Abstract
In this paper, we conceptually and empirically investigate the relationship between industry and information security awareness (ISA). Different industries have unique security related norms, rules, and values, which we propose promotes different levels of organizational effort to raise their employees’ general ISA. To examine these potential industry effects, we draw on Neo-Institutional Theory (NIT) because different industries operate in unique institutional environments. We specifically theorize that the pressures from the three institutional pillars (regulative, normative, and cultural-cognitive) will affect employees across all industries but the magnitude of those effects will vary across industries, because different industries have institutionalized security practices in unique ways. To evaluate our theorized relationships empirically, we surveyed employees in the banking, healthcare, retail, and higher education industries. We found that our subjects’ perceptions of the pressures from the three institutional pillars positively affected their perceptions of how much effort their organizations exerted to raise their general ISA. However, we also found that these effects were not consistent across our surveyed employees in the different industries, especially related to the direct and moderating effect of perceived normative institutional pressures. The implication of our paper is that future behavioral information security research should consider how industry and their corresponding institutional structures might affect (positively or negatively) the relationships in our core theoretical models.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
For the purposes of our paper, we define industry as a collection of organizations that sell a similar product, provide similar services, operate in similar institutional and/or technical environments, and take actions that are influenced by shared regulative, normative, and cultural-cognitive institutional structures (Chiasson and Davidson 2005; Scott 2008).
The idea that organizations structure and act in pursuit of legitimacy instead of in pursuit of economic rationality (or bounded rationality) is a fundamental aspect of neo (new)-institutional that is different from traditional institutional theory. Traditional institutional theories suggest that organizations form based on transaction cost economics or a series of economically rational or bounded rational choices (North 1990; Scott 2008).
For the multi-group analyses, we ran PLS multi-group analyses (PLS-MGA) with bootstrapping (using 500 random re-samples) to calculate the path coefficients (β) for each path in the proposed research model.
We asked each survey participant a single question concerning their perceptions about the perceived sanctions for violating one of the institutional pillars. The ANOVAs tested differences using this single item measure.
References
Aldrich, H. E., & Fiol, C. M. (1994). Fools rush in? The institutional context of industry creation. Academy of Management Review, 19(4), 645–670. https://doi.org/10.5465/amr.1994.9412190214.
Alexander, E. A. (2012). The effects of legal, normative, and cultural-cognitive institutions on innovation in technology alliances. Management International Review, 52(6), 791–815. https://doi.org/10.1007/s11575-011-0123-y.
Angst, C. M., Block, E. S., D’Arcy, J., & Kelley, K. (2017). When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly, 41(3), 893–916. https://doi.org/10.25300/MISQ/2017/41.3.10.
Appari, A., & Johnson, M. E. (2010). Information security and privacy in healthcare: current state of research. International Journal of Internet and Enterprise Management, 6, 279–314. https://doi.org/10.1504/IJIEM.2010.035624.
Ashforth, B. E., Rogers, K. M., & Corley, K. G. (2010). Identity in organizations: exploring cross-level dynamics. Organization Science, 22(5), 1144–1156. https://doi.org/10.1287/orsc.1100.0591.
Aurigemma, S., & Mattson, T. (2018). Exploring the effect of uncertainty avoidance on taking voluntary protective security actions. Computers & Security, 73, 219–234. https://doi.org/10.1016/j.cose.2017.11.001.
Baskerville, R., Spagnoletti, P., & Kim, J. (2014). Incident-centered information security: managing a strategic balance between prevention and response. Information & Management, 51(1), 138–151. https://doi.org/10.1016/j.im.2013.11.004.
Bauer, S., & Bernroider, E. W. N. (2017). From information security awareness to reasoned compliant action: analyzing information security policy compliance in a large banking organization. SIGMIS Database, 48(3), 44–68. https://doi.org/10.1145/3130515.3130519.
Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G. D., & Polak, P. (2015). What do Systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Quarterly, 39(4), 837–864. https://doi.org/10.25300/MISQ/2015/39.4.5.
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523–548. https://doi.org/10.2307/25750690.
Burns, A. J., Posey, C., Courtney, J. F., Roberts, T. L., & Nanayakkara, P. (2017). Organizational information security as a complex adaptive system: insights from three agent-based models. Information Systems Frontiers, 19(3), 509–524. https://doi.org/10.1007/s10796-015-9608-8.
Chan, M., Woon, I., & Kankanhalli, A. (2005). Perceptions of information security in the workplace: linking information security climate to compliant behavior. Journal of Information Privacy and Security, 1(3), 18–41. https://doi.org/10.1080/15536548.2005.10855772.
Chang, K., & Wang, C. (2011). Information systems resources and information security. Information Systems Frontiers, 13(4), 579–593. https://doi.org/10.1007/s10796-010-9232-6.
Chatman, J. A., & Jehn, K. A. (1994). Assessing the relationship between industry characteristics and organizational culture: how different can you be? Academy of Management Journal, 37(3), 522–553. https://doi.org/10.5465/256699.
Chen, Y., & Zahedi, F. M. (2016). Individuals’ internet security perceptions and behaviors: polycontextual contrasts between the United States and China. MIS Quarterly, 40(1), 205–222. https://doi.org/10.25300/MISQ/2016/40.1.09.
Chiasson, M. W., & Davidson, E. (2005). Taking industry seriously in information systems research. MIS Quarterly, 29(4), 591–605. https://doi.org/10.2307/25148701.
Chin, W. W. (1998). The partial least squares approach to structural equation modeling. Mahwah: Lawrence Erlbaum Associates.
Cohen, J. (1977). Statistical power analysis for the behavioral sciences. New York: Academic Press.
Cohen, J. (1992). A power primer. Psychological Bulletin, 112(1), 155–159. https://doi.org/10.1037/0033-2909.112.1.155.
Cooter, R. D. (2000). Three effects of social norms on law: expression, deterrence, and internalization. Oregon Law Review, 79(1), 1–23.
Crossler, R. E., Bélanger, F., & Ormond, D. (2017). The quest for complete security: an empirical analysis of users’ multi-layered protection from security threats. Information Systems Frontiers, 1–15. https://doi.org/10.1007/s10796-017-9755-1.
D’Arcy, J., & Herath, T. (2011). A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings. European Journal of Information Systems, 20(6), 643–658. https://doi.org/10.1057/ejis.2011.23.
D’Arcy, J., Hovav, A., & Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Information Systems Research, 20(1), 79–98. https://doi.org/10.1287/isre.1070.0160.
Davidson, D. E., & Heslinga, D. D. (2006). Bridging the IT adoption gap for small physician practices: an action research study on electronic health records. Information Systems Management, 24(1), 15–28. https://doi.org/10.1080/10580530601036786.
Deephouse, D. L. (1996). Does isomorphism legitimate? Academy of Management Journal, 39(4), 1024–1039. https://doi.org/10.5465/256722.
Desai, C., Wright, G., & Fletcher, K. (1998). Barriers to successful implementation of database marketing: a cross-industry study. International Journal of Information Management, 18(4), 265–276. https://doi.org/10.1016/S0268-4012(98)00015-2.
Dhillon, G., Syed, R., & Pedron, C. (2016). Interpreting information security culture: an organizational transformation case study. Computers & Security, 56, 63–69. https://doi.org/10.1016/j.cose.2015.10.001.
Dillman, D. A., Smyth, J. D., & Christian, L. M. (2014). Internet, phone, mail, and mixed-mode surveys. In The tailored design method (4th ed.). Hoboken: Wiley.
DiMaggio, P. J., & Powell, W. W. (1983). The iron cage revisited: institutional isomorphism and collective rationality in organizational fields. American Sociological Review, 48(2), 147–160. https://doi.org/10.2307/2095101.
Douglas, M. (1986). How institutions think. Syracuse: Syracuse University Press.
Dunn, M. B., & Jones, C. (2010). Institutional logics and institutional pluralism: the contestation of care and science logics in medical education, 1967–2005. Administrative Science Quarterly, 55(1), 114–149. https://doi.org/10.2189/asqu.2010.55.1.114.
Durand, R., & Thornton, P. H. (2018). Categorizing institutional logics, institutionalizing categories: a review of two literatures. Academy of Management Annals, 12(2), 631–658. https://doi.org/10.5465/annals.2016.0089.
Ferguson, C. J. (2009). An effect size primer: A guide for clinicians and researchers. Professional Psychology: Research and Practice, 40(5), 532–538. https://doi.org/10.1037/a0015808.
Fornell, C., & Bookstein, F. L. (1982). Two structural equation models: LISREL and PLS applied to consumer exit-voice theory. Journal of Marketing Research, 19(4), 440–452. https://doi.org/10.2307/3151718.
Fornell, C., & Larcker, D. F. (1981). Evaluating structural equation models with unobservable variables and measurement error. Journal of Marketing Research, 18(1), 39–50. https://doi.org/10.2307/3151312.
Friedland, R., & Alford, R. (1991). Bringing society back in: Symbols, practices and institutional contradictions. In W. Powell & P. DiMaggio (Eds.), The new institutionalism in organizational analysis (pp. 232–263). University Of Chicago Press.
Gefen, D., & Straub, D. (2005). A practical guide to factorial validity using PLS-graph: tutorial and annotated example. Communications of the Association for Information Systems, 16(1), 16. https://doi.org/10.17705/1CAIS.01605.
Gordon, G. G. (1991). Industry determinants of organizational culture. Academy of Management Review, 16(2), 396–415. https://doi.org/10.5465/amr.1991.4278959.
Guo, K. H., Yuan, Y., Archer, N. P., & Connelly, C. E. (2011). Understanding nonmalicious security violations in the workplace: a composite behavior model. Journal of Management Information Systems, 28(2), 203–236. https://doi.org/10.2753/MIS0742-1222280208.
Hair, J. F., Jr., Hult, G. T. M., Ringle, C., & Sarstedt, M. (2016). A primer on partial least squares structural equation modeling (PLS-SEM). Los Angeles: Sage Publications.
Hannan, M. T., & Freeman, J. (1977). The population ecology of organizations. American Journal of Sociology, 82(5), 929–964. https://doi.org/10.1086/226424.
Henseler, J., Dijkstra, T. K., Sarstedt, M., Ringle, C. M., Diamantopoulos, A., Straub, D. W., Ketchen, D. J., Hair, J. F., Hult, G. T. M., & Calantone, R. J. (2014). Common beliefs and reality about partial least squares: comments on Rönkkö & Evermann (2013). Organizational Research Methods, 17(2), 182–209.
Herath, T., & Rao, H. R. (2009). Protection motivation and deterrence: a framework for security policy compliance in Organisations. European Journal of Information Systems, 18(2), 106–125. https://doi.org/10.1057/ejis.2009.6.
Hrebiniak, L. G., & Snow, C. C. (1980). Industry differences in environmental uncertainty and organizational characteristics related to uncertainty. Academy of Management Journal, 23(4), 750–759. https://doi.org/10.5465/255561.
Hu, Q., Hart, P., & Cooke, D. (2007). The role of external and internal influences on information systems security – a neo-institutional perspective. The Journal of Strategic Information Systems, 16(2), 153–172. https://doi.org/10.1016/j.jsis.2007.05.004.
King, J. L., Gurbaxani, V., Kraemer, K. L., McFarlan, F. W., Raman, K. S., & Yap, C. S. (1994). Institutional factors in information technology innovation. Information Systems Research, 5(2), 139–169. https://doi.org/10.1287/isre.5.2.139.
Kohli, R., & Kettinger, W. J. (2004). Informating the clan: controlling physicians’ costs and outcomes. MIS Quarterly, 28(3), 363.
MacKenzie, S. B., Podsakoff, P. M., & Podsakoff, N. P. (2011). Construct measurement and validation procedures in MIS and behavioral research: integrating new and existing techniques. MIS Quarterly, 35(2), 293–334. https://doi.org/10.2307/23044045.
March, J. G., & Olsen, J. P. (1989). Rediscovering institutions: the organizational basis of politics (1st edn.). New York: The Free Press.
Menard, P., Warkentin, M., & Lowry, P. B. (2018). The impact of collectivism and psychological ownership on protection motivation: a cross-cultural examination. Computers & Security, 75, 147–166. https://doi.org/10.1016/j.cose.2018.01.020.
Meyer, J. W., & Rowan, B. (1977). Institutionalized organizations: formal structure as myth and ceremony. American Journal of Sociology, 83(2), 340–363. https://doi.org/10.1086/226550.
Moody, G. D., Siponen, M., & Pahnila, S. (2018). Toward a unified model of information security policy compliance. MIS Quarterly, 42(1), 285–311. https://doi.org/10.25300/MISQ/2018/13853.
North, D. C. (1990). Institutions, institutional change and economic performance. New York: Cambridge University Press.
Podsakoff, P. M., MacKenzie, S. B., & Podsakoff, N. P. (2012). Sources of method bias in social science research and recommendations on how to control it. Annual Review of Psychology, 63(1), 539–569. https://doi.org/10.1146/annurev-psych-120710-100452.
Posey, C., Roberts, T. L., & Lowry, P. B. (2015). The impact of organizational commitment on insiders’ motivation to protect organizational information assets. Journal of Management Information Systems, 32(4), 179–214. https://doi.org/10.1080/07421222.2015.1138374.
Ringle, C. M., Sarstedt, M., & Henseler, J. (2016). Testing measurement invariance of composites using partial least squares. International Marketing Review, 33(3), 405–431. https://doi.org/10.1108/IMR-09-2014-0304.
Rockness, H., & Rockness, J. (2005). Legislated ethics: from Enron to Sarbanes-Oxley, the impact on corporate America. Journal of Business Ethics, 57(1), 31–54. https://doi.org/10.1007/s10551-004-3819-0.
Rousseau, D. M., Sitkin, S. B., Burt, R. S., & Camerer, C. (1998). Not so different after all: a cross-discipline view of trust. Academy of Management Review, 23(3), 393–404. https://doi.org/10.5465/amr.1998.926617.
Scott, W. R. (2008). Institutions and organizations, ideas and interest (3rd ed.). Thousand Oaks: Sage.
Singh, J. V., & Lumsden, C. J. (1990). Theory and research in organizational ecology. Annual Review of Sociology, 16(1), 161–195. https://doi.org/10.1146/annurev.so.16.080190.001113.
Siponen, M., & Vance, A. (2010). Neutralization: new insights into the problem of employee information systems security policy violations. MIS Quarterly, 34(3), 487–502. https://doi.org/10.2307/25750688.
Siponen, M., & Vance, A. (2014). Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations. European Journal of Information Systems, 23(3), 289–305. https://doi.org/10.1057/ejis.2012.59.
Stahl, B. C., Doherty, N. F., & Shaw, M. (2012). Information security policies in the UK healthcare sector: a critical evaluation. Information Systems Journal, 22(1), 77–94. https://doi.org/10.1111/j.1365-2575.2011.00378.x.
Suchman, M. C. (1995). Managing legitimacy: strategic and institutional approaches. Academy of Management Review, 20(3), 571–610. https://doi.org/10.5465/amr.1995.9508080331.
Suddaby, R. (2010). Challenges for institutional theory. Journal of Management Inquiry, 19(1), 14–20.
Suddaby, R., Gendron, Y., & Lam, H. (2009). The organizational context of professionalism in accounting. Accounting, Organizations and Society, 34(3), 409–427. https://doi.org/10.1016/j.aos.2009.01.007.
Swidler, A. (1986). Culture in action: symbols and strategies. American Sociological Review, 51(2), 273–286. https://doi.org/10.2307/2095521.
Thornton, P. H., & Ocasio, W. (1999). Institutional logics and the historical contingency of power in organizations: executive succession in the higher education publishing industry, 1958–1990. American Journal of Sociology, 105(3), 801–843. https://doi.org/10.1086/210361.
Thornton, P. H., & Ocasio, W. (2008). Institutional logics. In R. Greenwood, C. Oliver, R. Suddaby, & K. Sahlin-Andersson (Eds.), The Sage handbook of organizational institutionalism (Vol. 840, pp. 99–128). Thousand Oaks: SAGE Publications Ltd.
Tolbert, P. S., & Zucker, L. G. (1983). Institutional sources of change in the formal structure of organizations: the diffusion of civil service reform, 1880–1935. Administrative Science Quarterly, 28(1), 22–39. https://doi.org/10.2307/2392383.
Trice, H. M. (1993). Occupational subcultures in the workplace. Ithaca: Cornell University Press.
Wang, P. (2010). Chasing the hottest IT: effects of information technology fashion on organizations. MIS Quarterly, 34(1), 63–85.
Warkentin, M., & Willison, R. (2009). Behavioral and policy issues in information systems security: the insider threat. European Journal of Information Systems, 18(2), 101–105. https://doi.org/10.1057/ejis.2009.12.
Warkentin, M., Johnston, A. C., Shropshire, J., & Barnett, W. D. (2016). Continuance of protective security behavior: a longitudinal study. Decision Support Systems, 92, 25–35. https://doi.org/10.1016/j.dss.2016.09.013.
Wilkinson, L. (1999). Statistical methods in psychology journals: guidelines and explanations. American Psychologist, 54(8), 594–604. https://doi.org/10.1037/0003-066X.54.8.594.
Workman, M., Bommer, W. H., & Straub, D. (2008). Security lapses and the omission of information security measures: a threat control model and empirical test. Computers in Human Behavior, 24(6), 2799–2816. https://doi.org/10.1016/j.chb.2008.04.005.
Xu, X. M., Kaye, G. R., & Duan, Y. (2003). UK executives’ vision on business environment for information scanning: a cross industry study. Information & Management, 40(5), 381–389. https://doi.org/10.1016/S0378-7206(02)00045-9.
Yeh, Q.-J., & Chang, A. J.-T. (2007). Threats and countermeasures for information system security: a cross-industry study. Information & Management, 44(5), 480–491. https://doi.org/10.1016/j.im.2007.05.003.
Zucker, L. G. (1977). The role of institutionalization in cultural persistence. American Sociological Review, 42(5), 726–743. https://doi.org/10.2307/2094862.
Zucker, L. G. (1987). Institutional theories of organization. Annual Review of Sociology, 13(1), 443–464. https://doi.org/10.1146/annurev.so.13.080187.002303.
Zwikael, O., & Ahn, M. (2011). The effectiveness of risk management: an analysis of project risk planning across industries and countries. Risk Analysis, 31(1), 25–37. https://doi.org/10.1111/j.1539-6924.2010.01470.x.
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendices
Appendix A
There are four reflective constructs in our paper: 1) REG – perceived regulatory institutional pressure, 2) NORM – perceived normative institutional pressure, 3) COG – perceived cultural-cognitive institutional pressure, and 4) ISA – perceived organizational effort to raise general information security awareness.
Appendix 2 - Factor loading
Appendix C: 3-Step Measurement Invariance Testing Using Permutation
We used the MICOM three-step procedure for measurement invariance testing (Ringle et al. 2016). The first step involves configural invariance where we made sure that (1) the same indicator variables were used in each group, (2) all the data were treated equally across groups, and (3) the same variance-based estimations were used for all the groups (Ringle et al. 2016). Next, in step 2, if a correlational value is close to 1 and falls within the range of the confident intervals, then it indicates compositional invariance. Finally, step 3 incorporates invariance for means (Step 3a) and variances (Step 3b). If a mean difference or a variance difference between two groups falls within the range of the confident intervals, then equal mean value or equal invariance has been attained, respectively.
The following tables (from Tables 16, 17, 18, 19, 20, and 21) display the results for our invariance tests for each industry pair. The permutation test in SmartPLS 3.2 requires us to make a comparison of two groups at a time. We found that for each pair of group comparison, the criteria for compositional invariance has been satisfied in the second step of MICOM. With compositional invariance, although the mean value equal and the variance equal were not fully attained in the third step, it is still possible to compare the standardized coefficients of the structural model across groups (Ringle et al. 2016). Therefore, we conclude that our Multi-Group Analysis (MGA) produces meaningful statistical results.
Rights and permissions
About this article
Cite this article
Kam, HJ., Mattson, T. & Goel, S. A Cross Industry Study of Institutional Pressures on Organizational Effort to Raise Information Security Awareness. Inf Syst Front 22, 1241–1264 (2020). https://doi.org/10.1007/s10796-019-09927-9
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10796-019-09927-9