Original Articles

How senior management and workplace norms influence information security attitudes and self-efficacy

Pages 50-65 | Received 07 Feb 2016, Accepted 20 Oct 2017, Published online: 16 Nov 2017

