Institutional pressures in security management: Direct and indirect influences on organizational investment in information security control resources

Highlights

Organizations invest in three types of information security control resources (ISCR).
Internal security needs assessment (ISNA) affects the level of ISCR in organizations.
Key activities of ISNA are security investment rationale and risk analysis.
Institutional pressures affect ISCR directly and indirectly through ISNA.
Coercive and normative pressures are two critical institutional pressures.

Abstract

To offer theoretical explanations of why differences exist in the level of information security control resources (ISCR) among organizations, we develop a research model by applying insights obtained from the resource-based theory of the firm and institutional theory. The results, based on data collected through a survey of 241 organizations, generally support our research model. Institutional pressures and internal security needs assessment (ISNA) significantly explain the variation in organizational investment in ISCR. Specifically, coercive and normative pressures are found to have not only a direct impact but also an indirect impact, through ISNA, on organizational investment in ISCR.
