A Cross Industry Study of Institutional Pressures on Organizational Effort to Raise Information Security Awareness



Hwee-Joo Kam 1, Thomas Mattson 2, Sanjay Goel 3

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Abstract

In this paper, we conceptually and empirically investigate the relationship between industry and information security awareness (ISA). Different industries have unique security-related norms, rules, and values, which we propose promote different levels of organizational effort to raise their employees’ general ISA. To examine these potential industry effects, we draw on Neo-Institutional Theory (NIT), because different industries operate in unique institutional environments. We specifically theorize that the pressures from the three institutional pillars (regulative, normative, and cultural-cognitive) will affect employees across all industries, but that the magnitude of those effects will vary across industries, because different industries have institutionalized security practices in unique ways. To evaluate our theorized relationships empirically, we surveyed employees in the banking, healthcare, retail, and higher education industries. We found that our subjects’ perceptions of the pressures from the three institutional pillars positively affected their perceptions of how much effort their organizations exerted to raise their general ISA. However, we also found that these effects were not consistent across our surveyed employees in the different industries, especially with respect to the direct and moderating effects of perceived normative institutional pressures. The implication of our paper is that future behavioral information security research should consider how industries and their corresponding institutional structures might affect (positively or negatively) the relationships in our core theoretical models.

Keywords: Neo-institutional theory (NIT); Cross industry; Industry effects; Information security awareness; Organizational effort

* Hwee-Joo Kam [email protected]
Thomas Mattson [email protected]
Sanjay Goel [email protected]

1 University of Tampa, 401 W. Kennedy Blvd., Tampa, FL 33606, USA
2 University of Richmond, 410 Westhampton Way, Richmond, VA 23173, USA
3 University at Albany, SUNY, Business Building 311, 1400 Washington Ave., Albany, NY 12222, USA

1 Introduction

The weakest link in an organization’s information security defense systems is its employees (Crossler et al. 2017; Warkentin and Willison 2009). A small fraction of employees may maliciously intend to harm their organizations, but most employees are non-malicious in their information security related actions (Guo et al. 2011; Workman et al. 2008). Informing these non-malicious employees about the current threats and mitigating controls is an ongoing challenge facing modern organizations (Chang and Wang 2011). As such, the information security literature has devoted significant time explicating how these non-malicious employees become aware of the existing threat landscape and why they perform a variety o