Research on information system security (ISS) usually conceives of security models on the basis of positive, strategic benefits, such as planning or developing a security baseline. However, ISS works only when it enables an organisation to protect against attacks, so managers seldom adopt new security measures on such a positive basis. By theorising ISS as a technology cluster that consists of distinguishable but interrelated countermeasures, this study analyses managers’ security concerns on the basis of two forces – technology-push (TP) and need-pull (NP) – traditionally applied to technology diffusion. Both forces may prompt organisational ISS diffusion: TP, which entails managers’ perceived security threats, and NP, or requirements associated with the industry, organisational readiness, and security incidents. The empirical findings suggest this conceptualisation effectively explains organisational ISS diffusion, though NP forces appear dominant. In general, organisations are less likely to adopt new security measures unless they are compelled to do so by industry or security gaps, or are large enough and technically prepared for security innovations. Therefore, organisations should adjust their security plans to align with the threats facing their industries.
Keywords: information system security, ISS, technology cluster, technology-push, TP, need-pull, NP, information system security diffusion, ISS diffusion, technology management