Toward a better understanding of SMB CEOs' Information Security Behavior: Insights from Threat or Coping appraisal
DOI: https://doi.org/10.37380/jisib.v5i1.109
Keywords: Protection Motivation Theory, Coping, CEO, SMB, Behavior, Information Security
Abstract
This study presents an empirical investigation of the factors affecting SMB CEOs' decisions whether or not to improve their company's information security (ISS). We developed a research model by adopting the protection motivation theory (PMT) to investigate the effect of threat and coping appraisal on protective actions. We conducted a questionnaire-based survey with SMB CEOs. Prior studies using PMT have never focused on SMB CEOs' behavior, and we postulate that in SMBs where there is no CIO or even IT people, the CEO's actions are of utmost importance for achieving satisfactory ISS.
Copyright (c) 2015 Journal of Intelligence Studies in Business
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.