Discussions

This section reviews the findings from previous results and discusses the possible reason from literature and practices perspectives. Hypotheses 1 to 3 are regarding the relationship between adoption intention and the characteristics of innovation (i.e., ISO

10 * significant at the alpha = 0.05 level ** significant at the alpha = 0.01 level

27001 or ISMS) from the diffusion of innovation theory.

Hypothesis 1 asserts that the greater perceived relative advantage of ISO 27001 were expected to result in higher likelihood of adoption, but the testing results showed that it did not significantly influence the adoption intention. In the meta-analysis of Tornatzky and Klein’s research (1982), they analyzed 29 studies that used the characteristic of relative advantage, and found only 11 reported statistical results directly relevant to the relationship of the relative advantage of an innovation to its adoption. Moreover, in the study of multimedia message service (MMS) adoption by Hsu et al. (2007), they found that there are existing differences between user groups, the relative advantage significantly affects intention to use for the innovators, early-adopters, early-majority, and late majority groups. However, for the laggards, there are no significant relationships were found. This may raise an indication that, for the organizations that are early adopters, the adoption of innovation are driven by the relative advantages, but for the laggards, they might driven by other factors. This might cause the relative advantages to be no significances. Another possible reason is that, in Taiwan, the government agencies, universities, hospitals, and finance industry are receiving more legal pressures; and for the large technologies and manufacturing organizations, they need to comply not only comply with regulations and customers’ of Taiwan, they also have to comply with regulations and customers abroad. Hence, for the organizations, they adopt ISO 27001 because of the coercive pressure rather then they perceived the advantages of ISO 27001.

Hypothesis 2 asserts that the greater perceived compatibility of ISO 27001 with current business processes, the more likely they will be adopted. In our study, the link between organizational compatibility with ISO 27001 and the intention of ISO 27001 adoptions was not strong enough to be significant. Even through the compatibility should

be an important factor for the adoption (Tornatzky & Klein, 1982), several studies in their analysis still showed non-significance of compatibility, and in recent studies, compatibility might not be significant (Hsu, et al., 2007; O'Callaghan, et al., 1992). We believe that compatibility of ISO 27001 was not significant, because the organizations somewhat need to ignore the incompabilities and adopt the innovation while they perceived large pressure. Moreover, there are many organizations even do not realized how the adoption and implementation of ISO 27001 will change their processes. In consideration of the significance level of compatibility (α= 0.123 ) was close to be significant, it also reveals the implications that they might not quite clear whether ISO 27001 will change the process. Hence, we suggest that the influences of compatibility should be more carefully studied in future research.

Hypothesis 3 postulates that the organizations will less likely adopt ISO 27001 while they perceived greater complexity of ISO 27001. The testing results showed the relationship between complexity and adoption intention was significant, and it was conformed with our hypothesis. That means, while the adopters consider the ISO 27001 is too complexity for their organizations, they will less likely adopt ISO 27001 and maybe seek another similar standard if an ISMS is necessary. Another notable is that we only ask the respondents whether they perceived the ISO 27001 is complex or not, we did not clarify the perceived complexity between the adoption and certification process, some organization might use the essence of ISO 27001 but did not certificate them. The complexity that potential adopter perceived is due to the adoption and implementation process, or it is due to the certification process should be discriminated in the future studies.

Hypotheses 4a to 6b are regarding the association between adoption intention and

intuitional pressures the organizations perceived.

Hypotheses 4_a and 4_b claim that the coercive pressures are positively related to the adoption intention of ISO 27001. The results indicated there was a strong relationship among coercive pressures – legal requirements and adoption intention (hypothesis 4_a).

The organizations that influenced by the laws or regulations had to adopt ISO 27001 inevitably, they could not resist such pressures. On the other hand, the coercive pressures – customers’ requirements (hypothesis 4b) was also significant, revealing that the organizations will adopt ISO 27001 in order to maintain a business relationship with their customers. The two hypotheses (4a and 4b) results indicate the coercive pressures play an important role that drive the organizations to adopt ISO 27001. The organizational decision makers have a greater tendency to comply with the laws and regulation and their customers’ requisitions. These findings are consistent with several researches of different area. For example, Khalifa and Davison (2006) found that the customers’ pressures have significant influence on the intention of small and medium-sized enterprises (SME) brokerages to adopt electronic trading systems (ETS), and Teo et al. (2003) also found the customers could influence organizational predisposition toward an information technology-based inter-organizational linkage

Hypotheses 5a and 5b anticipate that the mimetic pressures are positively related to the intention of ISO 27001 adoptions. However, only the trait-based mimicry (i.e., hypothesis 5b) was significant, representing the organizations selectively imitate practices that have been used by subset of other organizations (usually large and successful organizations) (Haunschild & Miner, 1997) and seek for acquiring higher status by imitating the leading organizations (Fombrun & Shanley, 1990). Another proposition, the frequency-based mimicry (hypothesis 5 a), has failed to be supported by the analysis.

Guler et al. (2002) have shown that the behavior of intuitional mimicry was observed in the case of ISO 9000, however, the effect may be less important at first because of the initially low number of adopter in each country of the case of ISO 14001 (Delmas, 2002).

We believe that there exists the same circumstances for ISO 27001, and the organization decision makers selectively imitate the leading companies rather the extent of the innovation.

Hypotheses 6a and 6b proposes that the greater perceived normative pressures results in higher intention to adopt ISO 27001. The hypothesis 6_b was supported but the hypothesis 6a was not supported. Actually, some of the respondents told us that they were not sure whether their organizations were actively participating the trade or professional association which promoting ISO 27001. From our collected data also showed that almost 70% of the responses of the construct items were slightly agree, neither agree nor disagree, or slightly disagree, indicating the respondents were not quite sure the attitude about ISO 27001 of the associations they participated. Another possible reason why the proposition was not hold is the organization may also be exposed to negative information (e.g., the cost or risks of adoption) through their participation in associations (Teo, et al., 2003).

The result of another proposition (H6b) comply with our assertions, exhibiting the decision makers (managers) who had security related background will more likely adopt ISO 27001. The possible reason is they know the importance of information security and regard it is crucial to their organization, and therefore they have higher intention to improve the information security management.

Overall, there was a strong empirical support for institutional-based variables as predictors of adoption intentions for ISO 27001, but for the innovation characteristics variables, only complexity showed the explanatory power. The institutional factors

exhibit a significant and high influence on intentions to adopt ISO 27001 and the legal requirement is most powerful factor that impact on the intentions. The results were consistent with institutional and innovation diffusion theories, the evidence indicated that the innovation characteristics and institutional influences (i.e., complexity, mimetic pressures, coercive pressures, and normative pressures) can be clearly distinguished conceptually and empirically in terms of their influences on organizational predisposition toward ISO 27001.