Toward a better understanding of SMB CEOs' Information Security Behavior: Insights from Threat or Coping appraisal

Authors

  • Yves Barlette Montpellier Business School Author
  • Katherine Gundolf Montpellier Business School Author
  • Annabelle Jaouen Montpellier Business School Author

DOI:

https://doi.org/10.37380/jisib.v5i1.109

Keywords:

Protection Motivation Theory, Coping, CEO, SMB, Behavior, Information Security

Abstract

This study presents an empirical investigation of the factors affecting SMB CEOs' decision whether or not to improve their company's information security (ISS). We developed a research model based on protection motivation theory (PMT) to investigate the effect of threat appraisal and coping appraisal on protective actions, and we conducted a questionnaire-based survey of SMB CEOs. Prior studies using PMT have not focused on SMB CEOs' behavior; we postulate that in SMBs, where there is often no CIO or even dedicated IT staff, the CEO's own actions are of utmost importance for achieving a satisfactory level of ISS.

References

Anderson, C.L. and Agarwal, R., (2010). "Practicing safe computing: a multimethod empirical examination of computer user security behavioral intentions", MIS Quarterly, Vol. 34, n°3, p. 613-643. DOI: https://doi.org/10.2307/25750694

Anderson, E.E. and Choobineh, J. (2008). "Enterprise information security strategies", Computers & Security, n°27, p. 22-29. DOI: https://doi.org/10.1016/j.cose.2008.03.002

Ashenden, D. (2008). "Information security management: A human challenge?", Information security technical report, n°13, p. 195-201. DOI: https://doi.org/10.1016/j.istr.2008.10.006

Avolio, F.M. (2000). "Best practices in network security: as the networking landscape changes, so must the policies that govern its use. Don’t be afraid of imperfection when it comes to developing those for your group." Network Computing Vol. 60, n°20, p. 60-72.

Bandura, A. (1994). Self-efficacy. In V.S. Ramachaudran (Ed.), Encyclopedia of human behavior, Vol. 4, p. 71-81, New York, NY: Academic Press.

Barlette, Y. (2012). "Implication et action des dirigeants : quelles pistes pour améliorer la sécurité de l'information en PME", Systèmes d'Information et Management, Vol. 17, n°2, p. 115-149. DOI: https://doi.org/10.3917/sim.122.0115

Boss, S.R., Kirsch, L.J., Angermeier, I., Shingler, R.A. and Boss, R.W. (2009). "If someone is watching, I'll do what I'm asked: mandatoriness, control and information security", European Journal of Information Systems, n°18, p. 151-164. DOI: https://doi.org/10.1057/ejis.2009.8

Bruce, G. and Dempsey R. (1997). Security in Distributed Computing - Did You Lock the Door? Hewlett Packard Company, Palo Alto, USA.

Bulgurcu, B., Cavusoglu, H. and Benbasat, I. (2010). "Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness", MIS Quarterly, Vol. 34, n°3, p. 523-548. DOI: https://doi.org/10.2307/25750690

Chu, A. M. Y. and Chau, P. Y. K. (2014). "Development and validation of instruments of information security deviant behavior", Decision Support Systems, Vol. 66, p. 93-101. DOI: https://doi.org/10.1016/j.dss.2014.06.008

Dong, L. (2008). "Exploring the impact of top management support of enterprise systems implementations outcomes", Business Process Management Journal, Vol. 14, n°2, p. 204-218. DOI: https://doi.org/10.1108/14637150810864934

Dong, L., Neufeld, D. and Higgins, C. (2009). "Top management support of enterprise systems implementations", Journal of Information technology, n°24, p. 55-80. DOI: https://doi.org/10.1057/jit.2008.21

Dutta, A. and McCrohan, K. (2002). "Management's role in information security in cyber economy". California Management Review, Vol. 45, n°1, p. 67-87. DOI: https://doi.org/10.2307/41166154

European Commission, (2014), Annual report on European SMEs 2013-2014, EU publication office, 124p.

Forcht, K.A. and Ayers, W.C. (2000). "Developing a computer security policy for organizational use and implementation", Journal of Computer Information Systems, Vol. 41, n°2, p. 52-57. DOI: https://doi.org/10.1080/08874417.2002.11646992

Friend, M. and Pagliari, L.R. (2000). "Establishing a safety culture: getting started", Professional Safety, Vol. 45, n°5, p. 30-32.

Grover, V. (1993). "Empirically derived model for the adoption of customer-based inter-organizational systems", Decision Sciences, Vol. 24, n°3, p. 603-639. DOI: https://doi.org/10.1111/j.1540-5915.1993.tb01295.x

Gupta, A. and Hammond, R. (2005). "Information systems security issues and decisions for small businesses: an empirical examination", Information Management and Computer Security, Vol. 13, n°4, p. 297-310. DOI: https://doi.org/10.1108/09685220510614425

Herath, T. and Rao, H.R. (2009). "Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness", Decision Support Systems, Vol. 47, n°2, p. 154-165. DOI: https://doi.org/10.1016/j.dss.2009.02.005

Hofstede, G., Neuijen, B., Daval-Ohayv, D. and Sanders, G. (1990). "Measuring organizational cultures: a qualitative and quantitative study across twenty cases", Administrative science quarterly, Vol. 35, p. 286-316, Cornell university. DOI: https://doi.org/10.2307/2393392

Ifinedo, P. (2012), "Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory", Computers & Security, Vol. 31, p. 83-95. DOI: https://doi.org/10.1016/j.cose.2011.10.007

Jarvenpaa, S.L. and Ives, B. (1991). "Executive involvement and participation in the management of information technology". MIS Quarterly, Vol. 15, n°2, p. 205-227. DOI: https://doi.org/10.2307/249382

Johnston, A.C. and Hale, R. (2009). "Improved Security through Information Security Governance", Communications of the ACM, Vol. 52, n°1, p. 126-129. DOI: https://doi.org/10.1145/1435417.1435446

Johnston, A.C., Warkentin, M. and Siponen, M. (2015). "An Enhanced Fear Appeal Rhetorical Framework: Leveraging Threats to the Human Asset Through Sanctioning Rhetoric", MIS Quarterly, Vol. 39, n°1, p. 113-134. DOI: https://doi.org/10.25300/MISQ/2015/39.1.06

Kankanhalli, A., Teo, H.-H., Tan, B.C.Y. and Wei, K.-K. (2003). "An integrative study of information systems security effectiveness", International Journal of Information Management, n°23, p. 139-154. DOI: https://doi.org/10.1016/S0268-4012(02)00105-6

Knapp, K.J., Marshall, T.E., Rainer, R.K. and Ford, F.N. (2006). "Information security: management's effect on culture and policy", Information Management & Computer Security, Vol. 14, n°1, p. 24-36. DOI: https://doi.org/10.1108/09685220610648355

Kotulic, A. and Clark, J.G. (2004). "Why there aren't more information security research studies". Information and Management, Vol. 41, n°5, p. 597-607. DOI: https://doi.org/10.1016/j.im.2003.08.001

Kyobe, M. (2008). "The impact of entrepreneur behaviours on the quality of e-commerce security: A comparison of urban and rural findings", Journal of global information technology management, Vol. 11, n°2, p. 58-79. DOI: https://doi.org/10.1080/1097198X.2008.10856467

Labodi, C. and Michelberger, P. (2010). "Necessity or challenge – Information Security for small and Medium Enterprises", Annals of the university of Petrosani, Economics, Vol. 10, n°3, p. 207-216.

Lazarus, R. S. (1991). Emotion and adaptation, Oxford University Press, NY. DOI: https://doi.org/10.1093/oso/9780195069945.001.0001

Lee, Y. and Larsen, K. R. (2009). "Threat or coping appraisal: determinants of SMB executives' decision to adopt anti-malware software", European Journal of Information Systems, Vol. 18, p. 177-187. DOI: https://doi.org/10.1057/ejis.2009.11

Liang, H. and Xue, Y. (2010). "Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective", Journal of the AIS, Vol. 11, n°7, p. 394-413. DOI: https://doi.org/10.17705/1jais.00232

Longeon, R. and Archimbaud, J.L. (1999). Guide de la sécurité des S.I. à l'usage des directeurs, CNRS, Paris.

Loonam, J.A. and McDonagh, J. (2005). "Exploring Top Management Support for the introduction of Enterprise Information Systems: A Literature Review", The Irish Journal of Management, Vol. 26, n°1, p. 163-178.

Lucas, H.C. Jr. (1981). Implementation: the key to successful information systems, New York, NY: Columbia University Press.

Markus, M.L. (1983). "Power, politics, and MIS implementation", Communications of the ACM, Vol. 26, n°6, p. 430-444. DOI: https://doi.org/10.1145/358141.358148

Mitchell, R.C., Marcella, R. and Baxter, G. (1999). "Corporate information security management". New Library World Vol. 100, n°1150, p. 213-227. DOI: https://doi.org/10.1108/03074809910285888

Monnoyer, M.C. (2003). Le manager confronté à la décision d'investissement en TIC, in Boutary, TIC et PME: des usages aux stratégies, Paris: l'Harmattan.

Pahnila, S., Siponen, M. and Mahmood, A. (2007). "Employees' behavior towards IS security policy compliance", 40th Hawaii International Conference on Systems Science (HICSS), January 3-6, IEEE, Los Alamitos. DOI: https://doi.org/10.1109/HICSS.2007.206

Pinto, J.K. and Slevin, D.P. (1987). "Critical factors in successful project implementation". IEEE Transactions on Engineering Management, Vol. EM-34, n°1, p. 22-27. DOI: https://doi.org/10.1109/TEM.1987.6498856

Podsakoff, P.M., MacKenzie, S.B., Lee, J.Y. and Podsakoff, N.P. (2003). "Common method biases in behavioral research: a critical review of the literature and recommended remedies", Journal of Applied Psychology, Vol. 88, n°5, p. 879-903. DOI: https://doi.org/10.1037/0021-9010.88.5.879

Pritchard, S. (2010). "Navigating the black hole of small business security", Infosecurity, Sept. Oct., p. 18-21. DOI: https://doi.org/10.1016/S1754-4548(10)70085-1

Ragu-Nathan, B.S., Apigian, C.H., Ragu-Nathan, T.S. and Tu, Q. (2004). "A path analytic study of the effect of top management support for information systems performance", Omega, Vol. 32, p. 459-471. DOI: https://doi.org/10.1016/j.omega.2004.03.001

Rainer, R.K., Marshall T.E., Knapp, K.J. and Montgomery, G.H. (2007). "Do Information Security Professionals and Business Managers View Information Security Issues Differently?", Information Systems Security, n°16, p. 100-108. DOI: https://doi.org/10.1080/10658980701260579

Rees, J. (2010). "Information security for small and medium-sized business", Computer Fraud & Security, Vol. 9, p. 18-19. DOI: https://doi.org/10.1016/S1361-3723(10)70123-8

Reid, R.C. and Gilbert, A.H. (2009). "Cognitive Support for Senior Manager's Decision Making In Information Systems Security". Proceedings of the Academy of Information and Management Sciences, Vol. 13, n°1, p. 58-62.

Robinson, S. and Volonino, L. (2004). Principles and practices of information security, Pearson Prentice Hall, New Jersey.

Rockart, J.F. and Crescenzi, A.D. (1984). "Engaging top management in information technology". Sloan Management Review, Vol. 25, n°4, p. 3-16.

Rogers, R. (1983). "Cognitive and psychological processes in fear-based attitude change: a revised theory of protection motivation", in Social Psychophysiology: a sourcebook, J. Cacioppo & R. Petty (Eds.), Guilford Press, NY, p. 153-176.

Rondeau, P. J., Ragu-Nathan, T. S. and Vonderembse, M. A. (2006). "How involvement, IS management effectiveness, and end-user computing impact IS performance in manufacturing firms", Information & Management, Vol. 43, n°1, p. 93-107. DOI: https://doi.org/10.1016/j.im.2005.02.001

Ross, J. and Weill, P. (2002). "Six decisions your IT people shouldn't make", Harvard Business Review, November, p. 85-91.

Ryan, J. (2004). "Information security tools and practices: What works?", IEEE Transactions on Computers, n°53, p. 1060-1064. DOI: https://doi.org/10.1109/TC.2004.45

Siponen, M., Mahmood, M. A, and Pahnila, S. (2014). "Employees' adherence to information security policies: An exploratory field study", Information & Management, Vol. 51, p. 217-224. DOI: https://doi.org/10.1016/j.im.2013.08.006

Stemberger, M.I., Manfreda, A. and Kovacic, A. (2011). "Achieving top management support with business knowledge and role of IT/IS personnel", International Journal of Information Management, Vol. 31, p. 428-436. DOI: https://doi.org/10.1016/j.ijinfomgt.2011.01.001

Stevens, J.M., Beyer, J.M. and Trice, M.H. (1978). "Assessing personal role and organizational predictors of managerial commitment", Academy of Management Journal, n°21, p. 380-396. DOI: https://doi.org/10.2307/255721

Vance, A., Siponen, M. and Pahnila, S. (2012). "Motivating IS security compliance: Insights from habit and Protection Motivation Theory", Information & Management, Vol. 49, p. 190-198. DOI: https://doi.org/10.1016/j.im.2012.04.002

Venkatesh, V., Morris, M.G., Davis, G.B. and Davis, F.D. (2003). "User acceptance of information technology: Toward a unified view", MIS Quarterly, Vol. 27, n°3, p. 425-478. DOI: https://doi.org/10.2307/30036540

Vermeulen, C. and von Solms, R. (2002). "The information security management toolbox: Taking the pain out of security management", Information Management & Computer Security, Vol. 10, n°3, p. 119-125. DOI: https://doi.org/10.1108/09685220210431872

Williams, P. (2007). "Executive and board roles in information security", Network Security, n°8, p. 11-14. DOI: https://doi.org/10.1016/S1353-4858(07)70073-9

Wolcott, P., Kamal, M., Qureshi, S. (2008). "Meeting the challenges of ICT adoption by micro-enterprises", Journal of Enterprise Information Management, Vol. 21, n°6, p. 616-632. DOI: https://doi.org/10.1108/17410390810911212

Workman, M., Bommer, W. H. and Straub, D. (2008). "Security lapses and the omission of information security measures: A threat control model and empirical test", Computers in Human Behavior, Vol. 24, p. 2799-2816. DOI: https://doi.org/10.1016/j.chb.2008.04.005

Yoon, C. and Kim, H. (2013). "Understanding computer security behavioral intention in the workplace", Information Technology & People, Vol. 26, n°4, p. 401-419. DOI: https://doi.org/10.1108/ITP-12-2012-0147

Zwikael, O. (2008). "Top management involvement in project management: Exclusive support practices for different project scenarios", International Journal of Managing Projects in Business, Vol. 1, n°3, p. 387-403. DOI: https://doi.org/10.1108/17538370810883837

Published

2015-06-05

How to Cite

Barlette, Y., Gundolf, K., & Jaouen, A. (2015). Toward a better understanding of SMB CEOs’ Information Security Behavior: Insights from Threat or Coping appraisal. Journal of Intelligence Studies in Business, 5(1), 5-17. https://doi.org/10.37380/jisib.v5i1.109