The acceptance and effectiveness of federal and state information security regulations in multi-branch community banks: A phenomenological analysis conducted in central California

The effectiveness of technology and its implementation factors vis-a-vis organizations arguably depends upon the degree to which these factors are accepted by said organizations' users. The most widely applied model for this behavior in information technology theory is the Davis technology acceptance model (TAM). TAM postulated that the acceptance of applied and environmental aspects of technology is primarily a function of the facility (ease-of-use) and utility (usefulness) of the technology in question. This project involved a three-phase, multi-method study of the effectiveness of the current scheme of information security regulation in California community banks, assessing the acceptance of such federal and state mandates by those banks and potential improvement of such regulation to the end of enhanced information system security. The initial qualitative phase involved a series of directed interviews which, through open coding, assessed the potential for bias of both the researcher and participants, bank officers charged with responsibility for such security, and found such bias effects to be minimal; the second phase, a quantitative survey of factors which resulted from phase one by way of axial coding, was designed to test two null hypotheses---the facility (ease-of-use) of the information security regulatory scheme is acceptable and the utility (usefulness) of the information regulatory scheme is beneficial---with statistical analyses of the data produced indicating that neither of these null hypotheses could be rejected at 95% confidence levels; and, the third qualitative phase consisting of a set of follow-up open interviews, the selectively coded results of which investigated the participants' views on changes which could contribute to enhanced information security regulation, fostering better information security at their banking organizations. These changes included greater examiner/auditor expertise; more specific remedial recommendations by regulators and auditors; consolidation of diverse regulatory agencies; and, greater professional input by the regulated community in the process of regulatory procedure development. Summarily, implications of these findings and resultant recommendations are discussed.