Research conducted by Tech Pro (2014) indicated that the Bring Your Own Device (BYOD) concept is gaining momentum, with 74% of organizations already having some BYOD program or planning to implement one. While BYOD offers several benefits, it also presents challenges that concern information technology leaders and information security managers.
This correlational study used the systems theory framework to examine the relationship between information security managers’ intentions, perceptions of security, and compliance regarding BYOD implementation. Participants of the study consisted of information security managers in Kenya who had obtained the Certified Information Systems Manager certification. Data was collected from 54 information security managers through a survey instrument. The survey instrument integrated three other instruments with proven reliability developed by other researchers.
Data was analyzed using a multiple regression analysis to test for a relationship between the variables of the study (security, compliance, and intent to implement BYOD). The multiple regression conducted in this study was insignificant, indicating a relationship did not exist between the study’s variables (F(2, 86) = 0.33, p = .718, R² = .00). A significant negative relationship was found between security and compliance, indicating a weakly negative correlation (r = -.26, p = .016).
Using the results from the study, information technology leaders may be able to develop strategies from which to implement BYOD successfully. Implications for social change include increased knowledge of securing personal devices for employees and consumers in general and reduction in costs associated with security and data breaches.
Table of Contents
List of Tables
List of Figures
Section 1: Foundation of the Study
Background of the Problem
Problem Statement
Purpose Statement
Nature of the Study
Research Question and Hypotheses
Theoretical Framework
Operational Definitions
Assumptions, Limitations, and Delimitations
Assumptions
Limitations
Delimitations
Significance of the Study
Contribution to Information Technology Practice
Implications for Social Change
A Review of the Professional and Academic Literature
Systems Theory
Evolution of Systems Theory
Application of Systems Theory
Supporting Theories
Contrasting Theories
Bring Your Own Device Implementation
Bring Your Own Device Overview
Benefits of Bring Your Own Device
Security Challenges of Bring Your Own Device Implementation
Compliance
The Need for a Bring Your Own Device Policy
Employees’ Compliance with Policies
Security
Information Security Risk Management
Potential Impact to an Organization
Bring Your Own Device Security Challenges
Bring Your Own Device Security Framework
Gap in the Literature
Transition and Summary
Section 2: The Project
Purpose Statement
Role of the Researcher
Participants
Research Method and Design
Method
Research Design
Population and Sampling
Ethical Research
Data Collection
Instruments
Data Collection Technique
Data Organization Techniques
Data Analysis Techniques
Reliability and Validity
Reliability
Validity
Transition and Summary
Section 3: Application to Professional Practice and Implications for Change
Overview of Study
Presentation of the Findings
Data Management Procedures
Reliability Analysis
Descriptive Statistics
Analysis
Assumptions
Summary
Theoretical Conversation on Findings
Applications to Professional Practice
Implications for Social Change
Recommendations for Action
Recommendations for Further Study
Reflections
Summary and Study Conclusions
References
Appendix B: Permission for Use and Publishing of Survey Instruments
Appendix C: Survey Instrument
Appendix D: E-mail Invitation to Participate in Research
Acknowledgments
First, I want to give thanks to Jesus, the Christ, for making all of this possible. I would like to thank Dr. Sue Talley for her mentorship, support, and guidance during the course of my doctoral study. Without his guidance and encouragement, it would have been very difficult to complete this journey. Especially during the times I was tired and simply wanted to give up. I would also like to thank my second committee member, Dr. Vernon Czelusniak, and my reviewer, Dr. Eileen Dittmar for their valuable comments and feedback into making my study complete.
I would like to thank my father, Isaac Munyoki, my mum Jane Kamene and family members for their steadfast encouragement and financial support, and my uncle, the late Leonard Mengo and friends for their support over the course of this journey. Finally, I would like to thank my organizational leaders, Dr Isaac Kalua and Rajinder Singh, for their tremendous support and encouragement throughout this journey. You helped to make this possible in more ways than you could imagine.
List of Tables
Table 1. Previous Studies on BYOD
Table 2. Reliability Statistics
Table 3. Frequencies and Percentages of Demographic Characteristics
Table 4. Means and Standard Deviations for Study Variables
Table 5. Results of the Regression Analysis
Table 6. Pearson Correlation Matrix
List of Figures
Figure 1. Power as a function of sample size
Figure 2. Normal P-P plot of the residuals
Figure 3. Scatterplot of the residuals
Section 1: Foundation of the Study
The use of personal mobile devices in the workplace is gaining prominence and acceptance as many people are using their personal devices to conduct certain aspects of their work (Waterfill and Dilworth, 2014). A bring your own device (BYOD) policy affords the opportunity of using a single personal device for (a) anything, personal and business use; (b) anywhere, mobile use through the Internet or wireless LAN (WLAN); and (c) anytime, working hours and off-duty hours (Disterer & Kleiner, 2013). BYOD benefits such as cost savings, increased productivity, and improved efficiency are factors in its gaining popularity and acceptance (Fiorenza, 2013).
While BYOD affords several opportunities and benefits, there are also challenges. The issues of managing security for BYOD, defining what is acceptable use for employees and organizations, and data retrieval from personal devices are key concerns for organizations that have implemented BYOD or are contemplating implementation (Waterfill and Dilworth, 2014; de las Cuevas et al., 2015). Privacy and legal concerns are also issues that need to be addressed from a strategic perspective to ensure a successful BYOD program as BYOD involves both organizational data and employees’ private data residing on a personal device (Peretti & Sarkisian, 2014). A comprehensive BYOD security framework that encompasses people, policy, management, and technology should be developed to address security concerns and ensure organizations can realize the benefits afforded by BYOD (Zahadat, Blessner, Blackburn, & Olson, 2015).
Background of the Problem
The proliferation and use of mobile devices along with the many features they offer have given rise to the phenomenon called BYOD (Disterer & Kleiner, 2013). BYOD allows the use of personal devices for business purposes and reflects a blurring of the line between personal and business use on the same device (Gaff, 2015). Many organizations are adopting a BYOD strategy due to employees’ increased desire to use their mobile devices for both personal and work related tasks (Astani, Ready, & Tessema, 2013).
BYOD presents several benefits for organizations. Employees’ satisfaction, improved productivity, cost effectiveness, and flexibility are some of the reasons for BYOD adoption (Vignesh & Asha, 2015; Stone, 2014; Harris, Ives, & Junglas, 2012). Many organizations are integrating a BYOD strategy into their business processes due to its emerging prominence (Waterfill & Dilworth, 2014).
There are some challenges associated with BYOD adoption. Adequate security, protection of corporate data on personal devices, legal/privacy concerns, and employees’ compliance with BYOD policies are some of the challenges to be considered (Garba, Armarego, & Murray, 2015). The lack of a comprehensive framework or strategy from which to implement BYOD further complicates its adoption. The goal of this study was to examine the challenges of BYOD implementation.
Problem Statement
The BYOD phenomenon is a fast growing trend that is transforming the business processes of many organizations and institutions (Ansaldi, 2013). Eighty-nine percent of students and faculty in the United States and United Kingdom use personal mobile devices for academic purposes (De Kock & Futcher, 2012). The general information technology (IT) problem is that IT professionals lack a comprehensive strategy for BYOD implementation. The specific IT problem is that IT leaders often lack the knowledge of the relationship between information security managers’ intentions, perceptions of security, and compliance regarding BYOD implementation.
Purpose Statement
The purpose of this quantitative correlation study was to examine the relationship between information security managers’ intentions, perceptions of security, and compliance regarding BYOD implementation. The implementation of organizational BYOD programs without fully addressing the risks and challenges or offering countermeasures as to how they could be mitigated implies a lack of knowledge on the part of IT leaders who are typically tasked with implementing BYOD. Past studies (Semer, 2013; Ansaldi, 2013) have highlighted the benefits of BYOD without fully addressing the risks and challenges or offering countermeasures as to how they could be mitigated. The independent variables are security and compliance. The dependent variable is BYOD implementation. The targeted population of this study consisted of information security managers of small to medium sized organizations in Kenya who are Certified Information Security Managers (CISMs). The study targeted those who had implemented BYOD and were facing risks and challenges and those who were considering the implementation of BYOD but were unsure of how to address the risks and challenges associated with BYOD. The results of this study have the potential to help IT leaders develop strategies or a framework from which to implement BYOD successfully. The results might also provide employees and consumers with best business practices on how to protect their personal devices and reduce costs associated with security and data breaches.
Nature of the Study
A quantitative research method was the chosen approach for this doctoral study. Quantitative research explains phenomena using numerical data that can be analyzed statistically (Yilmaz, 2013). This study’s goal was to examine the correlation between information security managers’ intentions, perceptions of security, and compliance regarding BYOD implementation. I chose a quantitative method over a qualitative method because of my desire to examine the relationship between variables by extracting and comparing data utilizing a statistical approach that allows for hypotheses testing rather than individual perceptions (McCusker & Gunaydin, 2015). A qualitative method takes an exploratory approach toward the causes and consequences of a phenomenon through the eyes of others (Bernard, 2013). A mixed methods approach combines elements of both quantitative and qualitative methods; empirical data and participants’ experience, to examine relationships and differences between variables (Yin, 2013). A qualitative or mixed methods approach was not suitable for this study as the purpose was to examine the relationship between information security managers’ intentions, perceptions of security, and compliance regarding BYOD implementation.
A non-experimental correlational design was selected as it allows for the measure of variables without manipulation from which analysis can be conducted to determine whether the variables are related. An experimental design is used to infer causality (Spector & Meier, 2014). I aimed this study toward examining relationships, thereby rendering true experiments and quasi-experiments inappropriate.
Research Question and Hypotheses
The research question and hypotheses posed for this study were:
RQ: What is the relationship between information security managers’ intentions, perceptions of security, and compliance regarding BYOD implementation?
H0: There is not a relationship between information security managers’ intentions, perceptions of security, and compliance regarding BYOD implementation.
H1: There is a relationship between information security managers’ intentions, perceptions of security, and compliance regarding BYOD implementation.
Theoretical Framework
The theory used for this study was system theory, which is described as an interdisciplinary theory about the nature of complex systems in nature, society, and science and is a framework by which researchers can investigate and/or describe any group of objects that work together to produce some result. Bertalanffy (1968) developed the general system theory from which system theory has its origin. Key tenets of this theory are (a) objects, the variables within the system; (b) the attributes of the system and its objects; (c) the interrelationship between objects in a system; and (d) the existence of a system within an environment. Adams, Hester, Bradley, Meyers, and Keating (2014) expanded the definition of systems theory as a unified group of propositions that are linked with the aim of achieving understanding of systems.
System theory is applicable to this study. The constructs align with mobile devices and enterprises as objects; security and compliance as attributes; mobile devices connected to an enterprise network depict interrelationships; BYOD implementation within an enterprise indicates the existence of a system within an environment. Systems theory provides a framework from which to examine the relationship between security, compliance, and BYOD implementation.
Operational Definitions
Bring Your Own Device (BYOD): BYOD is a fast growing concept in which employees may use their personally owned devices to access corporate networks and resources (Chang, Ho, & Chang, 2014; Totten & Hammock, 2014; Castro-Leon, 2014).
Compliance: Compliance refers to adherence to established policies and controls to protect an organization’s intellectual property and information assets in the context of BYOD adoption (Crossler, Long, Lorass, & Trinkle, 2014).
Countermeasures: Countermeasures constitute comprehensive approaches to address potential risks and security threats (Malandrino & Scarano, 2013).
Information Security: Information security refers to the preservation of data to ensure business continuity and minimal business damage by limiting the impact of security incidents (von Solms & van Niekerk, 2013).
IT consumerization: IT consumerization is the orientation of IT products and services towards consumers (Yevseyeva et al., 2014).
Mobile device: Mobile devices are portable devices such as smartphones and tablets that offer a variety of advantages for personal and work use (Raptis, Papachristos, Kjeldskov, Skov, & Avouris, 2014).
Mobile device management: Mobile device management refers to systems and solutions designed to enhance the security of mobile devices (Rhee, Won, Jang, Chae, & Park, 2013).
Information technology (IT) leaders: IT leaders are management executives who are typically in charge of IT governance practices in their organizations. These leaders typically have an IT background (Karanja & Zaveri, 2012).
Policy: In the context of this study, a policy consists of rules and guidelines employees must comply with to gain access to organizational resources (Silva, de Gusmão, Poleto, Silva, & Costa, 2014).
Risk: Risk is the technical, security, and legal concerns associated with BYOD as it relates to this study (Disterer & Kleiner, 2013).
Risk management: Risk management is the precautionary measures implemented to protect organizations from loss of data, intellectual property, or any other risks that could impact the organization (Beckett, 2014).
Assumptions, Limitations, and Delimitations
Assumptions
Assumptions are unverifiable facts that are taken for granted as true (Jansson, 2013). Researchers consider assumptions important to their research although they are unverified (Lips-Wiersma & Mills, 2014). The first assumption of this study was that participants would provide accurate responses concerning the lack of a comprehensive strategy for BYOD implementation, as they would be IT professionals. The second assumption of the study was that participants would have a vested interest in understanding the challenges associated with BYOD implementation due to its fast growing trend and influence on the transformation of organizational business processes.
Limitations
Limitations are potential weaknesses in a study that may limit a researcher’s ability to answer social, behavioral, and relational questions (Yeatman, Trinitapoli, & Hayford, 2013). A limitation of the study was that the sample population of IT professionals would be limited to information security managers who have obtained the CISM certification.
Delimitations
Delimitations refer to the boundaries or scope of the study (Thomas, Silverman, & Nelson, 2015). The scope of the study was limited to small and medium organizations in Kenya. The boundaries of the study included conducting a survey of information security managers that have obtained the CISM certification.
Significance of the Study
Contribution to Information Technology Practice
The results of this correlation study produced options and suggestions from which IT leaders may be able to address some of the challenges associated with BYOD implementation. The use of technology in organizations presents both opportunities and challenges (McNaughton & Light, 2013). The increasing use and acceptance of mobile devices has been a factor in organizations’ consideration of the benefits and challenges of allowing their employees to participate in a BYOD program (Marshall, 2014).
This study provides a comprehensive strategy for organizations’ information security staff that will enable them to address the challenges associated with BYOD implementation. Studies have shown that BYOD presents several security risks that must be addressed for a successful implementation (Kiernan, 2015; de las Cuevas et al., 2015). Data results from this study contribute to the existing literature on BYOD and help provide decision makers with some options when considering BYOD implementation.
Implications for Social Change
This study will have implications for societal change as consumers will be able to take advantage of best business practices that might be developed from this study to protect their personal devices and reduce costs associated with security and data breaches. Employees will gain an understanding of their role in protecting organizational and private data when participating in a BYOD program. The knowledge gained by employees could be beneficial for family members as employees apply the same best practices and security measures from a BYOD program to securing the personal devices of family members, thereby reducing the potential risks to their devices, including loss of personal data.
A Review of the Professional and Academic Literature
The literature review presented a collection of resources that examined the relationship between security, compliance and BYOD implementation. For example, Rhee, Ryu, and Kim (2012) conducted a study related to information security based on the phenomenon that increased vulnerability to information security breaches correlates with a low level of managerial awareness and commitment regarding information security threats. Rhee et al. (2012) noted the need for more security awareness training in organizations and systematic approaches in dealing with security threats. Another example is a study in which Hovav and Putri (2015) examined employees’ intent to comply with organizational BYOD security policies using a research model derived from reactance, protection motivation, and organizational justice theories.
The review consisted of peer-reviewed articles from journals, reports, articles, theses, and seminal books with a focus on research conducted within the past 5 years. I used 215 resources with 186 (86.51%) published between 2013 and 2015. One hundred eleven (85.59%) of the resources were used in the literature review of which 100 (90.91%) were peer-reviewed. They were acquired from databases such as EBSCOhost, Google Scholar, SAGE Journals Online, and Researchgate. The resources included seminal works that supported the theoretical framework applicable to this study. The strategy employed for searching the literature included the use of key words during database searches, incorporating key words related to the theoretical framework. Key words used during database searches included BYOD, BYOD strategies, risks, compliance, security, policies, countermeasures, security awareness, privacy, legal challenges, system theory, BYOD benefits, alternating theories, and mobile devices. The review of the professional and academic literature was focused on the following themes: (a) systems theory, (b) BYOD implementation, (c) compliance, and (d) security. I chose to organize the professional and academic literature around these themes because the goal of this study was to examine the relationship between security, compliance, and BYOD implementation. Systems theory, as a theoretical framework, allows for the examination of the independent and dependent variables from an interrelated perspective.
Systems Theory
Von Bertalanffy (1972) defined systems theory as the interdisciplinary study of systems and the interrelationships between their separate components. It has been described as the theory underlying the study of systems (Yawson, 2013). Von Bertalanffy’s (1950) theoretical viewpoint was that it is necessary to investigate a system not only by its parts but also as a whole due to the relationship and dynamic interactions of the individual parts. Systems theory looks at a system in its entirety and the interactions and interrelationships of its various subsystems (Von Bertalanffy, 1968).
Systems theory’s premise is based on the study of the whole system and not its individual elements (Karniouchina, Carson, Short, & Ketchen, 2013).
Key tenets of this theory are (a) objects, the variables within the system; (b) the attributes of the system and its objects; (c) the interrelationship between objects in a system; and (d) the existence of a system within an environment (Bertalanffy, 1968). As it relates to the constructs of systems theory, mobile devices and enterprises are objects; security and compliance are attributes; mobile devices connected to an enterprise network depict interrelationships; BYOD implementation within an enterprise indicates the existence of a system within an environment. According to Kivipöld and Vadi (2013), wholeness has to be viewed from the interactions of its parts and how they impact each other in the context of systems theory.
Systems theory is the chosen theoretical framework for this study to examine the relationship between information security managers’ intentions, perceptions of security, and compliance regarding BYOD implementation. Researchers use this framework as a foundational basis for the examination of relationships between variables. In the context of this study, security, compliance, and BYOD implementation are separate components that are interrelated.
Evolution of Systems Theory
Bertalanffy (1968) developed the general system theory from which systems theory has its origin. He further expanded the theory in 1972 (Pouvreau, 2014). Von Bertalanffy (1972) theorized that a system is composed of separate subsystems that function as a whole. A core premise is the basic characteristic of all living things is organization; the analysis and rationalization of the organization cannot be limited to the individual entities of the organization but must consider the organization as a whole (Von Bertalanffy, 1968). As an analogy to this premise, the human body is a system; however, the individual parts of the body do not define it as a system, the body working as a whole defines the system (Von Bertalanffy, 1968). Von Bertalanffy (1972) stated that a holistic approach should be used to define a system rather than the analysis of the individual subsystems (Von Bertalanffy, 1972).
According to Laszlo and Krippner (1998), the term system connotes a complex of interacting components together with the relationships among them that permit the identification of a boundary-maintaining entity or process. Skoko (2013) described a complex system as a collection of individual agents with latitude to act in ways that are not always totally predictable but whose actions, however, are interrelated. According to Hughes, Newstead, Anund, Shu, and Falkmer (2015), system theory challenges reductionist views and analysis, which attempt to draw information and conclusions of certain sections in isolation from other parts of a system. Wilson (2014) described systems theory as the existence of systems with interdependent but related components that have a preset objective, purpose or function. Yawson (2013) further described systems theory as a framework by which elements acting together to produce some result could be studied.
Seminal thinkers Rapoport and Buckley (1968) have expanded Bertalanffy’s (1968) body of work and made evolutionary contributions to system theory. Schwaninger’s (2007) contribution to systems theory was overcoming the isolation of specialized disciplines and cultivating dialogue across them. Laszlo’s (1987) contribution was the development of evolution systems theory, which is a merger of system theory and evolution theory. Sturmberg, Martin, and Katerndahl’s (2014) contribution was further analysis of general systems theory that determined factors such as dynamics in systems, science of network and evolution, complexity science, and adaptation were components of systems theory.
Application of Systems Theory
Systems theory is typically applied to qualitative studies, although researchers have applied this theory to quantitative studies. It is suitable for examining, analyzing, and understanding complex adaptive systems (Montgomery & Oladapo, 2014). Systems theory is used to address more complex software intensive systems today in comparison to less complex systems from years past. An example is the use of systems theory as the foundation for an integrated approach to security and safety for various systems such as nuclear power plants, spacecraft, and aircraft (Young & Leveson, 2014). Systems theory has been used to examine businesses and their functionalities from the perspective of a network of interdependent parts functioning as a whole (Gehlert, 2013). Systems theory allows for the examination of the interrelated parts of a system in order to understand the complexities (Kast & Rosenzweig, 1972). Systems theory does not reduce an entity to its individual components or subsystems for examination but instead views the interrelationship and interaction of the individual components or subsystems that encompass the whole system (Kast & Rosenzweig, 1972).
Adams, Hester et al. (2014) conducted a study in which they sought to propose systems theory as the theoretical foundation for understanding systems. The study incorporated the use of the internationally accepted classification for the 42 individual fields of science as the source for the propositions in the study. The goal of the study was to present a construct for systems theory incorporating the propositions put forth in the study to present systems theory as the theoretical foundation for understanding multidisciplinary systems (Adams, Hester et al., 2014). The 42 individual fields of science were viewed as complex adaptive systems in the context of systems theory.
Systems theory was the theoretical foundation used in a psychotherapy study by Trop, Burke, and Trop (2013) to examine the complex interactions at work within individuals. Systems theory was the chosen theoretical framework for a study to identify and articulate interrelated components that positively or negatively impacted the effectiveness of health care interventions or programs (Adams, Jones et al., 2014). In the context of systems theory, these studies focused on interactions and interrelationships between components of systems.
An article by Nobles and Schiff (2012) examined the ability of systems theory to address the intricate issues of legal pluralism. The researchers examined the relationship between state law and violence, the issue of translation between disparate legal orders, and how systems theory constructs the differences between modern and premodern societies in relation to legal pluralism. Using systems theory as a foundation, Nobles and Schiff (2012) posited that modern society consists of separate subsystems of communication such as the political system, economic system, legal system, and education system that are interrelated. In the context of systems theory as defined by Von Bertalanffy (1972), the various systems mentioned were viewed as separate components with interrelationships between each system.
Mangal (2013) utilized systems theory as the theoretical foundation to examine social media in the context of systems, as all online websites can be considered systems. The study examined whether self-organization, resilience, and hierarchy, as individual components, improved the functionality of websites. The result of the study showed that websites’ functionality and users’ experience were impacted if self-organization, resilience, or hierarchy were affected. As it relates to systems theory, websites were considered systems and self-organization, resilience, and hierarchy considered separate interrelated components, giving credence to Von Bertalanffy’s (1972) definition of systems theory.
Kivipöld and Vadi (2013) used the systems theory framework as the theoretical foundation of their study that explored the relationship between organizational leadership capability and organizational performance in the context of market orientation in financial services organizations, specifically in Estonia. The study’s findings demonstrated a relationship between specific organizational leadership capabilities and organizational performance. The results showed that the interaction between the main behavioral principles of an organization has a direct relationship with organizational performance (Kivipöld & Vadi, 2013). In this study, systems theory was used to examine interactions and interrelationships between variables and to establish relationships between variables.
Skoko (2013) employed the systems theory framework in conjunction with the qualitative-comparative analysis model to gain a better understanding of risk management in the context of developing countries. Systems theory was used to evaluate and improve the assessment and management of environmental and health risk in the complex world of developing countries. Environmental and health risk were considered a complex adaptive system with interacting and interrelated factors (Skoko, 2013). In the context of this study, systems theory was used as a theoretical framework to examine a complex system with individual interrelated and interacting components.
A core principle of systems theory is that a system consists of independent parts that are interrelated and interact to form a whole. The aforementioned studies highlight systems theory as a theoretical framework used to examine complex systems and the interrelationships and interactions between their various components or subsystems. In the context of this study, systems theory is applicable in examining the relationship between the variables of security, compliance, and BYOD implementation.
Supporting Theories
There are multiple theories that could be used to conduct research on the BYOD technological concept from several perspectives. Theories such as agency theory and protection motivation theory have been utilized as the theoretical framework for various BYOD related research. Systems theory is the chosen theoretical framework for this study to examine the relationship between the variables of security, compliance, and BYOD implementation. The supporting theories presented highlight their constructs and how they relate to BYOD although not chosen as the theoretical framework for this study.
Unified theory of acceptance and use of technology. The unified theory of acceptance and use of technology (UTAUT) is considered the most prominent method used for technology acceptance analysis, consisting of four key constructs that influence behavioral intention to use a technology (Lescevica, Ginters, & Mazza, 2013). These four constructs are (a) performance expectancy - the degree to which a technology provides benefits to consumers in performing certain activities, (b) effort expectancy - the degree of ease associated with consumers’ technology usage, (c) social influence - the extent to which consumers perceive that others believe they should use a particular technology, and (d) facilitating conditions - consumers’ perceptions of the resources and support available to perform a behavior (Lescevica et al., 2013). Martins, Oliveira, and Popovic (2014) used the UTAUT in a research study undertaken to explain customers’ intention to adopt and use Internet banking. The results of this study supported a relationship between the constructs of UTAUT. Similarly, Magsamen-Conrad, Upadhyaya, Joa, and Dowd (2015) used the UTAUT to determine users’ behavioral intention to use tablets. Maillet, Mathieu, and Sicotte (2015) also used this theory to explain the acceptance and use of an Electronic Patient Record (EPR) as a new technology by nurses. As it relates to BYOD implementation and the constructs of UTAUT, increased productivity within organizations (performance expectancy), familiarity and ease of use (effort expectancy), status (social influence), and the proliferation of mobile devices (facilitating conditions) are contributing factors to the gaining prominence and acceptance of BYOD as a new technological concept.
Technology evolution theory. The technology evolution theory argues that technologies should not be viewed in isolation but as a dynamic system or ecosystem encompassing various interrelated technologies (Adomavicius, Bockstedt, Gupta, & Kauffman, 2007). The constructs of this technology ecosystem are (a) components, (b) products and applications, and (c) support and infrastructure wherein technologies interact and impact each other’s evolution (Adomavicius et al., 2007). The evolutions of technology provide opportunities such as the demand and proliferation of mobile devices, more robust applications, and the development of the necessary support and infrastructure required to sustain new technologies. BYOD implementation is an example of the evolution of a technological concept.
Socio-technical systems theory. The socio-technical systems theory is viewed as consisting of two interdependent systems. These systems are a technical system, comprising equipment and processes, and a social system, comprising people and tasks (Davis, Challenger, Jayewardene, & Clegg, 2014; Belanger, Watson-Manheim, & Swan, 2013). Dalpiaz, Giorgini, and Mylopoulos (2013) further described this theory as consisting of an interplay of humans, organizations, and technical systems. The socio-technical systems theory was developed by researchers to study the impact of new technologies on social behavior (Kull, Ellis, & Narasimhan, 2013). As it relates to BYOD implementation and the constructs of the socio-technical theory, mobile devices and their acceptable use illustrate the technical system component (equipment and processes), and users and their adherence to BYOD policies illustrate the social system component (people and tasks).
Theory of planned behavior. The theory of planned behavior (TPB) is a theoretical framework that has been used to understand, predict, and assess behavior from an action or inaction perspective (Ajzen & Sheikh, 2013). It has been the basis in the examination of users’ acceptance of IT (Hung, Chang, & Kuo, 2013). It describes intention as the immediate antecedent of behavior rooted in the constructs of attitude, subjective norm, and the perceived behavioral control (Ajzen & Sheikh, 2013). Researchers have used the theory of planned behavior in multiple studies to examine intentions and predict behaviors (Wang & Wang, 2015; Hasking & Schofield, 2015). As it relates to BYOD, this framework can be used to provide insight as to why BYOD acceptance is prevalent in some organizations and not so prevalent in others as it relates to users’ acceptance of BYOD implementation.
Technology acceptance model. The technology acceptance model (TAM) is an information systems theory that assumes an individual's acceptance of a technology is determined by two major factors: perceived usefulness and perceived ease of use (Huang & Martin-Taylor, 2013). TAM is one of many theoretical frameworks used by researchers to examine and predict the adoption of technology by individuals. The attitude towards a new technology is a critical factor that influences the intention to use it (Cheung & Vogel, 2013). According to Lo (2014), different personality traits and attitudes toward innovations have the potential of influencing an individual’s acceptance of technology.
As an extension to TAM, additional research has identified the perception of resources and support as another major external factor that affects the adoption of new technologies (Wallace & Sheetz, 2014). In the context of this study, the TAM can be used to examine the acceptance and use of BYOD as a new technological concept.
Theory of reasoned action. The theory of reasoned action (TRA) is a theoretical model used to examine human behavior; it’s a predictive model that is used in multiple fields to include IT (Mishra, Akman, & Mishra, 2014). The premise of the TRA is to investigate the relationship between attitude and behavior based on two core concepts: principles of compatibility and behavioral intention. The TRA constructs are attitude, subjective norms, behavior intentions, and actual behavior (Mishra et al., 2014). Researchers have used this framework to examine and understand behaviors (Kim, Jeong, & Hwang, 2013). As it relates to BYOD, the TRA could be used to examine why users and organizations are adopting BYOD and also users’ behavior and intent toward BYOD compliance.
Contrasting Theories
While there are multiple supporting theories that could have been selected to conduct research on the BYOD technological concept, there do also exist theories that are in contrast to the chosen theoretical framework. Systems theory is the applicable theoretical framework chosen for this study. The contrasting theories presented highlight their constructs and why they would be inappropriate theoretical frameworks in the context of this study.
Constructivism theory. Although associated with the qualitative research method, the constructivism theory states that individuals construct their own concept and understanding of the world through learned experiences (Enonbun, 2010). According to Duane and Satre (2014), constructivism expresses the notion that knowledge is created socially through communication. Constructivism contends that reality is the product of human intellects and changes as the individual constructor evolves (Hall, Griffiths, & McKenna, 2013). According to Lee (2012), constructivism is considered one of many paradigms in the field of qualitative research with a presupposition that constructivism’s beliefs are internally consistent. Constructivism theory also contends that truth or knowledge are not absolute and knowledge occurs in an iterative specific to its environment (Naidu & Patel, 2013). As it relates to the ontology and epistemology of constructivism, the paradigmatic beliefs are internally in tension (Lee, 2012). This is in direct contrast to systems theory where components are interrelated and work together to form a relationship without internal tension (Von Bertalanffy, 1972).
Grey systems theory. Julong Deng developed the grey systems theory in 1982 to study problems and systems for which partial information is known and partial information is unknown. Yin (2013) described this theory as an emerging multiple attribute decision-making tool requiring limited knowledge and understanding of a system to solve problems, make good estimations or predictions. According to Manouchehr, Seyyed Morteza, and Hossein (2015), fault tree analysis (FTA) using grey numbers is a useful risk assessment tool. In the context of this study, an effective system is described as one in which all separate but interrelated components function together in alignment as a whole (Adams, Hester et al., 2014).
Within this context, the grey systems theory stands in contrast to systems theory, as analysis of the relationship between interrelated components of a system could not adequately take place if there is incomplete or inaccurate system information.
Bring Your Own Device Implementation
Bring Your Own Device Overview
BYOD is a fast-growing concept that allows employees to bring and utilize their personal devices at work to access company data and resources. It is a growing trend and is fast becoming the rule rather than the exception in organizations. Although BYOD is gaining prominence, this concept dates back to when individuals started bringing and using personal USB flash drives and installing personally preferred programs on organizational assets to accomplish their work-related tasks (Zahadat et al., 2015). This is similar to the employee-driven IT revolution from several years ago when employees started using Commodore Pet, Apple 1, and TRS personal computers in corporate offices to accomplish work-related tasks (Harris et al., 2012).
The proliferation of mobile devices and their ever-increasing advanced capabilities have had a significant impact within the workplace (Waterfill & Dilworth, 2014). As a result, organizations have been introduced to the BYOD concept, which has become a phenomenon in both the private and public sectors and has highlighted the importance of mobile devices such as tablets and smartphones (Ansaldi, 2013). Within the public sector, federal regulations, mandates, and executive orders are driving the adoption of BYOD as a strategic tool for the delivery of services (Fiorenza, 2013). Within the private sector, the acquisition of a startup software company by Google for its software that allows for the separation of personal and corporate data, and technology giant Apple’s redesign of its iOS to address the BYOD phenomenon, clearly demonstrate the widespread popularity and acceptance of the BYOD concept (Beckett, 2014).
This phenomenon presents several benefits and challenges to consider when contemplating a BYOD implementation (Waterfill & Dilworth, 2014). Technology expansion and the desire to cut cost is a driving factor for organizations’ acceptance of BYOD within the corporate and enterprise environment (Utter & Rea, 2015). BYOD benefits include increased mobility, flexibility, productivity, and employee satisfaction (Zahadat, Blessner, Blackburn & Olson, 2015). Organizations are faced with the challenge of exploring new options to secure data and networks as many employees are now using their personal mobile devices in the workplace (Leavitt, 2013).
Benefits of Bring Your Own Device
Waterfill and Dilworth (2014) and Ansaldi (2013) have reached a similar conclusion when describing the benefits of BYOD. That is, the benefits of BYOD have triggered changes within organizations and their business processes. Vignesh and Asha (2015) noted a survey conducted on several organizations by Intel on the benefits of BYOD within their organizations, which indicated 28% improved efficiency and productivity, 22% improved workers’ mobility, 17% savings on investing in new machines, 9% job satisfaction, and 6% reduced IT management/troubleshooting. Benefits that are commonly referenced are those of cost savings, employee satisfaction, improved productivity, and benefits to higher education.
Cost savings. The potential for cost savings is a contributing factor toward BYOD implementation. Fiscal challenges in both the private and public sectors present BYOD as a viable option. Stone (2014) reported that a 2013 study by Cisco revealed results indicating that employers could net an annual return of $3,150 per employee on device expenses through BYOD implementation. Organizations that choose to transfer some or all of device procurement and usage cost from the organization to the employees could see a potential benefit in cost savings (Gaff, 2015). According to Vignesh and Asha (2015), Intel Company employees’ use of personal devices was a factor in organizational cost savings.
The health and hospitality industries provide some evidence of cost savings. From the perspective of health providers, BYOD implementation offers a reduction in overhead and cost for IT infrastructures and facilitation of patient care (Munroe, 2013). BYOD has enabled the hospitality industry to improve its supply chain management process. Mobile devices are being used to deliver goods and services to the right place in a timely manner with the least cost (Car, Pilepic, & Simunic, 2014). A recent survey conducted by GovLoop in partnership with Cisco Systems Inc. of federal, state, and local government employees found that 55% believe that cost savings is a benefit of BYOD (Fiorenza, 2013). Organizations can redirect the savings obtained from BYOD implementation to other purposes (Rose, 2013). According to Marshall (2014), organizations are encouraging employees to participate in a BYOD program in an effort to cut costs.
Employee satisfaction. Harris et al. (2012) conducted a study on IT consumerization. The findings categorized the benefits of IT consumerization into three categories: innovation, productivity, and employee satisfaction. The results for employee satisfaction revealed that 11% of older employees over age 45 and 13% of younger employees under age 35 valued the freedom and independence of being able to choose and utilize their device of choice. Employees’ satisfaction has been positively associated with telework (Bosua, Gloet, Kurnia, Mendoza, & Yong, 2013). Telework is an option that is strategically used at times to recruit and retain a highly qualified workforce. It is typically a fringe benefit that is offered to employees (Beham, Baierl, & Poelmans, 2014; Nijland & Dijst, 2015). Employees select and purchase the personal devices they desire for a reason. According to Waterfill and Dilworth (2014), employees are more efficient and satisfied when they are allowed to use devices and applications they are familiar with than unfamiliar devices and applications provided by organizations.
Improved productivity. According to Gaff (2015), the underlying theory as to why BYOD improves productivity is that employees tend to be more accustomed to their personal devices and will use them more efficiently in the workplace and after hours. Gaff (2015) also noted that employees’ personal devices tend to be more advanced than organization owned devices and that most employees prefer working with newer advanced technology. Examples of improved productivity benefits to be obtained through BYOD adoption are employees being able to access corporate databases to complete real-time inquiries; eliminate onsite requirements to conduct functions such as dispatch, inventory, management, field sales and technical support; attend real-time company video conferences; and leverage bigger, high resolution smartphone screens and tablets to display graphics, medical charts, presentations, video feeds, and x-rays/MRIs (Waterfill & Dilworth, 2014). As reported by Harris et al. (2012), the results of their IT consumerization study related to productivity benefits revealed that 14% of employees access corporate resources after regular work hours and 22% consistently used their personal mobile phone to check corporate emails before going to bed while outside the physical boundaries of the organization and after hours, thereby, increasing and improving productivity as a result of being able to utilize personal mobile devices to access corporate resources.
The hospitality industry has benefitted from the BYOD concept. Logistic managers are able to use personal mobile devices to determine the location of employees, goods, or services, thereby leveraging access to information in the supply chain management process in real time (Car, Pilepic, & Simunic, 2014). Fiorenza (2013) noted from a research survey of federal, local, and state employees that 58% responded that they considered improved productivity to be the second greatest benefit of BYOD, following 71% of respondents who indicated that allowing employees to work on their device of choice was the greatest benefit. Williams (2014) reported that the results of a couple of surveys revealed that 91% of healthcare workers own a mobile phone, with 87% actually using it during clinical applications. 98% of physicians are already using smartphones while another 68% are using tablets for workflow processes. These devices have the potential to improve productivity and efficiency as they can facilitate faster access to patients’ information by healthcare workers (Williams, 2014).
Security Challenges of Bring Your Own Device Implementation
A body of literature highlights the benefits of BYOD implementation. It is equally important to note the literature that highlights the associated risks and challenges. Security concerns have been on the rise simultaneously with the rapid increase of smartphones and tablets (Zahadat et al., 2015). According to Weiß and Leimeister (2014), mobile devices are infiltrating companies and creating challenges for Chief Information Officers (CIOs). As a result, BYOD implementation increases security risks. The lack of a comprehensive strategy for BYOD implementation further increases this risk.
There are several areas of concern that should be addressed prior to BYOD implementation. Waterfill and Dilworth (2014) identified three areas of concern that traditionally fall under the control of IT departments; however, this model and focus has changed with the prominence of BYOD adoption. These areas are managing security, controlling acceptable use, and retrieving data. Privacy is another area of concern to be considered in an organization’s BYOD program; the employer’s and employee’s rights must be protected. The revelation and exposure of the PRISM program by Edward Snowden has been a factor in the increased awareness of privacy self-protection (Preibusch, 2015). The use of personal devices for personal and work purposes blurs the boundaries between personal and work domains, thereby presenting many security challenges (Jovanovikj, Gabrijelcic, & Klobucar, 2014). According to Beckett (2014), organizations that do not address BYOD concerns put themselves at risk for data loss, loss of control, employee violations of industry regulations and company rules, breach of trust between employer and employee, exposure of organizations’ intellectual property, and intentional or unintentional undermining of critical business obligations.
Harris et al. (2012) reported that 36% of employees ignore organization IT policy and utilize the device of their choice to do work while 46% of employees think their device of choice and available software applications are more useful than devices provided by organizations. Young tech-savvy employees consider using their own devices at work a right instead of a privilege (Leclercq-Vandelannoitte, 2015). The introduction of personal mobile devices to an organization’s network increases the potential for security problems as too often security responsibilities are left to the competences of device owners (Jones, Chin, & Aiken, 2014).
IT organizations are expected to maintain a certain level of service while supporting a variety of devices and operating systems (Astani et al., 2013). Organizations must invest in the various operating systems and platforms in their BYOD portfolio (Rose, 2013). With the many available options for mobile devices, IT departments should be responsible for managing, configuring, and enforcing technical security controls to mitigate the risks of data loss associated with BYOD adoption (Garba et al., 2015).
BYOD adoption presents legal and policy issues such as privacy, fourth amendment concerns, ownership concerns, liability, and other legalities (Utter & Rea, 2015). Some legal issues centered around BYOD that impact both organizations and employees are: (a) maintaining and storing data, (b) BYOD security, (c) BYOD and employee privacy, (d) breach response, notification, and investigation, (e) remote wiping and blocking, and (f) secure destruction of corporate data (Vignesh and Asha, 2015). According to Walker-Osborn, Mann, and Mann (2013), organizations are responsible for the protection of personal data that reside on their systems under the 1998 Data Protection Act (DPA). In the context of BYOD, adherence to the DPA is important as mobile devices can be easily lost or stolen. Organizations must craft the appropriate BYOD policies and implement appropriate technical and organizational security measures (Walker-Osborn, Mann, & Mann, 2013). Organizations must ensure they have the legal right to access employees’ personal devices or the data on these devices when they become the subject of an investigation to ensure there are no privacy violations (Peretti & Sarkisian, 2014). Organizations must ensure employees are trained on the importance of risk management, intellectual property, and the organization’s right to access an employee’s personal device to remove organization proprietary data (Beckett, 2015).
Compliance
Compliance in the context of BYOD is important. Employees own the devices that are used to access organizational resources, thereby introducing added risks to the organization (Vignesh and Asha, 2015). Compliance policies are the established rules, instructions, and actions that define organizational acceptable security levels and provide information security to organizational assets (Silva et al., 2014). Employees’ noncompliance with security policies is the largest information systems security threat to organizations (Siponen, Adam Mahmood, & Pahnila, 2014).
The Need for a Bring Your Own Device Policy
The increased popularity of BYOD is the reason organizations are establishing BYOD policies to address the inherent risks associated with allowing personal devices to access organizational resources (Crossler et al., 2014). Vignesh and Asha (2015) referenced a survey conducted by SAANS Analyst Program of several organizations about the criticality of mobile security policies. The results revealed that 37.1% believed a mobile security policy was critical, 40% believed extremely important, 19.7% believed important, 0.7% believed unimportant, and 2.6% didn’t know. The survey also revealed that 36% of organizations do not have a formal BYOD policy. The adoption of corporate policies governing BYOD is the common response in addressing security and data privacy issues posed by BYOD (Crossler et al., 2014).
According to Dhingra (2015), an effective and efficient BYOD policy must have clear objectives and constraints related to the usage of personal devices on organizational networks. A BYOD policy should be well constructed, include penalties, be understood and accepted by all users, and be enforceable (Coates, 2014). At a minimum, a BYOD policy should clearly define the mobile devices allowed to participate in an organization’s BYOD program (Gaff, 2015). Users’ adherence to a policy is highly influenced when they feel personal responsibility for their policy-related actions (Yazdanmehr & Wang, 2014). According to Semer (2013), a BYOD policy should also include a mobile device management (MDM) solution to mitigate data security, compliance, and privacy risks. IT and security stakeholders like CIOs, CISOs, and CTOs should be able to articulate approaches for handling the risks associated with BYOD and capture these articulations in an information security policy document (Saha & Sanyal, 2015). BYOD policies require a philosophical change for both employees and management (Jackson, 2013). Munroe (2013) reported that a Gartner Group report revealed that 30% of midsize and large companies utilized MDM software while 80% utilized Microsoft Exchange ActiveSync to enforce BYOD policies on mobile devices.
[...]
- Cite this work
- Janvan Munyoki (Author), 2016, The Implementation Challenges to Bring Your Own Device Concept (BYOD) in Relation to Information Assurance and Security, Munich, GRIN Verlag, https://www.grin.com/document/1324291