THE ACCEPTANCE AND EFFECTIVENESS OF FEDERAL AND STATE
INFORMATION SECURITY REGULATIONS IN MULTI-BRANCH COMMUNITY
BANKS: A PHENOMENOLOGICAL ANALYSIS CONDUCTED IN CENTRAL
CALIFORNIA

by

Charles I. McClain



JELENA VUCETIC, Ph.D, Faculty Member and Chair

STEVEN BROWN, Ph.D, Committee Member

TAPAN MUNROE, Ph.D, Committee Member



Kurt Linberg, Ph.D., Dean, School of Business and Technology



A Dissertation Presented in Partial Fulfillment
Of the Requirements for the Degree
Doctor of Philosophy



Capella University

June 2008

3307974

© Charles McClain, 2008



ABSTRACT

The effectiveness of technology and its implementation factors vis-à-vis organizations arguably depends upon the degree to which these factors are accepted by those organizations’ users. The most widely applied model for this behavior in information technology theory is the Davis technology acceptance model (TAM). TAM postulates that the acceptance of applied and environmental aspects of technology is primarily a function of the facility (ease-of-use) and utility (usefulness) of the technology in question. This project involved a three-phase, multi-method study of the effectiveness of the current scheme of information security regulation in California community banks, assessing the acceptance of such federal and state mandates by those banks and potential improvements of such regulation toward the end of enhanced information system security. The initial qualitative phase involved a series of directed interviews which, through open coding, assessed the potential for bias of both the researcher and the participants (bank officers charged with responsibility for such security) and found such bias effects to be minimal. The second phase, a quantitative survey of factors which resulted from phase one by way of axial coding, was designed to test two null hypotheses – that the facility (ease-of-use) of the information security regulatory scheme is acceptable and that the utility (usefulness) of the information security regulatory scheme is beneficial – with statistical analyses of the data produced indicating that neither of these null hypotheses could be rejected at 95% confidence levels. The third, qualitative phase consisted of a set of follow-up open interviews, the selectively coded results of which investigated the participants’ views on changes which could contribute to enhanced information security regulation, fostering better information security at their banking organizations. These changes included greater examiner/auditor expertise; more specific remedial recommendations by regulators and auditors; consolidation of diverse regulatory agencies; and greater professional input by the regulated community in the process of regulatory procedure development. Finally, the implications of these findings and the resultant recommendations are discussed.



DEDICATION

This dissertation is dedicated to (ISC)², my professional information security organization, whose generous research grant has enabled use of the best research tools to conduct this study; County Bank, my employer, which has given me every encouragement in pursuit of my doctoral program; and, finally, my loving wife, Gay Parker, whose unstinting support and encouragement kept this work focused and on track.


ACKNOWLEDGEMENTS

With my heartfelt thanks, I acknowledge the gracious support of my mentor, Dr. Jelena Vucetic, and my other committee members, Drs. Steven Brown and Tapan Munroe. I’d also like to express my gratitude to Drs. Don Stengel, James Henson, Ojoung Kwon, and Sasan Rhamatian, who provided invaluable assistance in validation and correction of my research instrument. I also extend my complete appreciation to Mr. Tom Hawker, Chief Executive Officer of Capital Corp. of the West, whose introduction of this project to the banks invited to participate provided vital encouragement to the involvement of those organizations which took part. Finally, to all the participants who patiently and thoroughly responded to all phases of this project, my thanks for your thoughtful contributions.

TABLE OF CONTENTS

ACKNOWLEDGEMENTS i
LIST OF FIGURES viii
LIST OF TABLES ix
LIST OF ABBREVIATIONS x
CHAPTER 1 – INTRODUCTION 1
    Introduction to the Problem 1
    Background of the Study 2
    Statement of the Problem 2
    Purpose of the Study 3
    Rationale 3
    Research Questions 4
    Significance of the Study 5
    Definition of Terms 5
    Assumptions and Limitations 6
    Theoretical and Conceptual Framework 7
    Organization of the Remainder of the Study 10
CHAPTER 2 – LITERATURE REVIEW 11
CHAPTER 3 – METHODOLOGY 22
    Research Design 22
    Sample 22
    Instrumentation 23
    Data Collection 25
    Data Management Plan 25
    Computer Application Strategy 26
    Treatment (Coding System) 27
    Open Coding 27
    Axial Coding 28
    Selective Coding 29
    Data Analysis 30
    Validity and Reliability 33
    Generalizability 33
    Bias and Validity 34
    Ethical Considerations 34
CHAPTER 4 – RESULTS 36
    Instrument Design 36
    Instrument Validation 44
    Phase I 57
    Participant Solicitation Process 57
    Results of Solicitation 59
    PROF (0) 64
    ENV (1) 65
    ENV/EXP (1.1) 66
    ENV/KNOW (1.2) 67
    ENV/KNOW/GLB (1.2.1) 67
    ENV/KNOW/SOX 67
    ENV/KNOW/FFIEC (1.2.3) 68
    ENV/KNOW/PATRIOT 68
    ENV/KNOW/FACT 69
    ENV/KNOW/SB1386 (1.2.6) 70
    OVER 71
    OVER/RISK 71
    OVER/SIZE 72
    OVER/COMPLEX (2.3) 72
    OVER/STAFF_EXP 73
    OVER/EXAM_EXP 73
    STRAT 74
    STRAT/CAT 75
    STRAT/REL 75
    PROC 76
    PROC/RISK_PROC 77
    PROC/AUDIT 78
    PROC/BCDRP 78
    PROC/GLB_COMPL 79
    Coding and Bias Analysis 80
    Phase II 82
    Questionnaire 89
    Statistical Evaluation 92
    Hypothesis Testing 100
    Phase III 101
    Bank 90 102
    Bank 78 103
    Bank 44 103
    Bank 16 104
    Bank 76 105
    Bank 62 106
    Evaluation and Analysis 107
CHAPTER 5 – DISCUSSION, IMPLICATIONS, RECOMMENDATIONS 114
    Discussion 115
    Implications 117
    Recommendations 118
REFERENCES 120
APPENDIX A – INTRODUCTORY LETTER 134
APPENDIX B – PHASE I – GUIDED INTERVIEWS – CODED 136
APPENDIX C – TOPIC CROSS-TABULATED PARTICIPANT COMMENTS 137
APPENDIX D – SCORING MATRICES – WEIGHT CODING 138
    Bank 90 139
    Bank 78 140
    Bank 44 141
    Bank 16 142
    Bank 76 143
    Bank 62 144
APPENDIX E – PHASE II SURVEY RESULTS 145
    Bank 90 145
    Bank 78 145
    Bank 44 146
    Bank 16 147
    Bank 76 148
    Bank 62 149
APPENDIX F – SPSS RELIABILITY COMPUTATION 150
APPENDIX G – SPSS CORRELATION COMPUTATION 151
APPENDIX H – PARTIAL LEAST SQUARES COMPUTATION 152


LIST OF FIGURES

Figure 1. Conceptual Framework Flowchart 9
Figure 2. Greimas signification model (1987) 18
Figure 3. Corea-based application of Greimas’ model to Online Customer Service (CS) (2006) 18
Figure 4. TAM Axial Coding 29
Figure 5. Guided Interview Sample 43
Figure 6. AtlasTI® Axial Coding Diagram 63
Figure 7. Scatter Plot 95
Figure 8. Kurtosis Chart 96
Figure 9. Pearson Correlation Coefficients Chart 98
Figure 10. Chin’s Partial Least Square – Correlation Coefficients and Multiple R2 100


LIST OF TABLES

Table 1. Instrumentation 23
Table 2. Data Analysis Strategy Table 32
Table 3. Participant Code and Characteristics 60
Table 4. Guided Interview Coding Summary 81
Table 5. SUMI Validation 88
Table 6. Questionnaire Structure 89
Table 7. Questionnaire 91
Table 8. Data Compilation 93
Table 9. Descriptive Statistics 94
Table 10. Pearson Correlation Coefficients 97


LIST OF ABBREVIATIONS

ASQ  After Scenario Questionnaire
CAQDAS  Computer Assisted Qualitative Data Analysis Software
CISA  Certified Information Security Auditor
CISM  Certified Information Security Manager
CISSP  Certified Information Systems Security Professional
CIO  Chief Information Officer
CUSI  Computer User Satisfaction Inventory
FACT  Fair and Accurate Credit Transactions Act
FFIEC  Federal Financial Institution Examination Council
GLB/GLBA  Gramm-Leach-Bliley Act
HFRG  Human Factors Research Group
ISACA  Information Systems Audit and Control Association
(ISC)²  International Information Systems Security Certification Consortium
ISSAP  Information Systems Security Architecture Professional
ISO  Information Security Officer
QUSI  Questionnaire for User Interaction Satisfaction
USA PATRIOT  Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act
PLS  Partial Least Squares
SANS  SysAdmin, Audit, Network, Security Institute
SB1386  Senate Bill 1386 (California)
SOX  Sarbanes-Oxley Act
SUMI  Software Utility Maintenance Index
SUS  System Usability Scale
TAM  Technology Acceptance Model


CHAPTER 1. INTRODUCTION
Introduction to the Problem

In the early spring of 2007, the Estonian government decided to move a World War II commemorative statue of a Russian soldier from the central square in Tallinn, the nation’s capital, to a Russian military cemetery on the outskirts of the city. This statue was viewed by native Estonians as an obtrusive reminder of foreign domination of the nation during the Soviet era. Its removal was followed by a vehement reaction from both Russo-Estonian residents and the Russian government, leading to what the New York Times (2007) referred to as the first “cyber-war” in history. Since regaining independence with the withdrawal of Russian troops in 1994, Estonia has aggressively pursued the Internet-based virtualization of ministerial and critical commercial services, including central banking, to the extent that the country proudly describes its paperless government as “E-stonia”. On April 27th, a series of coordinated distributed denial of service computer attacks overloaded and took down critical government servers, beginning with those of the President and Prime Minister, and quickly followed by national press and television services, schools, public health ministries, and finally, the national banking system. The attacks were continuous, spiking on May 8th and 9th, coincidentally the days on which Europe celebrates the victory of the Allies over Nazi Germany. Gradually, with the help of NATO security experts, critical systems were restored through identification and inhibition of the attack sources, most of which originated inside Russia. Servers which had normal traffic of 1,000 to 2,000 messages per day had been inundated with traffic upwards of 2,000 messages per second. While the authoritative on-line computer security journal SearchSecurity.com reported that the attacks could not be traced to the Russian government (2007), Russian hackers were evidently involved, associated with computers in the United States, Canada, Brazil, and Vietnam, most of which had been surreptitiously co-opted to transmit the huge message volume necessary for the attack.
Background of the Study
While the virtual assault discussed above has apparently been thwarted, its broader implications are extremely troubling for global financial systems increasingly dependent on the Internet and virtual electronic banking. In the United States, federal government concern over this situation has led to increasing regulatory attention to the issue of information security for the nation’s banking system. The effectiveness of such efforts is the central theme of this study.

Statement of the Problem
The problem of information systems security regulatory compliance by federally chartered banks is particularly critical. This characterization is justified by the extreme importance of the financial stability of the banking industry in our capitalistic society. The author of this study is an information security officer (ISO) for such a bank, and thus has a unique perspective, as compliance with such regulation is his primary job responsibility. This presents an opportunity for substantive research to be based on professional expertise, as opposed to relatively uninformed opinion, drawing on the extensive base of information security practice and experience reflected in the vocational activities of the participants in this research study.

Purpose of the Study
The purpose of this research is to evaluate a representative segment of the banking industry’s perceptions regarding the effectiveness of the current information security regulatory scheme and to focus either on marginal bases for improvement of the present approach or on exploration of possible alternatives to the current scheme if a significant threshold of dissatisfaction is revealed in the findings.
Rationale
Structurally, this study will be conducted with the intent of revealing and investigating factors which may lead to improved bank information security, based on affected organizational acceptance as reflected in critical user perception. Beginning with this objective, the research methodology is constructed for the express purpose of limiting bias, both of the researcher and of the study’s participants, in focusing on the current banking information security regulatory approach, defined by the Federal Financial Institution Examination Council (FFIEC) guidelines (2006), which are predominantly shaped by the legislative mandates of Gramm-Leach-Bliley, Sarbanes-Oxley, and other pertinent laws and regulations, including the USA Patriot Act (2001), the FACT Act (2003), and various State legislation, such as California’s Security Breach Information Act (2003), commonly known as SB (Senate Bill) 1386. As discussed in the literature review, the theoretical basis of this study rests on the technology acceptance model (TAM), originally developed by Davis (1986) and continuously validated, augmented (TAM2) and critiqued over the past twenty years (1989; 1989; 1993; 2003; 1989; 1995; 1996; 2000; 2005; 2007a; 2007b), arguably constituting the principal explanatory model in the field of information technology for organizational “buy-in” to the employment and environment of such technology. While TAM’s theoretical premise, that the acceptance of technological initiatives and their respective environmental aspects by their users is primarily predicated on two factors, the perceived ease-of-use, or facility, of such technology and its environment, and its perceived usefulness, or utility, is deceptively simple, its extensive application history provides a rich empirical foundation for this research project. Here the aforementioned theoretical explanation of the acceptance/effectiveness of bank information security regulation, defined as a mandatory aspect of the particular technological environment, will be inferred from analogous measurement of the perceptions of the professional participants of this research relative to median thresholds of utility (usefulness) and facility (organizational ease-of-use, convenience) at which reasonable organizational “buy-in” will be implicitly confirmed or rejected. If this threshold is met, further enquiry will solicit informed suggestions for marginal improvements to the existing schema; or, if it is rejected, rational alternatives to the present ministerial regime will be explored. In either case, the follow-on investigation will be conducive to the intent of enhanced bank information security. This process is reflected in the following five research questions.
Research Questions

In applying TAM and its antecedents to the general acceptance, and hence the effectiveness, of contemporary bank information security regulation, this research project will pose the following questions:

1) What is the professionally perceived facility of contemporary bank information security regulation?
2) What is the professionally perceived utility of contemporary bank information security regulation?
3) Do the perceived facility and utility of bank information security regulation lead to an acceptable level of security of critical banking information?
4) In what ways might the existing regulatory scheme be improved?
5) What alternatives might provide more effective bank information security?
Significance of the Study

If banking customers and the securities markets where ownership equities in banking corporations are traded were to lack confidence in the essential integrity of confidential banking information, the results could be catastrophic (Author note: see the extensive discussion and theoretical justification for this statement in Monks and Sykes (2002)), as may be noted from the recent experiences of Bear Stearns and UBS Warburg. Thus, from a historical perspective and ongoing necessity, banking is arguably, and perhaps justifiably, the most thoroughly regulated industry in the United States. As such, compliance with pertinent federal and state information security regulation (e.g., Section 501c of Gramm-Leach-Bliley (1999) and Section 404b of Sarbanes-Oxley (2002), and several others) consumes very substantial human and capital resources.

Definition of Terms

Such special terms as are used in this dissertation are defined both in context throughout the document and in the List of Abbreviations when an acronym is commonly used in place of the terminology.

Assumptions and Limitations
From an ontological perspective, this researcher is a Rawlsian, most strongly influenced by the philosophical propositions of John Rawls (1971; 1999; 2001), who argued that as our fundamental cultural, social, and economic predispositions are largely the result of the accident of our births, we must view human behavior in terms of the direct and indirect effects of our actions upon one another. Thus, the researcher is primarily motivated by a desire to analyze human nature in light of what is actually occurring at the time of the incidents in question. In his view one of the major potential pitfalls of qualitative research is the imposition of personal preference or bias, often in unconscious fashion, on the explanation of the causative aspects of human activities. In terms of this analyst’s personal, or epistemological, assumptions regarding human nature, his preferences for research orientation are thus pragmatic in nature. In the work of Creswell (2003), we read that pragmatism reflects a view that knowledge arises out of actions, situations, and the consequences of actions, rather than their antecedents. This view has strong roots in American thought, stemming from the work of such intellectual leaders as Ambrose Pierce, Henry James, George Mead, and John Dewey, and has been synopsized in many works, such as that of Cherryholmes (1992). Other scholars, such as Patton (1990) and Tashakkori and Teddlie (1998), have argued that pragmatism is the underlying intellectual driver for mixed methods research, which will be employed in this dissertation project, and is built on the following suppositions:
1) Pragmatism exists independently of individual views of reality or philosophy, thus it allows mixed methods research to use the most situationally appropriate qualitative and quantitative tools;
2) This view gives researchers great freedom of action;
3) Pragmatism does not have a unified world-view;
4) Truth is what works;
5) The focus of pragmatic research is consequential;
6) Pragmatic research recognizes the effects of the cultural, social, and economic factors surrounding the issues of research; and,
7) Questions should focus on what’s happening rather than reinterpreting the laws of reality and nature.
Limitations of this research include a variety of economic, geographical, and job-related factors. First, the study is specific to a narrow range of financial institutions: federally chartered banks, publicly traded on national exchanges, regulated by the FRB (as opposed to alternative federal agencies such as the Federal Deposit Insurance Corporation, the Comptroller of the Currency, the National Credit Union Association, etc.), and of moderate economic scale (approximately $1-10 billion in deposit size). The banks are also primarily located in the Western United States, mostly in Central California. The study participants will all be information security professionals, whose perceptions may differ markedly from those of other officers in their organizations. In aggregation, these factors focus on specific industrial, regional, and vocational perceptions of information systems security regulation. Lessons learned are thus confined to this unique slice of the organizational universe.
Theoretical and Conceptual Framework
The structure of this proposed research may be viewed as an integrated continuum from research topic to research question, evaluated by a bias-limiting, mixed research method which employs the Davis Technology Acceptance Model (1986; 1989; 1989; 2000) as a theoretical research basis to address the questions posed, as depicted in the following flowchart:

Research Topic: current federal and state banking information security regulation.

Research Question: evaluation of the current bank InfoSec schema, leading to alternative or improved banking information security regulation.

Objective: improved bank InfoSec, i.e. more effective bank information security.

Research Model: Davis Technology Acceptance Model (TAM).
    Independent variables:
    • Facility of current bank InfoSec regulation
    • Utility of current bank InfoSec regulation
    Dependent variable: success of the current federal and state regulatory scheme.

Null Hypotheses (Hn):
    Hn1: Current banking InfoSec regulation compliance is acceptably facile.
    Hn2: Current banking InfoSec regulation is acceptably useful in securing IT systems.

Research Hypotheses (Hr):
    Hr1 (in the event of acceptance of the null hypotheses): What aspects of the current banking information security regulation do you find most productive? How might they be improved?
    Hr2 (in the event of rejection of the null hypotheses): What alternatives to current banking information security regulation, e.g. investment tax credits and penalties, might be easier to comply with and more cost-effective? Why?

Research Instrument: Kirakowski’s Software Utility Measurement Index (SUMI).

Research Method (mixed method):
    (1) Qualitative: case studies (phenomenology) of bank information security officers (ISOs).
    (2) Quantitative: develop and administer a SUMI survey of TAM to accept or reject the null hypotheses (accept Hnn or reject Hnn).
    (3) Qualitative: if the null hypotheses are accepted, use Delphi method triangulation to drive a 2nd phenomenological interview of ISOs to address the research hypothesis: What’s good about current regulation? How is it improvable? If the null hypotheses are rejected, use Delphi method triangulation to drive a 2nd phenomenological interview of ISOs to address the research hypotheses: potential alternative federal and/or state regulation.

Figure 1. Conceptual framework flowchart