www.emeraldinsight.com/0968-5227.htm
IMCS
14,1
Information security: management's effect on culture and policy
Kenneth J. Knapp
US Air Force Academy, Colorado Springs, Colorado, USA, and
Information Management & Computer Security, Vol. 14 No. 1, 2006, pp. 24-36
© Emerald Group Publishing Limited, 0968-5227
DOI 10.1108/09685220610648355
The authors would like to gratefully acknowledge these individuals for their substantial
assistance in this research project: Ann Marie Overen, Lloyd Taylor, Claudia N. Lukas, T.C.
Chen, Alan C. Proctor, Jr, Milo Doyle, Joseph B. Baugh, Alexis J. Monaco, Mansoor Khan, Paul
S. Powenski, Timothy H. Lacey, Wallace Coy, and Bennie Sanford. The authors especially thank
Dorsey Morrow and the (ISC)2 organization for their thorough support of this project.
Introduction
Information security is a critical issue threatening organizations worldwide. With
modern national economies and businesses fully dependent upon information
technology for survival (President, 2003), the need to protect information is more
paramount than ever before. Multiple national surveys confirm a high number of
attacks against organizational information resources (Bagchi and Udo, 2003; Computer
Emergency Response Team (CERT), 2004; Gordon et al., 2004). Between 1998 and 2003,
the number of reported incidents to the US CERT nearly doubled each year with
137,529 reported incidents in 2003 alone. According to an Ernst and Young survey,
security incidents can cost companies between $17 and 28 million for each occurrence
(Garg et al., 2004). Because incidents are frequent and costly, management must take
security seriously to protect critical organizational information.
For decades, security authorities recognized that solving security problems requires
managerial attention (Allen, 1968; Parker, 1981; Van Tassel, 1972). Even so, managers
often did not regard security as important and many permitted their information
systems (IS) to be either lightly protected or wholly unprotected (Straub, 1990). In some
IS key issue studies during the 1990s, the security issue dropped entirely off the top
20 list (Brancheau et al., 1996). Since 2000, even with increased media attention about
e-mail viruses, internet worms, and software vulnerabilities, managerial attention to
security still appears to be insufficient. A 2004 key issues study of 874 certified
information security professionals showed that top management support was ranked
number one from a list of 25 security issues (Knapp et al., 2004). In the same study,
organizational culture ranked sixth and policy-related issues ranked seventh.
Few studies have developed and empirically-tested theoretical models that apply
these managerial constructs to information security (Kankanhalli et al., 2003; Straub,
1990). Some IS scholars even perceive a serious lack of empirically based information
security research altogether (Kotulic and Clark, 2004). Considering the general lack of
empirical research, this study seeks to explore, develop, and empirically test a
theoretical model in information security.
The lack of empirical research and theory in information security caused us to
organize this paper differently than most articles reporting the results from empirical
studies. The next section of this paper describes the research methodology we used to
produce the theoretical model and the survey instrument that tested the model. This
methodology section describes each phase of the study from qualitative data collection
to the results of the quantitative data analysis. Following the methodology section, we
conclude with a discussion of implications for research and practice.
Research methodology
This research study involved six major steps combining qualitative and quantitative
techniques. Such an approach can provide a richer, contextual basis for interpreting
and validating results (Kaplan and Duchon, 1988). The qualitative portion of the
methodology relied on the grounded theory research strategy (Glaser and Strauss,
1967) in order to analyze open-ended question responses from 220 certified information
system security professionals (CISSPs) who are constituents of the International
Information Systems Security Certification Consortium ((ISC)2). This analysis enabled
us to develop measurement scales by extracting questionnaire items from the content
of the open-ended question responses. An expert panel of 12 CISSPs then evaluated the
extracted items for meaningfulness and readability.
One research objective was to create an instrument that exhibits not only high
validity and reliability, but also minimizes the respondents' perception of instrument
intrusiveness. Instruments with intrusively worded questions that cover sensitive
organizational issues may cause respondents to be less than forthright in their
Table I. Sample characteristics (job position)
Table II. Examples of respondent statements leading to hypotheses
For construct validity, the expert panelists matched each item to one of seven
constructs in two separate evaluation rounds. The construct scales evaluated by the
expert panel included the three in this study (top management support, organizational
culture, and policy enforcement) plus four alternative selections (training awareness,
organizational structure, policy development, and policy maintenance). Instructions
provided definitions of each construct for the panelists to reference during the
evaluation. The panelists were encouraged to comment and make suggestions for
improvement of the items. In total, the 12 expert panelists provided over 50 comments
on specific items.
Items that obtained at least a 75 percent agreement rate among the panelists
were retained for the survey (Hinkin, 1998). Any item with less than 75 percent
agreement was dropped or modified. In the first round, 65 percent of the items
produced the required panelist agreement. While the first round produced a
sufficient number of items for the top management support and policy enforcement
constructs, it did not produce sufficient items for the security culture construct. To
refine the security culture construct and formulate new items, the open-ended
responses and literature were again consulted (Detert et al., 2000; Klein et al., 1995).
In the second round, 84 percent of the new and refined questions produced the
required 75 percent agreement and included a sufficient number of items for the
security culture construct.
Although the item-to-construct process is not a guarantee of construct validity, this
refinement effort produced a list of 33 content-oriented questionnaire items that
exhibited strong preliminary evidence of construct validity (Segars, 1998) for the
constructs in this study.
The second focus area addressed the problem of the perceived sensitive nature of
security-related questions. Because of the intrusive nature of the subject, many
previous studies in information security experienced poor response rates (Kotulic and
Clark, 2004). Some consider information security an extremely sensitive topic (Straub
and Welke, 1998) and recommend a cautious approach when attempting studies
because of a general suspicion of attempts to gain data about the behaviors of security
practitioners (Kotulic and Clark, 2004).
To minimize this problem of unacceptably high levels of perceived intrusiveness,
the same expert panel evaluated each item using a willingness-to-answer scale
(Table III) developed by the researchers. While a certain level of perceived
intrusiveness is unavoidable, only items with acceptable intrusive scores were
retained. This step is critical especially in the domain of security because items
perceived to be unacceptably intrusive might discourage survey completion. We
established the following guidelines to help evaluate the perceived intrusiveness of
each item. An acceptable item should:
(1) be rated as either slightly (3) or not intrusive (4) by at least 75 percent of the
panelists and have
(2) a mean score from all the panelists of at least a 2.75.
Table III. Willingness-to-answer scale
Scale   Definition
1       Unacceptably intrusive
2       Moderately intrusive
3       Slightly intrusive
4       Not intrusive
Perceived intrusiveness problems did not surface with two of the three constructs. All
of the initial items developed to measure the top management support and
organizational culture constructs met the above two guidelines. However, 22 percent of
the initial policy enforcement items did not. Table IV contains the 12 panelists'
intrusiveness scores for all the policy enforcement questions from the initial item pool.
We established a final guideline that the overall instrument may be judged
acceptable if each item passes the above two conditions and the mean of all the
items on the instrument exceeds 3.50. The mean score of the remaining questions, after
removal of intrusive questions, was a 3.64, suggesting that the survey instrument is
not overly intrusive.
The willingness-to-answer scale was not the only measure considered when
determining perceived intrusiveness. Other factors may influence a potential
respondent's participation more than simply the perceived intrusiveness of the
questionnaire's items. Some of these possible factors include the visible sponsorship
of a research project by a reputable organization such as (ISC)2, approval of a
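The three guidelines above (75 percent of panelists rating an item 3 or 4, an item mean of at least 2.75, and an instrument mean above 3.50) can be applied mechanically to a panel's ratings. The following is an added illustration, not the paper's own procedure or data: the panel ratings are constructed for a hypothetical 12-member panel, and the item codes PE_a to PE_e are placeholders. The example shows that an item can clear the 75 percent rule yet fail the mean rule, and that every item passing does not by itself guarantee the instrument-level mean.

```python
from statistics import mean
from typing import Dict, List, Tuple

# Willingness-to-answer scale (Table III): 1 = unacceptably intrusive,
# 2 = moderately intrusive, 3 = slightly intrusive, 4 = not intrusive.
SLIGHTLY_OR_NOT_INTRUSIVE = 3
MIN_AGREEMENT = 0.75        # guideline 1: share of panelists rating the item 3 or 4
MIN_ITEM_MEAN = 2.75        # guideline 2: mean panelist score for the item
MIN_INSTRUMENT_MEAN = 3.50  # final guideline: mean over retained items must exceed this


def check_ratings(ratings: List[int]) -> None:
    """Reject an empty panel or any rating outside the 1-4 scale."""
    if not ratings:
        raise ValueError("an item needs at least one panelist rating")
    if any(r not in (1, 2, 3, 4) for r in ratings):
        raise ValueError("ratings must be on the 1-4 willingness-to-answer scale")


def agreement_share(ratings: List[int]) -> float:
    """Fraction of panelists who rated the item slightly (3) or not (4) intrusive."""
    check_ratings(ratings)
    return sum(r >= SLIGHTLY_OR_NOT_INTRUSIVE for r in ratings) / len(ratings)


def item_passes(ratings: List[int]) -> bool:
    """Guidelines 1 and 2 must both hold; values exactly on the threshold pass."""
    return agreement_share(ratings) >= MIN_AGREEMENT and mean(ratings) >= MIN_ITEM_MEAN


def screen_items(pool: Dict[str, List[int]]) -> Tuple[Dict[str, List[int]], List[str]]:
    """Split an item pool into retained items and the codes of dropped items."""
    retained = {code: r for code, r in pool.items() if item_passes(r)}
    dropped = [code for code in pool if code not in retained]
    return retained, dropped


def instrument_mean(retained: Dict[str, List[int]]) -> float:
    """Mean score over all retained items, each item weighted equally."""
    if not retained:
        raise ValueError("no items retained")
    return mean(mean(r) for r in retained.values())


def instrument_acceptable(retained: Dict[str, List[int]]) -> bool:
    """Final guideline: retained items already passed, so only the mean remains."""
    return instrument_mean(retained) > MIN_INSTRUMENT_MEAN


# Constructed ratings from a hypothetical 12-member panel (not the paper's data).
SAMPLE_POOL = {
    "PE_a": [4, 4, 3, 3, 3, 3, 2, 2, 2, 1, 1, 1],  # 50% agreement: fails guideline 1
    "PE_b": [3] * 9 + [2] * 3,                      # exactly 75%, mean 2.75: boundary pass
    "PE_c": [3] * 10 + [1] * 2,                     # 83% agreement, mean 2.67: fails guideline 2
    "PE_d": [4] * 12,                               # unanimously "not intrusive"
    "PE_e": [4] * 6 + [3] * 6,                      # mean 3.50
}

if __name__ == "__main__":
    kept, gone = screen_items(SAMPLE_POOL)
    print("dropped:", gone)                                        # ['PE_a', 'PE_c']
    print("instrument mean: %.2f" % instrument_mean(kept))         # 3.42
    print("instrument acceptable:", instrument_acceptable(kept))  # False
```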
Table IV. Intrusiveness scores for initial policy enforcement items
Rated as slightly or not intrusive (percent)   Mean score
 50                                            2.75
 67                                            3.00
 67                                            3.00
 67                                            2.75
 75                                            3.17
 92                                            3.50
 92                                            3.42
 92                                            3.67
 92                                            3.58
 92                                            3.58
 92                                            3.42
100                                            3.67
100                                            3.67
100                                            3.50
100                                            3.58
100                                            3.75
100                                            3.58
100                                            3.75
Table V. Country demographics (count and percent of the 68 respondents by country)
Note: aCountries with fewer than ten CISSPs are listed as other
Table VI. Industry demographics
Industry                                              Count   Percent
Government (federal, local, military, police, etc.)      23      19.7
Consulting                                               21      17.9
Info tech-security-telecomm                              21      17.9
Finance, banking and insurance                           10       8.5
Manufacturing                                             8       6.8
Medical/healthcare public or private                      6       5.1
Consumer products/retail/wholesale                        5       4.3
Professional services (legal, marketing, etc.)            4       3.4
Other                                                     4       3.4
Industrial tech                                           3       2.6
Utilities                                                 3       2.6
Education/training                                        2       1.7
Energy                                                    2       1.7
Travel/hospitality                                        2       1.7
Entertainment                                             1       0.9
Non-profit                                                1       0.9
Real estate                                               1       0.9
Total                                                   117a     100
Note: aRespondents could select more than one industry. For instance, consultants also selected the
industry where they primarily provide consulting services
Table VII. Measurement scale (items TM1-TM6 for top management support, C1-C6 for security culture, PE1-PE4 for policy enforcement)
Table VIII. Construct fit indices
Construct                         χ2      Df   p-value                  Adj χ2   GFI      RMSEA    CFI      Cronbach α
Acceptable cutoff                 NA      NA   Non-significant values   ≤ 2.0    ≥ 0.90   ≤ 0.08   ≥ 0.95   ≥ 0.70
Top mgt support (six items)       10.20   9    0.334                    1.134    0.95     0.045    0.99     0.94
Security culture (six items)      5.94    9    0.746                    0.660    0.97     0.000    1.0      0.94
Policy enforcement (four items)   0.969   2    0.616                    0.484    0.99     0.000    1.0      0.91
Figure 1. Path model
The associated fit measures are provided in Table IX. The measures suggest
acceptable levels of model fit. The exception is the GFI value of 0.83, which suggests
only a marginal fit.
Discussion and conclusion
As noted, some researchers urge caution when engaging in information security
research because of the intrusive nature of the topic. Kotulic and Clark (2004)
recommended a careful methodology to minimize this problem. We acted on this advice
and attempted to minimize the problem of perceived intrusiveness in our study. The
willingness-to-answer scale was critical in this endeavor. Inviting a panel of certified
security professionals to rate every candidate item for levels of intrusiveness prevented
inclusion of questions in the survey that respondents might be uncomfortable or
unwilling to answer. Researchers engaged in topics where perceived intrusiveness
might represent a problem may consider using this scale to help identify potentially
intrusive questionnaire items.
Table IX. Model fit indices
χ2      Df    p-value   Adj χ2   GFI    RMSEA   CFI
112.9   102   0.216     1.11     0.83   0.040   0.99
This study combined qualitative and quantitative research methods. Qualitative data
can help the quantitative side of a study during design by adding to the study's
conceptual development and instrumentation. Qualitative data can also help
quantitative analysis by confirming and illustrating quantitative findings (Miles and
Huberman, 1994). The combination of these methods in this study contributed to
establishing the credibility of the results.
Although exploratory, the study's results indicate that top management support
positively impacts security culture and policy enforcement. These findings are
consistent with the qualitative statements from the open-ended questions as well as
literature on the topic. Dutta and McCrohan (2002), for instance, stated that it is
incumbent on senior management to provide the leadership to break down cultural and
organizational barriers to force collaboration on security. This finding is consistent
with statements found in our data such as, "If there's no management support, real or
perceived, all information security programs will fail" and "technology is great, but
without the culture change that embraces security and management's backing all the
bits in the world won't help."
A factor limiting the model to three constructs was the small sample size of the
study. Future use of the instrument may benefit from a larger sample size more
appropriate for SEM. Follow-on studies should also enhance the methodological rigor
by minimizing common method variance through, for example, the introduction of time
lags between the data collection of independent and dependent variables (Whitman
and Woszczynski, 2004).
Future research may also build upon the model by introducing other managerial
constructs. For instance, during the grounded theory portion of the methodology, the
axial coding phase produced a list of 25 categories developed along the theme of critical
issues. Researchers may want to consider adding some of these constructs, such as
Training Awareness, into an expanded model.
Implications exist for the security profession. By providing evidence that a
significant relationship exists between important managerial issues in information
security, this study highlights the role of such issues in helping to protect mission critical
information and systems. Security practitioners should understand the impact of top
management support on achieving security effectiveness. Without management's
visible support, running an effective security program will be an uphill battle. Based on
the findings of this study, low levels of executive support will produce an organizational
culture less tolerant of good security practices. Low levels of support will also diminish
the level of enforcement of existing security policies. As one CISSP stated:
Enforcement is without a doubt the most critical information security policy issue. While an
organization can include whatever it wants in its security policy, this content is next to
useless unless it is enforced.
References
Allen, B. (1968), Danger ahead! Safeguard your computer, Harvard Business Review, pp. 97-101,
November/December.
Bagchi, K. and Udo, G. (2003), An analysis of the growth of computer and internet security
breaches, Communications of the Association for Information Systems, Vol. 12 No. 46,
pp. 1-29.
Brancheau, J.C., Janz, B.D. and Wetherbe, J.C. (1996), Key issues in information systems
management: 1994-95 SIM results, Management Information Systems Quarterly, Vol. 20
No. 2, pp. 225-42.
Byrne, B.M. (2001), Structural Equation Modeling with Amos, Erlbaum, Mahwah, NJ.
Computer Emergency Response Team (CERT) (2004), CERT statistics, available at: www.cert.
org/stats/cert_stats.html#incidents (accessed May 2004).
Detert, J.R., Schroeder, R.G. and Mauriel, J.J. (2000), A framework for linking culture and
improvement in organizations, Academy of Management Review, Vol. 25 No. 4, pp. 850-63.
DeVellis, R.F. (2003), Scale Development: Theory and Applications, 2nd ed., Vol. 26, Sage,
Thousand Oaks, CA.
Dutta, A. and McCrohan, K. (2002), Managements role in information security in a cyber
economy, California Management Review, Vol. 45 No. 1, pp. 67-87.
Garg, A., Curtis, J. and Halper, H. (2004), Quantifying the financial impact of IT security
breaches, Information Management & Computer Security, Vol. 11 No. 2, pp. 74-83.
Glaser, B.G. and Strauss, A.L. (1967), The Discovery of Grounded Theory: Strategies for
Qualitative Research, Aldine Publishing, New York, NY.
Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Richardson, R. (2004), 2004 CSI/FBI Computer
Crime and Security Survey, Computer Security Institute, San Francisco, CA.
Hair, J.F., Anderson, R.E., Tatham, R.L. and Black, W.C. (1998), Multivariate Analysis, 5th ed.,
Pearson Education, Delhi.
Hinkin, T.R. (1998), A brief tutorial on the development of measures for use in survey
questionnaires, Organizational Research Methods, Vol. 1 No. 1, pp. 104-21.
Im, K.S. and Grover, V. (2004), The use of structural equation modeling in IS research: review
and recommendations, in Whitman, M.E. and Woszczynski, A.B. (Eds), The Handbook of
Information Systems Research, Idea Group Publishing, Hershey, PA.
Kankanhalli, A., Hock-Hai, T., Bernard, C.Y.T. and Kwok-Kee, W. (2003), An integrative study
of information systems security effectiveness, International Journal of Information
Management, Vol. 23, pp. 139-54.
Kaplan, B. and Duchon, D. (1988), Combining qualitative and quantitative methods in
information systems research: a case study, Management Information Systems Quarterly,
Vol. 12 No. 4, pp. 571-87.
Klein, A.S., Masi, R.J. and Weidner, C.K. (1995), Organization culture, distribution, and amount
of control and perceptions of quality, Group & Organization Management, Vol. 20 No. 2,
pp. 122-48.
Knapp, K.J., Marshall, T.E., Rainer, R.K. and Morrow, D.W. (2004), Top Ranked Information
Security Issues: The 2004 International Information Systems Security Certification
Consortium (ISC)2 Survey Results, Auburn University, Auburn, AL.
Kotulic, A.G. and Clark, J.G. (2004), Why there aren't more information security research
studies?, Information & Management, Vol. 41 No. 5, pp. 597-607.
Miles, M.B. and Huberman, A.M. (1994), Qualitative Data Analysis, Sage, Thousand Oaks, CA.
Nunnally, J. (1978), Psychometric Theory, McGraw-Hill, New York, NY.
Parker, D.B. (1981), Computer Security Management, Reston Publishing Company, Reston, VA.
President (2003), National strategy to secure cyberspace, available at: www.whitehouse.gov/
pcipb (accessed May 2004).
Segars, A.H. (1998), Strategic information systems planning success: an investigation of the
construct and its measurement, Management Information Systems Quarterly, Vol. 22
No. 2, pp. 139-63.
Straub, D.W. (1990), Effective IS security: an empirical study, Information Systems Research,
Vol. 1 No. 3, pp. 255-76.
Straub, D.W. and Welke, R.J. (1998), Coping with systems risk: security planning models for
management decision making, Management Information Systems Quarterly, Vol. 22 No. 4,
pp. 441-69.
Strauss, A. and Corbin, J. (1998), Basics of Qualitative Research. Techniques and Procedures for
Developing Grounded Theory, 2nd ed., Sage, Thousand Oaks, CA.
Van Tassel, D. (1972), Computer Security Management, Prentice-Hall, Englewood Cliffs, NJ.
Whitman, M.E. and Woszczynski, A.B. (2004), The problem of common method variance in IS
research, in Whitman, M.E. and Woszczynski, A.B. (Eds), The Handbook of Information
Systems Research, Idea Group Publishing, Hershey, PA.
About the authors
Kenneth J. Knapp is a doctoral candidate in Management Information Systems at Auburn
University. He has a BS in Computer Science from DeSales University and an MBA from Auburn
University. He has published in Communications of the Association for Information Systems.
Kenneth J. Knapp is the corresponding author and can be contacted at: Knappkj@auburn.edu
Thomas E. Marshall is an Associate Professor of Management Information Systems at
Auburn University, Auburn, Alabama. He has published in journals such as Omega and
Information & Management. His research interests include information security and database
management.
R. Kelly Rainer, Jr is George Privett Professor of Management Information Systems at
Auburn University, Auburn, Alabama. He is co-author, with Efrain Turban and Richard Potter,
of Introduction to Information Technology (3rd ed.), Wiley.
F. Nelson Ford is an Associate Professor of Management Information Systems at Auburn
University, Auburn, Alabama. He has published in journals such as MIS Quarterly, Journal of
Management Information Systems, and Information & Management. His research interests
include decision support systems and the principles of scholarship.