Toward a better understanding of SMB CEOs' Information Security Behavior: Insights from Threat or Coping appraisal
DOI:
https://doi.org/10.37380/jisib.v5i1.109
Keywords:
Protection Motivation Theory, Coping, CEO, SMB, Behavior, Information Security
Abstract
This study presents an empirical investigation of the factors affecting SMB CEOs' decisions to improve, or not, their company's information security (ISS). We developed a research model by adopting protection motivation theory (PMT) to investigate the effect of threat and coping appraisal on protective actions. We conducted a questionnaire-based survey with SMB CEOs. Prior studies using PMT have never focused on SMB CEOs' behavior, and we postulate that in SMBs where there is no CIO or even IT people, the CEO's actions are of utmost importance for achieving satisfactory ISS.
License
Copyright (c) 2015 Journal of Intelligence Studies in Business

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.