
The current issue and full text archive of this journal is available at

www.emeraldinsight.com/0968-5227.htm

IMCS
14,1

Information security: management's effect on culture and policy

Kenneth J. Knapp
US Air Force Academy, Colorado Springs, Colorado, USA, and

Thomas E. Marshall, R. Kelly Rainer and F. Nelson Ford
Department of Management, College of Business, Auburn University, Auburn, Alabama, USA
Abstract
Purpose: This study proposes to put forward and test a theoretical model that demonstrates the
influence of top management support on an organization's security culture and level of security policy
enforcement.
Design/methodology/approach: The project used a combination of qualitative and quantitative
techniques. The grounded theory approach was used to analyze responses to open-ended questions
answered by 220 certified information system security professionals. Using these responses, a survey
instrument was developed. Survey results were analyzed using structural equation modeling.
Findings: Evidence suggests that top management support is a significant predictor of an
organization's security culture and level of policy enforcement.
Research limitations/implications: During instrument validation, a special effort removed
survey items that appeared overly intrusive to the respondents. In this endeavor, an expert panel of
security practitioners evaluated all candidate items on a willingness-to-answer scale. While especially
helpful in security, this scale may be used in other research domains.
Practical implications: Practitioners should understand the impact of top management support
on achieving security effectiveness. Based on the findings of this study, low levels of executive support
will produce an organizational culture less tolerant of good security practices. Low levels of support
will diminish the level of enforcement of existing security policies.
Originality/value: Researchers developed original scales to measure levels of top management
support, policy enforcement, and organizational culture. The scales demonstrated acceptable
reliability and validity scores.
Keywords: Information control, Management effectiveness, Organizational culture, Surveys
Paper type: Research paper

Information Management & Computer Security, Vol. 14 No. 1, 2006, pp. 24-36
© Emerald Group Publishing Limited, 0968-5227
DOI 10.1108/09685220610648355

The authors would like to gratefully acknowledge these individuals for their substantial
assistance in this research project: Ann Marie Overen, Lloyd Taylor, Claudia N. Lukas, T.C.
Chen, Alan C. Proctor, Jr, Milo Doyle, Joseph B. Baugh, Alexis J. Monaco, Mansoor Khan, Paul
S. Powenski, Timothy H. Lacey, Wallace Coy, and Bennie Sanford. The authors especially thank
Dorsey Morrow and the (ISC)2 organization for their thorough support of this project.

Introduction
Information security is a critical issue threatening organizations worldwide. With
modern national economies and businesses fully dependent upon information
technology for survival (President, 2003), the need to protect information is more
paramount than ever before. Multiple national surveys confirm a high number of
attacks against organizational information resources (Bagchi and Udo, 2003; Computer
Emergency Response Team (CERT), 2004; Gordon et al., 2004). Between 1998 and 2003,
the number of incidents reported to the US CERT nearly doubled each year, with
137,529 reported incidents in 2003 alone. According to an Ernst and Young survey,
security incidents can cost companies between $17 and $28 million for each occurrence
(Garg et al., 2004). Because incidents are frequent and costly, management must take
security seriously to protect critical organizational information.
For decades, security authorities recognized that solving security problems requires
managerial attention (Allen, 1968; Parker, 1981; Van Tassel, 1972). Even so, managers
often did not regard security as important and many permitted their information
systems (IS) to be either lightly protected or wholly unprotected (Straub, 1990). In some
IS key issue studies during the 1990s, the security issue dropped entirely off the top
20 list (Brancheau et al., 1996). Since 2000, even with increased media attention about
e-mail viruses, internet worms, and software vulnerabilities, managerial attention to
security still appears to be insufficient. A 2004 key issues study of 874 certified
information security professionals showed that top management support was ranked
number one from a list of 25 security issues (Knapp et al., 2004). In the same study,
organizational culture ranked sixth and policy-related issues ranked seventh.
Few studies have developed and empirically-tested theoretical models that apply
these managerial constructs to information security (Kankanhalli et al., 2003; Straub,
1990). Some IS scholars even perceive a serious lack of empirically based information
security research altogether (Kotulic and Clark, 2004). Considering the general lack of
empirical research, this study seeks to explore, develop, and empirically test a
theoretical model in information security.
The lack of empirical research and theory in information security caused us to
organize this paper differently than most articles reporting the results from empirical
studies. The next section of this paper describes the research methodology we used to
produce the theoretical model and the survey instrument that tested the model. This
methodology section describes each phase of the study from qualitative data collection
to the results of the quantitative data analysis. Following the methodology section, we
conclude with a discussion of implications for research and practice.
Research methodology
This research study involved six major steps combining qualitative and quantitative
techniques. Such an approach can provide a richer, contextual basis for interpreting
and validating results (Kaplan and Duchon, 1988). The qualitative portion of the
methodology relied on the grounded theory research strategy (Glaser and Strauss,
1967) in order to analyze open-ended question responses from 220 certified information
system security professionals (CISSPs) who are constituents of the International
Information Systems Security Certification Consortium ((ISC)2). This analysis enabled
us to develop measurement scales by extracting questionnaire items from the content
of the open-ended question responses. An expert panel of 12 CISSPs then evaluated the
extracted items for meaningfulness and readability.
One research objective was to create an instrument that exhibits not only high
validity and reliability, but also minimizes the respondents' perception of instrument
intrusiveness. Instruments with intrusively worded questions that cover sensitive
organizational issues may cause respondents to be less than forthright in their
answers. For this reason, development of a non-intrusive instrument is important to
encourage respondents to participate thoroughly and candidly in the research. Thus,
one of the key roles of the expert panel was to identify potentially intrusive
questionnaire items.
After multiple rounds of expert evaluation and a pre-test by nine CISSPs and nine
academics, quantitative data were collected through a web survey version of the
developed instrument. The subsequent results were analyzed using structural equation
modeling (SEM). We now describe each of the qualitative and quantitative
methodological steps of this study.
Qualitative data collection: open-ended questions
In September 2003, an announcement was placed on the (ISC)2 home page (www.isc2.
org) requesting that interested CISSPs participate in this research project. (ISC)2 is a
non-profit organization that manages the CISSP program. Among the requirements to
earn a CISSP designation, candidates must pass a comprehensive exam and possess
a minimum of four years of professional experience in the security field or three years
experience plus a college degree.
In all, 348 individuals responded to the web posting and we sent them two
open-ended questions. The first asked for the top five information security issues
facing organizations today. Three weeks later, a second question asked for the top five
policy-related issues in information security. Respondents answered both questions
using a word processing form that provided a space both for a short title and an
accompanying rationale for each issue. Ten CISSPs separately pre-tested each form. In
all, 220 of the 348 CISSPs participated. Responses to the questions provided the
qualitative data for this research.
While the sample was exclusively from the (ISC)2 constituency, a wide range of
geographic regions and industries were represented (Table I). Respondents came from
23 countries with industry participation reflective of the types of organizations that
hire information security professionals. Fifteen percent of the sample identified
themselves as consultants. This group provided a valuable perspective because many
of them support different-sized companies from multiple industries.
The sample is notable for several reasons. First, the qualitative phase of the
research project benefited from a large number of open-ended question responses. The
first question provided 1,100 comments (220 usable responses at five issues each) and
the second provided 990 comments (198 usable responses at five issues each). Second,
the sample of practicing security professionals allowed us to acquire data from those
who are most knowledgeable about current organizational security issues. Third, use
of the (ISC)2 constituency ensured a minimum level of professional credentials. Finally,
the (ISC)2 constituency includes a wide variety of job types within a representative
cross-section of several industries. Respondent comments thus provide a rich set of
data containing a variety of organizational views.

Table I. Sample characteristics
Country: 23 represented including USA (72 percent), Canada (5 percent), India (4 percent),
Hong Kong (3 percent), and the UK (3 percent)
Industry: Largest representations include government (21 percent), consulting (15 percent),
finance and banking (15 percent), information technology (12 percent),
manufacturing (11 percent), telecommunications (8 percent), healthcare (7 percent),
and energy (4 percent)
Job position: Top management and business owners (11 percent), middle management
(34 percent), professional/administrative (32 percent), and other management
(23 percent)
Qualitative data analysis: grounded theory
Grounded theory entails a series of highly structured steps involving the systematic
comparison of units of data (i.e. the question responses) and the gradual construction of
a system of categories describing the observed phenomena. This approach involves the
generation of emergent theory from qualitative, empirical data (Strauss and Corbin,
1998).
Grounded theory uses a form of content analysis where the data are categorized into
concepts that originate from the data, rather than using constructs imposed from an
outside source. Specifically, the respondents' short titles of each issue along with a
frequency analysis of key words and phrases in the responses were the primary means
of category identification. With this approach, we identified 25 issue categories from the
text of the 1,100 comments, with three foundational issues comprising the constructs of
this study: top management support, organizational culture, and policy issues¹.
While rereading the responses from the two open-ended questions and looking for
theoretical relationships among the issues, a model was developed. The model
suggests that top management support is a significant predictor of an organization's
security culture (H1) and level of security policy enforcement (H2). Table II provides
examples of respondent statements that support the research model and formal
statements of the hypotheses.
Scale development
Considering the limited empirical studies in information security (Kotulic and Clark,
2004), the scarcity of existing scales, and the substantial content obtained from the
qualitative data, we began development of new measurement scales. The scales were
developed through an iterative process of extracting candidate questionnaire items
directly from the responses to the open-ended questions. This approach assured that
both the content and the language of the questionnaire items would be familiar to the
likely sample. Careful construction of the initial scale items helps to assure they will
representatively cover the specified domain of interest, and thus possess content
validity (Nunnally, 1978).
While it is impossible to specify how many items should be included in an item pool
(DeVellis, 2003), researchers should anticipate that one-half of the extracted items will
be retained in the final scales (Hinkin, 1998). Using this approach, we generated items
until adding new ones contributed little to the scales. Using various word combinations
from the existing items, we then doubled the size of the item pool (Hinkin, 1998) to
ensure that an adequate number of items would be available in the final scales after
instrument refinement. Once we were satisfied with the quality and quantity of the
item pool, we analyzed the instrument for construct validity.
Expert panel and instrument refinement
This step had two major focus areas. The first concerned the construct validity of the
candidate survey items. The second concerned the perceived sensitive nature, or
intrusiveness, of the questions asked. A panel of 12 experts evaluated each candidate
item from these two perspectives (construct validity and intrusiveness). We
handpicked the 12 panelists from the 220 CISSP participants based on their high
quality answers and their professional credentials.

Table II. Examples of respondent statements leading to hypotheses

H1. Top management support is positively associated with a security culture

"[T]he senior leadership example . . . can foster an institutional culture that recognizes the
importance of information to the survival of the organization and the criticality of protecting this
information."

"In most enterprises' cultures, the idea of security or risk management is not included in the normal
training process with any depth or impact. The primary cause of this is little or no senior
management recognition, support or sponsorship of the idea of protecting assets and resources."

"From senior managers to the receptionist at the front desk . . . everyone must agree that security
is important and each person has a critical role in promoting a security-aware culture."

"If senior management makes information security a known priority, and ingrains security
practices in the culture of the organization, the company will reap the benefits of that heightened
awareness."

H2. Top management support is positively associated with policy enforcement

"Obviously, without top management support and involvement, the creation, training and
enforcement of the organization's security policies would not occur or would not be taken
seriously by the employees. Top management support must happen first if the other issues are
to be handled effectively."

"Without executive level support, even a robust, comprehensive documented security policy does
not guarantee enforcement . . . across the enterprise. Corporate executive management
needs the revelation that failing to enforce information security policy is just as dangerous
as failing to enforce human resources corporate policy, i.e. law suits."

"Policies must either emanate or be prominently endorsed by executive management to be truly
effective. Executive management must take an active role in the . . . enforcement of all corporate
policies. Without this support from the organization's leadership, any policies that do get
distributed will not be totally effective."

"Policy development, enforcement, and ultimately support, is too often relegated to
lower-level management where it sits in the queue . . . ultimately diminishing the . . .
effectiveness of the security organization."

For construct validity, the expert panelists matched each item to one of seven
constructs in two separate evaluation rounds. The construct scales evaluated by the
expert panel included the three in this study (top management support, organizational
culture, and policy enforcement) plus four alternative selections (training awareness,
organizational structure, policy development, and policy maintenance). Instructions
provided definitions of each construct for the panelists to reference during the
evaluation. The panelists were encouraged to comment and make suggestions for
improvement of the items. In total, the 12 expert panelists provided over 50 comments
on specific items.
Items that obtained at least a 75 percent agreement rate among the panelists
were retained for the survey (Hinkin, 1998). Any item with less than 75 percent
agreement was dropped or modified. In the first round, 65 percent of the items
produced the required panelist agreement. While the first round produced a
sufficient number of items for the top management support and policy enforcement
constructs, it did not produce sufficient items for the security culture construct. To
refine the security culture construct and formulate new items, the open-ended
responses and literature were again consulted (Detert et al., 2000; Klein et al., 1995).
In the second round, 84 percent of the new and refined questions produced the
required 75 percent agreement and included a sufficient number of items for the
security culture construct.
Although the item-to-construct process is not a guarantee of construct validity, this
refinement effort produced a list of 33 content-oriented questionnaire items that
exhibited strong preliminary evidence of construct validity (Segars, 1998) for the
constructs in this study.
The second focus area addressed the problem of the perceived sensitive nature of
security-related questions. Because of the intrusive nature of the subject, many
previous studies in information security experienced poor response rates (Kotulic and
Clark, 2004). Some consider information security an extremely sensitive topic (Straub
and Welke, 1998) and recommend a cautious approach when attempting studies
because of a general suspicion of attempts to gain data about the behaviors of security
practitioners (Kotulic and Clark, 2004).
To minimize this problem of unacceptably high levels of perceived intrusiveness,
the same expert panel evaluated each item using a willingness-to-answer scale
(Table III) developed by the researchers. While a certain level of perceived
intrusiveness is unavoidable, only items with acceptable intrusive scores were
retained. This step is critical especially in the domain of security because items
perceived to be unacceptably intrusive might discourage survey completion. We
established the following guidelines to help evaluate the perceived intrusiveness of
each item. An acceptable item should:
(1) be rated as either slightly (3) or not intrusive (4) by at least 75 percent of the
panelists, and
(2) have a mean score from all the panelists of at least 2.75.

Table III. Willingness-to-answer scale
Scale | Definition
1 Unacceptably intrusive | Many respondents may be unwilling to answer; a problem question
2 Moderately intrusive | Some respondents may be unwilling to answer
3 Slightly intrusive | A small number of respondents may be unwilling to answer
4 Not intrusive | Respondents should be willing to answer; the question is OK

Perceived intrusiveness problems did not surface with two of the three constructs. All
of the initial items developed to measure the top management support and
organizational culture constructs met the above two guidelines. However, 22 percent of
the initial policy enforcement items did not. Table IV contains the 12 panelists'
intrusiveness scores for all the policy enforcement questions from the initial item pool.
We established a final guideline that the overall instrument may be judged
acceptable if each item passes the above two conditions and the mean of all the
items on the instrument exceeds 3.50. The mean score of the remaining questions, after
removal of intrusive questions, was 3.64, suggesting that the survey instrument is
not overly intrusive.
The willingness-to-answer scale was not the only measure considered when
determining perceived intrusiveness. Other factors may influence a potential
respondent's participation more than simply the perceived intrusiveness of the
questionnaire's items. Some of these possible factors include the visible sponsorship
of a research project by a reputable organization such as (ISC)2, approval of a
university human subjects office, implementation of secure sockets layer encryption at
the survey web site, a posted privacy policy, and a general impression of
professionalism. We addressed all these factors in this study.
Using the results from the expert panel and the content analysis, we developed the
web-based questionnaire. To reduce the potential for order bias, the content items
appeared in random order for each respondent. Nine CISSPs and nine academics
pre-tested the survey, resulting in minor format changes to the web survey to enhance
readability.

Table IV. Intrusiveness scores for initial policy enforcement items
Proposed survey question (item) | Rated as slightly or not intrusive (percent) | Mean score
Security policies have no teeth. (RC) dropped | 50 | 2.75
There is conflict between security staff and employees regarding policy enforcement. (RC) dropped | 67 | 3.00
Policies are selectively enforced. (RC) dropped | 67 | 3.00
Computer security abuses often go unpunished. (RC) dropped | 67 | 2.75
Policies are consistently enforced on senior management | 75 | 3.17
Employees caught violating important security policies are appropriately corrected | 92 | 3.50
Security policies are properly monitored for violations | 92 | 3.42
Security staff has adequate automated tools to enforce policy | 92 | 3.67
Security officers have the necessary authority to enforce policy | 92 | 3.58
Information security policies are appropriately enforced on external parties (contractors, suppliers, etc.) | 92 | 3.58
Employee computer practices are properly monitored for policy violations | 92 | 3.42
Information security policy is properly enforced | 100 | 3.67
Employees clearly understand the ramifications for violating security policies | 100 | 3.67
Policies are consistently enforced across the organization | 100 | 3.50
Discovered security policy violations are reported to the proper authority | 100 | 3.58
Information security rules are enforced by sanctioning the employees who break them | 100 | 3.75
Repeat security offenders are appropriately disciplined | 100 | 3.58
Termination is a consideration for employees who repeatedly break security rules | 100 | 3.75
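As an added worked example (not code from the paper), the following Python applies the two item-level guidelines and the instrument-level 3.50 guideline to per-panelist ratings on the willingness-to-answer scale. The paper publishes only each item's percentage and mean, so the 12-rater vectors here are constructed to reproduce the Table IV figures for six of its 18 items; the function names are this example's own.

```python
"""Willingness-to-answer screening of candidate survey items.

Added example, not the paper's code. Implements the paper's guidelines:
an item is retained if at least 75 percent of panelists rate it slightly (3)
or not (4) intrusive AND its mean score is at least 2.75; the instrument is
judged acceptable if every retained item passes and the mean over the
retained items exceeds 3.50.
"""

# 4-point willingness-to-answer scale from Table III.
SCALE = {1: "Unacceptably intrusive", 2: "Moderately intrusive",
         3: "Slightly intrusive", 4: "Not intrusive"}

MIN_PCT_SLIGHT_OR_NOT = 75.0   # item guideline 1
MIN_ITEM_MEAN = 2.75           # item guideline 2
MIN_INSTRUMENT_MEAN = 3.50     # instrument-level guideline (strictly exceeds)

# Constructed 12-panelist rating vectors. The paper reports only the percent
# and mean per item, so these vectors are built to reproduce Table IV's
# figures for six of its 18 items; they are not the panel's actual ratings.
PANEL_RATINGS = {
    "Security policies have no teeth. (RC)":
        [4, 4, 4, 4, 3, 3, 2, 2, 2, 2, 2, 1],            # 50%, 2.75
    "Computer security abuses often go unpunished. (RC)":
        [4, 3, 3, 3, 3, 3, 3, 3, 2, 2, 2, 2],            # 67%, 2.75
    "Policies are consistently enforced on senior management":
        [4, 4, 4, 4, 4, 3, 3, 3, 3, 2, 2, 2],            # 75%, 3.17
    "Employees caught violating important security policies are appropriately corrected":
        [4, 4, 4, 4, 4, 4, 4, 3, 3, 3, 3, 2],            # 92%, 3.50
    "Information security policy is properly enforced":
        [4, 4, 4, 4, 4, 4, 4, 4, 3, 3, 3, 3],            # 100%, 3.67
    "Termination is a consideration for employees who repeatedly break security rules":
        [4, 4, 4, 4, 4, 4, 4, 4, 4, 3, 3, 3],            # 100%, 3.75
}


def item_stats(ratings):
    """Return (percent rated 3 or 4, mean score) for one item's panel ratings.

    Rejects empty vectors and values outside the 1-4 scale so that a data
    entry slip cannot silently pass an item through the screen.
    """
    if not ratings:
        raise ValueError("an item needs at least one panelist rating")
    bad = [r for r in ratings if r not in SCALE]
    if bad:
        raise ValueError(f"ratings outside the 1-4 scale: {bad}")
    pct = 100.0 * sum(1 for r in ratings if r >= 3) / len(ratings)
    return pct, sum(ratings) / len(ratings)


def item_acceptable(ratings):
    """Both item-level guidelines must hold for an item to be retained."""
    pct, avg = item_stats(ratings)
    return pct >= MIN_PCT_SLIGHT_OR_NOT and avg >= MIN_ITEM_MEAN


def screen_instrument(items):
    """Apply the item screen to every candidate, then the instrument guideline.

    items maps item text -> list of panelist ratings. Returns the retained and
    dropped item texts (in input order), the mean over retained items, and
    whether the instrument as a whole is judged acceptable.
    """
    retained, dropped = [], []
    for text, ratings in items.items():
        (retained if item_acceptable(ratings) else dropped).append(text)
    means = [item_stats(items[t])[1] for t in retained]
    overall = sum(means) / len(means) if means else 0.0
    return {
        "retained": retained,
        "dropped": dropped,
        "instrument_mean": round(overall, 2),
        "instrument_ok": bool(means) and overall > MIN_INSTRUMENT_MEAN,
    }


if __name__ == "__main__":
    for text, ratings in PANEL_RATINGS.items():
        pct, avg = item_stats(ratings)
        verdict = "retained" if item_acceptable(ratings) else "dropped"
        print(f"{pct:5.1f}%  {avg:.2f}  {verdict:8s}  {text}")
    print(screen_instrument(PANEL_RATINGS))
```

On these six items the screen drops the two reverse-coded (RC) items, exactly as Table IV marks them, and the four retained items average 3.52, clearing the instrument-level guideline.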

Quantitative data collection: web-based survey
A convenience sample of 68 CISSPs, who did not participate in the open-ended
questions, tested the instrument. The characteristics of the sample are contained in
Tables V and VI.
Quantitative data analysis: structural equation modeling
SEM techniques using the Amos 5.0 software program tested for construct fit.
Tables VII and VIII list the measurement scales and goodness-of-fit indicators for each
construct, respectively. The most fundamental measure of overall fit is the χ² statistic.
A large χ² value relative to the degrees of freedom signifies that the observed and
estimated matrices differ. Thus, we are looking for a non-significant p-value to indicate
that the proposed model fits the observed covariances and correlations adequately
(Hair et al., 1998). An acceptable cutoff value for adjusted χ² (χ² divided by degrees of freedom) is 2.0 (Im and Grover,
2004). Goodness of fit (GFI) values close to 1.0 indicate an overall good fit of the data to
the proposed model. Root mean square error of approximation (RMSEA) should be
below 0.08. The comparative fit index (CFI) takes sample size into account with a
recommended cut-off of 0.95 to suggest adequate fit (Byrne, 2001; Hair et al., 1998).
Table V. Country demographics
Country | Count | Percent
United States | 34 | 50.0
Canada | 5 | 7.4
Other(a) | 5 | 7.4
Germany | 3 | 4.4
India | 3 | 4.4
Brazil | 2 | 2.9
Finland | 2 | 2.9
Hong Kong | 2 | 2.9
New Zealand | 2 | 2.9
United Kingdom | 2 | 2.9
Australia | 1 | 1.5
Korea (South) | 1 | 1.5
Malaysia | 1 | 1.5
Portugal | 1 | 1.5
Saudi Arabia | 1 | 1.5
South Africa | 1 | 1.5
Sweden | 1 | 1.5
Turkey | 1 | 1.5
Total | 68 | 100

Note: (a) Countries with fewer than ten CISSPs are listed as other

Table VI. Industry demographics
Industry | Count | Percent
Government (federal, local, military, police, etc.) | 23 | 19.7
Consulting | 21 | 17.9
Info tech-security-telecomm | 21 | 17.9
Finance, banking and insurance | 10 | 8.5
Manufacturing | 8 | 6.8
Medical/healthcare public or private | 6 | 5.1
Consumer products/retail/wholesale | 5 | 4.3
Professional services (legal, marketing, etc.) | 4 | 3.4
Other | 4 | 3.4
Industrial tech | 3 | 2.6
Utilities | 3 | 2.6
Education/training | 2 | 1.7
Energy | 2 | 1.7
Travel/hospitality | 2 | 1.7
Entertainment | 1 | 0.9
Non-profit | 1 | 0.9
Real estate | 1 | 0.9
Total | 117(a) | 100

Note: (a) Respondents could select more than one industry. For instance, consultants also selected the
industry where they primarily provide consulting services

Table VII. Measurement scale
Item code | Item
TM1 | Top management considers information security an important organizational priority
TM2 | Top executives are interested in security issues
TM3 | Top management takes security issues into account when planning corporate strategies
TM4 | Senior leadership's words and actions demonstrate that security is a priority
TM5 | Visible support for security goals by senior management is obvious
TM6 | Senior management gives strong and consistent support to the security program
C1 | Employees value the importance of security
C2 | A culture exists that promotes good security practices
C3 | Security has traditionally been considered an important organizational value
C4 | Practicing good security is the accepted way of doing business
C5 | The overall environment fosters security-minded thinking
C6 | Information security is a key norm shared by organizational members
PE1 | Employees caught violating important security policies are appropriately corrected
PE2 | Information security rules are enforced by sanctioning the employees who break them
PE3 | Repeat security offenders are appropriately disciplined
PE4 | Termination is a consideration for employees who repeatedly break security rules

The acceptable fit statistics provide evidence supporting construct validity.
Additionally, the scales demonstrated acceptable reliability as evidenced by the
Cronbach α scores.
Figure 1, the structural model, shows the three constructs in the hypothesized
network with standardized regression weights. All factor loadings and path
relationships are significant (p < 0.001). The data suggest that higher levels of top
management support will result in higher levels of a security culture within
an organization (H1) as well as higher levels of security policy enforcement (H2).

Table VIII. Construct fit indices
Construct | χ² | Df | p-value | Adj χ² | GFI | RMSEA | CFI | Cronbach α
Acceptable cutoff values | NA | NA | Non-significant | ≤ 2.0 | ≥ 0.90 | ≤ 0.08 | ≥ 0.95 | ≥ 0.70
Top mgt support (six items) | 10.20 | 9 | 0.334 | 1.134 | 0.95 | 0.045 | 0.99 | 0.94
Security culture (six items) | 5.94 | 9 | 0.746 | 0.660 | 0.97 | 0.000 | 1.0 | 0.94
Policy enforcement (four items) | 0.969 | 2 | 0.616 | 0.484 | 0.99 | 0.000 | 1.0 | 0.91

Figure 1. Path model (figure not reproduced in this text)

The associated fit measures are provided in Table IX. The measures suggest
acceptable levels of model fit. The exception is the GFI value of 0.83, which suggests
only a marginal fit.
Discussion and conclusion
As noted, some researchers urge caution when engaging in information security
research because of the intrusive nature of the topic. Kotulic and Clark (2004)
recommended a careful methodology to minimize this problem. We acted on this advice
and attempted to minimize the problem of perceived intrusiveness in our study. The
willingness-to-answer scale was critical in this endeavor. Inviting a panel of certified
security professionals to rate every candidate item for levels of intrusiveness prevented
inclusion of questions in the survey that respondents might be uncomfortable or
unwilling to answer. Researchers engaged in topics where perceived intrusiveness
might represent a problem may consider using this scale to help identify potentially
intrusive questionnaire items.
Table IX. Model fit indices
χ² | Df | p-value | Adj χ² | GFI | RMSEA | CFI
112.9 | 102 | 0.216 | 1.11 | 0.83 | 0.040 | 0.99

This study combined qualitative and quantitative research methods. Qualitative data
can help the quantitative side of a study during design by adding to the study's
conceptual development and instrumentation. Qualitative data can also help
quantitative analysis by confirming and illustrating quantitative findings (Miles and
Huberman, 1994). The combination of these methods in this study contributed to
establishing the credibility of the results.
Although exploratory, the study's results indicate that top management support
positively impacts security culture and policy enforcement. These findings are
consistent with the qualitative statements from the open-ended questions as well as
literature on the topic. Dutta and McCrohan (2002), for instance, stated that it is
incumbent on senior management to provide the leadership to break down cultural and
organizational barriers to force collaboration on security. This finding is consistent
with statements found in our data such as, "If there's no management support, real or
perceived, all information security programs will fail" and "technology is great, but
without the culture change that embraces security and management's backing all the
bits in the world won't help."
A factor limiting the model to three constructs was the small sample size of the
study. Future use of the instrument may benefit from a larger sample size more
appropriate for SEM. Follow-on studies should also enhance the methodological rigor
by minimizing common method variance through, for example, the introduction of time
lags between the data collection of independent and dependent variables (Whitman
and Woszczynski, 2004).
Future research may also build upon the model by introducing other managerial
constructs. For instance, during the grounded theory portion of the methodology, the
axial coding phase produced a list of 25 categories developed along the theme of critical
issues. Researchers may want to consider adding some of these constructs, such as
Training Awareness, into an expanded model.
Implications exist for the security profession. By providing evidence that a
significant relationship exists between important managerial issues in information
security, this study highlights the role of such issues in helping to protect mission critical
information and systems. Security practitioners should understand the impact of top
management support on achieving security effectiveness. Without management's
visible support, running an effective security program will be an uphill battle. Based on
the findings of this study, low levels of executive support will produce an organizational
culture less tolerant of good security practices. Low levels of support will also diminish
the level of enforcement of existing security policies. As one CISSP stated:
"Enforcement is without a doubt the most critical information security policy issue. While an
organization can include whatever it wants in its security policy, this content is next to
useless unless it is enforced."

References
Allen, B. (1968), "Danger ahead! Safeguard your computer", Harvard Business Review, pp. 97-101,
November/December.
Bagchi, K. and Udo, G. (2003), "An analysis of the growth of computer and internet security
breaches", Communications of the Association for Information Systems, Vol. 12 No. 46,
pp. 1-29.
Brancheau, J.C., Janz, B.D. and Wetherbe, J.C. (1996), "Key issues in information systems
management: 1994-95 SIM results", Management Information Systems Quarterly, Vol. 20
No. 2, pp. 225-42.
Byrne, B.M. (2001), Structural Equation Modeling with Amos, Erlbaum, Mahwah, NJ.
Computer Emergency Response Team (CERT) (2004), "CERT statistics", available at: www.cert.
org/stats/cert_stats.html#incidents (accessed May 2004).
Detert, J.R., Schroeder, R.G. and Mauriel, J.J. (2000), "A framework for linking culture and
improvement in organizations", Academy of Management Review, Vol. 25 No. 4, pp. 850-63.
DeVellis, R.F. (2003), Scale Development: Theory and Applications, 2nd ed., Vol. 26, Sage,
Thousand Oaks, CA.
Dutta, A. and McCrohan, K. (2002), "Management's role in information security in a cyber
economy", California Management Review, Vol. 45 No. 1, pp. 67-87.
Garg, A., Curtis, J. and Halper, H. (2004), "Quantifying the financial impact of IT security
breaches", Information Management & Computer Security, Vol. 11 No. 2, pp. 74-83.
Glaser, B.G. and Strauss, A.L. (1967), The Discovery of Grounded Theory: Strategies for
Qualitative Research, Aldine Publishing, New York, NY.
Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Richardson, R. (2004), 2004 CSI/FBI Computer
Crime and Security Survey, Computer Security Institute, San Francisco, CA.
Hair, J.F., Anderson, R.E., Tatham, R.L. and Black, W.C. (1998), Multivariate Analysis, 5th ed.,
Pearson Education, Delhi.
Hinkin, T.R. (1998), "A brief tutorial on the development of measures for use in survey
questionnaires", Organizational Research Methods, Vol. 1 No. 1, pp. 104-21.
Im, K.S. and Grover, V. (2004), "The use of structural equation modeling in IS research: review
and recommendations", in Whitman, M.E. and Woszczynski, A.B. (Eds), The Handbook of
Information Systems Research, Idea Group Publishing, Hershey, PA.
Kankanhalli, A., Hock-Hai, T., Bernard, C.Y.T. and Kwok-Kee, W. (2003), "An integrative study
of information systems security effectiveness", International Journal of Information
Management, Vol. 23, pp. 139-54.
Kaplan, B. and Duchon, D. (1988), "Combining qualitative and quantitative methods in
information systems research: a case study", Management Information Systems Quarterly,
Vol. 12 No. 4, pp. 571-87.
Klein, A.S., Masi, R.J. and Weidner, C.K. (1995), "Organization culture, distribution, and amount
of control and perceptions of quality", Group & Organization Management, Vol. 20 No. 2,
pp. 122-48.
Knapp, K.J., Marshall, T.E., Rainer, R.K. and Morrow, D.W. (2004), Top Ranked Information
Security Issues: The 2004 International Information Systems Security Certification
Consortium (ISC)2 Survey Results, Auburn University, Auburn, AL.
Kotulic, A.G. and Clark, J.G. (2004), "Why there aren't more information security research
studies?", Information & Management, Vol. 41 No. 5, pp. 597-607.
Miles, M.B. and Huberman, A.M. (1994), Qualitative Data Analysis, Sage, Thousand Oaks, CA.
Nunnally, J. (1978), Psychometric Theory, McGraw-Hill, New York, NY.
Parker, D.B. (1981), Computer Security Management, Reston Publishing Company, Reston, VA.
President (2003), "National strategy to secure cyberspace", available at: www.whitehouse.gov/
pcipb (accessed May 2004).
Segars, A.H. (1998), "Strategic information systems planning success: an investigation of the
construct and its measurement", Management Information Systems Quarterly, Vol. 22
No. 2, pp. 139-63.
Straub, D.W. (1990), "Effective IS security: an empirical study", Information Systems Research,
Vol. 1 No. 3, pp. 255-76.
Straub, D.W. and Welke, R.J. (1998), "Coping with systems risk: security planning models for
management decision making", Management Information Systems Quarterly, Vol. 22 No. 4,
pp. 441-69.
Strauss, A. and Corbin, J. (1998), Basics of Qualitative Research: Techniques and Procedures for
Developing Grounded Theory, 2nd ed., Sage, Thousand Oaks, CA.
Van Tassel, D. (1972), Computer Security Management, Prentice-Hall, Englewood Cliffs, NJ.
Whitman, M.E. and Woszczynski, A.B. (2004), "The problem of common method variance in IS
research", in Whitman, M.E. and Woszczynski, A.B. (Eds), The Handbook of Information
Systems Research, Idea Group Publishing, Hershey, PA.

About the authors
Kenneth J. Knapp is a doctoral candidate in Management Information Systems at Auburn
University. He has a BS in Computer Science from DeSales University and an MBA from Auburn
University. He has published in Communications of the Association for Information Systems.
Kenneth J. Knapp is the corresponding author and can be contacted at: Knappkj@auburn.edu
Thomas E. Marshall is an Associate Professor of Management Information Systems at
Auburn University, Auburn, Alabama. He has published in journals such as Omega and
Information & Management. His research interests include information security and database
management.
R. Kelly Rainer, Jr is George Privett Professor of Management Information Systems at
Auburn University, Auburn, Alabama. He is co-author, with Efrain Turban and Richard Potter,
of Introduction to Information Technology (3rd ed.), Wiley.
F. Nelson Ford is an Associate Professor of Management Information Systems at Auburn
University, Auburn, Alabama. He has published in journals such as MIS Quarterly, Journal of
Management Information Systems, and Information & Management. His research interests
include decision support systems and the principles of scholarship.
