% was explained by other variables not included in the regression equation. The R coefficient is the multiple correlation between a dependent variable and a set of independent variables that can be calculated from the square root of the R-squared. The R coefficient for this model was 0.751, indicating there was a high and positive relationship between security confidentiality and information security policies.

Table 17

Model Summary for Model 1

Overall F-Test: columns df1, df2, F, and p.

| | R | R Square | df1 | df2 | F | p |
|---|---|---|---|---|---|---|
| Model 1 | 0.751 | 0.564 | 3 | 200 | 86.13 | <0.001 |

As the regression model showed a significant fit to the data, the next step was to test whether each regression coefficient had a significant effect on the dependent variable (i.e., security confidentiality). The estimated regression coefficients presented in Table 18 can be used to answer the first research question and the three related research hypotheses (i.e., H1, H4, and H7) as stated in Chapter 1.

Table 18

Estimated Regression Coefficients for Model 1

| | Unstandardized Coefficients | Std. Error | Standardized Coefficients | t | p |
|---|---|---|---|---|---|
| Intercept | -0.002 | 0.284 | | -0.008 | 0.994 |
| Awareness | 0.292 | 0.128 | 0.225 | 2.275 | 0.024 |
| Enforcement | 0.389 | 0.096 | 0.311 | 4.056 | <0.001 |
| Maintenance | 0.349 | 0.126 | 0.272 | 2.767 | 0.006 |
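The figures reported for Model 1 are tied together by simple identities, so a reader can cross-check them without the raw data. The following is an added example, not part of the original study: it recomputes F from R² and the degrees of freedom, R from R², each t from the coefficient and its standard error, and each standardized coefficient from the standard deviations in Table 15, then compares the results with Tables 17 and 18. The 2% tolerance for rounding in the published values and all function names are assumptions.

```python
"""Cross-check of the reported Model 1 regression figures (added example)."""
from math import sqrt

TOLERANCE = 0.02  # assumption: accept a 2% relative gap caused by rounded inputs

# Values copied from Table 17 of this chapter.
MODEL_1 = {"R": 0.751, "R2": 0.564, "df1": 3, "df2": 200, "F": 86.13}

# Standard deviation of the dependent variable (confidentiality), Table 15.
SD_CONFIDENTIALITY = 0.84

# Values copied from Table 18; "sd" is the predictor's SD from Table 15.
COEFFICIENTS = {
    "Awareness":   {"b": 0.292, "se": 0.128, "beta": 0.225, "t": 2.275, "sd": 0.64},
    "Enforcement": {"b": 0.389, "se": 0.096, "beta": 0.311, "t": 4.056, "sd": 0.67},
    "Maintenance": {"b": 0.349, "se": 0.126, "beta": 0.272, "t": 2.767, "sd": 0.65},
}


def f_from_r2(r2, df1, df2):
    """Overall F statistic implied by R-squared: (R2/df1) / ((1 - R2)/df2)."""
    return (r2 / df1) / ((1 - r2) / df2)


def check(label, reported, recomputed, tol=TOLERANCE):
    """Compare a reported value with its recomputed counterpart."""
    gap = abs(recomputed - reported) / abs(reported)
    return {
        "label": label,
        "reported": reported,
        "recomputed": round(recomputed, 3),
        "ok": gap <= tol,
    }


def audit(model, coefficients, sd_y):
    """Run every identity and return one result per reported statistic."""
    results = [
        check("F", model["F"], f_from_r2(model["R2"], model["df1"], model["df2"])),
        check("R", model["R"], sqrt(model["R2"])),
    ]
    for name, c in coefficients.items():
        # t statistic = unstandardized coefficient / its standard error
        results.append(check(f"t({name})", c["t"], c["b"] / c["se"]))
        # standardized coefficient = b * SD(predictor) / SD(dependent variable)
        results.append(check(f"beta({name})", c["beta"], c["b"] * c["sd"] / sd_y))
    return results


if __name__ == "__main__":
    for row in audit(MODEL_1, COEFFICIENTS, SD_CONFIDENTIALITY):
        status = "consistent" if row["ok"] else "MISMATCH"
        print(f'{row["label"]:<20} reported={row["reported"]:<8} '
              f'recomputed={row["recomputed"]:<8} {status}')
```
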

Hypothesis 1. The first set of null and alternative hypotheses was stated as follows:

H10: Information systems security policy awareness is not significantly related to information systems security confidentiality (β1 = 0).

H1a: Information systems security policy awareness is significantly related to information systems security confidentiality (β1 ≠ 0).

The regression coefficient of security awareness was positive and significant in predicting security confidentiality as the p-value was less than 0.05 (β1 = 0.292, t = 2.275, p = 0.024). Thus, there was enough evidence to reject the null hypothesis of no impact and accept the alternative in favor of the effect of security policy awareness on security confidentiality being statistically significant. This supports the hypothesis that security awareness would have a significant impact on security confidentiality.

The estimated regression coefficient of security awareness was 0.292. This means a one-unit increase in the score of security awareness will lead to an increase in security confidentiality by 0.292 when the other variables are held constant.

Hypothesis 4. The fourth set of null and alternative hypotheses was stated as follows:

H40: Information systems security policy enforcement is not significantly related to information systems security confidentiality (β2 = 0).

H4a: Information systems security policy enforcement is significantly related to information security confidentiality (β2 ≠ 0).

The regression coefficient of security enforcement was positive and significant in predicting security confidentiality as the corresponding p-value was less than 0.05 (β2 = 0.389, t = 4.056, p = 0.001). Thus, there was enough evidence to reject the null hypothesis of no impact in favor of the alternative that the effect of security policy enforcement on security confidentiality was statistically significant. This supports the hypothesis that security enforcement would have a significant impact on security confidentiality; to be more specific, security enforcement had a significant effect on security confidentiality.

The estimated regression coefficient of security enforcement was 0.389. This means a one-unit increase in the score of security enforcement will lead to an increase in security confidentiality by 0.389 when the other variables are held constant.

Hypothesis 7. The seventh set of null and alternative hypotheses was stated as follows:

H70: Information systems security policy maintenance is not significantly related to information systems security confidentiality (β3 = 0).

H7a: Information systems security policy maintenance is significantly related to information systems security confidentiality (β3 ≠ 0).

The regression coefficient of security maintenance was positive and significant in predicting security confidentiality as the p-value was less than 0.05 (β3 = 0.349, t = 2.767, p = 0.006). Thus, there was enough evidence to reject the null hypothesis of no impact in favor of the alternative that the effect of security policy maintenance on security confidentiality was statistically significant. This supports the hypothesis that security maintenance would have a significant impact on security confidentiality; to be more specific, security maintenance had a significant impact on security confidentiality.

The estimated regression coefficient of security awareness was 0.349. This means a one-unit increase in the score of security maintenance will lead to an increase in security confidentiality by 0.349 when the other variables are held constant.

Diagnostic analysis of model 1. The results also showed that out of the three information security policies, security enforcement had the greatest impact on information security confidentiality as it had the highest standardized coefficient (0.311). Security maintenance was second (0.272) and security awareness had the least impact on security confidentiality (0.225).

Figures 2 through 4 present a histogram of the regression residuals, a PP plot of regression, and a scatterplot between the predicted values and residuals. They are displayed as part of a diagnostic analysis to verify all regression assumptions. They are an important part in regression model building to ensure valid inferences. The histogram (see Figure 2) shows the data were approximately normal and the PP plot (see Figure 3) shows no severe violation of normality as the points are almost close to the diagonal line. Thus, the normality assumption was met. Looking at the residual versus the fitted value graph (see Figure 4) reveals the residuals satisfy the assumption of homoscedasticity or constant variance as the data points are scattered randomly.

Figure 2. Histogram of regression residuals (Model 1).

Figure 3. PP plot of regression residuals (Model 1).

Figure 4. Scatterplot between predicted values and regression residuals (Model 1).

Multiple Regression Analysis on Factors of Security Policy on Security Integrity

Model 2 was used to assess the relationship between information security policy (i.e., awareness, enforcement, and maintenance) and security integrity:

Integrity = β0 + β1 Awareness + β2 Enforcement + β3 Maintenance + ε

The regression model fit the observed data as the results of the F-test were significant at the 5% level (F[3,200] = 112.29, p < 0.001). This led to the rejection of the null hypothesis as at least one independent variable had a significant effect on security integrity. The calculated R-squared was 0.627, which means 62.7% of the variability of security integrity can be explained collectively by security awareness, enforcement, and maintenance. The remaining 37.3% can be explained by other variables not included in the regression equation. The R coefficient for this model was 0.792, showing there was a very high and positive relationship between security integrity and information security policies. The findings are summarized in Table 19.

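Table 19

Model Summary for Model 2

| | R | R Square | Overall F-Test df1 | Overall F-Test df2 | Overall F-Test F | Overall F-Test p |
|---|---|---|---|---|---|---|
| Model 2 | 0.792 | 0.627 | 3 | 200 | 112.29 | <0.001 |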

As the regression model showed a significant fit to the data, the next step was to test whether each regression coefficient had a significant effect on the dependent variable (i.e., security integrity). The estimated regression coefficients presented in Table 20 can be used to answer the second research question and the three research hypotheses (i.e., H2, H5, and H8) as stated in Chapter 1.

Table 20

Estimated Regression Coefficients for Model 2

| | Unstandardized Coefficient | Std. Error | Standardized Coefficient | t | p |
|---|---|---|---|---|---|
| Intercept | 0.586 | 0.223 | | 2.625 | 0.009 |
| Awareness | 0.315 | 0.101 | 0.285 | 3.128 | 0.002 |
| Enforcement | 0.231 | 0.075 | 0.217 | 3.070 | 0.002 |
| Maintenance | 0.376 | 0.099 | 0.345 | 3.790 | <0.001 |

Hypothesis 2. The second set of null and alternative hypotheses was stated as follows:

H20: Information systems security policy awareness is not significantly related to information systems security integrity (β1 = 0).

H2a: Information systems security policy awareness is significantly related to information systems security integrity (β1 ≠ 0).

The regression coefficient of security awareness was positive and significant in predicting security integrity as the p-value was less than 0.05 (β1 = 0.315, t = 3.128, p = 0.002). Thus, there was enough evidence to reject the null hypothesis of no impact in favor of the alternative that the effect of security policy awareness on security integrity was statistically significant. This supports the hypothesis that security awareness would have a significant impact on security integrity.

The estimated regression coefficient of security awareness was 0.315. This means a one-unit increase in the score of security awareness will lead to an increase in security integrity by 0.292 when the other variables are held constant.

Hypothesis 5. The fifth set of null and alternative hypotheses was stated as follows:

H50: Information systems security policy enforcement is not significantly related to information systems security integrity (β2 = 0).

H5a: Information systems security policy enforcement is significantly related to information systems security integrity (β2 ≠ 0).

The regression coefficient of security enforcement was positive and significant in predicting security integrity as the p-value was less than 0.05 (β2 = 0.231, t = 3.070, p = 0.002). Thus, there was enough evidence to reject the null hypothesis of no impact in favor of the alternative that the effect of security policy enforcement on security integrity was statistically significant. This supports the hypothesis that security enforcement would have a significant impact on security integrity; to be more specific, security enforcement had a significant impact on security integrity.

The estimated regression coefficient of security enforcement was 0.231. This means a one-unit increase in the score of security enforcement will lead to an increase in security integrity by 0.231 when the other variables are held constant.

Hypothesis 8. The eighth set of null and alternative hypotheses was stated as follows:

H80: Information systems security policy maintenance is not significantly related to information systems security integrity (β3 = 0).

H8a: Information systems security policy maintenance is significantly related to information systems security integrity (β3 ≠ 0).

The regression coefficient of security maintenance was positive and significant in predicting security integrity as the p-value was less than 0.05 (β3 = 0.376, t = 3.790, p = 0.001). Thus, there was enough evidence to reject the null hypothesis of no impact in favor of the alternative that the effect of security policy maintenance on security integrity was statistically significant. This supports the hypothesis that security maintenance would have a significant impact on security integrity; to be more specific, security maintenance had a significant impact on security integrity.

The estimated regression coefficient of security maintenance was 0.376. This means a one-unit increase in the score of security maintenance will lead to an increase in security integrity by 0.376 when the other variables are held constant.

Diagnostic analysis of model 2. The results also showed that out of the three information security policies, security maintenance had the greatest impact on information security integrity as it had the highest standardized coefficient (0.345). Security awareness was the second driver with a standardized coefficient of 0.285. Security enforcement had the least impact on security integrity (0.217).

The researcher also performed a diagnostic analysis of Model 2. The histogram (see Figure 5) appears to be quite normal and the PP plot (see Figure 6) shows no severe violation of normality as many of the points fall on the diagonal line. Thus, the normality assumption was satisfied. Looking at the residual versus the fitted value graph (see Figure 7), the residuals satisfy the assumption of homoscedasticity or constant variance as there is no obvious pattern and the data points are scattered randomly.

Figure 5. Histogram of regression residuals (Model 2).

Figure 6. PP plot of regression residuals (Model 2).

Figure 7. Scatterplot between predicted values and regression residuals (Model 2).

Multiple Regression Analysis on Factors of Security Policy on Security Availability

Model 3 was used to assess the relationship between information security policy (awareness, enforcement, and maintenance) and security availability:

Availability = β0 + β1 Awareness + β2 Enforcement + β3 Maintenance + ε

The regression model fit the observed data as the results of the F-test were significant at the 5% level (F[3,200] = 90.50, p < 0.001). This led to the rejection of the null hypothesis as at least one independent variable had a significant effect on security availability. The calculated R-squared was 0.576, which means 57.6% of the variability of security availability can be explained collectively by security awareness, enforcement, and maintenance. The remaining 42.4% can be explained by other variables not included in the regression equation. The R coefficient for this model was 0.759, showing there was a very high and positive relationship between security availability and information security policies. These findings are summarized in Table 21.

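Table 21

Model Summary for Model 3

| | R | R Square | Overall F-Test df1 | Overall F-Test df2 | Overall F-Test F | Overall F-Test p |
|---|---|---|---|---|---|---|
| Model 3 | 0.759 | 0.576 | 3 | 200 | 90.50 | <0.001 |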

As the regression model showed a significant fit to the data, the next step was to test whether each regression coefficient had a significant effect on the dependent variable (i.e., security availability). The estimated regression coefficients presented in Table 22 were used to answer the third research question and related research hypotheses (i.e., H3, H6, and H9) as stated in Chapter 1.

Table 22

Estimated Regression Coefficients for Model 3

| | Unstandardized Coefficient | Std. Error | Standardized Coefficient | t | p |
|---|---|---|---|---|---|
| Intercept | 0.204 | 0.264 | | 0.772 | 0.441 |
| Awareness | 0.257 | 0.119 | 0.210 | 2.153 | 0.033 |
| Enforcement | 0.475 | 0.089 | 0.402 | 5.317 | <0.001 |
| Maintenance | 0.248 | 0.118 | 0.204 | 2.105 | 0.037 |

Hypothesis 3. The third set of null and alternative hypotheses was stated as follows:

H30: Information systems security policy awareness is not significantly related to information systems security availability (β1 = 0).

H3a: Information systems security policy awareness is significantly related to information systems security availability (β1 ≠ 0).

The regression coefficient of security awareness was positive and significant in predicting security availability as the p-value was less than 0.05 (β1 = 0.257, t = 2.153, p = 0.033). Thus, there was enough evidence to reject the null hypothesis of no impact in favor of the alternative that the effect of security policy awareness on information security availability was statistically significant. This supports the hypothesis that security awareness would have a significant impact on information security availability; to be more specific, security awareness had a significant impact on information security availability.

The estimated regression coefficient of security awareness was 0.257. This means a one-unit increase in the score of security awareness will increase security availability by 0.257 when the other variables are held constant.

Hypothesis 6. The sixth set of null and alternative hypotheses was stated as follows:

H60: Information systems security policy enforcement is not significantly related to information systems security availability (β2 = 0).

H6a: Information systems security policy enforcement is significantly related to information systems security availability (β2 ≠ 0).

The regression coefficient of security enforcement was positive and significant in predicting security availability as the p-value was less than 0.05 (β2 = 0.475, t = 5.317, p < 0.001). Thus, there was enough evidence to reject the null hypothesis of no impact in favor of the alternative that the effect of security enforcement on information security availability was statistically significant. This supports the hypothesis that security enforcement would have a significant impact on information security availability; to be more specific, security enforcement had a significant impact on information security availability.

The estimated regression coefficient of security enforcement was 0.457. This means a one-unit increase in the score of security enforcement will increase security availability by 0.457 when the other variables are held constant.

Hypothesis 9. The ninth set of null and alternative hypotheses was stated as follows:

H90: Information systems security policy maintenance is not significantly related to information systems security availability (β3 = 0).

H9a: Information systems security policy maintenance is significantly related to information systems security availability (β3 ≠ 0).

The regression coefficient of security maintenance was positive and significant in predicting security availability as the p-value was less than 0.05 (β3 = 0.248, t = 2.105, p < 0.037). Thus, there was enough evidence to reject the null hypothesis of no impact in favor of the alternative that the effect of security maintenance on information security availability was statistically significant. This supports the hypothesis that security maintenance would have a significant impact on information security availability; to be more specific, security maintenance had a significant impact on information security availability.

The estimated regression coefficient of security maintenance was 0.248. This means a one-unit increase in the score of security maintenance will increase security availability by 0.248 when the other variables are held constant.

Diagnostic analysis of model 3. The results also indicated that out of the three information security policies, security enforcement was the most important driver of information security availability as it had the highest standardized coefficient (0.402). Security awareness was the second most important driver with a standardized coefficient of 0.210. Security maintenance had the least impact on security availability (0.204).

The researcher also performed a diagnostic analysis of Model 3. The histogram (see Figure 8) appears to be quite normal and the PP plot (see Figure 9) shows no severe violation of normality as many of the points fall on the diagonal line. Thus, the normality assumption held. Looking at the residual versus the fitted value graph (see Figure 10), the residuals satisfied the assumption of homoscedasticity or constant variance as there is no obvious pattern and the data points are scattered randomly.

Figure 8. Histogram of regression residuals (Model 3).

Figure 9. PP plot of regression residuals (Model 3).

Figure 10. Scatterplot between predicted values and regression residuals (Model 3).

Test of Mean Differences on the CIA Triad of Information Security

The researcher conducted tests of mean differences on the dependent variables. The tests involved all demographic variables collected in this study to determine whether there were any effects on the three dependent variables.

CIA Triad of Information Security by Gender

Table 23 presents the mean scores for security confidentiality, integrity, and availability by gender. The mean scores differed between male and female respondents. This might be an indication of a significant difference, but the variability of the data required further testing. To confirm whether the difference was statistically significant, the researcher conducted formal testing using an independent sample t test.

For security confidentiality, the average score among male respondents was 4.768 (SD = 0.514) and among female respondents was 3.809 (SD = 1.118). The Levene’s test indicated the variances of security confidentiality were different between male and female respondents as the p-value was less than 0.05 (F = 82.54, p < 0.001). Thus, the researcher assumed unequal variances to conduct the independent t test. The results showed there was a significant difference in security confidentiality between male and female respondents because the p-value was less than 0.05 (t[61] = 6.08, p < 0.001).

For security integrity, the average score among male respondents was 4.815 (SD = 0.391) and among female respondents was 4.077 (SD = 1.051). The Levene’s test indicated the variances of security integrity were different between male and female respondents as the p-value was less than 0.05 (F = 91.54, p < 0.001). Thus, the researcher assumed unequal variances to conduct the independent t test. The results showed there was a significant difference in security integrity between male and female respondents as the p-value was less than 0.05 (t[58] = 5.04, p < 0.001).

For security availability, the average score among male respondents was 4.762 (SD = 0.438) and among female respondents was 3.815 (SD = 1.087). The Levene’s test indicated the variances of security availability were different between male and female respondents as the p-value was less than 0.05 (F = 108.232, p < 0.001). Thus, the researcher assumed unequal variances to conduct the independent t test. The results showed there was a significant difference in security availability between male and female respondents as the p-value was less than 0.05 (t[59] = 6.22, p < 0.001).

The results support the presence of a significant gender effect on the objectives of the CIA triad of information security as male respondents gave significantly higher scores on security confidentiality, integrity, and availability compared to female respondents.

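Table 23

t Test for Mean Differences of CIA Triad of Information Security by Gender

| DV | Gender | N | M | SD | Levene’s Test F | Levene’s Test p | t test t | t test df | t test p |
|---|---|---|---|---|---|---|---|---|---|
| Confidentiality | Male | 151 | 4.768 | 0.514 | 82.54 | <0.001 | 6.08 | 61 | <0.001 |
| | Female | 55 | 3.809 | 1.118 | | | | | |
| Integrity | Male | 151 | 4.815 | 0.391 | 91.54 | <0.001 | 5.04 | 58 | <0.001 |
| | Female | 55 | 4.077 | 1.051 | | | | | |
| Availability | Male | 151 | 4.762 | 0.438 | 108.23 | <0.001 | 6.22 | 59 | <0.001 |
| | Female | 55 | 3.815 | 1.087 | | | | | |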

CIA Triad of Information Security by Security Certificate Earned

Table 24 presents the mean scores for security confidentiality, integrity, and availability by security certificate earned. The researcher narrowed down the long list of security certificates into two categories of those who earned a certificate (yes) and those who did not (no). This was necessary because the sample sizes for some categories were very small and to simplify the interpretations. The mean scores were different between those who earned certificates and those who did not. This might be an indication of a significant difference, but the variability of the data required further testing. To confirm whether the difference was statistically significant, the researcher conducted formal testing using an independent sample t test.

For security confidentiality, the average score among those who earned certificates was 4.667 (SD = 0.559) and among those who did not earn certificates was 4.446 (SD = 0.922). The Levene’s test indicated the variances of security confidentiality were different between those who earned certificates and those who did not as the p-value was less than 0.05 (F = 18.67, p < 0.001). Thus, the researcher assumed unequal variances to conduct the independent t test. The results showed there was a significant difference in security confidentiality between those who earned certificates and those who did not as the p-value was less than 0.05 (t[176] = 2.19, p = 0.030).

For security integrity, the average score among those who earned certificates was 4.706 (SD = 0.490) and among those who did not earn certificates was 4.583 (SD = 0.785). The Levene’s test indicated the variances of security integrity were different between those who earned certificates and those who did not as the p-value was less than 0.05 (F = 9.44, p = 0.002). Thus, the researcher assumed unequal variances to conduct the independent t test. The results showed there was no significant difference in security integrity between those who earned certificates and those who did not as the p-value was not less than 0.05 (t[172] = 1.35, p = 0.178).

For security availability, the average score among those who earned certificates was 4.667 (SD = 0.585) and among those who did not earn certificates was 4.444 (SD = 0.855). The Levene’s test indicated the variances of security availability were different between those who earned certificates and those who did not as the p-value was less than 0.05 (F = 8.72, p = 0.004). Thus, the researcher assumed unequal variances to conduct the independent t test. The results showed there was a significant difference in security availability between those who earned certificates and those who did not as the p-value was less than 0.05 (t[159] = 2.14, p = 0.034).

The results support the presence of a significant effect of certificate earned on the objectives of the CIA triad of information security. Specifically, those who earned security certificates gave significantly higher scores for security confidentiality and availability than those who did not earn security certificates.

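Table 24

t Test for Mean Differences of CIA Triad of Information Security by Certificate Earned

| DV | Certificate | N | M | SD | Levene’s Test F | Levene’s Test p | t test t | t test df | t test p |
|---|---|---|---|---|---|---|---|---|---|
| Confidentiality | Yes | 62 | 4.677 | 0.559 | 18.67 | <0.001 | 2.19 | 176 | 0.030 |
| | No | 144 | 4.446 | 0.922 | | | | | |
| Integrity | Yes | 62 | 4.706 | 0.490 | 9.44 | 0.002 | 1.35 | 172 | 0.178 |
| | No | 144 | 4.583 | 0.785 | | | | | |
| Availability | Yes | 62 | 4.667 | 0.585 | 8.72 | 0.004 | 2.14 | 159 | 0.034 |
| | No | 144 | 4.444 | 0.855 | | | | | |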

CIA Triad of Information Security by Organization’s Primary Industry

Table 25 presents the mean scores for security confidentiality, integrity, and availability by the primary industry of the respondents’ organizations. The researcher narrowed down the long list of primary industry into two categories of IT and non-IT. This was done because the sample sizes for some categories were very small and to simplify the interpretations. The mean scores were different between IT industry and non-IT industry. This might be an indication of a significant difference, but the variability of the data required further testing. To confirm whether the difference was statistically significant, the researcher conducted formal testing using an independent sample t test.

For security confidentiality, the average score among IT industry was 4.957 (SD = 0.169) and among non-IT was 4.135 (SD = 0.983). The Levene’s test indicated the variances of security confidentiality were different between IT and non-IT as the p-value was less than 0.05 (F = 176.17, p<0.001). Thus, the researcher assumed unequal variances to conduct the independent t test. The results showed there was a significant difference in security confidentiality between IT and non-IT as the p-value was less than 0.05 (t[117] = 8.63, p<0.001).

For security integrity, the average score among IT industry was 4.968 (SD = 0.143) and among non-IT was 4.322 (SD = 0.856). The Levene’s test indicated the variances of security integrity were different between IT and non-IT as the p-value was less than 0.05 (F = 118.64, p<0.001). Thus, the researcher assumed unequal variances to conduct the independent t test. The results showed there was a significant difference in security integrity between IT and non-IT as the p-value was less than 0.05 (t[116] = 7.78, p<0.001).

For security availability, the average score among IT industry was 4.891 (SD = 0.261) and among non-IT was 4.191 (SD = 0.934). The Levene’s test indicated the variances of security availability were different between IT and non-IT as the p-value was less than 0.05 (F = 114.38, p<0.001). Thus, the researcher assumed unequal variances to conduct the independent t test. The results showed there was a significant difference in security availability between IT and non-IT as the p-value was less than 0.05 (t[130] = 7.55, p<0.001).

The results support the presence of a significant industry effect on the objectives of the CIA triad of information security. Specifically, those who worked in the IT industry gave significantly higher scores to security confidentiality, integrity, and availability than those who worked in a non-IT industry.

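Table 25

t Test for Mean Differences of CIA Triad of Information Security by Industry

| DV | Industry | N | M | SD | Levene’s Test F | Levene’s Test p | t test t | t test df | t test p |
|---|---|---|---|---|---|---|---|---|---|
| Confidentiality | IT | 94 | 4.957 | 0.169 | 176.17 | <0.001 | 8.63 | 117 | <0.001 |
| | non-IT | 112 | 4.135 | 0.983 | | | | | |
| Integrity | IT | 94 | 4.968 | 0.143 | 118.64 | <0.001 | 7.78 | 116 | <0.001 |
| | non-IT | 112 | 4.322 | 0.856 | | | | | |
| Availability | IT | 94 | 4.891 | 0.261 | 114.38 | <0.001 | 7.55 | 130 | <0.001 |
| | non-IT | 112 | 4.191 | 0.934 | | | | | |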

CIA Triad of Information Security by Age

The researcher examined whether there was an effect of age on the CIA triad of information security. Table 26 presents the mean scores for security confidentiality, integrity, and availability for the four age groups. The mean scores differed among age groups. This might be an indication of a significant difference, but the variability of the data required further testing. To confirm whether the difference was statistically significant, the researcher conducted formal testing using an ANOVA, as there were more than two groups to be tested. Before conducting the ANOVA, it was important to check the assumption of equal variances. Results of the Levene’s test (see Table 27) indicated that the assumption of homogeneity of variances for confidentiality, integrity, and availability did not hold as the p-value was less than 0.05. In this case, the researcher performed a robust Welch ANOVA.

The ANOVA results showed there were significant differences in security confidentiality (F[3,67] = 16.80, p < 0.001), integrity (F[3,65] = 5.14, p = 0.003), and availability (F[3,66] = 8.60, p < 0.001) between age groups. The p-values for the three ANOVA tests were less than 0.05, leading to a rejection of the null hypothesis of no differences between the four age groups as at least one age group was significantly different.

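Table 26

ANOVA for Mean Differences of CIA Triad of Information Security by Age

| DV | Age | N | M | SD | Robust ANOVA Statistic | df1 | df2 | p |
|---|---|---|---|---|---|---|---|---|
| Confidentiality | <30 | 32 | 4.640 | 0.520 | 16.80 | 3 | 67 | <0.001 |
| | 31-40 | 94 | 4.748 | 0.497 | | | | |
| | 41-50 | 54 | 4.599 | 0.943 | | | | |
| | 51+ | 26 | 3.350 | 0.960 | | | | |
| Integrity | <30 | 32 | 4.696 | 0.533 | 5.14 | 3 | 67 | 0.003 |
| | 31-40 | 94 | 4.770 | 0.446 | | | | |
| | 41-50 | 54 | 4.621 | 0.851 | | | | |
| | 51+ | 26 | 3.989 | 1.002 | | | | |
| Availability | <30 | 32 | 4.677 | 0.630 | 8.60 | 3 | 67 | <0.001 |
| | 31-40 | 94 | 4.665 | 0.510 | | | | |
| | 41-50 | 54 | 4.588 | 0.868 | | | | |
| | 51+ | 26 | 3.606 | 1.028 | | | | |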

Table 27

Test of Homogeneity of Variances

| DV | Levene Statistic | df1 | df2 | p |
|---|---|---|---|---|
| Confidentiality | 6.498 | 3 | 200 | <0.001 |
| Integrity | 6.952 | 3 | 200 | <0.001 |
| Availability | 6.127 | 3 | 200 | <0.001 |
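The unequal-variance tests reported above for gender (Table 23) and age (Table 26) can be recomputed from the published N, M and SD alone. The Python code below is an added example, not the researcher's SPSS output; its function and constant names are hypothetical, and it goes slightly beyond the text by treating the two-group t test as the k = 2 case of Welch's ANOVA.

```python
"""Welch's unequal-variance tests recomputed from published summary statistics.

Added example: group N, M and SD are copied from Tables 23 and 26 on this
page; every function and constant name here is hypothetical.
"""
from math import sqrt


def welch_anova(groups):
    """Welch's F test for k >= 2 groups, each given as (n, mean, sd).

    Returns (F, df1, df2). For k == 2, sqrt(F) is the absolute value of the
    unequal-variance t statistic and df2 is the Welch-Satterthwaite df.
    """
    k = len(groups)
    if k < 2:
        raise ValueError("need at least two groups")
    for n, _, sd in groups:
        if n < 2 or sd <= 0:
            raise ValueError("each group needs n >= 2 and sd > 0")

    # Precision weights: a group with a small standard error counts for more.
    weights = [n / sd ** 2 for n, _, sd in groups]
    total_w = sum(weights)
    grand_mean = sum(w * m for w, (_, m, _) in zip(weights, groups)) / total_w

    # Weighted between-group variation.
    between = sum(w * (m - grand_mean) ** 2
                  for w, (_, m, _) in zip(weights, groups)) / (k - 1)
    # Penalty term: grows when small groups carry a large share of the variance.
    lam = sum((1 - w / total_w) ** 2 / (n - 1)
              for w, (n, _, _) in zip(weights, groups))

    f_stat = between / (1 + 2 * (k - 2) / (k ** 2 - 1) * lam)
    df2 = (k ** 2 - 1) / (3 * lam)
    return f_stat, k - 1, df2


def welch_t(group_a, group_b):
    """Two-group case as a signed t statistic (a minus b) and its df."""
    f_stat, _, df = welch_anova([group_a, group_b])
    sign = 1 if group_a[1] >= group_b[1] else -1
    return sign * sqrt(f_stat), df


def pooled_df(groups):
    """Error df an equal-variance test would use (N - k), for contrast."""
    return sum(n for n, _, _ in groups) - len(groups)


# (n, mean, sd) exactly as printed on the page.
GENDER_CONFIDENTIALITY = [(151, 4.768, 0.514), (55, 3.809, 1.118)]  # Table 23
AGE_CONFIDENTIALITY = [(32, 4.640, 0.520), (94, 4.748, 0.497),
                       (54, 4.599, 0.943), (26, 3.350, 0.960)]      # Table 26

if __name__ == "__main__":
    t, df = welch_t(*GENDER_CONFIDENTIALITY)
    print(f"gender: t = {t:.2f}, Welch df = {df:.1f}, "
          f"pooled df = {pooled_df(GENDER_CONFIDENTIALITY)}")
    f_stat, df1, df2 = welch_anova(AGE_CONFIDENTIALITY)
    print(f"age: F({df1}, {df2:.1f}) = {f_stat:.2f}, "
          f"pooled df = {pooled_df(AGE_CONFIDENTIALITY)}")
```

With the page's rounded group statistics this gives t ≈ 6.13 on about 62.5 df for gender (reported: t[61] = 6.08) and F ≈ 16.83 on (3, 68.2) df for age (reported: F[3,67] = 16.80). The pooled error df would be 204 and 202, which is why the reported df are so much smaller than the sample size.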

As the results showed a statistically significant difference in this case, the researcher needed to further conduct post hoc comparisons. A planned comparison using Tukey’s test was considered in this study to examine which groups differed in the sample. The post hoc Tukey’s test revealed the mean scores of confidentiality, integrity, and availability were significantly different between the younger and older age groups; to be more specific, significant differences were found between age group <30 and 51+ (p < 0.001), between age group 31 to 40 and 51+ (p < 0.001), and between age group 41 to 50 and 51+ (p < 0.001; see Table 28).

Table 28

Post Hoc Test: CIA Triad of Information Security by Age

| DV | Age (I) | Age (J) | Mean Difference (I-J) | Std. Error | p | 95% Confidence Interval Lower Bound | 95% Confidence Interval Upper Bound |
|---|---|---|---|---|---|---|---|
| Confidentiality | <30 | 31-40 | -0.109 | 0.147 | 0.882 | -0.490 | 0.273 |
| | | 41-50 | 0.041 | 0.160 | 0.994 | -0.374 | 0.456 |
| | | 51+ | 1.289* | 0.189 | <0.001 | 0.800 | 1.779 |
| | 31-40 | <30 | 0.109 | 0.147 | 0.882 | -0.273 | 0.490 |
| | | 41-50 | 0.150 | 0.122 | 0.608 | -0.165 | 0.465 |
| | | 51+ | 1.398* | 0.158 | <0.001 | 0.989 | 1.806 |
| | 41-50 | <30 | -0.041 | 0.160 | 0.994 | -0.456 | 0.374 |
| | | 31-40 | -0.150 | 0.122 | 0.608 | -0.465 | 0.165 |
| | | 51+ | 1.248* | 0.170 | <0.001 | 0.809 | 1.688 |
| | 51+ | <30 | -1.289* | 0.189 | <0.001 | -1.779 | -0.800 |
| | | 31-40 | -1.398* | 0.158 | <0.001 | -1.806 | -0.989 |
| | | 41-50 | -1.248* | 0.170 | <0.001 | -1.688 | -0.809 |
| Integrity | <30 | 31-40 | -0.074 | 0.139 | 0.952 | -0.435 | 0.287 |
| | | 41-50 | 0.075 | 0.151 | 0.960 | -0.317 | 0.467 |
| | | 51+ | 0.707* | 0.179 | 0.001 | 0.244 | 1.170 |
| | 31-40 | <30 | 0.074 | 0.139 | 0.952 | -0.287 | 0.435 |
| | | 41-50 | 0.149 | 0.115 | 0.568 | -0.149 | 0.447 |
| | | 51+ | 0.781* | 0.149 | <0.001 | 0.394 | 1.167 |
| | 41-50 | <30 | -0.075 | 0.151 | 0.960 | -0.467 | 0.317 |
| | | 31-40 | -0.149 | 0.115 | 0.568 | -0.447 | 0.149 |
| | | 51+ | 0.632* | 0.160 | 0.001 | 0.216 | 1.047 |
| | 51+ | <30 | -0.707* | 0.179 | 0.001 | -1.170 | -0.244 |
| | | 31-40 | -0.781* | 0.149 | <0.001 | -1.167 | -0.394 |
| | | 41-50 | -0.632* | 0.160 | 0.001 | -1.047 | -0.216 |
| Availability | <30 | 31-40 | 0.013 | 0.148 | 1.000 | -0.370 | 0.395 |
| | | 41-50 | 0.089 | 0.161 | 0.945 | -0.327 | 0.506 |
| | | 51+ | 1.072* | 0.190 | <0.001 | 0.580 | 1.563 |
| | 31-40 | <30 | -0.013 | 0.148 | 1.000 | -0.395 | 0.370 |
| | | 41-50 | 0.077 | 0.122 | 0.922 | -0.239 | 0.393 |
| | | 51+ | 1.059* | 0.158 | <0.001 | 0.649 | 1.469 |
| | 41-50 | <30 | -0.089 | 0.161 | 0.945 | -0.506 | 0.327 |
| | | 31-40 | -0.077 | 0.122 | 0.922 | -0.393 | 0.239 |
| | | 51+ | 0.982* | 0.170 | <0.001 | 0.541 | 1.424 |
| | 51+ | <30 | -1.072* | 0.190 | <0.001 | -1.563 | -0.580 |
| | | 31-40 | -1.059* | 0.158 | <0.001 | -1.469 | -0.649 |
| | | 41-50 | -0.982* | 0.170 | <0.001 | -1.424 | -0.541 |

CIA Triad of Information Security by Years of Work Experience

The researcher examined whether there was an effect of work experience on the CIA triad of information security. Table 29 shows the mean scores for security confidentiality, integrity, and availability were different between the three groups. This might be an indication of a significant difference, but the variability of the data required further testing. To confirm whether the difference was statistically significant, the researcher conducted formal testing using ANOVA, as there were more than two groups to be tested. Before conducting the ANOVA, it was important to check the assumption of equal variances. Results of the Levene’s test (see Table 30) indicated that the assumption of homogeneity of variances for confidentiality, integrity, and availability did not hold as the p-value was less than 0.05. In this case, the researcher performed a robust Welch ANOVA.

The ANOVA results showed there were significant differences in security confidentiality (F[2,103] = 24.95, p < 0.001), integrity (F[2,106] = 17.17, p < 0.001), and availability (F[2,106] = 15.88, p < 0.001) between work experience groups. The p-values for the three ANOVA tests were less than 0.05, leading to a rejection of the null hypothesis of no differences between the three groups as at least one group differed significantly.

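Table 29

ANOVA for Mean Differences of CIA Triad of Information Security by Work Experience

| DV | Work Experience | N | M | SD | Robust ANOVA Statistic | df1 | df2 | p |
|---|---|---|---|---|---|---|---|---|
| Confidentiality | 1-3 years | 72 | 4.073 | 1.118 | 24.95 | 2 | 103 | <0.001 |
| | 4-6 years | 70 | 4.911 | 0.255 | | | | |
| | 7+ years | 64 | 4.578 | 0.624 | | | | |
| Integrity | 1-3 years | 72 | 4.300 | 0.994 | 17.17 | 2 | 106 | <0.001 |
| | 4-6 years | 70 | 4.908 | 0.236 | | | | |
| | 7+ years | 64 | 4.665 | 0.505 | | | | |
| Availability | 1-3 years | 72 | 4.212 | 1.047 | 15.88 | 2 | 106 | <0.001 |
| | 4-6 years | 70 | 4.829 | 0.293 | | | | |
| | 7+ years | 64 | 4.504 | 0.693 | | | | |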

Table 30

Test of Homogeneity of Variances

| DV | Levene Statistic | df1 | df2 | p |
|---|---|---|---|---|
| Confidentiality | 71.860 | 2 | 201 | <0.001 |
| Integrity | 51.392 | 2 | 201 | <0.001 |
| Availability | 50.387 | 2 | 201 | <0.001 |

As the results showed a statistically significant difference in this case, the researcher needed to conduct post hoc comparisons using Tukey’s test. The post hoc Tukey’s test revealed the mean scores of security confidentiality were significantly different between those with 1 to 3 years and 4 to 6 years of experience (p < 0.001), between those with 1 to 3 years and 7+ years of experience (p = 0.001), and between those with 4 to 6 years and 7+ years of experience (p < 0.001). For security integrity, a significant difference was found between those with 1 to 3 years and 4 to 6 years of experience (p < 0.001) and between those with 1 to 3 years and 7+ years of experience (p = 0.005). For security availability, a significant difference was found between those with 1 to 3 years and 4 to 6 years of experience (p < 0.001) and between those with 4 to 6 years and 7+ years of experience (p = 0.036; see Table 31).

Table 31

Post Hoc Test: CIA Triad of Information Security by Work Experience

| DV | Year Exp (I) | Year Exp (J) | Mean Difference (I-J) | Std. Error | p | 95% Confidence Interval Lower Bound | 95% Confidence Interval Upper Bound |
|---|---|---|---|---|---|---|---|
| Confidentiality | 1-3 | 4-6 | -0.838* | 0.128 | <0.001 | -1.140 | -0.536 |
| | | 7+ | -0.504* | 0.132 | 0.001 | -0.816 | -0.192 |
| | 4-6 | 1-3 | 0.838* | 0.128 | <0.001 | 0.536 | 1.140 |
| | | 7+ | 0.333* | 0.133 | 0.035 | 0.019 | 0.647 |
| | 7+ | 1-3 | 0.504* | 0.132 | 0.001 | 0.192 | 0.816 |
| | | 4-6 | -0.333* | 0.133 | 0.035 | -0.647 | -0.019 |
| Integrity | 1-3 | 4-6 | -0.609* | 0.112 | <0.001 | -0.873 | -0.344 |
| | | 7+ | -0.366* | 0.116 | 0.005 | -0.639 | -0.092 |
| | 4-6 | 1-3 | 0.609* | 0.112 | <0.001 | 0.344 | 0.873 |
| | | 7+ | 0.243 | 0.116 | 0.095 | -0.032 | 0.518 |
| | 7+ | 1-3 | 0.366* | 0.116 | 0.005 | 0.092 | 0.639 |
| | | 4-6 | -0.243 | 0.116 | 0.095 | -0.518 | 0.032 |
| Availability | 1-3 | 4-6 | -0.617* | 0.126 | <0.001 | -0.914 | -0.320 |
| | | 7+ | -0.292 | 0.129 | 0.064 | -0.598 | 0.013 |
| | 4-6 | 1-3 | 0.617* | 0.126 | <0.001 | 0.320 | 0.914 |
| | | 7+ | 0.325* | 0.130 | 0.036 | 0.017 | 0.632 |
| | 7+ | 1-3 | 0.292 | 0.129 | 0.064 | -0.013 | 0.598 |
| | | 4-6 | -0.325* | 0.130 | 0.036 | -0.632 | -0.017 |

CIA Triad of Information Security by Education

The researcher examined whether there was an effect of education on the CIA triad of information security. Table 32shows the mean scores for security confidentiality, integrity, and availability weredifferent between highschool/2-year community college, undergraduate, and postgraduate (i.e., master’s or doctorate). This might be an indication of a significant difference, but the variability of the data required further testing. To confirm whether the difference was statistically significant, the researcher conducted formal testing using ANOVA, as there were more than two groups to be tested. Before conducting the ANOVA, it was important to check the assumption of equal variances. Results of the Levene’s test (see Table 33) showed the assumption of homogeneity variances for confidentiality (F = 5.177, p = 0.006) and integrity (F = 4.521, p = 0.012) did not hold as the p-value was less than 0.05. In this case, the researcher performed robust Welch ANOVA. Meanwhile, the assumption of equal variances for security availability was satisfied as the p-value was not less than 0.05 (F = 2.975, p = 0.053). In this case, the researcher performed a one-way ANOVA.

The ANOVA results showed there were significant differences in security confidentiality (F[2, 49] = 17.07, p < 0.001), integrity (F[2, 49] = 10.83, p < 0.001), and availability (F[2, 202] = 10.88, p < 0.001) between education groups. The p-values for the three ANOVA tests were less than 0.05, leading to a rejection of the null hypothesis of no differences between the three groups, as at least one group differed significantly from the others.

Table 32

ANOVA for Mean Differences of CIA Triad of Information Security by Education

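| DV | Education | N | M | SD | Robust ANOVA Statistic | df1 | df2 | p |
|---|---|---|---|---|---|---|---|---|
| Confidentiality | high school | 24 | 3.870 | 0.853 | 17.07 | 2 | 49 | <0.001 |
| | undergraduate | 140 | 4.734 | 0.748 | | | | |
| | postgraduate | 42 | 4.124 | 0.804 | | | | |
| Integrity | high school | 24 | 4.273 | 0.681 | 10.83 | 2 | 49 | <0.001 |
| | undergraduate | 140 | 4.774 | 0.657 | | | | |
| | postgraduate | 42 | 4.285 | 0.742 | | | | |
| Availability* | high school | 24 | 4.094 | 0.830 | 10.88 | 2 | 202 | <0.001 |
| | undergraduate | 140 | 4.679 | 0.743 | | | | |
| | postgraduate | 42 | 4.189 | 0.743 | | | | |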

*test was conducted using ordinary one-way ANOVA

Table 33

Test of Homogeneity of Variances

| DV | Levene Statistic | df1 | df2 | p |
|---|---|---|---|---|
| Confidentiality | 5.177 | 2 | 201 | 0.006 |
| Integrity | 4.521 | 2 | 201 | 0.012 |
| Availability | 2.975 | 2 | 202 | 0.053 |
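The decision rule described above (Levene's test first, then Welch's ANOVA or an ordinary one-way ANOVA) can be checked against the published summaries. This added Python example, which is not part of the original chapter, recomputes the F statistics from the rounded N, M, and SD values in Table 32 and the Levene p-values in Table 33. The function and variable names are hypothetical, and because it works from rounded summaries for all 206 respondents instead of the raw responses, its results come out close to, but not identical to, the reported values.

```python
# Added example: recompute the Table 32 F statistics from group summaries.
# Inputs are the rounded N, M, SD values printed in Table 32 and the Levene
# p-values printed in Table 33; all names below are hypothetical.

ALPHA = 0.05

# (n, mean, sd) for high school, undergraduate, postgraduate
TABLE_32 = {
    "Confidentiality": [(24, 3.870, 0.853), (140, 4.734, 0.748), (42, 4.124, 0.804)],
    "Integrity":       [(24, 4.273, 0.681), (140, 4.774, 0.657), (42, 4.285, 0.742)],
    "Availability":    [(24, 4.094, 0.830), (140, 4.679, 0.743), (42, 4.189, 0.743)],
}
LEVENE_P = {"Confidentiality": 0.006, "Integrity": 0.012, "Availability": 0.053}


def classic_anova(groups):
    """One-way ANOVA F, df1, df2 from (n, mean, sd) summaries."""
    k = len(groups)
    n_total = sum(n for n, _, _ in groups)
    grand = sum(n * m for n, m, _ in groups) / n_total
    ss_between = sum(n * (m - grand) ** 2 for n, m, _ in groups)
    ss_within = sum((n - 1) * sd ** 2 for n, _, sd in groups)
    df1, df2 = k - 1, n_total - k
    return (ss_between / df1) / (ss_within / df2), df1, df2


def welch_anova(groups):
    """Welch's F, df1, df2: each group is weighted by n / variance."""
    k = len(groups)
    w = [n / sd ** 2 for n, _, sd in groups]
    w_sum = sum(w)
    w_mean = sum(wi * m for wi, (_, m, _) in zip(w, groups)) / w_sum
    between = sum(wi * (m - w_mean) ** 2 for wi, (_, m, _) in zip(w, groups)) / (k - 1)
    lam = sum((1 - wi / w_sum) ** 2 / (n - 1) for wi, (n, _, _) in zip(w, groups))
    f = between / (1 + 2 * (k - 2) * lam / (k ** 2 - 1))
    return f, k - 1, (k ** 2 - 1) / (3 * lam)


def choose_and_run(dv):
    """Apply the chapter's rule: Welch when Levene rejects equal variances."""
    if LEVENE_P[dv] < ALPHA:
        return ("welch",) + welch_anova(TABLE_32[dv])
    return ("one-way",) + classic_anova(TABLE_32[dv])


if __name__ == "__main__":
    for dv in TABLE_32:
        name, f, df1, df2 = choose_and_run(dv)
        print(f"{dv:16s} {name:8s} F({df1}, {df2:.1f}) = {f:.2f}")
```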

As the results showed a statistically significant difference in this case, the researcher needed to conduct post hoc comparisons using Tukey’s test. The results in Table 34 show the mean scores of security confidentiality were significantly different between high school and undergraduate (p < 0.001) and between undergraduate and postgraduate (p < 0.001). For security integrity, a significant difference was found between high school and undergraduate (p = 0.003) and between undergraduate and postgraduate (p < 0.001). For security availability, a significant difference was found between high school and undergraduate (p = 0.002) and between undergraduate and postgraduate (p = 0.001).

Table 34

Post Hoc Test: CIA Triad of Information Security by Education

| DV | Education (I) | Education (J) | Mean Difference (I-J) | Std. Error | p | 95% Confidence Interval Lower Bound | 95% Confidence Interval Upper Bound |
|---|---|---|---|---|---|---|---|
| Confidentiality | high school | undergraduate | -0.865* | 0.174 | <0.001 | -1.274 | -0.455 |
| | | postgraduate | -0.255 | 0.201 | 0.415 | -0.729 | 0.220 |
| | undergraduate | high school | 0.865* | 0.174 | <0.001 | 0.455 | 1.274 |
| | | postgraduate | 0.610* | 0.137 | <0.001 | 0.286 | 0.933 |
| | postgraduate | high school | 0.255 | 0.201 | 0.415 | -0.220 | 0.729 |
| | | undergraduate | -0.610* | 0.137 | <0.001 | -0.933 | -0.286 |
| Integrity | high school | undergraduate | -0.501* | 0.152 | 0.003 | -0.861 | -0.141 |
| | | postgraduate | -0.011 | 0.176 | 0.998 | -0.428 | 0.405 |
| | undergraduate | high school | 0.501* | 0.152 | 0.003 | 0.141 | 0.861 |
| | | postgraduate | 0.490* | 0.120 | <0.001 | 0.206 | 0.774 |
| | postgraduate | high school | 0.011 | 0.176 | 0.998 | -0.405 | 0.428 |
| | | undergraduate | -0.490* | 0.120 | <0.001 | -0.774 | -0.206 |
| Availability | high school | undergraduate | -0.585* | 0.167 | 0.002 | -0.978 | -0.192 |
| | | postgraduate | -0.095 | 0.194 | 0.875 | -0.553 | 0.362 |
| | undergraduate | high school | 0.585* | 0.167 | 0.002 | 0.192 | 0.978 |
| | | postgraduate | 0.490* | 0.134 | 0.001 | 0.174 | 0.806 |
| | postgraduate | high school | 0.095 | 0.194 | 0.875 | -0.362 | 0.553 |
| | | undergraduate | -0.490* | 0.134 | 0.001 | -0.806 | -0.174 |

Summary of Findings

To test the research hypotheses in this study, the researcher fit three different regression models. The results showed information security policies (i.e., awareness, enforcement, and maintenance) had the highest correlation with security integrity (R = 0.792) and were able to explain the greatest amount of variability in the dependent variable (i.e., security integrity), at nearly two-thirds of the total variance (62.7%). The three independent variables had a significant effect on security integrity with security enforcement being the most important factor in driving security integrity, followed by security maintenance and security awareness.

Information security policies also had a high correlation with security availability (R = 0.759) and were able to explain 57.6% of the total variability in security availability. The three independent variables also significantly affected security availability with enforcement being the most important factor driving security availability, followed by security awareness and security maintenance.

Information security policies had the lowest correlation with security confidentiality (R = 0.751). However, the three independent variables still showed a significant effect on security confidentiality, with enforcement being the most important driver.

The results of the t tests and ANOVAs showed there were significant demographic effects on the CIA triad of information security. Male participants, IT professionals, undergraduates, participants in adulthood (<40 years old), those who earned security certificates, and those who worked in the IT industry gave significantly higher scores to the CIA triad of information security.