Advanced search
Publication Cover
European Journal of Information Systems Volume 32, 2023 - Issue 6
Submit an article Journal homepage
886
Views
1
CrossRef citations to date
0
Altmetric
Research Article

Continuous improvement of information security management: an organisational learning perspective

Fereshteh Ghahramania School of Computing, Jarvis College of Computing and Digital Media, DePaul UniversityCorrespondence[email protected]
View further author information
,
Adel Yazdanmehrb Paul H. Chook Department of Information Systems and Statistics, Zicklin School of Business, Baruch College, The City University of New YorkORCID Iconhttps://orcid.org/0000-0001-6815-2965View further author information
ORCID Icon,
Daniel Chenc Information Systems and Supply Chain Management Department, Neeley School of Business, Texas Christian UniversityView further author information
&
Jingguo Wangd Information Systems & Operations Management Department, College of Business Administration, University of Texas at ArlingtonView further author information
Pages 1011-1032 | Received 25 Mar 2021, Accepted 23 Jun 2022, Published online: 14 Jul 2022

References

  • Abraham, C., Chatterjee, D., & Sims, R. R. (2019). Muddling through cybersecurity: Insights from the U.S. healthcare industry. Business Horizons, 62(4), 539–548. 10.1016/j.bushor.2019.03.010
  • Adner, R., & Helfat, C. E. (2003). Corporate effects and dynamic managerial capabilities. Strategic Management Journal, 24(10), 1011–1025. https://doi.org/10.1002/smj.331
  • Anand, G., Ward, P. T., Tatikonda, M. V., & Schilling, D. A. (2009). Dynamic capabilities through continuous improvement infrastructure. Journal of Operations Management, 27(6), 444–461. https://doi.org/10.1016/j.jom.2009.02.002
  • Aragón-Correa, J. A., & Sharma, S. (2003). A Contingent Resource-Based View of Proactive Corporate Environmental Strategy. Academy of Management Review, 28(1), 71–88. https://doi.org/10.2307/30040690
  • Argyris, C., & Schon, D. (1978). Organizational learning: A theory of action approach. Addision Wesley.
  • Audia, P. G., Locke, E. A., & Smith, K. G. (2000). The Paradox of Success: An Archival and a Laboratory Study of Strategic Persistence Following Radical Environmental Change. Academy of Management Journal, 43(5), 837–853. https://doi.org/10.5465/1556413.
  • Bansal, P., & Roth, K. (2000). Why Companies Go Green: A Model of Ecological Responsiveness. Academy of Management Journal, 43(4), 717–736. https://journals.aom.org/doi/10.5465/1556363.
  • Barreto, I. (2009). Dynamic Capabilities: A Review of Past Research and an Agenda for the Future. Journal of Management, 36(1), 256–280. https://doi.org/10.1177/0149206309350776
  • Basadur, M., Gelade, G., & Basadur, T. (2014). Creative Problem-Solving Process Styles, Cognitive Work Demands, and Organizational Adaptability. The Journal of Applied Behavioral Science, 50(1), 80–115. https://doi.org/10.1177/0021886313508433
  • Baskerville, R., Spagnoletti, P., & Kim, J. (2014). Incident-centered information security: Managing a strategic balance between prevention and response. Information & Management, 51(1), 138–151. https://doi.org/10.1016/j.im.2013.11.004
  • Beer, M., Voelpel, S. C., Leibold, M., & Tekie, E. B. (2005). Strategic Management as Organizational Learning: Developing Fit and Alignment through a Disciplined Process. Long Range Planning, 38(5), 445–465. https://doi.org/10.1016/j.lrp.2005.04.008
  • Benz, M., & Chatterjee, D. (2020). Calculated risk? A cybersecurity evaluation tool for SMEs. Business Horizons, 63(4), 531–540. https://doi.org/10.1016/j.bushor.2020.03.010
  • Bessant, J., Caffyn, S., Gilbert, J., Harding, R., & Webb, S. (1994). Rediscovering continuous improvement. Technovation, 14(1), 17–29. https://doi.org/10.1016/0166-4972(94)90067-1
  • Bhatt, G. D., & Grover, V. (2005). Types of Information Technology Capabilities and Their Role in Competitive Advantage: An Empirical Study. Journal of Management Information Systems, 22(2), 253–277. https://doi.org/10.1080/07421222.2005.11045844
  • Boer, H., Berger, A., Chapman, R., & Gertsen, F. (2017). CI Changes from Suggestion Box to Organisational Learning: Continuous Improvement in Europe and Australia. Routledge.
  • Boone, J. (2000). Competitive Pressure: The Effects on Investments in Product and Process Innovation. The RAND Journal of Economics, 31(3), 549. https://doi.org/10.2307/2601000
  • Boshell, C. (2021) What Motivates Cyber Criminals? Retrieved October 30, 2021. SEGMENTECH INC. https://www.segmentech.com/what-motivates-cyber-criminals/
  • Boynton, B. C. (2007) Identification of process improvement methodologies with application in information security. In Proceedings of the 4th annual conference on Information security curriculum development - InfoSecCD ’07 p 1, ACM Press, New York, New York, USA.
  • Carr, J. (2010) The Four Minute Malware: Aurora, Stuxnet, and Beyond. [Online]. Forbes. (Retrieved 21 July 2019). from: https://www.forbes.com/sites/firewall/2010/12/27/the-four-minute-malware-aurora-stuxnet-and-beyond/#55a0c6b42c54
  • Cepeda, G., & Vera, D. (2007). Dynamic capabilities and operational capabilities: A knowledge management perspective. Journal of Business Research, 60(5), 426–437. https://doi.org/10.1016/j.jbusres.2007.01.013
  • Chin, W. W., & Marcolin, B. L. (1995). The holistic approach to construct validation in IS research: Examples of the interplay between theory and measurement. Administrative Sciences Association of Canada - 23rd Annual Conference, IS Proceedings, 16(4), 33–43.
  • Chin, W. W. (1998). Commentary: Issues and Opinion on Structural Equation Modeling. MIS Quarterly, 22(1), vii–xvi. https://www.jstor.org/stable/249674.
  • Chin, W. W., Marcolin, B. L., & Newsted, P. R. (2003). A Partial Least Squares Latent Variable Modeling Approach for Measuring Interaction Effects: Results from a Monte Carlo Simulation Study and an Electronic-Mail Emotion/Adoption Study. Information Systems Research, 14(2), 189–217. https://doi.org/10.1287/isre.14.2.189.16018
  • Clauss, T., Abebe, M., Tangpong, C., & Hock, M. (2021). Strategic Agility, Business Model Innovation, and Firm Performance: An Empirical Investigation. IEEE Transactions on Engineering Management, 68(3), 767–784. https://doi.org/10.1109/TEM.2019.2910381
  • Cohen, J. (1988). Statistical Power Analysis for the Behavioral Sciences (2nd ed.). Routledge.
  • Cohen, W. M., & Levinthal, D. A. (1989). Innovation and Learning: The Two Faces of R&D. The Economic Journal, 99(397), 569. https://doi.org/10.2307/2233763
  • Cohen, W. M., & Levinthal, D. A. (1990). Absorptive Capacity: A New Perspective on Learning and Innovation.Administrative Science Quarterly, 35(1), 128–152. https://doi.org/10.2307/2393553.
  • Cohen, W. M., & Levinthal, D. A. (1994). Fortune Favors the Prepared Firm. Management Science, 40(2), 227–251. https://doi.org/10.1287/mnsc.40.2.227
  • Colwell, S. R., & Joshi, A. W. (2013). Corporate Ecological Responsiveness: Antecedent Effects of Institutional Pressure and Top Management Commitment and Their Impact on Organizational Performance. Business Strategy and the Environment, 22(2), 73–91. https://doi.org/10.1002/bse.732
  • Combe, I. A., Rudd, J. M., Leeflang, P. S. H., & Greenley, G. E. (2012). Antecedents to strategic flexibility: Management cognition, firm resources and strategic options. European Journal of Marketing, 46(10), 1320–1339. https://doi.org/10.1108/03090561211248053
  • Cooper, V., & Molla, A. (2017). Information systems absorptive capacity for environmentally driven IS-enabled transformation. Information Systems Journal, 27(4), 379–425. https://doi.org/10.1111/isj.12109
  • Cram, W. A., Proudfoot, J. G., & D’arcy, J. (2017). Organizational information security policies: A review and research framework. European Journal of Information Systems, 26(6), 605–641. https://doi.org/10.1057/s41303-017-0059-9
  • Cram, A. W., D’arcy, J., & Proudfoot, J. G. (2019). Seeing the forest and the trees. MIS Quarterly, 43(2), 525–554. https://doi.org/10.25300/MISQ/2019/15117
  • Dai, J., Chan, H. K., & Yee, R. W. Y. (2018). Examining moderating effect of organizational culture on the relationship between market pressure and corporate environmental strategy. Industrial Marketing Management, 74, 227–236. https://doi.org/10.1016/j.indmarman.2018.05.003
  • Dalziel, M. (2009). Forgoing the Flexibility of Real Options: When and Why Firms Commit to Investment Decisions*. British Journal of Management, 20(3), 401–412. https://doi.org/10.1111/j.1467-8551.2008.00601.x
  • Darai, D., Sacco, D., & Schmutzler, A. (2010). Competition and innovation: An experimental investigation. Experimental Economics, 13(4), 439–460. https://doi.org/10.1007/s10683-010-9250-8
  • Darby, M. (2018) Planning the business case for an Information Security Management System. Alliantist Ltd. Retrieved 23 January 2020 from: https://www.isms.online/information-security-management-system-isms/planning-the-business-case-for-an-isms-whitepaper/
  • De Jong, A., & De Ruyter, K. (2004). Adaptive versus Proactive Behavior in Service Recovery: The Role of Self-Managing Teams. Decision Sciences, 35(3), 457–491. https://doi.org/10.1111/j.0011-7315.2004.02513.x
  • Deephouse, D. L. (1996). Does Isomorphism Legitimate? Academy of Management Journal, 39(4), 1024–1039. https://doi.org/10.2307/256722
  • Delmas, M. A., & Toffel, M. W. (2008). Organizational responses to environmental demands: Opening the black box. Strategic Management Journal, 29(10), 1027–1055. https://doi.org/10.1002/smj.701
  • Dixon, S., Meyer, K., & Day, M. (2014). Building dynamic capabilities of adaptation and innovation: A study of micro-foundations in a transition economy. Long Range Planning, 47(4), 186–205. https://doi.org/10.1016/j.lrp.2013.08.011
  • Dubois, É., Heymans, P., Mayer, N., & Matulevičius, R. (2010). A Systematic Approach to Define the Domain of Information System Security Risk Management. In Selmin, Nurcan., Camille, Salinesi., Carine, Souveyet., Jolita, Ralyté., Intentional Perspectives on Information Systems Engineering (pp. 289–306). Springer Berlin Heidelberg.
  • Edwards, J. R., & Lambert, L. S. (2007). Methods for integrating moderation and mediation: A general analytical framework using moderated path analysis. Psychological Methods, 12(1), 1–22. https://doi.org/10.1037/1082-989X.12.1.1
  • Eisenhardt, K. M., & Martin, J. A. (2000). Dynamic capabilities: what are they? Strategic Management Journal Strategic Management Journal, 21(10–11), 1105–1121. https://doi.org/10.1002/1097-0266(200010/11)21:10/11<1105::AID-SMJ133>3.0.CO;2-E
  • Esteves, J., Ramalho, E., & De Haro, G. (2017). To improve cybersecurity, think like a hacker. MIT Sloan Management Review, 58(3), 71. https://sloanreview.mit.edu/article/to-improve-cybersecurity-think-like-a-hacker/.
  • Falk, R., & Miller, N. (1992). A Primer for Soft Modeling. University of Akron Press.
  • Fiol, C. M., & Lyles, M. A. (1985). Organizational Learning. Academy of Management Review, 10(4), 803–813. https://doi.org/10.2307/258048
  • Floyd, S. W., & Lane, P. J. (2000). Strategizing throughout the organization: Managing role conflict in strategic renewal. Academy of Management Review, 25(1), 154–177. https://doi.org/10.5465/amr.2000.2791608
  • Fogalin, K. (2009) Improving the Management of Information Security in Canadian Government Departments: Taking Lessons from the ISO/IEC 27001 Standard to Make Continuous, Incremental, and Enduring Improvements. SANS. Retrieved 14 April 2018) from: https://www.sans.org/reading-room/whitepapers/leadership/improving-management-information-security-canadian-government-departments-33063
  • Fornell, C., & Larcker, D. F. (1981). Evaluating Structural Equation Models with Unobservable Variables and Measurement Error. Journal of Marketing Research, 18(1), 39–50. https://doi.org/10.1177/002224378101800104
  • Freeman, E. (2010). Strategic Management: A Stakeholder Approach. Cambridge university press.
  • Gao, S., Yeoh, W., Wong, S. F., & Scheepers, R. (2017). A literature analysis of the use of Absorptive Capacity construct in IS research. International Journal of Information Management, 37(2), 36–42. https://doi.org/10.1016/j.ijinfomgt.2016.11.001
  • Garvin, D. A. (1993). Building a Learning Organization. Harvard Business Review, 71(4), 78–91. Retrieved October 29, 2020 from https://hbr.org/1993/07/building-a-learning-organization
  • Gefen, D., Straub, D. W., Boudreau, M.-C., Gefen, D., Straub, D. W., & Boudreau, M.-C. (2000). Structural equation modeling and regression: Guidelines for research practice. Communications of the Association for Information Systems, 4(7), 1–70. https://doi.org/10.17705/1CAIS.00407
  • Gelnaw, A. (2019) The Importance of Continuous Improvement in Security Performance Management. [Online]. BitSight Technologies. Retrieved 17 September 2021 from: https://www.bitsight.com/blog/importance-continuous-improvement-security-performance-management
  • General, A. A. (2002) ACT Auditor General’s office performance audit report V8 car races in Canberra–costs and benefits. (ACT Audit Office).
  • Ghahramani, F., & Wang, J. (2017) Adoption of an Authentication System: Is Security the Only Consideration? In ICIS 2017 Proceedings.
  • Golden, W., & Powell, P. (2000). Towards a definition of flexibility: In search of the Holy Grail? Omega, 28(4), 373–384. https://doi.org/10.1016/S0305-0483(99)00057-2
  • Gonzalez, R. V. D., & Martins, M. F. (2016). Capability for continuous improvement. The TQM Journal, 28(2), 250–274. https://doi.org/10.1108/TQM-07-2014-0059
  • Grandon, E. E., & Pearson, J. M. (2004). Electronic commerce adoption: An empirical study of small and medium US businesses. Information & Management, 42(1), 197–216. https://doi.org/10.1016/j.im.2003.12.010
  • Grewal, R., & Tansuhaj, P. (2001). Building Organizational Capabilities for Managing Economic Crisis: The Role of Market Orientation and Strategic Flexibility. Journal of Marketing, 65(2), 67–80. https://doi.org/10.1509/jmkg.65.2.67.18259
  • Hair, J. F., Anderson, R. E., Tatham, R. L., & Black, W. C. (1995). Multivariate Data Analysis with Readings (4th ed.). Prentice Hall.
  • Harrington, S. J., & Guimaraes, T. (2005). Corporate culture, absorptive capacity and IT success. Information and Organization, 15(1), 39–63. https://doi.org/10.1016/j.infoandorg.2004.10.002
  • Hayes, A. F. (2009). Beyond Baron and Kenny: Statistical Mediation Analysis in the New Millennium. Communication Monographs, 76(4), 408–420. https://doi.org/10.1080/03637750903310360
  • Hayes, A. F. (2013). Introduction to Mediation, Moderation, and Conditional Process Analysis. Guilford Press.
  • Helfat, C. E., Finkelstein, S., Mitchell, W., Peteraf, M., Singh, H., Teece, D., & Winter, S. G. (2007). Dynamic capabilities: Understanding strategic change in organizations. Blackwell Pub.
  • Hoffman, D. L., Novak, T. P., & Peralta, M. (1999). Building consumer trust online. Communications of the ACM, 42(4), 80–85. https://doi.org/10.1145/299157.299175
  • Hsu, C., Lee, J.-N., & Straub, D. W. (2012). Institutional Influences on Information Systems Security Innovations. Information Systems Research, 23(3–part–2), 918–939. https://doi.org/10.1287/isre.1110.0393
  • Hu, L. T., & Bentler, P. (1999). Cutoff Criteria for Fit Indexes in Covariance Structure Analysis: Conventional Criteria Versus New Alternatives, Structural Equation Modeling. Structural Equation Modeling: A Multidisciplinary Journal, 6(1), 1–55. https://doi.org/10.1080/10705519909540118
  • Hui, K. L., Vance, A., & Zhdanov, D. (2016) Securing Digital Assets. [Online]. MIS Quarterly. Retrieved September 4, 2021. from: https://www.misqresearchcurations.org/blog/2017/5/10/securing-digital-assets-1
  • Hyatt, D. E., & Ruddy, T. M. (1997). An examination of the relationship between work group characteristics and performance: Once more into the breech. Personnel Psychology, 50(3), 553–585. https://doi.org/10.1111/j.1744-6570.1997.tb00703.x
  • Itgovernance (2018) Information Security and ISO 27001 – An introduction. Retrieved 23 January 2020 from: https://www.itgovernance.co.uk/green-papers/information-security-and-iso-27001-an-introduction
  • Iyengar, K., Sweeney, J. R., & Montealegre, R. (2015). Information technology use as a learning mechanism: The impact of IT use on knowledge transfer effectiveness, absorptive capacity, and franchisee performance. MIS Quarterly, 39(3), 615–641. https://doi.org/10.25300/MISQ/2015/39.3.05
  • Jansen, J. J. P., Van Den Bosch, F. A. J., & Volberda, H. W. (2005). Managing Potential and Realized Absorptive Capacity: How do Organizational Antecedents Matter? Academy of Management Journal, 48(6), 999–1015. https://doi.org/10.5465/amj.2005.19573106
  • Jouini, M., Rabai, L. B. A., Aissa, A., & Ben. (2014). Classification of Security Threats in Information Systems. Procedia Computer Science, 32, 489–496. https://doi.org/10.1016/j.procs.2014.05.452
  • Kim, L. (1997). The Dynamics of Samsung’s Technological Learning in Semiconductors. California Management Review, 39(3), 86–100. https://doi.org/10.2307/41165900
  • Ko, D. G., Kirsch, L. J., & King, W. R. (2005). Antecedents of knowledge transfer from consultants to clients in enterprise system implementations. MIS Quarterly: Management Information Systems, 29(1), 59–85. https://doi.org/10.2307/25148668
  • Kock, N., & Lynn, G. S. (2012). Lateral Collinearity and Misleading Results in Variance-Based SEM: An Illustration and Recommendations. Journal of the Association for Information Systems, 13(7), 546–580. https://doi.org/10.17705/1jais.00302
  • Kock, N. (2015). Common method bias in PLS-SEM: A full collinearity assessment approach. International Journal of e-Collaboration, 11(4), 1–10. https://doi.org/10.4018/ijec.2015100101.
  • Kohlbacher, M. (2013). The Impact of Dynamic Capabilities through Continuous Improvement on Innovation: The Role of Business Process Orientation. Knowledge and Process Management, 20(2), 71–76. https://doi.org/10.1002/kpm.1405
  • Kotulic, A. G., & Clark, J. G. (2004). Why there aren’t more information security research studies. Information & Management, 41(5), 597–607. https://doi.org/10.1016/j.im.2003.08.001
  • Kwon, J., & Johnson, M. E. (2014). Proactive Versus Reactive Security Investments in the Healthcare Sector. MIS Quarterly, 38(2), 451–471. https://doi.org/10.25300/MISQ/2014/38.2.06
  • Lane, P. J., & Lubatkin, M. (1998). Relative absorptive capacity and interorganizational learning. Strategic Management Journal, 19(5), 461–477. https://doi.org/10.1002/(SICI)1097-0266(199805)19:5<461::AID-SMJ953>3.0.CO;2-L
  • Lane, P. J., Salk, J. E., & Lyles, M. A. (2001). Absorptive capacity, learning, and performance in international joint ventures. Strategic Management Journal, 22(12), 1139–1161. https://doi.org/10.1002/smj.206
  • Lane, P. J., Koka, B. R., & Pathak, S. (2006). The Reification of Absorptive Capacity: A Critical Review and Rejuvenation of the Construct. Academy of Management Review, 31(4), 833–863. https://doi.org/10.5465/amr.2006.22527456
  • Lee, C. Y. (2009). Competition favors the prepared firm: Firms’ R&D responses to competitive market pressure. Research Policy, 38(5), 861–870. https://doi.org/10.1016/j.respol.2009.01.005
  • Lei, D., Hitt, M. A., & Goldhar, J. D. (1996). Advanced Manufacturing Technology: Organizational Design and Strategic Flexibility. Organization Studies, 17(3), 501–523. https://doi.org/10.1177/017084069601700307
  • Levinthal, D. A., & March, J. G. (1993a). The myopia of learning. Strategic Management Journal, 14(S2), 95–112. http://wiley.com/10.1002/smj.4250141009. doi:10.1002/smj.4250141009
  • Levinthal, D. A., & March, J. G. (1993b). The myopia of learning. Strategic Management Journal, 14(S2), 95–112. https://doi.org/10.1002/smj.4250141009
  • Lifars (2020) Motivations Behind Cyber-Attacks . Retrieved 16 December 2020 from: https://lifars.com/2020/03/motivations-behind-cyber-attacks/
  • Lillrank, P., Shani, A. B., Rami, & Lindberg, P. (2001). Continuous improvement: Exploring alternative organizational designs. Total Quality Management, 12(1), 41–55. https://doi.org/10.1080/09544120020010084
  • Lin, H.-F. (2006). Interorganizational and organizational determinants of planning effectiveness for Internet-based interorganizational systems. Information & Management, 43(4), 423–433. https://doi.org/10.1016/j.im.2005.10.004
  • Lindell, M. K., & Whitney, D. J. (2001). Accounting for common method variance in cross-sectional research designs. Journal of Applied Psychology, 86(1), 114–121. https://doi.org/10.1037/0021-9010.86.1.114
  • Linderman, K., Schroeder, R. G., Zaheer, S., Liedtke, C., & Choo, A. S. (2004). Integrating quality management practices with knowledge creation processes. Journal of Operations Management, 22(6), 589–607. https://doi.org/10.1016/j.jom.2004.07.001
  • Liu, H., Ke, W., Wei, K. K., Gu, J., & Chen, H. (2010). The role of institutional pressures and organizational culture in the firm’s intention to adopt internet-enabled supply chain management systems. Journal of Operations Management, 28(5), 372–384. https://doi.org/10.1016/j.jom.2009.11.010
  • Liu, H., Ke, W., Kk, W. E. I., & Hua, Z. (2013). The impact of IT capabilities on firm performance: The mediating roles of absorptive capacity and supply chain agility. Decision Support Systems, 54(3), 1452–1462. https://doi.org/10.1016/j.dss.2012.12.016
  • Liu, C.-W., Huang, P., & Jr, H. C. L. (2020). Centralized IT Decision Making and Cybersecurity Breaches: Evidence from U.S. Higher Education Institutions.
  • Lowry, P. B., D’arcy, J., Hammer, B., & Moody, G. D. (2016). Cargo Cult” science in traditional organization and information systems survey research: A case for using nontraditional methods of data collection, including Mechanical Turk and online panels. The Journal of Strategic Information Systems, 25(3), 232–240. https://doi.org/10.1016/j.jsis.2016.06.002
  • Lumpkin, G. T., & Lichtenstein, B. B. (2005). The Role of Organizational Learning in the Opportunity-Recognition Process. Entrepreneurship Theory and Practice, 29(4), 451–472. https://doi.org/10.1111/j.1540-6520.2005.00093.x
  • Mackenzie, S. B., Podsakoff, P. M., & Podsakoff, N. P. (2011). Construct measurement and validation procedures in MIS and behavioral research: Integrating new and existing techniques. MIS Quarterly, 35(2), 293–334. https://doi.org/10.2307/23044045
  • Mackinnon, D. P. (2008). Introduction to statistical mediation analysis. Routledge.
  • Magni, M., Ahuja, M. K., & Maruping, L. M. (2018). Distant but Fair: Intra-Team Justice Climate and Performance in Dispersed Teams. Journal of Management Information Systems, 35(4), 1031–1059. https://doi.org/10.1080/07421222.2018.1522909
  • Malhotra, A., Gosain, S., & Sawy Oa, E. (2005). Absorptive Capacity Configurations in Supply Chains: Gearing for Partner-Enabled Market Knowledge Creation. MIS Quarterly, 29(1), 145. https://doi.org/10.2307/25148671
  • March, J. G. (1991). Exploration and Exploitation in Organizational Learning. Organization Science, 2(1), 71–87. https://doi.org/10.1287/orsc.2.1.71
  • Mark, C. (2020) Understanding cyber attacker motivations to best apply controls | AT&T Cybersecurity. [Online] (Retrieved 30 October 2021 from: https://cybersecurity.att.com/blogs/security-essentials/understanding-cyber-attacker-motivations-to-best-apply-controls
  • Maruping, L., & Magni, M. (2012). What’s the weather like? the effect of team learning climate, empowerment climate, and gender on individuals’ technology exploration and use. Journal of Management Information Systems, 29(1), 79–114. https://doi.org/10.2753/MIS0742-1222290103
  • Maruping, L. M., Venkatesh, V., Thong, J. Y. L., & Zhang, X. (2019). A Risk Mitigation Framework for Information Technology Projects: A Cultural Contingency Perspective. Journal of Management Information Systems, 36(1), 120–157. https://doi.org/10.1080/07421222.2018.1550555
  • Merkow, M. S., & Breithaupt, J. (2014). Information security: Principles and practices. Pearson Education.
  • Miroshnychenko, I., Strobl, A., Matzler, K., & De Massis, A. (2021). Absorptive capacity, strategic flexibility, and business model innovation: Empirical evidence from Italian SMEs. Journal of Business Research, 130, 670–682. https://doi.org/10.1016/j.jbusres.2020.02.015
  • Moeini, M., & Rivard, S. (2019). Responding—or not—to information technology project risks: An integrative model. MIS Quarterly: Management Information Systems, 43(2), 475–500. https://doi.org/10.25300/MISQ/2019/14505
  • Muller, D., Judd, C. M., & Yzerbyt, V. Y. (2005). When moderation is mediated and mediation is moderated. Journal of Personality and Social Psychology, 89(6), 852–863. https://doi.org/10.1037/0022-3514.89.6.852
  • Neter, J., Wasserman, W., & Kutner, M. H. (1989). Applied linear regression models. Irwin.
  • Ni, W., & Sun, H. (2009). The relationship among organisational learning, continuous improvement and performance improvement: An evolutionary perspective. Total Quality Management and Business Excellence, 20(10), 1041–1054. https://doi.org/10.1080/14783360903247312
  • Nowak, R. (2021). Strategic Flexibility And Performance: Effects Of Potential And Realised Absorptive Capacity. International Journal of Innovation Management, 25(7), 2150077. https://doi.org/10.1142/S1363919621500778
  • Nunnally, J. C., & Bernstein, I. (1994). Psychometric Theory. McGraw-Hill.
  • O’reilly, C. A., & Tushman, M. L. (2008). Ambidexterity as a dynamic capability: Resolving the innovator’s dilemma. Research in Organizational Behavior, 28, 185–206. https://doi.org/10.1016/j.riob.2008.06.002
  • Patel, P. C., Terjesen, S., & Li, D. (2012). Enhancing effects of manufacturing flexibility through operational absorptive capacity and operational ambidexterity. Journal of Operations Management, 30(3), 201–220. https://doi.org/10.1016/j.jom.2011.10.004
  • Pavlou, P. A., & El Sawy, O. A. (2006). From IT Leveraging Competence to Competitive Advantage in Turbulent Environments: The Case of New Product Development. Information Systems Research, 17(3), 198–227. https://doi.org/10.1287/isre.1060.0094
  • Peng, D. X., Schroeder, R. G., & Shah, R. (2008). Linking routines to operations capabilities: A new perspective. Journal of Operations Management, 26(6), 730–748. https://doi.org/10.1016/j.jom.2007.11.001
  • Phillips, P. A. (1999). Hotel performance and competitive advantage: A contingency approach. International Journal of Contemporary Hospitality Management, 11(7), 359–365. https://doi.org/10.1108/09596119910293268
  • Podsakoff, P. M., Mackenzie, S. B., Lee, J.-Y., & Podsakoff, N. P. (2003). Common method biases in behavioral research: A critical review of the literature and recommended remedies. Journal of Applied Psychology, 88(5), 879–903. https://doi.org/10.1037/0021-9010.88.5.879
  • Porter, M., & Millar, V. (1985). How information gives you competitive advantage. Harvard Business Review. https://hbr.org/1985/07/how-information-gives-you-competitive-advantage.
  • Preacher, K. J., Rucker, D. D., & Hayes, A. F. (2007). Addressing Moderated Mediation Hypotheses: Theory, Methods, and Prescriptions. Multivariate Behavioral Research, 42(1), 185–227. https://doi.org/10.1080/00273170701341316
  • Purser, R. E., & Petranker, J. (2005). Unfreezing the Future: Exploring the dynamic of time in organizational change. The Journal of Applied Behavioral Science, 41(2), 182–203. https://doi.org/10.1177/0021886304268157
  • Radware. (2017). Global Application & Network Security Report.
  • Rai, A., & Tang, X. (2010). Leveraging IT capabilities and competitive process capabilities for the management of interorganizational relationship portfolios. Information Systems Research, 21(3), 516–542. https://doi.org/10.1287/isre.1100.0299
  • Roberts, N., Galluch, P. S., Dinger, M., & Grover, V. (2012). Absorptive Capacity and Information Systems Research: Review, Synthesis, and Directions for Future Research. MIS Quarterly, 36(2), 625–648. https://doi.org/10.2307/41703470
  • Safi, R., Browne, G. J., & Jalali Naini, A. (2021). Mis-spending on information security measures: Theory and experimental evidence. International Journal of Information Management, 57, 102291. https://doi.org/10.1016/j.ijinfomgt.2020.102291
  • Sanchez, R. (1995). Strategic flexibility in product competition. Strategic Management Journal, 16(S1), 135–159. https://doi.org/10.1002/smj.4250160921
  • Santos-Vijande, M. L., López-Sánchez, J. Á., & Trespalacios, J. A. (2012). How organizational learning affects a firm’s flexibility, competitive strategy, and performance. Journal of Business Research, 65(8), 1079–1089. https://doi.org/10.1016/j.jbusres.2011.09.002
  • Setia, P., & Patel, P. C. (2013). How information systems help create OM capabilities: Consequents and antecedents of operational absorptive capacity. Journal of Operations Management, 31(6), 409–431. https://doi.org/10.1016/j.jom.2013.07.013
  • Shrout, P. E., & Bolger, N. (2002). Mediation in experimental and nonexperimental studies: New procedures and recommendations. Psychological Methods, 7(4), 422–445. https://doi.org/10.1037/1082-989X.7.4.422
  • Simsek, Z. (2009). Organizational Ambidexterity: Towards a Multilevel Understanding. Journal of Management Studies, 46(4), 597–624. https://doi.org/10.1111/j.1467-6486.2009.00828.x.
  • Sirmon, D. G., Hitt, M. A., & Ireland, R. D. (2007). Managing Firm Resources in Dynamic Environments to Create Value: Looking Inside the Black Box. Academy of management review, 32(1): 273–292. https://doi.org/10.5465/amr.2007.23466005
  • Smadi, S. (2009). Kaizen strategy and the drive for competitiveness: Challenges and opportunities. Competitiveness Review, 19(3), 203–211. https://doi.org/10.1108/10595420910962070
  • Smit, J. (2015). The Innovation Value Chain and Adaptability of Organizations. Journal of International Technology and Information Management, 24(3). https://scholarworks.lib.csusb.edu/jitim/vol24/iss3/4.
  • Spender, J.-C. (1996). Making knowledge the basis of a dynamic theory of the firm. Strategic Management Journal, 17(S2), 45–62. https://doi.org/10.1002/smj.4250171106
  • Spiro, R. L., & Weitz, B. A. (1990). Adaptive Selling: Conceptualization, Measurement, and Nomological Validity. Journal of Marketing Research, 27(1), 61. https://doi.org/10.1177/002224379002700106
  • Steelman, Z. R., Hammer, B. I., & Limayem, M. (2014). Data collection in the digital age: Innovative alternatives to student samples. MIS Quarterly, 38(2), 355–378. https://doi.org/10.25300/MISQ/2014/38.2.02
  • Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems, 800(30), Nist special publication, 800–30 .
  • Straub, D., Boudreau, M.-C., Gefen, D., Straub, D., Boudreau, M., & Gefen, D. (2004). Validation Guidelines for IS Positivist Research. Communications of the Association for Information Systems, 13(13), 380–427. https://doi.org/10.17705/1CAIS.01324
  • Sun, P. Y. T., & Anderson, M. H. (2010). An examination of the relationship between absorptive capacity and organizational learning, and a proposed integration. International Journal of Management Reviews, 12(2), 130–150. https://doi.org/10.1111/j.1468-2370.2008.00256.x
  • Szulanski, G. (1996). Exploring internal stickiness: Impediments to the transfer of best practice within the firm. Strategic Management Journal, 17(S2), 27–43. https://doi.org/10.1002/smj.4250171105
  • Tanriverdi, H., & Uysal, V. B. (2011). Cross-business information technology integration and acquirer value creation in corporate mergers and acquisitions. Information Systems Research, 22(4), 703–720. https://doi.org/10.1287/isre.1090.0250
  • Teece, D. J., Pisano, G., & Shuen, A. (1997). Dynamic capabilities and strategic management. Strategic Management Journal, 18(7), 509–533. https://doi.org/10.1002/(SICI)1097-0266(199708)18:7<509::AID-SMJ882>3.0.CO;2-Z
  • Tiwana, A., & Mclean, E. R. (2005). Expertise integration and creativity in information systems development. Journal of Management Information Systems, 22(1), 13–43. https://doi.org/10.1080/07421222.2003.11045836
  • Tsai, W. (2001). Knowledge Transfer in Intraorganizational Networks: Effects of Network Position and Absorptive Capacity on Business Unit Innovation and Performance. Academy of Management Journal, 44(5), 996–1004. https://doi.org/10.5465/3069443.
  • Tu, Q., Vonderembse, M. A., Ragu-Nathan, T. S., & Sharkey, T. W. (2006). Absorptive capacity: Enhancing the assimilation of time-based manufacturing practices. Journal of Operations Management, 24(5), 692–710. https://doi.org/10.1016/j.jom.2005.05.004
  • Uhl-Bien, M., & Arena, M. (2018). Leadership for organizational adaptability: A theoretical synthesis and integrative framework. Leadership Quarterly, 29(1), 89–104. https://doi.org/10.1016/j.leaqua.2017.12.009
  • Van Den Bosch, F. A. J., Volberda, H. W., & De Boer, M. (1999). Coevolution of Firm Absorptive Capacity and Knowledge Environment: Organizational Forms and Combinative Capabilities. Organization Science, 10(5), 551–568. https://doi.org/10.1287/orsc.10.5.551
  • Vasudeva, G., & Anand, J. (2011). Unpacking Absorptive Capacity: A Study of Knowledge Utilization from Alliance Portfolios. Academy of Management Journal, 54(3), 611–623. https://doi.org/10.5465/amj.2011.61968108
  • Wang, C. L., & Ahmed, P. K. (2007). Dynamic capabilities: A review and research agenda. International Journal of Management Reviews, 9(1), 31–51. https://doi.org/10.1111/j.1468-2370.2007.00201.x
  • Wang, J., Chaudhury, A., & Rao, H. R. (2008). A value-at-risk approach to information security investment. Information Systems Research, 19(1), 106–120. https://doi.org/10.1287/isre.1070.0143
  • Wang, C.-H., Chen, K.-Y., & Chen, S.-C. (2012). Total quality management, market orientation and hotel performance: The moderating effects of external environmental factors. International Journal of Hospitality Management, 31(1), 119–129. https://doi.org/10.1016/j.ijhm.2011.03.013
  • Wang, J., Xiao, N., & Rao, H. R. (2015). Research note—An exploration of risk characteristics of information security threats and related public information search behavior. Information Systems Research, 26(3), 619–633. https://doi.org/10.1287/isre.2015.0581
  • Weick, K. E., & Quinn, R. E. (1999). Organizational Change and Development. Annual Review of Psychology, 50(1), 361–386. https://doi.org/10.1146/annurev.psych.50.1.361
  • Wheeler, B. C. (2002). NEBIC: A Dynamic Capabilities Theory for Assessing Net-Enablement. Information Systems Research, 13(2), 125–146. https://doi.org/10.1287/isre.13.2.125.89
  • Windeler, J. B., Maruping, L., & Venkatesh, V. (2017). Technical systems development risk factors: The role of empowering leadership in lowering developers’ stress. Information Systems Research, 28(4), 775–796. https://doi.org/10.1287/isre.2017.0716
  • Yazdanmehr, A., Wang, J., & Yang, Z. (2020). Peers matter: The moderating role of social influence on information security policy compliance. Information Systems Journal, 30(5), 791–844. https://doi.org/10.1111/isj.12271
  • Yazdanmehr, A., & Wang, J. (2021) Can peers help reduce violations of information security policies? The role of peer monitoring. European Journal of Information Systems, 1–21.
  • Zahra, S. A., & George, G. (2002). Absorptive capacity: A review, reconceptualization, and extension. Academy of Management Review, 27(2), 185–203. https://doi.org/10.2307/4134351
  • Zangwill, W. I., & Kantor, P. B. (1998). Toward a theory of continuous improvement and the learning curve. Management Science, 44(7), 910–920. https://doi.org/10.1287/mnsc.44.7.910
  • Zhu, K., & Kraemer, K. L. (2005). Post-Adoption Variations in Usage and Value of E-Business by Organizations: Cross-Country Evidence from the Retail Industry. Information Systems Research, 16(1), 61–84. https://doi.org/10.1287/isre.1050.0045
  • Zollo, M., & Winter, S. G. (2002). Deliberate learning and the evolution of dynamic capabilities. Organization science. 13(3): 339–351. https://doi.org/10.1287/orsc.13.3.339.2780

Reprints and Corporate Permissions

Please note: Selecting permissions does not provide access to the full text of the article, please see our help page How do I view content?

To request a reprint or corporate permissions for this article, please click on the relevant link below:

Order Reprints Request Corporate Permissions

Academic Permissions

Please note: Selecting permissions does not provide access to the full text of the article, please see our help page How do I view content?

Obtain permissions instantly via Rightslink by clicking on the button below:

Request Academic Permissions

If you are unable to obtain permissions via Rightslink, please complete and submit this Permissions form. For more information, please visit our Permissions help page.

Related research

People also read lists articles that other readers of this article have read.

Recommended articles lists articles that we recommend and is powered by our AI driven recommendation engine.

Cited by lists all citing articles based on Crossref citations.
Articles with the Crossref icon will open in a new tab.