ORIGINAL ARTICLE Assessing drivers for organizational ... - aensi

1223 Advances in Natural and Applied Sciences, 6(8): 1223-1237, 2012 ISSN 1995-0772 This is a refereed journal and all articles are professionally screened and reviewed

ORIGINAL ARTICLE Assessing drivers for organizational commitment towards the security controls implementation in the Malaysian online service in computer-based accounting system 1

Dr Intan Salwani Mohamed, 2Izzatul Ussna Ridzwan, 3Dr Norzaidi Mohd Daud, 4Zakiah Baharin and 5Saidin Wan Ismail 1

Faculty of Accountancy/Accounting Research Institute Universiti Teknologi MARA 40450 Shah Alam, Selangor Malaysia. 2 College of Business Management and Accounting, UNITEN Sultan Haji Ahmad Shah campus, 26700 Bandar Muadzam Shah, Pahang, Malaysia. 3 Faculty of Business Management/Accounting Research Institute/Institute of Business Excellence, Universiti Teknologi MARA 40450 Shah Alam, Selangor Malaysia. 4 Faculty of Accountancy Universiti Teknologi MARA Johor 85009 Segamat Johor Malaysia. 5 CITU, Universiti Teknologi MARA Johor 85009 Segamat Johor Malaysia. Dr Intan Salwani Mohamed, Izzatul Ussna Ridzwan, Dr Norzaidi Mohd Daud, Zakiah Baharin and Saidin Wan Ismail; Accessing Drivers for Organizational Commitment Towards the Security Controls Implementation in the Malaysian Online Service in Computer-Based Accounting System. ABSTRACT The objective of this study is to determine the accessing drivers for organizational commitment towards security controls implementation in the Malaysian online service in computer based accounting system. Based on survey, data was collected from 63 firms in hotel/resort, financial and transportation industry, and suggested that firm size, managerial awareness, regulatory support, as well as vendor support were found to have a positive significant influence towards organizational commitment in security controls implementation. Also, the commitment to implement security controls first comes from the management itself especially senior and top management through managerial awareness as well as the need to safeguard the organization’s reputation. Moreover, regulatory support from government to encourage security controls implementation among organizations are important as it was proven that they have a significant influence towards organizational commitment in security controls implementation. Key words: Organizational commitment, security controls, online service, computer based accounting system, Malaysia. Introduction The transformation from manual system to a computer-based system however, creates a new issue on how secure is the computer-based accounting system. The security of information has become one of the most important issues of computer-based accounting information system in most organizations, since their survival and success depends on a large extent on the confidentiality, accuracy, integrity, and availability of their critical and sensitive information. There are several surveys that have been conducted with the objective to investigate how far the cyber attacks affect the security system of most organizations. Among them are surveys from http://www.securelist.com (2010), which use an antivirus product, Karpersky Security Network (KSN) to detect malware attacks within systems; CSI Computer Crime and Security Threats (2010), which investigate how respondents felt about their own cyber-security situations within their organizations; and http://www.findwhitepapers.com (2010), which focuses on the level of cyber attacks in the financial services industry. All surveys show that information security ranked high in the list of critical success factors in most organizations. Therefore, protecting computer-based accounting information system against prospective security threats has become a very important issue (Abu Musa, 2006). Adequate protections must be put in place due to the computer crime especially for those companies that used online services as their major business transactions. It has become unavoidable problems in any organizations and no longer become a local problem. The security solutions as well cannot be viewed only from a national perspective, but also to be expanded throughout the geographical boundaries. Corresponding Author: Associate Professor Dr Norzaidi Mohd Daud, Faculty of Business Management/Accounting Research Institute/Institute of Business Excellence, Universiti Teknologi MARA 40450 Shah Alam, Selangor Malaysia. E-mail: [email protected]

1224 Adv. in Nat. Appl. Sci., 6(8): 1223-1237, 2012

Given that the security controls is an important aspect that need to be explored in protecting accounting information system, the main issue that needs to be investigated is the relationship between factors under three characteristics that are technological characteristic (such as technology competence, web functionalities, accounting software usage and non-accounting software usage); organizational characteristic (such as firm size, managerial awareness and management beliefs); and environmental characteristic (such as regulatory support and vendor support) towards organizational commitment in security controls implementation specifically to those organizations that practicing online system in their everyday business operations. The questions that arise in discussing the security of computer-based accounting system are: i. Do factors under technology characteristics such as technology competence, web functionalities, accounting software usage, and non-accounting software usage have an effect on organizational commitment in security controls implementation? ii. Do factors under organizational characteristics such as firm size, management awareness, and managerial beliefs have an effect on organizational commitment in security controls implementation? iii. Do factors under environmental characteristics such as regulatory support and vendor support have an effect on organizational commitment in security controls implementation? In answering the above questions, this study focused on whether these factors which are technology competence, web functionalities, accounting software usage and non-accounting software usage (technological characteristic); firm size, managerial awareness and management beliefs (organizational characteristic); and regulatory support and vendor support (environmental characteristic) affect organizational commitment on security controls implementation in computer-based accounting system. The findings of this study should be useful for organizations to evaluate the adequacy of their security controls implementation and will also create awareness among organizations on the importance of their commitment in security controls implementation. Review of Literature: Technology Competence and Organizational Commitment in Security Controls Implementation: Ong and Ismail (2008) stated that information technology objects refer to availability of hardware, software, and personnel to support the performance of information technology operations. Bassellier et al. (2003) defined technology knowledge as the extent of technical knowledge regarding objects such as computer based systems. This knowledge is able to convert into competence when it is utilized or exploited. It also refers to the competency of personnel or employees that are responsible for managing the computer system. Thus, organizations must make sure that they have adequate technology facilities and knowledge to support their security system. Hypothesis 1 was developed to test the relationship between technology competences towards the organizational commitment in computer-based accounting system’s security controls implementation. H1: Technology competence significantly influences organizational commitment in security controls implementation: Web Functionalities and Organizational Commitment in Security Controls Implementation: According to Shah and Murtaza (2005), resolving security and reliability issues are critical in the widespread adoption of online system. Moreover, Birman (2004) stated that, today, web services miss the functional reliability because the current models do not consider ‘real world’ issues and organizations failed to accept and adopt with rapid changes of technology. Therefore, top management need to see these issues more seriously as to make sure that the website of their organization is functioning and operating well as well as preventing attacks from cyber criminals. Thus, it is hypothesized as; H2: Web functionalities significantly influence organizational commitment in security controls implementation: Accounting Software Usage and Organizational Commitment in Security Controls Implementation: Accounting software usage looks into the extent of various types of application software being used in the accounting department within organizations. Most important benefit of accounting software usage is it assists in eliminating many of most common errors made by humans, such as transposing numbers and using the wrong accounts. Thus, it contributes towards more quality financial information and increase the security of confidential information. Thus, accounting software usage is hypothesized as H3: Accounting software usage significantly influences organizational commitment in security controls implementation.


Non-accounting Software Usage and Organizational Commitment in Security Controls Implementation: The help of some additional applications software such as graphic programs (e.g. chart, graph and bar) and word processing (e.g. Microsoft Words and Text Maker) could give a better picture about the presentation of the financial statements for those who don’t have any accounting background and knowledge to understand the presentation of financial statements. Furthermore, it is used as a support or backup system for the accounting software in unpredictable situations. For organizations, by using these non-accounting software usages, most data, and information will be more manageable and structured before it is entered to the accounting software. Therefore, it is assumed that non-accounting software assist in providing more secure system in computer-based accounting system. The following hypothesis: H4: Non-accounting software usage significantly influences organizational commitment in security controls implementation. Firm Size and Organizational Commitment in Security Controls Implementation: Firm size often being used in TOE Model as it is a good predictor of IT adoption in organizations (Lippert and Govindarajulu, 2006; and Mohamed et al. 2008). In this study, firm size is measured by examining the number of employees in the analysis’s unit. It was suggested in the European E-business Report that firm size can be grouped into four categories that are micro (0-9 employees); small (10-49 employees); medium (50-249 employees) and large (250 and above employees). According to Ma and Ratnasingam (2008), large firm may have more human and technological resources available to implement a high quality security system compared to small firm that is more interested in economic returns. Small firm size reflected constraints in their resource and do not ready to adopt new technology in terms of financial or facilities as they could not handle great risk. Thus, hypothesis 5 was developed to test the relationship between firm size and organizational commitment in security controls implementation. H5: Firm size significantly influences organizational commitment in security controls implementation. Managerial Awareness and Organizational Commitment in Security Controls Implementation: Managerial awareness is very crucial as it is the key towards successful security management. Based on research done by Liao and Luo (n.d.), it was found that there is a lack of awareness concerning the security risks and employee education regarding prevention measures. Therefore, this study will examine whether managerial awareness has a relationship with organizational commitment in security controls implementation. To test the relationship, the following hypothesis is developed. H6: Managerial awareness significantly influences organizational commitment in security controls implementation. Management Belief and Organizational Commitment in Security Controls Implementation: Management beliefs reflect the factors that influence managers to put commitment in security controls implementation and how top management acts to the needs for having a high quality security system in the computer-based system. This relates to their beliefs on the ease of use and usefulness of the security system in protecting their financial information. When they believed, they would change their perceptions regarding the benefits of adopting good security system (Lippert and Govindarajulu, 2006). Therefore, it is hypothesized as; H7: Management beliefs significantly influence organizational commitment in security controls implementation. Regulatory Support and Organizational Commitment in Security Controls Implementation: Regulatory support refers to governments’ role to encourage the needs of having quality security system by establishing laws and providing incentives. By having specific guidance in developing online or web site system as well as establishing laws to highlight the punishment for cyber criminals, it is assumed that the level of security controls will be increased. Therefore, the following hypothesis is developed. H8: Regulatory support significantly influences organizational commitment in security controls implementation. Vendor Support and Organizational Commitment in Security Controls Implementation: Close relationship between vendor and customer organization influence positively the successful implementation of security software. Vendor’s role is not only to offer and supply the security software to their


customer organizations but also to transfer knowledge about the use of the software, understanding the business processes within the organization and recognizing best practice (Kouki et al. 2006). Thus, the following hypothesis H9: Vendor support significantly influence organizational commitment in security controls implementation. Theoretical Framework: In this research, all variables were measured with the aim to answer the questions that were mentioned before. In this research, there are 10 variables, which are organizational commitment in security controls implementations (OCSCI), technology competence (TC), web functionalities (WF), accounting software usage (ASU), non-accounting software usage (NASU), firm size (FS), managerial awareness (MA), management beliefs (MB), regulatory support (RS) and vendor support (VS). These variables are categorized into dependent variable and independent variable as follow: i. Dependent Variable: This study only focuses on the direct relationship. Therefore, the dependent variable is organizational commitment in security controls implementation (OCSCI). ii. Independent Variable: The independent variables are the factors or drivers listed under each TOE characteristics. There are technology competence (TC), web functionalities (WF), accounting software usage (ASU), non-accounting software usage (NASU), firm size (FS), managerial awareness (MA), management beliefs (MB), regulatory support (RS), and vendor support (VS). All these independent variables have direct relationships with organizational commitment in security controls implementation (OCSCI) (Figure 1).

Fig. 1: Theoretical Framework for this Study, Sources: Developed for the Study. Research Methodology: In this study, focus was given to accounting department since this department involves with money transactions and because of that more security threats were expected to occur in this department. According to Bank Negara Malaysia (BNM) official website, until January 2011 there were 68 financial institutions registered under BNM which consists of commercial banks (23), Islamic banks (17), international Islamic banks (4), investment banks (15), other financial institutions (2), and money brokers (7). From 68 financial institutions, there are 35 banks that have website. As for hotels and tourism sectors, based on Malaysia Association of Hotels (MAH) directory, as at January 2011 there are 548 hotels which all have their own website. On the other hand, there are 108 transportation companies in Malaysia have their own official website. Altogether, the number of


populations that have website was 691. Based on this population, a sample was selected using random sampling. The sample size was determined according to a table provided by Sekaran (2003). According to Sekaran (2003) a table “Determining Sample Size from a Given Population” provides a scientific guideline in determining the sample size. From the table, it states that for a population of 650, the sample size should be 242 and for a population of 700, the sample size should be 248. Since the population for this study is 691 which are nearest to 700, thus a sample size of 248 will be applied. This means that from the total of 691 organizations that constitutes the populations of interest, a sample of 248 organizations were selected randomly for the purpose of data collection. This sample size fulfils the rule of thumb proposed by Roscoe (1975) which stated that an appropriate sample size should be larger than 30 and less than 500 for most researches. Roscoe (1975) further explained that if a sample size is too large (more than 500), it could lead to the case of committing Type II errors which means that the findings from the data examined could be reversed from rejected to accept. In this research, the sample size is 248 which are larger than 30 and less than 500. Therefore, type II errors were avoided. Findings: In this study, from 248 distributed questionnaires, 45 organizations responded through the postal method, 10 questionnaires were taken by hand and 8 organizations responded through e-mail. In total, there were 63 responses received which represented 25.40 percent of the returned sample size. Out of 63 responded questionnaires, 5 blank responses were found on the demographic information and the rest were on section B (drivers for organizational commitment in security controls implementation in computer-based accounting system) and section C (commitment in security controls in computer-based accounting system). As mentioned in previous section, the rule of thumb by Sekaran (2003) was used in dealing with blank responses. According to Sekaran (2003), as long as the unanswered part of the questionnaire did not exceed 25 percent of the questionnaires, the data will still be included. For this study, blank responses did not exceed the 25 percent rule which means that all data was included. Based on Hussey and Hussey (1997), in order to avoid sample being bias for the mail distributed method, the responses rate received should exceed 10 percent. Since the response rate in this study was 25.40 percent, there was no sample bias and it represents the population. Based on the rules of thumb developed by Hair, Black, Babin, Anderson and Tatham (2006), the number of samples for sample size considerations should meet the minimum ratio of observations to variables is 5:1. It means that 5 observations are made for each independent variable and it should never fall below 5:1. For this study, there are 9 independent variables (5:9) which constitutes to 45 samples. Since this study collected 63 samples, thus it satisfied the rules of thumb by Hair et al. (2006). This rule of thumb was used since the response rate is small and may affect the validity of generalization of the results. Demographic Profile of Respondents: The selected respondents that answered the questionnaires were varied in demographics information such as industry sector, the starting year that their organization started doing business through web and the respondents’ position in their organization. Table 1: Sample Characteristics (N=63).

Source: Developed for this study.


Reliability Test: Computing Cronbach’s Alpha is the most popular method uses to measure reliability in terms of consistency of the test (Sekaran, 2003). In Cronbach’s Alpha, the higher the coefficient leads to better measurement and higher confident. For reliability, the value should be close to one in order to indicate higher reliability. For this study, the minimum value of Cronbach Alpha will be based on the rule of thumb suggested by Hair, Anderson, Tatham and Black (2003), where .60 as the lowest level in accepting reliability. Table 2 shows the Cronbach’s Alpha score for each of the variables. Table 2: Internal Consistency of the Construct. CONSTRUCTS Technology Competence TC1 (% employees use computer at work) TC2 (% employees have IT qualifications) Web Functionalities WF1 (Website support service catalogue) WF2 (Website support consumer customization) WF3 Website support account management) WF4 (Website support registry of online community) WF5 (Web applications electronically integrated with back-office system) WF6 (Company databases electronically integrated with suppliers) WF7 (Company databases electronically integrated with partners) Accounting Software Usage ASU1 (Audit Programs) ASU2 (Financial Accounting Software) ASU3 (Tax Application Software) ASU4 (Management Accounting Software) Non-Accounting Software Usage NASU1 (Word Processing) NASU2 (Spreadsheets) NASU3 (Database Programs) NASU4 (Graphics Programs) Managerial Awareness MAI (Organization educates employees regarding securities issues in CBAS) MA2 (Ensuring information are unchanged by unauthorized persons) MA3 (Ensuring that a system is accessible upon demand by an authorized entity) MA4 (Ensuring that a system is usable upon demand by an authorized entity) MA5 (Ensuring that the responsible person could be detected for their actions)

CRONBACH’S ALPHA

Managerial Beliefs MB1 (Security controls implementation benefit their technology investment) MB2 (Security controls implementation protect sensitivity of company's data) MB3 (Security controls implementation protect their CBAS) Regulatory Support RS1 (Government provides good incentive for companies to implement security system) RS2 (Secured transaction is required for government purchase) RS3 (Secured transaction is required for online transactions) Vendor Support VS1 (Handle the hardware issues related to application) VS2 (Handle the software issues related to application) Organizational Commitment on Security Controls Implementation AC1 (Access controls) AC2 (Physical access) AC3 (Restricting to data access) NE1 (Physical resources) NE2 (Environment) BD1 (Resources protection) DC1 (Warranted activity) LA1 (Data prevention) RLF1 (Means of recovery) MSM1 (Security Program) Firm size excluded due to single attribute of measurement (number of employees) Source: Computed data analysis.

0.620

0.806

0.806

0.662

0.932

0.899

0.696

0.789

0.949

For this study, one item has been deleted in order to increase the reliability statistics. The particular item is a sub question in “Technology Competence” that is TC3 (technology facilities used by organization prior to ebusiness implementation). Table 3 shows Cronbach’s Alpha of “Technology Competence” before TC3 was deleted. Table 4.7 shows that TC3 needs to be deleted to get the value of .620 which meet the minimum acceptable level of reliability.

1229 Adv. in Nat. Appl. Sci., 6(8): 1223-1237, 2012 Table 3: Reliability Statistics for Technology Competence. Reliability Statistics Cronbach's Alpha .426 Source: Computed data analysis.

N of Items 3

Table 4: Item-Total Statistics for Technology Competence. Scale Mean if Item Deleted TC1 .003813 TC2 -.041074 TC3 -.011934 Source: Computed data analysis.

Item-Total Statistics Scale Variance if Item Deleted Corrected Item-Total Correlation 1.262 1.746 2.155

.513 .231 .077

Cronbach's Alpha if Item Deleted -.227 .377 .620

Standard Regression Analysis: Under the regression analysis, the relationship between the independent variables from technological characteristics (such as technology competence, web functionalities, accounting software usage, and nonaccounting software usage), organizational characteristics (such as firm size, managerial awareness and management beliefs) and environmental characteristics (such as regulatory support and vendor support) towards organizational commitment in security controls implementation will be measured. As each dependent and independent variables had several sub-questions, therefore data will be measured using mean. For this study, standard regression analysis used the significant level α = .05. This means that the conclusion that was made based on statistical inference will be correct at a confidence level of 95 percent and there is only 5 percent chance that the conclusion will be wrong. Table 5: The Relationship between Dependent and Independent Variables. Model Summaryb Model R R Square Adjusted R Square 1 .784a .615 .550 a. Predictors: (Constant), TC, ASU, VS, FS, WF, MB, RS, NASU, MA b. Dependent Variable: OCSCI Key: TC : Technology Competence WF : Web Functionalities ASU: Accounting Software usage NASU: Non-Accounting Software Usage FS: Firm Size MA : Managerial Awareness MB : Management Beliefs RS : Regulatory Support VS : Vendor Support OCSCI: Organizational Commitment on Security Controls Implementation Source: Computed data analysis

Std. Error of the Estimate .46135

Based on Table 5, R square is .615. The R Square indicates that 61.5% of the variation in the organizational commitment in security controls implementation (OCSCI) is explained by four significant independent variables that are regulatory support (RS), vendor support (VS), management beliefs (MB) and firm size (FS). The balance of 38.5% is explained by other factors such as technology competence (TC), web functionalities (WF), accounting software usage (ASU), non-accounting software usage (NASU), and managerial awareness (MA). The ANOVA table (Table 6) shows that the model is significant, with the F-value of 9.404. Table 6: ANOVA Table. ANOVAb Sum of Squares Df Regression 18.014 9 Residual 11.281 53 Total 29.295 62 a. Predictors: (Constant), TC, ASU, VS, FS, WF, MB, RS, NASU, MA b. Dependent Variable: OCSCI Key: TC : Technology Competence WF : Web Functionalities ASU : Accounting Software usage NASU : Non-Accounting Software Usage FS : Firm Size MA : Managerial Awareness MB : Management Beliefs Model 1

Mean Square 2.002 .213

F 9.404

Sig. .000a

1230 Adv. in Nat. Appl. Sci., 6(8): 1223-1237, 2012 RS : Regulatory Support VS : Vendor Support OCSCI : Organizational Commitment in Security Controls Implementation Source: Computed data analysis.

Hypotheses Testing and Discussion of Findings: This research used standard regression analysis to evaluate the direct influence of independent variables (technology competence, web functionalities, accounting software usage and non-accounting software usage (technological characteristics); firm size, managerial awareness and management beliefs (organizational characteristics); and regulatory support and vendor support (environmental characteristics) towards organizational commitment in security controls implementation. In order to examine the relationship between these factors and organizational commitment in security controls implementation, nine hypotheses have been developed to be tested. Table 7 shows the result and findings of the relationship between the independent and dependent variables and the summary of hypotheses testing. Table 7: Summary of Hypothesis Testing. Hypothesis Relationship Beta T ratio H1 TC→OCSCI -.120 -1.174 H2 WF→OCSCI -.063 -.635 H3 ASU→OCSCI .097 .984 H4 NASU→OCSCI -.078 -.706 H5 FS→OCSCI .209 2.059 H6 MA→OCSCI .106 .629 H7 MB→OCSCI .338 2.312 H8 RS→OCSCI .334 2.873 H9 VS→OCSCI .269 2.765 Dependent Variable: Organizational Commitment on Security Controls Implementation Key: TC : Technology Competence WF : Web Functionalities ASU : Accounting Software usage NASU : Non-Accounting Software Usage FS : Firm Size MA : Managerial Awareness MB : Management Beliefs RS : Regulatory Support VS : Vendor Support OCSCI : Organizational Commitment on Security Controls Implementation Source: Computed data analysis.

Sig .245 .528 .329 .483 .044 .532 .025 .006 .008

Result Rejected Rejected Rejected Rejected Accepted Rejected Accepted Accepted Accepted

As a whole, looking at drivers for security implementation in computer-based accounting system, regulatory support (β = .334) is found to have the most significant influences towards organizational commitment in security controls implementation follows by vendor support (β = .269) management beliefs (β = .338) and firm size (β = .209) . The details of analysis for each of the hypothesis are further discussed next. Technology Competence: This study suggested that there is no significant relationship between technology competence and organizational commitment in security controls implementation (p > .05, ß = -.120) (Table 7). Therefore, H1 is rejected. This finding is consistent with Saad (2006) which stated that security system that can be achieved through technical means is limited. He further stated that security decisions that were based on technology competence and employees’ technical expertise were relevant in the past but due to certain factors such as financial implications in implementing and maintaining the security system, organizations’ today choose to take risks than to invest in security system. Technology competence also seems to have no relationship with organizational commitment because of management has no trust in doing online business, thus they do not concentrate in implementing technology facilities (Walter and Ritter, 2005). Shah and Murtaza (2005) also stated that organizations’ nowadays failed to accept and adopt with rapid changes of technology. Furthermore, the reason why technology competence does not influence organizational commitment is due to the fact that technology itself cannot provide all answers to security problems (Saad, 2006). Web Functionalities: The result shows that there is no significant relationship between web functionalities and organizational commitment in security controls implementation (p > .05, ß = -.063) (Table 7). Therefore, H2 is rejected. This is


supported by Birman (2004) which stated that, today, web services miss the functional reliability because the current models do not consider ‘real world’ issues and organizations failed to accept and adopt with rapid changes of technology. The reason why web functionalities do not have relationship with organizational commitment in security controls implementation could also due to the web functionalities’ problems it selves. The problems can result in missed opportunity, missing accounting data, unacceptable and incorrect accounting data, and problems of having duplicate accounting data which leads to more complicated and adding burden to organizations’ management compared to normal business operations (Wiliam, 1997). Accounting Software Usage: Accounting software usage has no relationship with organizational commitment in security controls implementation. The analysis demonstrate that accounting software usage do not effect organizational commitment in security controls implementation (p > .05, ß = .097) (Table 7). Thus, hypothesis 5 (H5) is rejected. The result from this study is similar to Intan Salwani et al. (2005). Intan Salwani and Norzaidi (2005) stated that accounting software such as UBS Accounting, One Write plus DOS Package and Peachtree has their own security controls and this accounting software does not permit unauthorized person to open or use the system. The security systems of this particular accounting software for example, required users to enter the password in order to get the accounting information stored. Since accounting software has its own security controls, management took this advantage as an opportunity for them to let go in giving commitment towards the security issues in accounting software usage. Non-Accounting Software Usage: After conducted the analysis, the result in Table 7 shows that there is no significant relationship between non-accounting software usage and organizational commitment in security controls implementation (p > .05, ß = -.078). Therefore, H4 is rejected. This result is contrary with Mohamed et al. (2009) which found that nonaccounting software has a positive relationship with organizational commitment in security controls implementation. This might be due to the reason that these types of applications’ software do not provide any controls in safeguarding the information stored and nowadays, each industry have their own unique professional software such as Ezee FrontDesk Hotel Software for tourism industry, Polaris Software for financial industry and Trucking Software for transportation industry. Therefore, management does not focused on the security controls for non-accounting software usage as they have better software that suit the unique environment of the particular industry. Firm Size: This study finds that firm size has positive significant influence towards organizational commitment in security controls implementation (p < .05, ß = .209) (Table 7). This means that when firm size goes up by 1 standard deviation, organizational commitment in security controls implementation goes up by .209 standard deviations. Thus, hypothesis 5 (H5) is not rejected. The result of this finding is contrary to Intan Salwani and Norzaidi (2005); and Intan Salwani et al. (2009). These two previous researches discovered that firm size had negative relationships towards organizational commitment in security controls implementation. For this study, one possible reason on the positive relationship between firm size and organizational commitment in security controls implementation might be related to theories by Ma and Ratnasingam (2008) which stated that large firm may have more human and technological resources available to implement a quality security system compared to small firm that is more interested in economic returns. Small firm size reflected constraints in their resource and do not ready to adopt new technology in terms of financial or facilities as they could not handle great risk. This means that the larger the firm is, the more resources available to implement a quality security system and vice versa. Furthermore, the larger the firm is, the larger the Accounting Department which may result in more complicated transactions and a lot of financial resources are needed to overcome it. This demonstrates the positive significant relationship between firm size and organizational commitment in security controls implementation. Another reason might be due to the needs to maintain a good reputation especially for large and well-known organizations. Study done by Salehi et al. (2009) stated that large firms have a reputation to safeguard and they will make sure that quality security system will be adopted. Managerial Awareness: The result shows that there is no significant relationship between managerial awareness and organizational commitment in security controls implementation (p > .05, ß = .106) (Table 7). Therefore, H6 is rejected. The reason why there is no relationship between managerial awareness and organizational commitment in security


controls implementation could be based on research done by Liao and Luo (n.d.) and Norzaidi et al (2011) which found that there is a lack of management’s awareness concerning the security risks and employee education regarding prevention measures. It could also due to the reason that most of top management does not have serious concerns about the security system in the organizations because they leave the responsibilities to the IT and Accounting Department. Management Beliefs: Management beliefs have a positive significant relationship with organizational commitment in security controls implementation (p < .05, ß = .338) (Table 7). Therefore, when management beliefs go up by 1 standard deviation, organizational commitment in security controls implementation goes up by .338 standard deviations. Thus, hypothesis 7 (H7) is not rejected. This positive relationship might be due to the management beliefs on the ease of use and usefulness of the security system in protecting their financial information. The more the top management beliefs in the importance of having quality security systems, the more commitment they will give to implement it. Thus, when they beliefs in the usefulness of having the security system, they would changed their perceptions regarding the overall benefits of adopting such security system (Lippert and Govindarajulu, 2006). Regulatory Support: Regulatory support shows the most significant positive relationship with organizational commitment in security controls implementation (p < .05, ß = .334) (Table 7). This means that when regulatory support goes up by 1 standard deviation, organizational commitment in security controls implementation goes up by .334 standard deviations. Thus, hypothesis 8 (H8) is not rejected. This finding is opposite with Intan Salwani et al. (2008) which found that there is no relationship between regulatory support and e-commerce. This can be due to the different population of interest for this study that are financial, tourism and transportation sectors compared to tourism sector by Intan Salwani et al. (2008) as the main focus of the study. The reason for this relationship might come from the awareness of the government to provide sufficient legal protection, clear business law and to safeguard organizations confidential information as it might include government’s private information. Furthermore, it has become a trend for organizations nowadays, where they will only act, follow, and behave according to rules and laws as they are bound to do so. Organizations tend to avoid in giving commitment if there are not bound in any regulations to do such actions. Thus, by having a clear rules and strong support from the government, organizations tend to give more commitment towards security controls implementation. Vendor Support: Vendor support has a positive significant relationship with organizational commitment in security controls implementation (p < .05, ß = .269) (Table 7). This demonstrates that when vendor support goes up by 1 standard deviation, organizational commitment in security controls implementation goes up by .269 standard deviations. Therefore, hypothesis 9 (H9) is not rejected. This positive relationship is supported with theories by Kouki et al. (2006) that close relationship between vendor and the customer organization influence positively the successful implementation of security software. Most of organizations tend to stick to the same vendor for such a long time thus they manage to build close relationships with one another. According to Kouki et al. (2006) and Norzaidi and Intan Salwani (2010), by having close relationships, the vendor’s role is not only to offer and supply the security software to their customer organizations but the most important duty and responsibility is to transfer knowledge about the use of the software, understanding the business processes within the organization and recognizing best practice. Based on the research findings, this study meets the general objective that is to assess the drivers for organizational commitment towards the security controls implementation in computer-based accounting system specifically in Malaysia online services. All the three specific objectives are answered as follow: i. In determining to which technology characteristics’ factors such as technology competence, web functionalities, accounting software usage, and non-accounting software usage do give impact towards the organizational commitment in the implementation of security controls, the finding found that none of the variables have significant influence towards the organizational commitment in the implementation of security controls. This means that technology competence, web functionalities, accounting software usage, and non-accounting software usage were not good predictors of organizational commitment in security controls implementation. ii. The research’s finding shows that organizational characteristic’ factors such as firm size and management beliefs are good predictors as they have influence towards the organizational commitment in the


implementation of security controls. However, managerial awareness has no relationship and is not good predictors to organizational commitment in security controls implementation. iii. In determining whether environmental characteristics’ factors such as regulatory support and vendor support do give an impact on the organizational commitment in the implementation of security controls, the finding of this research found that both regulatory support and vendor support have a significant positive relationship with organizational commitment in the implementation of security controls. This show that regulatory support and vendor support are good predictors to organizational commitment in security controls implementation. Contribution of This Study to Bridge the Gaps of Knowledge: By conducting this research, the objectives to bridge the gaps of knowledge on the following issues have been achieved. i. This study contributes in minimizing the gap by looking not only at the security controls implementation issues but also the organizational commitment towards the security controls implementation in online services focusing on the services industries. ii. This research has contributes in minimizing the gap of publish work done by developing countries such as Malaysia in organizational commitment in security controls implementation. iii. By using the TOE Model in investigating the relationship between factors on security controls and organizational commitment in security controls implementation, this study contributes in adding up one more research and bridging the gap by increasing the number of researches that used TOE Model Malaysia. Implications of the Study: Based on the research findings, firm size, managerial awareness, regulatory support, and vendor support were found to have a positive significant influence towards organizational commitment in security controls implementation. This study has revealed that the commitment to implement security controls first comes from the management itself especially senior and top management through managerial awareness as well as the need to safeguard the organization’s reputation. At the same time, regulatory support from government to encourage security controls implementation among organizations are important as it was proven that they have a significant influence towards organizational commitment in security controls implementation. This could be done by developing laws together with policies and strategic directions as it assists in encouraging the use of such technologies in a secure environment. Besides, support from vendor is also crucial as it encourages and motivates organizations towards having more secured systems. Therefore, this study have highlighted that there are four factors that could drive the security controls implementation in computer-based accounting system. Recommendations: Recommendations that can be derived from the findings of this research is that, organizations that practice and use computer-based accounting system in their business operations should evaluate their adequacy of commitment in security controls implementation. Focus should be given to the four factors that drive the security control implementations which are firm size, managerial beliefs, regulatory support, and vendor support as they have significant influences to the computer-based accounting system. Security controls is very important since it assist in ensuring the integrity of financial statement as well as increasing the quality of financial information that will be used by managers in making decision. References Abu-Musa, A.A., 2005. Investigating the perceived threats of computerized accounting information systems in developing countries: An empirical study on Saudi organizations. Journal of King Saud Univ, 18: 1-26. Abu-Musa, A.A., 2006. Evaluating the security controls of CAIS in developing countries: The case of Saudi Arabia. The International Journal of Digital Accounting Research, 6: 25- 64. Ahmad, M., 2007. Implementation of electronic government in Malaysia: The status and potential for better service to the public. Public Sector ICT Management Review, 1(1): 2-10. Ali, S. and A.M. Maloain, 2010. The changing face of accounting in the era of electronic commerce in Saudi Arabia. Global Journal of Finance and Management, 2(2): 345-359. Anderson, B.J., M.D. Holmes and E. Ostresh, 1999. Male and female delinquents' attachments and effects of attachments on severity of self-reported delinquency. Criminal Justice and Behavior, (26:4): 435-452.


Baghdadi, Y., 2005. A business model for deploying web services: A data-centric approach based on factual dependencies. Journal of Information Sciences and E-Business, 3(2): 151-173. Banerjee, J. and A. Lloyd, 1995. Management accountants and technology. Management Accounting London, pp: 12-15. Barua, A., P. Konana, A.B. Whinston and F. Yin, 2001. Driving e-business excellence. Sloan Management Review, 43(1): 36-44. Bassellier, G., I. Benbasat and B.H. Reich, 2003. The influence of business managers’ IT competence on championing IT. Information Systems Research, (14:4): 317-336. Bertschek, I. and H. Fryges, 2002. The adoption of Business to business E-commerce: Empirical evidence for German companies. (Discussion paper number 02-05). Mannheim: Centre for European Economic Research. Bharadwaj, A.S., 2000. A resource-based perspective on information technology capability and firm performance: An empirical investigation. MIS Quarterly, 24(1): 169-196. Birman, K.P., 2004. Like it or not, web services are distributed objects. Communications of the ACM, 47(12): 60-62. Bulgurcu, B., H. Cavusoglu and I. Benbasat, (n.d.) The role of information security policy fairness and organizational commitment in managing information security. University of British Columbia. Chai, T. and G. Wen, 2010. On the improvement of accounting information quality by perfecting invoice management. International Journal of Business and Management, 5(2): 194-197. Charles, P.P. and L.P. Shari, 2003. Security in computing. Third Edition, Prentice Hall. Child, J., 1972. Organizational Structute, Environment and Performance: The Role of Strategic Choice. Sociology, 6: 1-22. Choi, S.Y., D.O. Stahl and A.B. Whinston, 1997. The economics of electronic commerce. New York: Macmillan Technical Publishing. Coltman, 2003. E-Business strategy and firm performance: a latent class assessment of the drivers and impediments to success. Journal of Information Technology, 22(2): 87-101 Control Objectives for Information and Related Technology (COBIT). Retrieved January 31, 2011 from www.ithelp.com. Cooke, T.E., 1998. Regression analysis in accounting disclosure studies. Accounting and Business Research, 28: 209-224. Crook, C.W. and R.L. Kumar, 1998. Electronic data interchange: A multi-industry investigation using grounded theory. Information and Management, 34(2): 75-89. Damanpour, F., 1992. Organizational size and innovation. Organization Studies, 13(3): 375-402. Dasgupta, S., D. Agarwal, A. Ioannidis and S. Gopalakrishnan, 1999. Determinants of information technology adoption: An extension of existing models to firms in a developing country. Journal of Global Information Management, 7(3): 41-49. Davis, J.A., 1971. Elementary survey analysis. Englewood, NJ: Prentice-Hall. Deloitte’s., 2006. global security survey, Global Financial Services Industry, pp: 3-42. Retrieved January 27, 2011 from http://www.itgovernance.co.uk/files/Deloitte150606globalsecuritysurvey.pdf Dennis, B.K.H., Y. Chen and S.R. Gary, 2008. On the informationization of accounting information in China: The perspective of accounting information systems and its regulatory framework in the USA. Journal of Modern Accounting and Auditing, 4(8): 17-29. Dorasamy, M. and M. Kaliannan, 2008. Providing government services online: An empirical survey of egovernment at Majlis Perbandaran Subang Jaya (MPSJ). Public Sector ICT Management Review, 2(1): 2228. Durbhakula, V.V.K. and D.J. Kim, 2009. E-business for nations: A study of national level e-business adoption factors using CBTG (country characteristics- business- technology- government) framework. E-business for Nations, Proceedings of the Second Annual SIG GlobDev Workshop, Phoenix, USA. Federal Accounting Standards Advisory Board, 1998. Accounting for internal use software. Statement of Federal Financial Accounting Standards, 10: 1-29. Gallivan, M.J., 2001. Organizational adoption and assimilation of complex technological innovations: development and application of a new framework. ACM SIGMIS Database. Special issue on adoption, diffusion, and infusion of IT, 32(3): 51-85. George, H.B. and S.H. William, 2004. Accounting Information Systems. Ninth Edition, Upper Saddle River: Pearson Prentice Hall. Gibbs, J.L. and K.L. Kraemer, 2004. A cross-country investigation of the determinants of scope of e-commerce use: an institutional approach. Electronic Markets, 14(2): 124-137. Ginsberg, A. and N. Venkatraman, 1992. Investing in new information technology: The role of competitive posture and issue diagnosis. Strategic Management Journal, Special Issue: Strategy Process: Managing Corporate Self-Renewal, 13: 37-53.


Gokhale, G.B. and D.A. Banks, (n.d.) Organisational information security: A viable system perspective. University of South Australia. Gould, S., 2001. Sourcing successfully in China. Supply Chain Management Review, 5(4): 44. Hair, J.F., Jr., R.E. Anderson, R.L. Tatham and W.C. Black, 2003. Multivariate Data Analysis. New Delhi: Pearson Education Hall. Hair, J.F., Jr., W.C. Black, B.J. Babin, R.E. Anderson and R.L. Tatham, 2006. Multivariate Data Analysis (Sixth Edition). Upper Saddle River: Pearson Prentice Hall. Hamid, M.R.A., 2007. A comparative analysis of internet banking in Malaysia and Thailand. Journal of Internet Business, 4: 1-19. Hara, T., 2006. A review of the double-entry accounting system and accrual accounting in the public sector. Government Auditing Review, 13: 3-15. Hirschi, T., 1969. Causes of Delinquency. Berkeley, CA: University of California Press. Hollenstein, H., 2004. Determinants of the adoption of information and communication technologies (ICT): An empirical analysis based on firm-level data for the Swiss business sector. Structural Change and Economic Dynamics, 15: 315-342. Hussey, J. and R. Hussey, 1997. Business research: A practical guide for undergraduate and postgraduate student. Great Britain: Macmillan Press Ltd. Igbaria, M. N. Zinatelli and A. Cavaye, 1998. Analysis of information technology success in small firms in New Zealand. International Journal of Information Management, 18(2): 103-119. Intan Salwani, M., G. Marthandan, M.D. Norzaidi and O. Normah, 2008. E-Commerce and value creation: Empirical evidence in Malaysia tourism sector. EABR and TLC Conference Proceedings, Rothenburg Germany, pp: 1-15. Intan Salwani, M., M.D. Norzaidi, S.C. Chong and L. Binshan, 2009. Factors determining organizational commitment on security controls in accounting-based information systems. International Journal of Services and Standards, 5(1/2009): 51-66. Intan Salwani, M. and M.D. Norzaidi, 2005. Computer-based accounting system and security controls over accounting information. IPTA Research Exhibition and Competition 2005, PWTC Kuala Lumpur. Ismail, N.A., S.N. Abdullah and M. Tayib, 2003. Computer-based accounting systems: The case of manufacturing-based small and medium enterprises in the northern region of peninsular Malaysia. Jurnal Teknologi, 39: 19-36. Jenkins, P.H., 1997. School delinquency and the school social bond. Journal of Research in Crime and Delinquency, (34:3): 337. Jensen, J.R., 2005. Introductory digital image processing: A remote sensing perspective. Upper Saddle River: Prentice-Hall. Karakaya, F. and O. Khalil, 2004. Determinants of internet adoption in small and medium-sized enterprises. International Journal of Internet and Enterprise Management, 2(4): 341-365. Kenneth, J.K., E.M.R. Thomas, R.J. Kelly and W.M. Dorsey, 2006. The top information security issues facing organizations: What can government do to help?. Information Security and Risk Management, pp: 51-58. Khatibi, A., A. Haque, H. Ismail and S. Al Mahmud, 2007. Factors driving electronic commerce initiative in Malaysian’ organization. Journal of Social Science, 14(1): 1-11. Ko, M. and C. Dorantes, 2006. The impact of information security breaches on financial performance of the breached firms: An empirical investigation. Journal of Information Technology Management, 17(2): 13-22. Konings, J. and F. Roodhooft, 2002. The effect of e-business on corporate performance: Firm level evidence for Belgium. De Economist, 150(5): 569-581. Kouki, R., D. Poulin and R. Pellerin, 2006. ERP assimilation challenge: An integrative framework for a better post-implementation assimilation. Working Paper DT-2006-DP-1, Interuniversity Research Center on Enterprise Networks, Logistics and Transportation (CIRRELT), Canada. Kraemer, K.L., J. Dedrick, N. Melville and K. Zhu, 2006. Global E-Commerce: Impacts of National Environments and Policy. Cambridge, UK: Cambridge University Press. Kuan, K.K.Y. and P.Y.K. Chau, 2001. A perception-based model for EDI adoption in small businesses using a technology-organization-environment framework. Information and Management, 38(8): 507-521. Liao, Q. and X. Luo, (n.d.) Studying computer security in a mis degree program. pp: 226-235. Lippert, S.K. and C. Govindarajulu, 2006. Technological, organizational, and environmental antecedents to web services adoption. Communications of the IIMA, 6(1): 146-158. Ma, Q. and P. Ratnasingam, 2008. Factors affecting the objectives of information security management. International Conference on Information Resources Management (CONF-IRM), CONFIRM 2008 Proceedings, Paper 29. Malaysia in Focus., RM470 million investment for internet in Sarawak. Retrieved February 1, 2011 from www.malaysiainfocus.com


Malaysia Internet Usage Stats and Marketing Report, (2010). Internet World Stats. Retrieved January 12, 2011 from http://www.internetworldstats.com/asia/my.htm Mansor, N. and A.F.A. Abidin, 2010. The application of e-commerce among Malaysian small medium enterprises. European Journal of Scientific Research, 41(4): 590-604. Mark, D.L. and C. Nancy, 2010. Exploration of accounting software usage: An empirical research applied on the Pennsylvania home building industry. International Journal of Management and Information Systems, 14(1). Miles, J. and M. Shevlin, 2001. Applying regression and correlation, a guide for students and researchers. Great Britain: SAGE Publications Ltd. Muncaster, P., 2006. IT Decision-makers more concerned about security. VNU Network, Retrieved from http://www.vnunet.com/articles/2150356 Nor, K.M., (n.d.) Malay, Chinese and internet banking: An exploratory study in Malaysia. Department of Management, Faculty of Management and Human Resource Development, Universiti Teknologi Malaysia, 81310 Skudai Johor Malaysia. Norzaidi, M.D., S.C. Chong, M. Intan Salwani and L. Binshan, 2011. The indirect effects of intranet functionalities on middle managers’ performance: evidence from the maritime industry. Kybernetes, 40(½): 166-181. Norzaidi, M.D. and M. Intan Salwani, 2010. Evaluating the intranet acceptance with the extended tasktechnology fit model: empirical evidence in Malaysian maritime industry. International Journal of Arts and Sciences, 3(12): 294-306. Norzaidi, M.D., S.C. Chong, M. Intan Salwani and K. Rafidah, 2008. A study of intranet usage and resistance in Malaysia’s port industry, Journal of Computer Information Systems, 49(1): 37-47. Norzaidi, M.D., S.C. Chong, R. Murali and M. Intan Salwani, 2009. Towards a holistic model in investigating the effects of intranet usage on managerial performance: a study on Malaysian port industry, Maritime Policy and Management, 36(3): 269-289. Ong, J.W. and H. Ismail, 2008. Sustainable competitive advantage through information technology competence: Resource-based view on small and medium enterprises. Communications of the IBIMA, 1: 62-70. Online Available: Retrieved February 5, 2011 from https://www.javelinstrategy.com Online Available: Retrieved February 9, 2011 from www.findwhitepapers.com Online Available: Retrieved January 15, 2011 from www.docstoc.com Online Available: Retrieved January 27, 2011 from www.securelist.com Online Available: Retrieved January 7, 2011 from www.banknegaramalaysia.com Online Available: Retrieved January 7, 2011 from www.mah.com Online Available: Retrieved January 8, 2011 from www.mot.gov.com.my Paynter, J. and J. Lim, 2001. Drivers and impediments to e-commerce in Malaysia. Malaysian Journal of Library and Information Science, 6(2): 1-19. Peters, S., 2009. CSI Computer Crime and Security Survey. 14th Annual Executive Summary. Phocus Wright Survey, 2007. Retrieved February 1, 2011 from http://www.phocuswright.com Quinn, J.B., J.J. Baruch and K.A. Zien, 1997. Innovation explosion: Using intellect and software to revolutionized growth strategies. The Free Press. Rajagopalan, N. and G.M. Spreitzer, 1996. Toward a theory of strategic change: A multi-lens perspective and integrative framework. Academy of Management review 22(1): 48-79. Recommended Security Controls for Federal Information Systems and Organizations, 2009. National Institute of Standards and Technology, U.S Department of Commerce, NIST Special Publication 800-53, Revision 3: 1-27. Report of the working group on information security, electronic banking, technology risk management and tackling cyber frauds, (2011), Reserve Bank of India, Mumbai. Rogers, E.M., 1983. Diffusion of Innovations (3rd Edition). New York: The Free Press. Roscoe, J.T., 1975. Fundamental research statistics for the behavioral sciences. (2nd Edition.). New York: Holt, Rinehart and Winston. Saad, S.A., 2006. New approach for assessing the maturity of information security. JournalISACA, 3: 1-7. Sajady, H., M. Dastgir and N.H.M.S. Hashem, 2008. Evaluation of the effectiveness of accounting information systems. International Journal of Information Science and Technology, 6(2): 50-59. Salehi, M., A. Mansoury and R. Pirayesh, 2009. Firm size and audit regulation and fraud detection: Empirical evidence from Iran. ABAC Journal, 29(1): 53-65. Salkind, N.J., 2008. Exploring research (7, illustrated ed.). Upper Saddle River, N.J. : Prentice. Sciadas, G., 2004. International benchmarking for the information society. ITU-KADO digital bridges symposium, Asia Telecom 2004, Busan, Republic of Korea. Sekaran, U., 2003. Research Methods for Business. New York, NY: John Wiley and Sons, Inc.


Shah, J.R. and M.B. Murtaza, 2005. Effective customer relationship management through web services. The Journal of Computer Information Systems, 46(1): 98-109. The security risk management guide of California. Information Security Controls, 2006. San Francisco, California, pp: 1-3. Retrieved January 17, 2011 from http://security.arizona.edu/files/controls.pdf Tornatzky, L.G. and M. Fleischer, 1990. The processes of technological innovation. Lexington, MA: Lexington Books. Trade and Transport Facilitation. The Malaysian Experience and Milestones Services Development Division. Ministry of International Trade and Industry (MITI) Malaysia (n.d.). Turban, E. and D. King, 2003. Introduction to e-commerce. Prentice Hall. Turban, E., D. King, J.K. Lee and D. Viehland, 2004. Electronic Commerce: A Managerial Perspective. Upper Saddle River, New Jersey: Pearson Education International. Walter, A. and T. Ritter, 2005. Information technology competence and value creation in supplier-customer relationships. Journal of Relationship Marketing, 3: 45-59. Wen, H.J., B. Lim and H.L. Huang, 2003. Measuring e-commerce efficiency: A data envelopment analysis (DEA) approach. Industrial Management and Data Systems, 103(9): 703-710. William, C.S., 1997. World-wide web survey research: Benefits, potential problems and solutions. Behavior Research Methods, Instruments and Computers, 29(2): 274-279. Yasak, M.N., (n.d.) Development of ecotourism in Malaysia. Department of Wildlife and National Park Malaysia, pp: 84-87. Yeo, A.C., M.M. Rahim and L. Miri, (n.d.) Understanding factors affecting success of information security risk assessment: The case of an Australian higher educational institution. Clayton School of Information Technology, Monash University. Zaltman G., R. Duncan and J. Holbek, 1973. Innovation and Organization. United States: John Wiley and Sons. Zhu, K. and K.L. Kraemer, 2005. Post-adoption variations in usage and value of e-business by organizations: Cross-country evidence from the retail industry. Information Systems Research, (16:1): 61-84. Zhu, K., K.L. Kraemer and S. Xu, 2006. The process of innovation assimilation by firms in different countries: A technology diffusion perspective on e-business. Management Science, 52(10): 1557-1576. Zin, A.N.M. and Z. Yunos, 2005. How to make online banking secure. Published in The Star in Tech., pp: 1-5.