Information security: management's effect on culture and policy

Abstract

PurposeThis study proposes to put forward and test a theoretical model that demonstrates the influence of top management support on an organization's security culture and level of security policy enforcement.Design/methodology/approachThe project used a combination of qualitative and quantitative techniques. The grounded theory approach was used to analyze responses to open‐ended questions answered by 220 certified information system security professionals. Using these responses, a survey instrument was developed. Survey results were analyzed using structural equation modeling.FindingsEvidence suggests that top management support is a significant predictor of an organization's security culture and level of policy enforcement.Research limitations/implicationsDuring instrument validation, a special effort removed survey items that appeared overly intrusive to the respondents. In this endeavor, an expert panel of security practitioners evaluated all candidate items on a willingness‐to‐answer scale. While especially helpful in security, this scale may be used in other research domains.Practical implicationsPractitioners should understand the impact of top management support on achieving security effectiveness. Based on the findings of this study, low levels of executive support will produce an organizational culture less tolerant of good security practices. Low levels of support will diminish the level of enforcement of existing security policies.Originality/valueResearchers developed original scales to measure levels of top management support, policy enforcement, and organizational culture. The scales demonstrated acceptable reliability and validity scores.