Information system security commitment: A study of external influences on senior management

This paper investigated how senior management is motivated to commit to information system (IS) security. Prior research shows that senior management participation is critical to successful IS security, but has not explained how senior managers are motivated to participate in it. Information systems research also shows that pressures external to the organization have greater influence on senior managers than internal pressures; however, research has not fully examined how external pressures motivate senior management participation in IS security. This study addressed that gap by examining how external pressures motivate senior management participation in IS security through the lens of neo-institutional theory.

The research design was survey research. Data were collected through an online survey, and partial least squares (PLS) was used for data analysis. The sample size was 167, drawn from a study population of small- and medium-sized enterprises (SMEs) in a mix of industries in the south-central United States.

Results supported three of six hypotheses. Mimetic mechanisms were found to influence senior management belief in IS security, and senior management belief in IS security was found to increase senior management participation in IS security. Greater senior management participation in IS security led to greater IS security assimilation in organizations. Three hypotheses were not supported: no correlation was found between normative influences and senior management belief, between normative influences and senior management participation, or between coercive influences and senior management participation.

This study shows that IS security-related mimetic influences have greater impact on senior leaders of SMEs than coercive or normative influences, which may be explained by the absorptive capacity of SMEs. Absorptive capacity refers to the ability of an organization to assimilate a technology. However, absorptive capacity may affect more than just technology assimilation, and may extend to how senior management responds to external influences.
