Background

Strategic management of an organizational environment needs an understanding of the isomorphism. Isomorphism puts a constraint on an organization by forcing one unit of it to adapt to the same structure of information technology as another unit assuming that they face the same environmental condition. Technology adoption has been an area of study in most academic researches done in IT communities but there only a few methodologies and theories that can explain the selection decisions of people for the adoption model.

Quantitative studies done on the isomorphic force have applied theories to the industry level but not at the organizational level. Moreover, the focus has been on the mechanisms that were used for spreading the practice of isomorphism and not on the level of its adaptation. This research involves a study of the mimetic adoption of a technology by exploring the subjective and social norms of evaluation used by early adopters. Organizations that use isomorphism, tend to work to reduce uncertainty by using the same technologies adapted in similar ways as early adopters. In the adoption process, some incompatible technologies may get introduced to an organization. With the maturity of technology and the market reaching later adopters, the mimetic isomorphism is reduced and normative isomorphism starts to dominate as out of the early adopters, those who could make their process of adoption successful start to push their best practices on later adopters.

The aim of this research is to explore how the employee behavior can affect the security posture of an organization in the cases of mimetic isomorphic adoption of an IT system.

Specific objectives of this research include:

• Understanding how mimetic isomorphism causes adoption of technology adoption
• Explore how the employee behavior can affect the security posture of an organization
• Identify ways security can be enhanced in an organization adopting software or technology through mimetic isomorphism
• Come up with the recommendations for the enhancement of the security posture of the organization in the circumstances of mimetic isomorphism

The project would involve exploration of the following areas of study:

• The need for the study of security aspects and the importance of mimetic isomorphism
• Exploration of the theories related to mimetic isomorphism and IS security
• Study of the literature on the subject of interest to identify research gaps
• Exploring the behavior of organization employees with respect to security and mimetic isomorphic adoption
• Recommendations on enhancement of the security posture of the organization

This research would answer following questions:

• Does mimetic isomorphic adopted affect the security posture of the organization as a result of adoption?
• Does behavior of employees affect the security posture of the organization?
• How can employee behavior be influenced to enhance the security posture of IS systems in the cases of mimetic isomorphic adoption?

The influential theory can be useful for understanding the concept of isomorphism in organizations. There can be two key types of isomorphism including competitive and institutional. Competitive isomorphism covers the competition between organizations for customers and resources. Institutional isomorphism refers to the search for social fitness through political power and legitimacy.

If the structuration in the organization increases then it also increases isomorphism in the practices and forms. This happens because of certain factors like increase in the interaction between different organizations increases, in the information that organization has to attend to, the emergence of the patterns of domination and coalition, and development of awareness between participants in the organization.

Isomorphic changes can happen through three mechanisms that include coercive, normative, and mimetic. Coercive isomorphism is caused by political influence and legitimacy. Normative isomorphism refers to legitimacy that achieved by the alignment with the values of the organization through credentialing. Mimetic isomorphism is achieved by seeking legitimacy and uncertainty avoidance. Organizations in which professions are heavy are more vulnerable to the isomorphic pressures.

Among the three isomorphic pressures, mimesis received the most attention of researchers as there was clear evidence of such researches. Most of these studies saw diffusion as synonymous to the isomorphism but some competing theirs like resource dependence, concept of diffusion can be explained with a different lens (Teece & Augier, 2011)

Problem

IT adoption consumes a third of the spending on a business which is a major amount and thus, this is of high importance for study. When a new technology has to be implemented, a new technology needs to be learned and applied.

Selecting between a wide number technologies that are available can be a difficult choice to make as a choice of a wrong technology can result into implications like a failure of acceptance from the market , high cost of conversion, and reduction of the competitive advantage. Moreover, the cost of switching in the case of technology is high.

Technology acquisitions are not formalized by many companies who fail to choose the selection matrices or develop evaluation criteria. This can be due to fact that costs and benefits that result from a technology adoption are difficult to quantify. Moreover, there are only a few theories and methodologies that guide the process of technology acquisition. Most teams utilize some subjective and some objective measures for acquisition. However, this type of quantitative evaluation is more procedural than effective (Lieberman & Asaba, 2004).

Researchers have found that the lead person in an organization usually has a disproportionate role in the process of decision making. However, if the selection was done is suboptimal, it a result into negative consequences. If these implications are even both at the micro and the macro level then mixed level methodologies would make an appropriate choice for an evaluation the research done on IT would largely depend on the theory of reasoned action (TRA).

TRA can be used for understanding human behavior. The theory says that an attitude (A) combined with subjective norms (SN) decide the behavior intention (BI) in a person. The technology acceptance model (TAM) uses TRA for modeling the acceptance of information system users. TAM model can be used to understand the impact of external factors on the beliefs, attitudes, and intentions of decision makers to understand the reasons behind the selection or acquisition. It is the inclusion of the norms that makes the TAM model useful for understanding the process of selection of information.

Diffusion of innovation (DOI) further expands the subjective norms to the influences from superiors, subordinates, and peers. The inclusions recognize that normative beliefs can form a complex model consisting of 5 stages including attention, interest, evaluation, trial, and adoption. In this model, several other adaptations have been formed by various researchers including initiation, adaptation, acceptance, routines, and infusion. Social pressures result from the subjective norms making people behave in a certain manner and take decisions for technology adoption.

The power of adoption models can be increased if they could be defined externally for which institutional theory can be used for exploring technology selection process such that those external influences that are less visible otherwise can also be seen. The theory utilizes normative frameworks for guiding, restricting or encouraging specific behavior. Unlike neoclassical theorists, institutionalists believe that social institutions shape preferences and thus, can be economically analyzed using pragmatic models with some utilitarian assumptions. For this, economists must understand how an economy acquires a feature or a condition that cause variances in time and place (Najeeb, 2014).

Aim

The objective of uncertainty reduction is embedded in decision models and thus, it is one of the criteria’s for management decisions. Uncertainty avoidance can be defined as the extent to which an organization would fear unexpected or unknown situations that can result from a technology selection. In a situation of technology selection, organizations take different approaches to avoid uncertainties such as waiting for more information to arrive such that better decision can be taken or implementing both technologies simultaneously to identify a superior choice. The choice of strategy would depend on certain factors like resource availability, competitive pressures, corporate strategies, technological characteristics, and management preferences. Early adopter’s choices can act as a source of information for the later adopters thereby influencing their decisions for adoption (Tingling & Parent, 2003).

Early adopters take decisions based on traditional methods of multidimensional product evaluations in which, the technology that is believed to be superior is selected. In mimetic isomorphism, the technology is not selected on the basis of the qualitative or quantitative score but on the basis of innovation or uncertainty avoidance.

The level of Innovation:  This measures the propensity of an organization to implement a new and unproven technology as compared to the tendency of mimetic isomorphism. The level of innovation is negatively correlated with the uncertainty avoidance suggesting a decrease in innovation with an increase in mimetic adoption and vice versa (Gao, 2010).

Uncertainty Avoidance: It refers to the tendency if an organization to avoid unfamiliar consequences caused by a selection of a technology. It is positively correlated to mimetic isomorphism such that high uncertainty avoidance is achieved with high mimetic isomorphism (Peterson, 2014).

Mimetic Isomorphism: The degree of the selection decisions of early adopters to which they resemble other organizations to avoid uncertainties (Li, et al., 2007).

For achieving information security, it is important to get a commitment from senior management to an organization. This commitment does not guarantee that risk management would be effective but it does increase the effectiveness of security controls thereby reducing risks to organizational information. Despite the importance of commitment from senior managers, a lack of commitment is seen in them when concerning the security of information systems. These managers are usually affected by external influences more than the internal factors (Veiga, 2015).

A study conducted on senior management supporting IS considering their participation and involvement revealed that involvement in security is more supportive to an organization than just participation (Marinos & Askoxylakis, 2013). The commitment of senior managers is a prerequisite for effective implementation of and compliance with IS security controls. However, the challenge remains as security is mostly driven from bottom-up rather than top-down approach. Managers need to have good situational awareness and the awareness of the external security landscape (Chai et al.,. IS security controls (IPC, 2015).

IS Security needs a well-developed strategy which should balance with the business strategies. Organizations must assess the value of security system and communicate the same to the management (Pahnila, et al., 2007). Risk management can be used for identification and assessment of the risks that an information system may be exposed to. It would also help mangers develop mitigation plans for managing those risks. This needs a god level of understanding of business processes of the organization and its information systems. A proper implementation of security controls can reduce risks (Schulze, 2015).

Objectives

The advances in networking technologies, sophisticated tools available to hackers, and increasing use of e-commerce have increased the complexity as well as the vulnerability of networks. Computer viruses and security breaches have become very common and the organization has globally lost trillions of dollars as consequences (Lebek, et al., 2013).

Human factors play a critical role in the reduction of security risks which is why they have been the subject of IS studies for a long time now. For understanding the issues that arise in the IS domain, an understanding of socio-organizational perspective is required (Klein & Luciano, 2016). The consideration of these factors would help ensure that the technologies used by humans foster collaboration between them through sharing of information and direct interaction.  A significant number of resources are also deployed in the development of technologies in such a way that it can help reduce security threats to the system (Tingling & Parent, 2002). However, it is often the organizational factors such as employee and organizational culture that affect the security posture of the system rather than the actual technological faults in the system.  Thus, it is critical to understanding what factors are important for information technologies or systems and how these factors shape the cognition in the employees of the organization such that they take informed actions while managing security  (AlKalbani, et al., 2015).

The possibilities of effective management of risks can improve decision makers takes only those technological solutions that receive high rating in the product evaluation process which also includes considerations of the security (Hu, et al., 2007)

This research makes use of a survey for data collection and statistical analysis for the data analysis. The section of the method has been made because this research needs an exploration of the practices and perspectives of the users and employees of organizations on how they see security and how they use the systems. This is due to the fact that their actions can affect the security of the systems. Also, the concept of mimetic adoption can also affect the security posture of the organization as the selection process of any technology or software can either have or not have the considerations for the security of the system.

For collecting data, the researcher has a prepared an objective questionnaire which would be distributed to the respondents using the data collection instrument called survey. The questionnaire would be filled by the respondents voluntarily for which their consent would be taken after telling them the significance of the study and the use of the data that would be obtained. The research takes a sample is of 50 considering the convenience sampling as the people who would know the security implications of software, decision criteria’s of the company while making selection of a system, and the systems that are installed in their respective companies need to be at higher levels of hierarchy and need to be managing the entire IT portfolio of the system. They also need to have long experience with the organization. Thus, the respondents were chosen based on their profiles in the selection criteria included age which was between 30 to 40, experience with the current organization that needed to be minimum of 4 years, knowledge of IT systems of the company which needed to be sound and the designation which included people who were either IT heads, security heads, senior security managers, senior IT managers, and IT project managers.

Scope

For the analysis of the survey data, the research would make use of the statistical procedures including descriptive analysis, correlation, and regression analysis. The descriptive analysis would be used for understanding each variable that covers the data in the research while correlation and regression would be used for exploration relationships between variables. Using the correlation and regression analysis, this hypothesis would be tested:

H1: The consideration of security aspects while making software selection affects the behavior of the employees

For this, a correlation and regression would be run between the variable implying consideration of security in software selection and the behavior of employees while using IT systems.

H2: The consideration of the security aspects while selecting software affects the security posture of the organization.

For this, a correlation and regression would be run between the variable implying consideration of security in software selection and the current security posture of the respective company’s IT systems.

The correlation was run between the variable implying consideration of security in software selection and the behavior of employees while using IT systems and between the variable implying consideration of security in software selection and the current security posture of the respective company’s IT systems.

The results obtained were as follows: 

Model Summary
Model	R	R Square	Adjusted R Square	Std. Error of the Estimate
1	.330a	.109	.090	2.48275
a. Predictors: (Constant), Company offers rewards for following security protocols

A significant but negative correlation was found between the variables reflecting how employees use the systems and the rewards the company associate with the security considerations. To understand if there exists a causal relationship between the two variables reflecting if the rewards affect the employee behavior, a regression analysis would be done on the two variables.

ANOVAa
Model	Sum of Squares	df	Mean Square	F	Sig.
1	Regression	36.125	1	36.125	5.861	.019b
Residual	295.875	48	6.164
Total	332.000	49
a. Dependent Variable: Using IT systems
b. Predictors: (Constant), Company offers rewards for following security protocols

The regression results confirmed that there exists a causal relationship between two variables such that 10.9% of the variation found in the employee behavior is influenced by the rewards given to them by the organization for secure use of IT systems.

In order to understand the behavior of the employees, frequency tables were prepared on some of the variables including use of security protocols by employees, 

Security Protocols
	Frequency	Percent	Valid Percent	Cumulative Percent
Valid	Password protection of files while sending	8	16.0	16.0	16.0
Standard Operating Procedures	8	16.0	16.0	32.0
Regular updates of software	7	14.0	14.0	46.0
Desktop Cleanup	14	28.0	28.0	74.0
Data Backup	13	26.0	26.0	100.0
Total	50	100.0	100.0

The frequency table suggested that a majority of them that is 28% used desktop cleanup while 26% of them used data backup for the security of the IT systems.  Password protection and software updates that are the most important factors of consideration in security are rarely followed by employees.

For understanding how employee behavior affected the security posture of the company, the actions that could increase the security risks were explored and managers were asked if they were done by employees.

Using IT systems
	Frequency	Percent	Valid Percent	Cumulative Percent
Valid	Download unauthorized software	4	8.0	8.0	8.0
Plug into insecure devices	7	14.0	14.0	22.0
Unauthorized system changes	4	8.0	8.0	30.0
Click email links from unknown people	7	14.0	14.0	44.0
Neglect system updates	3	6.0	6.0	50.0
Disable security features	6	12.0	12.0	62.0
Share passwords	7	14.0	14.0	76.0
Bypass corporate policy	6	12.0	12.0	88.0
Share sensitive information out of work network	6	12.0	12.0	100.0
Total	50	100.0	100.0

The frequency table prepared on employee behavior causing risks revealed that a majority of them that is 14% plugged into insecure devices, clicked links sent by unknown people and shared their passwords while 12% of them disabled security features, by passed corporate policies or shared sensitive information out of corporate network.

Managers were asked if their employees used official IT systems for their personal use and it was found that employees of 22% of the organizations used their systems for personal use several times a week while 20% never used them for personal use. 16% of companies had their employees using systems for their personal work at least once in a day. Remaining companies had their employees using systems for personal use either once a week, several times a month or once a month in equal proportions.  

Research questions

The rewards that organizations associated with the use of IT systems considering security postures affect the behavior of employees and thus, it can be said that employees can be made more security concerned if they are offered sufficient rewards for showing accountability for security.

When employee behavior was studied, it was found that most employees make use of desktop cleanup and data backup for ensuring the security of the systems. However, very few of them used strong passwords and regular software updates for ensuring the security of systems which were the important security measures as found in the literature review. Thus, there is a need for increasing the awareness of the use and importance of right security measures in employees.

Most employees were found using the systems for their personal concerns and many of them displayed inappropriate behaviour that could add security risks to the organizations such as plugging into insecure devices, clicking links from unknown people, password sharing, shared their disabling of security features, bypassing corporate policies and sharing sensitive information out of the corporate network. 

Conclusions and Recommendations

From the research, it can be concluded that a majority of employees make use of computers for their personal use and their behavior does affect the security posture of the organization in a negative way. Moreover, employees are not using the right security measures for protection and thus, there is a need to create awareness and develop strategies that encourage employees to make use of systems in a way that does not affect the security postures of the organization as well as make use of procedures that would enhance the security posture of the organization.

Based on the interpretations of the research results, some recommendations can be made for corporate to enhance ht security posture of their organizations when innovating with adopting of solutions based on mimetic isomorphism. These include:

• Security should be a part of the evaluation while an organization makes the selection of a software or IT system to implement
• As rewards affect employee behavior, it can be made as a part of company strategies for enhancing security of its IT systems
• Most employees pose risks to the organization because of their actions and thus, organizations must educate the employees on implications and should be made accountable for their actions so as to make them follow security rules strictly
• Organizations can pose strict policies for restricting personal use of the IT systems of the organization such that security risks can be reduced
• Employees must either be forced by making procedures mandatory or they can be positively encouraged with rewards for following security enhancing measures 

References 

AlKalbani, A., Deng, H. & Kam, B., 2015. ORGANISATIONAL SECURITY CULTURE AND INFORMATION SECURITY COMPLIANCE FOR E-GOVERNMENT DEVELOPMENT: THE MODERATING EFFECT OF SOCIAL PRESSURE, s.l.: RMIT University.

Gao, Y., 2010. Mimetic isomorphism, market competition, perceived benefit and bribery of firms in transitional China. Asian Journal of Management, 35(2), pp. 1-34.

Hu, Q., Hart, P. & Cooke, D., 2007. on information systems security – an on information systems security – a neo-institutional perspective. Journal of Strategic Information Systems, Volume 16, p. 153–172.

IPC, 2015. IT Security and Employee Privacy: Tips and Guidance, s.l.: IPC for British Columbia.

Klein, R. H. & Luciano, E. M., 2016. WHAT INFLUENCES INFORMATION SECURITY BEHAVIOR? A STUDY WITH BRAZILIAN USERS. JISTEM J.Inf.Syst. Technol. Manag, 13(3), pp. 1-18.

Leber, B., Uffen, J. & Breitner, M. H., 2013. Employees’ Information Security Awareness and Behavior: A Literature Review. s.l., 46th Hawaii International Conference on System Sciences.

Li, C., Lim, J.-H. & Wang, Q., 2007. Internal and external influences on IT control governance. International Journal of Accounting Information Systems, Volume 8, p. 225–239.

Lieberman, M. B. & Asaba, S., 2004. Why Do Firms Imitate Each Other? , s.l.: The Anderson School at UCLA .

Marinos, L. & Askoxylakis, I., 2013. Human Aspects of Information Security, Privacy and Trust: First International Conference, HAS 2013, Held as Part of HCI International. s.l., Springer.

Najeeb, A., 2014. Institutional theory and human resource management, s.l.: University of Wollongong.

Pahnila, S., Siponen, M. & Mahmood, A., 2007. EmployeesEmployees’ Behavior towards IS Security Policy Compliance’ Behavior towards IS Security Policy Compliance, s.l.: HICSS .

Peterson, M., 2014. Identification of Behavioral Factors within Organizations that Can Improve Information Systems Security Compliance, s.l.: Oregon State University.

Schulze, H., 2015. Insider Threat Spotlight Report, s.l.: Bitglass.

Teece, D. J. & Augier, M., 2011. The Palgrave Encyclopedia of Strategic Management. s.l.:Palgrave Macmillan Publishers.

Tingling, P. & Parent, M., 2002. Mimetic Isomorphism and Technology Evaluation: Does Imitation Transcend Judgment?. Journal of the Association for Information Systems, Volume 3, pp. 113-143.

Tingling, P. & Parent, M., 2003. Mimetic Isomorphism and Technology Evaluation: Does Imitation Transcend Judgment?. Journal of the Association for Information Systems , Volume 2, pp. 113-143.

Veiga, A. D., 2015. The Influence of Information Security Policies on Information Security Culture: Illustrated through a Case Study, s.l.: Research Gate.