Advanced search
Publication Cover
Behaviour & Information Technology Volume 41, 2022 - Issue 10
Submit an article Journal homepage
528
Views
0
CrossRef citations to date
0
Altmetric
Articles

Should we wear a velvet glove to enforce Information security policies in higher education?

Hwee-Joo Kama Sykes College of Business, University of Tampa, Tampa, FL, USAORCID Iconhttps://orcid.org/0000-0002-1828-6620
ORCID Icon,
Dan J. Kimb Fulbright Sr. Scholar & Professor of Information Technology & Decision Sciences, G. Brint Ryan College of Business, University of North Texas, Denton, TX, USAORCID Iconhttps://orcid.org/0000-0002-1195-717X
ORCID Icon &
Wu Hec Department of Information Technology & Decision Sciences, Strome College of Business, Old Dominion University, Norfolk, VA, USACorrespondence[email protected]
Pages 2259-2273 | Received 08 Dec 2019, Accepted 10 Apr 2021, Published online: 25 Apr 2021

References

  • Asadi, Z., M. Abdekhoda, and H. Nadrian. 2020. “Cloud Computing Services Adoption Among Higher Education Faculties: Development of a Standardized Questionnaire.” Education and Information Technologies 25 (1): 175–191. doi:10.1007/s10639-019-09932-0.
  • Ashforth, B. E., K. M. Rogers, and K. G. Corley. 2011. “Identity in Organizations: Exploring Cross-Level Dynamics.” Organization Science 22 (5): 1144–1156.
  • Bongiovanni, I. 2019. “The Least Secure Places in the Universe? A Systematic Literature Review on Information Security Management in Higher Education.” Computers & Security 86: 350–357.
  • Boss, S., D. Galletta, P. Lowry, G. Moody, and P. Polak. 2015. “What Do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear That Motivate Protective Security Behaviors.” MIS Quarterly 39 (4): 837–864.
  • Boss, S. R., L. J. Kirsch, I. Angermeier, R. A. Shingler, and R. W. Boss. 2009. “If Someone is Watching, I’ll Do What I’m Asked: Mandatoriness, Control, and Information Security.” European Journal of Information Systems 18 (2): 151–164.
  • Brinkhurst, M., P. Rose, G. Maurice, and J. D. Ackerman. 2011. “Achieving Campus Sustainability: top-Down, Bottom-up, or Neither?” International Journal of Sustainability in Higher Education 12 (4): 338–354.
  • Bulgurcu, B., H. Cavusoglu, and I. Benbasat. 2010. “Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness.” MIS Quarterly 34 (3): 523–548. doi:10.2307/25750690.
  • Cameron, K., and J. Smart. 1998. “Maintaining Effectiveness Amid Downsizing and Decline in Institutions of Higher Education.” Research in Higher Education 39 (1): 65–86. JSTOR.
  • Cameron, K. S., and M. Tschirhart. 1992. “Postindustrial Environments and Organizational Effectiveness in Colleges and Universities.” The Journal of Higher Education 63 (1): 87–108.
  • Chan, M., I. Woon, and A. Kankanhalli. 2005. “Perceptions of Information Security in the Workplace: Linking Information Security Climate to Compliant Behavior.” Journal of Information Privacy and Security 1 (3): 18–41.
  • Chang, E. S., and C. Lin. 2007. “Exploring Organizational Culture for Information Security Management.” Industrial Management & Data Systems 107 (3): 438–458.
  • Chatman, J. A., and K. A. Jehn. 1994. “Assessing the Relationship between Industry Characteristics and Organizational Culture: How Different Can You Be?” Academy of Management Journal 37 (3): 522–553. doi:10.5465/256699.
  • Chen, H., and W. Li. 2019. “Understanding Commitment and Apathy in is Security Extra-Role Behavior from a Person-Organization Fit Perspective.” Behaviour & Information Technology 38 (5): 454–468.
  • Chen, Y., K. Ramamurthy, (Ram), & K.-W. Wen. 2015. “Impacts of Comprehensive Information Security Programs on Information Security Culture.” Journal of Computer Information Systems 55 (3): 11–19.
  • Cheng, L., Y. Li, W. Li, E. Holm, and Q. Zhai. 2013. “Understanding the Violation of IS Security Policy in Organizations: An Integrated Model Based on Social Control and Deterrence Theory.” Computers & Security 39: 447–459. doi:10.1016/j.cose.2013.09.009.
  • Chin, W. W. 1998. “The Partial Least Squares Approach to Structural Equation Modeling.” In Modern Methods for Business Research, edited by G. A. Marcoulides, 295–336. Mahwah, NJ: Lawrence Erlbaum Associates Publishers.
  • Cohen, J. 1977. Statistical Power Analysis for the Behavioral Sciences. Mahwah, NJ: Lawrence Erlbaum Associates, Inc.
  • Cuganesan, S., C. Steele, and A. Hart. 2018. “How Senior Management and Workplace Norms Influence Information Security Attitudes and Self-Efficacy.” Behaviour & Information Technology 37 (1): 50–65. doi:10.1080/0144929X.2017.1397193.
  • Curnalia, R. M. L., and D. Mermer. 2018. “Renewing Our Commitment to Tenure, Academic Freedom, and Shared Governance to Navigate Challenges in Higher Education.” Review of Communication 18 (2): 129–139. doi:10.1080/15358593.2018.1438645.
  • D’Arcy, J., and T. Herath. 2011. “A Review and Analysis of Deterrence Theory in the IS Security Literature: Making Sense of the Disparate Findings.” European Journal of Information Systems 20 (6): 643–658.
  • D’Arcy, J., A. Hovav, and D. Galletta. 2009. “User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach.” Information Systems Research 20 (1): 79–98. doi:10.1287/isre.1070.0160.
  • D’Arcy, J., and P. Lowry. 2019. “Cognitive-Affective Drivers of Employees’ Daily Compliance with Information Security Policies: A Multilevel, Longitudinal Study.” Information Systems Journal 29: 43–69. doi:10.1111/isj.12173.
  • Dastmalchian, A., S. Lee, and I. Ng. 2000. “The Interplay between Organizational and National Cultures: A Comparison of Organizational Practices in Canada and South Korea Using the Competing Values Framework.” The International Journal of Human Resource Management 11 (2): 388–412.
  • Denison, D. R., and G. M. Spreitzer. 1991. “Organizational Culture and Organizational Development: A Competing Values Approach.” Research in Organizational Change and Development 5 (1): 1–21.
  • Dill, D. D. 1982. “The Management of Academic Culture: Notes on the Management of Meaning and Social Integration.” Higher Education 11 (3): 303–320.
  • Dill, D. D. 2003. “An Institutional Perspective on Higher Education Policy: The Case of Academic Quality Assurance.” In Higher Education: Handbook of Theory and Research, edited by J. C. Smart, 669–699. Dordrecht: Springer Netherlands.
  • Dillman, D. A., J. D. Smyth, and L. M. Christian. 2014. Internet, Phone, Mail, and Mixed-Mode Surveys: The Tailored Design Method. 4th ed. Hoboken, NJ: Wiley.
  • dos Santos, L. M. R., and S. Okazaki. 2016. “Planned E-Learning Adoption and Occupational Socialisation in Brazilian Higher Education.” Studies in Higher Education 41 (11): 1974–1994.
  • EDUCAUSE. (2019). The EDUCAUSE Information Security Almanac [EDUCAUSE Core Data Service (CDS)]. EDUCAUSE. https://library.educause.edu/-/media/files/library/2019/4/infosecalmanac19.pdf.
  • Faerman, S. R., and R. E. Quinn. 1985. “Effectiveness: The Perspective from Organizational Theory.” The Review of Higher Education 9 (1): 83–100.
  • Feldman, M. S., and W. J. Orlikowski. 2011. “Theorizing Practice and Practicing Theory.” Organization Science 22 (5): 1240–1253. doi:10.1287/orsc.1100.0612.
  • Ferguson, C. J. 2009. “An Effect Size Primer: A Guide for Clinicians and Researchers.” Professional Psychology: Research and Practice 40 (5): 532–538.
  • Fornell, C., and D. F. Larcker. 1981. “Evaluating Structural Equation Models with Unobservable Variables and Measurement Error.” Journal of Marketing Research 18 (1): 39–50. JSTOR.
  • Gaus, N., M. Tang, and M. Akil. 2019. “Organisational Culture in Higher Education: Mapping the Way to Understanding Cultural Research.” Journal of Further and Higher Education 43 (6): 848–860.
  • Gefen, D., E. E. Rigdon, and D. Straub. 2011. “Editor’s Comments: An Update and Extension to SEM Guidelines for Administrative and Social Science Research.” MIS Quarterly 35 (2): iii–xiv.
  • Gefen, D., and D. Straub. 2005. “A Practical Guide to Factorial Validity Using PLS-Graph: Tutorial and Annotated Example.” Communications of the Association for Information Systems 16 (1): 91–109.
  • Gherardi, S. 2019. How to Conduct a Practice-Based Study: Problems and Methods (2nd ed.). Northampton, MA: Edward Elgar Publishing.
  • Hair, J. F. Jr., G. T. M. Hult, C. Ringle, and M. Sarstedt. 2016. A Primer on Partial Least Squares Structural Equation Modeling (PLS-SEM). Thousand Oaks, CA: Sage Publications.
  • Hair, J. F., J. J. Risher, M. Sarstedt, and C. M. Ringle. 2019. “When to Use and How to Report the Results of PLS-SEM.” European Business Review 31 (1): 2–24. doi:10.1108/EBR-11-2018-0203
  • Hannan, M. T., and J. Freeman. 1993. Organizational Ecology. Cambridge, MA: Harvard University Press.
  • He, W., and Z. Zhang (Justin). 2019. “Enterprise Cybersecurity Training and Awareness Programs: Recommendations for Success.” Journal of Organizational Computing and Electronic Commerce 29 (4): 249–257. doi:10.1080/10919392.2019.1611528.
  • Herath, T., and H. R. Rao. 2009a. “Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organisations.” European Journal of Information Systems 18 (2): 106–125.
  • Herath, T., and H. R. Rao. 2009b. “Encouraging Information Security Behaviors in Organizations: Role of Penalties, Pressures and Perceived Effectiveness.” Decision Support Systems 47 (2): 154–165.
  • Hesterberg, T. 2011. “Bootstrap.” Wiley Interdisciplinary Reviews: Computational Statistics 3 (6): 497–526.
  • Hina, S., and P. D. D. Dominic. 2020. “Information Security Policies’ Compliance: A Perspective for Higher Education Institutions.” Journal of Computer Information Systems 60 (3): 201–211.
  • Hina, S., D. D. D. Panneer Selvam, and P. B. Lowry. 2019. “Institutional Governance and Protection Motivation: Theoretical Insights Into Shaping Employees’ Security Compliance Behavior in Higher Education Institutions in the Developing World.” Computers & Security 87: 101594.
  • Ho, S. M., M. Ocasio-Velázquez, and C. Booth. 2017. “Trust or Consequences? Causal Effects of Perceived Risk and Subjective Norms on Cloud Technology Adoption.” Computers & Security 70: 581–595.
  • Hogg, M. A., and S. A. Reid. 2006. “Social Identity, Self-Categorization, and the Communication of Group Norms.” Communication Theory 16 (1): 7–30.
  • Hooper, V., and C. Blunt. 2020. “Factors Influencing the Information Security Behaviour of IT Employees.” Behaviour & Information Technology 39 (8): 862–874.
  • Hu, Q., T. Dinev, P. Hart, and D. Cooke. 2012. “Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture.” Decision Sciences 43 (4): 615–660.
  • Hu, Q., P. Hart, and D. Cooke. 2007. “The Role of External and Internal Influences on Information Systems Security – a neo-Institutional Perspective.” The Journal of Strategic Information Systems 16 (2): 153–172. doi:10.1016/j.jsis.2007.05.004.
  • Ifinedo, P. 2012. “Understanding Information Systems Security Policy Compliance: An Integration of the Theory of Planned Behavior and the Protection Motivation Theory.” Computers & Security 31 (1): 83–95. doi:10.1016/j.cose.2011.10.007.
  • Ju, P.-H., H.-L. Wei, and C.-C. Tsai. 2016. “Model of Post-Implementation User Participation within ERP Advice Network.” Asia Pacific Management Review 21 (2): 92–101.
  • Kam, H.-J., and P. Katerattanakul. 2014. “Information Security in Higher Education: A Neo-Institutional Perspective.” Journal of Information Privacy and Security 10 (1): 28–43.
  • Kam, H.-J., T. Mattson, and S. Goel. 2020. “A Cross Industry Study of Institutional Pressures on Organizational Effort to Raise Information Security Awareness.” Information Systems Frontiers 22 (5): 1241–1264. doi:10.1007/s10796-019-09927-9.
  • Kezar, A., and P. D. Eckel. 2002. “The Effect of Institutional Culture on Change Strategies in Higher Education: Universal Principles or Culturally Responsive Concepts?” The Journal of Higher Education 73 (4): 435–460.
  • Kezar, A. J., and E. M. Holcombe. 2017. Shared Leadership in Higher Education: Important Lessons from Research and Practice. Washington, DC: American Council on Education.
  • Kim, B., D.-Y. Lee, and B. Kim. 2019. “Deterrent Effects of Punishment and Training on Insider Security Threats: A Field Experiment on Phishing Attacks.” Behaviour & Information Technology 0 (0): 1–20.
  • Knapp, K. J., M. R. Franklin, T. E. Marshall, and T. A. Byrd. 2009. “Information Security Policy: An Organizational-Level Process Model.” Computers & Security 28 (7): 493–508.
  • Kostova, T. 1999. “Transnational Transfer of Strategic Organizational Practices: A Contextual Perspective.” Academy of Management Review 24 (2): 308–324.
  • Kostova, T., and K. Roth. 2002. “Adoption of an Organizational Practice by Subsidiaries of Multinational Corporations: Institutional and Relational Effects.” Academy of Management Journal 45 (1): 215–233.
  • Lejeune, C., and A. Vas. 2009. “Organizational Culture and Effectiveness in Business Schools: A Test of the Accreditation Impact.” Journal of Management Development 28 (8): 728–741.
  • Levina, N., and E. Vaast. 2005. “The Emergence of Boundary Spanning Competence in Practice: Implications for Implementation and Use of Information Systems.” MIS Quarterly 29 (2): 335–363.
  • Levina, N., and E. Vaast. 2006. “Turning a Community Into a Market: A Practice Perspective on Information Technology Use in Boundary Spanning.” Journal of Management Information Systems 22 (4): 13–37.
  • Li, Y., T. Pan, and N. Zhang, (Andy). 2019. “From Hindrance to Challenge: How Employees Understand and Respond to Information Security Policies.” Journal of Enterprise Information Management 33 (1): 191–213. doi:10.1108/JEIM-01-2019-0018.
  • Lowry, P., and G. Moody. 2015. “Proposing the Control-Reactance Compliance Model (CRCM) to Explain Opposing Motivations to Comply with Organisational Information Security Policies.” Information Systems Journal 25: 433–463. doi:10.1111/isj.12043.
  • Maassen, P. 2017. “The University’s Governance Paradox.” Higher Education Quarterly 71 (3): 290–298.
  • Manning, K. 2017. Organizational Theory in Higher Education. 2nd ed. New York, NY: Routledge.
  • Markus, M. L., and J.-Y. Mao. 2004. “Participation in Development and Implementation—Updating an Old, Tired Concept for Today’s IS Contexts.” Journal of the Association for Information Systems 5: 514–544.
  • Masland, A. T. 1985. “Organizational Culture in the Study of Higher Education.” The Review of Higher Education 8 (2): 157–168. doi:10.1353/rhe.1985.0026.
  • McKenzie, L. 2020, June 11. “Colleges Face Evolving Cyber Extortion Threat.” INSIDE HIGHER ED. https://www.insidehighered.com/news/2020/06/11/colleges-face-evolving-cyber-extortion-threat.
  • McKnight, C. P., and B. N. Martin. 2013. “Examining the Leadership of Off-Campus Center Administrators Through the Lens of Invitational Leadership.” The Journal of Continuing Higher Education 61 (2): 83–93. doi:10.1080/07377363.2013.796250.
  • McLendon, M. K. 2003. “Setting the Governmental Agenda for State Decentralization of Higher Education.” The Journal of Higher Education 74 (5): 479–515.
  • Merchan-Lima, J., F. Astudillo-Salinas, L. Tello-Oquendo, F. Sanchez, G. Lopez-Fonseca, and D. Quiroz. 2021. “Information Security Management Frameworks and Strategies in Higher Education Institutions: A Systematic Review.” Annals of Telecommunications 76 (3): 255–270. doi:10.1007/s12243-020-00783-2.
  • Meyer, J., F. Ramirez, D. Frank, and E. Schofer. 2007. “Higher Education as an Institution.” In Sociology of Higher Education: Contributions and Their Contexts, edited by P. J. Gumport, 187–221. The John Hopkins University Press. doi:10.5860/choice.45-3325.
  • Nicolini, D. 2012. Practice Theory, Work, and Organization: An Introduction. Oxford: Oxford University Press.
  • Niemimaa, E., and M. Niemimaa. 2017. “Information Systems Security Policy Implementation in Practice: From Best Practices to Situated Practices.” European Journal of Information Systems 26 (1): 1–20.
  • Park, R. 2015. “Employee Participation and Outcomes: Organizational Strategy Does Matter.” Employee Relations 37 (5): 604–622. doi:10.1108/ER-09-2014-0107.
  • Podsakoff, P. M., S. B. MacKenzie, J.-Y. Lee, and N. P. Podsakoff. 2003. “Common Method Biases in Behavioural Research: A Critical Review of the Literature and Recommended Remedies.” Journal of Applied Psychology 88 (5): 879–903.
  • Podsakoff, P. M., S. B. MacKenzie, and N. P. Podsakoff. 2012. “Sources of Method Bias in Social Science Research and Recommendations on How to Control It.” Annual Review of Psychology 63 (1): 539–569.
  • Posey, C., T. L. Roberts, and P. B. Lowry. 2015. “The Impact of Organizational Commitment on Insiders’ Motivation to Protect Organizational Information Assets.” Journal of Management Information Systems 32 (4): 179–214. doi:10.1080/07421222.2015.1138374.
  • Quinn, R. E., and J. Rohrbaugh. 1983. “A Spatial Model of Effectiveness Criteria: Towards a Competing Values Approach to Organizational Analysis.” Management Science 29 (3): 363–377.
  • Rahman, M. S., A. M. Osmangani, N. M. Daud, and F. A. M. AbdelFattah. 2016. “Knowledge Sharing Behaviors Among Non-Academic Staff of Higher Learning Institutions: Attitude, Subjective Norms and Behavioral Intention Embedded Model.” Library Review 65 (1/2): 65–83.
  • Rajab, M., and A. Eydgahi. 2019. “Evaluating the Explanatory Power of Theoretical Frameworks on Intention to Comply with Information Security Policies in Higher Education.” Computers & Security 80: 211–223. doi:10.1016/j.cose.2018.09.016.
  • Ramayah, T., J. A. L. Yeap, and J. Ignatius. 2013. “An Empirical Inquiry on Knowledge Sharing Among Academicians in Higher Learning Institutions.” Minerva 51 (2): 131–154.
  • Sawang, S., Y. Sun, and S. A. Salim. 2014. “It’s Not Only What I Think but What They Think! The Moderating Effect of Social Norms.” Computers & Education 76: 182–189.
  • Shadur, M. A., R. Kienzle, and J. J. Rodwell. 1999. “The Relationship between Organizational Climate and Employee Perceptions of Involvement.” Group & Organization Management 24 (4): 479–503. doi:10.1177/1059601199244005.
  • Siponen, M., and A. Vance. 2010. “Neutralization: New Insights Into the Problem of Employee Information Systems Security Policy Violations.” MIS Quarterly 34 (3): 487–502.
  • Siponen, M., and A. Vance. 2014. “Guidelines for Improving the Contextual Relevance of Field Surveys: The Case of Information Security Policy Violations.” European Journal of Information Systems 23 (3): 289–305. doi:10.1057/ejis.2012.59.
  • Smart, J. C., and E. P. St. John. 1996. “Organizational Culture and Effectiveness in Higher Education: A Test of the “Culture Type” and “Strong Culture” Hypotheses.” Educational Evaluation and Policy Analysis 18 (3): 219–241. doi:10.2307/1164261.
  • Smith, W. K., and M. W. Lewis. 2011. “Toward a Theory of Paradox: A Dynamic Equilibrium Model of Organizing.” Academy of Management Review 36 (2): 381–403.
  • Spears, J. L., and H. Barki. 2010. “User Participation in Information Systems Security Risk Management.” MIS Quarterly 34 (3): 503–522. doi:10.2307/25750689.
  • Strohm, C. 2018, March. “U.S. Indicts Iranians in Data Theft from Colleges, Companies.” Bloomberg.Com. https://www.bloomberg.com/news/articles/2018-03-23/u-s-indicts-iranian-hacker-network-over-widespread-data-theft.
  • Tierney, W. G. 1988. “Organizational Culture in Higher Education: Defining the Essentials.” The Journal of Higher Education 59 (1): 2–21. doi:10.2307/1981868.
  • Titah, R., and H. Barki. 2009. “Nonlinearities between Attitude and Subjective Norms in Information Technology Acceptance: A Negative Synergy?” MIS Quarterly 33 (4): 827–844.
  • Vallett, C. M. 2010. “Exploring the Relationship between Organizational Virtuousness and Culture in Continuing Higher Education.” The Journal of Continuing Higher Education 58 (3): 130–142.
  • Vance, A., M. T. Siponen, and D. W. Straub. 2020. “Effects of Sanctions, Moral Beliefs, and Neutralization on Information Security Policy Violations Across Cultures.” Information & Management 57 (4): 103212. doi:10.1016/j.im.2019.103212.
  • Warkentin, M., A. C. Johnston, J. Shropshire, and W. D. Barnett. 2016. “Continuance of Protective Security Behavior: A Longitudinal Study.” Decision Support Systems 92: 25–35.
  • Whittington, R. 2014. “Information Systems Strategy and Strategy-as-Practice: A Joint Agenda.” The Journal of Strategic Information Systems 23 (1): 87–91.
  • Wilkinson, L. 1999. “Statistical Methods in Psychology Journals: Guidelines and Explanations.” American Psychologist 54 (8): 594–604. doi:10.1037/0003-066X.54.8.594.
  • Yanosky, R., and J. B. Caruso. 2008. Process and Politics: IT Governance in Higher Education, 1–10 [ECAR Key Findings]. Educase Center for Applied Research. https://www.memphis.edu/its/governance/docs/2008_it_governance.pdf.
  • Yazdanmehr, A., and J. Wang. 2016. “Employees’ Information Security Policy Compliance: A Norm Activation Perspective.” Decision Support Systems 92: 36–46.
  • Yazdanmehr, A., J. Wang, and Z. Yang. 2020. “Peers Matter: The Moderating Role of Social Influence on Information Security Policy Compliance.” Information Systems Journal.

Reprints and Corporate Permissions

Please note: Selecting permissions does not provide access to the full text of the article, please see our help page How do I view content?

To request a reprint or corporate permissions for this article, please click on the relevant link below:

Order Reprints Request Corporate Permissions

Academic Permissions

Please note: Selecting permissions does not provide access to the full text of the article, please see our help page How do I view content?

Obtain permissions instantly via Rightslink by clicking on the button below:

Request Academic Permissions

If you are unable to obtain permissions via Rightslink, please complete and submit this Permissions form. For more information, please visit our Permissions help page.

Related research

People also read lists articles that other readers of this article have read.

Recommended articles lists articles that we recommend and is powered by our AI driven recommendation engine.

Cited by lists all citing articles based on Crossref citations.
Articles with the Crossref icon will open in a new tab.