Information Security Effectiveness: Conceptualization and Validation of a Theory

Taking a sequential qualitative-quantitative methodological approach, we propose and test a theoretical model that includes four variables through which top management can positively influence security effectiveness: user training, security culture, policy relevance, and policy enforcement. During the qualitative phase of the study, we generated the model based on textual responses to a series of questions given to a sample of 220 information security practitioners. During the quantitative phase, we analyzed survey data collected from a sample of 740 information security practitioners. After data collection, we analyzed the survey responses using structural equation modeling and found evidence to support the hypothesized model. We also tested an alternative, higher-order factor version of the original model that demonstrated an improved overall fit and general applicability across the various demographics of the sampled data. We then linked the findings of this study to existing top management support literature, general deterrence theory research, and the theoretical notion of the dilemma of the supervisor.
