Institutional pressures in security management: Direct and indirect influences on organizational investment in information security control resources

doi:10.1016/j.im.2014.12.004

Information & Management

Volume 52, Issue 4, June 2015, Pages 385-400

https://doi.org/10.1016/j.im.2014.12.004 Get rights and content

Highlights

•
Organizations invest in three types of information security control resources (ISCR).
•
Internal security needs assessment (ISNA) affects the level of ISCR in organizations.
•
Key activities of ISNA are security investment rationale and risk analysis.
•
Institutional pressures affect ISCR directly and indirectly through ISNA.
•
Coercive and normative pressures are two critical institutional pressures.

Abstract

To offer theoretical explanations of why differences exist in the level of information security control resources (ISCR) among organizations, we develop a research model by applying insights obtained from resource-based theory of the firm and institutional theory. The results, based on data collected through a survey of 241 organizations, generally support our research model. Institutional pressures and internal security needs assessment (ISNA) significantly explain the variation in organizational investment in ISCR. Specifically, coercive and normative pressures are found to have not only a direct impact but also an indirect impact through ISNA on organizational investment in ISCR.

Introduction

The dependency on the connectivity enabled by the Internet has created unprecedented challenges for organizations to establish more secure information technology (IT) infrastructures. Even a single security breach may result in irreparable damage to firms in terms of corporate liability, loss of credibility, and reduced revenues [9]. High-profile security incidents in recent years have raised awareness of information security and brought it to the forefront of corporate priorities [20]. Many firms today rate information security as one of the highest priorities for their IT expenditures [13].

The early research stream on management of information security focused on developing comprehensive checklists for security procedures and controls, encompassing various areas of threats [14]. This approach later led to the development of risk management methodologies to assess the magnitude of risk using the probability of occurrence of a security lapse and the cost associated with it [3]. Later studies focused on information security policies and investigated drivers for compliance and violations (e.g., [8], [53], [54]). Despite a widespread belief that organizations can successfully address security issues by investing in technical and socio-organizational resources [17], there is still a lack of theory on and empirical support for what constitutes a coherent set of organizational resources for information security controls and why variations exist in the amount of such resources among organizations. In the wake of recent high profile security breaches at Target and Neiman Marcus, our research will provide insights as to why the other retailers, such as Wal-Mart and Sears, have different resources that protected them from malware stealing payment card numbers from the memory in cash registers in retail stores during the payment process or payment authorization [28].

This study intends to fill this gap in the literature with two objectives. First, drawing upon the resource-based view (RBV) of the firm [64], we first examined the nature of organizational resources deployed for better security—hereafter referred to as information security control resources (ISCR) in organizations. We used the typology of Grant [24] as a theoretical lens to identify three distinct but interrelated dimensions – information security technologies, qualified information security personnel, and security awareness of organizational users – of ISCR in organizations. Second, based on institutional theory and its recent development, we explicate antecedents of an organization's investment in ISCR. We posit that organizations heterogeneously respond to institutional pressures related to information security by making different levels of investment in ISCR. In particular, we argue that institutional pressures, such as mimetic, coercive, and normative pressures, exerted from the external environment have both direct and indirect impacts through ISNA on organizational investment in ISCR.

Section snippets

A resource-based view of information security controls

The RBV literature suggests that the set of resources a firm possesses can explain its performance [64]. Viewed either as a strength or a weakness of a firm, resources are considered assets that enable the firm to conceive and execute strategies that improve efficiency and effectiveness [64]. Although the RBV tends to define resources broadly to include capabilities, resources and capabilities have been considered as distinct concepts [5], [24]. Resources refer to the principal assets needed

Theory and hypotheses development

Our research model is developed by employing institutional theory and its recent development. Institutional theory suggests that the main objective in organizational decisions is to gain greater legitimacy from the stakeholders in its environment, and this legitimacy can be gained by adopting processes, structures, and strategies that others in the environment have already adopted. As Scott and Meyer [51] posit, the institutional environments “are characterized by the elaboration of rules and

Measure development

We borrowed existing measurement scales whenever available in the literature. When existing scales are not available, new measures were developed by tightly operationalizing definitions of constructs in this study. Appendix A presents all measurement items. We operationalized ISCR as a second-order construct with three subconstructs: information security technologies, qualified security personnel, and security awareness of organizational users. The second-order construct was modeled as

Data analysis

The components-based PLS approach was used to evaluate the psychometric properties of the measurement scales and to test research hypotheses. We used Smart PLS version 2.0 for both validating measurement scales and testing the research model. The partial least squares (PLS) approach rather than the covariance-based modeling approach was used because the PLS approach is often considered to optimize the predictive power on the dependent variable (e.g., ISCR in our study). In addition, the PLS

Discussion of the findings

Our study identifies three distinct types of ISCR – information security technologies, qualified information security personnel, and security awareness of organizational users – to provide theoretical explanations of what constitutes a coherent set of organizational resources for information security controls. Specifically, we developed a second-order construct of ISCR with the three types of control resources as subconstructs and a research model to explain why differences exist in the level

Study limitations

The study is not without limitations. First, while the organizations that our participants work for represent a broad range of industries, they are for-profit organizations. Our data does not include not-for-profit firms. Therefore, the findings of the study should be interpreted accordingly. Motivations for security investment might differ for not-for-profit organizations. For instance, Anthony et al. [2] found that for-profit hospitals are more (less) likely to comply with a mandatory

Future research directions

This study offers several avenues for future research. One avenue for future research is to empirically investigate the link between ISCR and security performance. It seems that such an investigation, while of great importance, poses formidable challenges for researchers. One reason is the lack of reliable metrics in measuring the security performance of organizations. It is difficult or impossible to use traditional performance metrics in an information security context. Thus, we first need to

Concluding remarks

Despite the growing importance of information security, our understanding of organizational approaches to managing IS security remains rudimentary. In particular, this study answered a fundamental question regarding what constitutes ISCR and why variations exist in the level of ISCR among organizations. We offered theoretical explanations for both of the questions and gave strong empirical support for our arguments. Nonetheless, we cannot exclude the possibility that other theoretical

References (66)

Q. Hu et al.
The role of external and internal influences on information systems security—a neo-institutional perspective
J. Strategic Inf. Syst.
(2007)
J. Son
Out of fear or desire? Toward a better understanding of employees’ motivation to follow IS security policies
Inf. Manage.
(2011)
C.M. Trompeter et al.
A framework for implication of socio-ethical controls in information security
Comput. Secur.
(2001)
M.P. Adler
A unified approach to information security compliance
EDUCASE Rev.
(2006)
D.L. Anthony et al.
Institutionalizing hipaa compliance: organizations and competing logics in U.S. Healthcare
J. Health Soc. Behav.
(2014)
R. Baskerville
Risk analysis: an interpretive feasibility tool in justifying information systems security
Eur. J. Inf. Syst.
(1991)
N. Beck et al.
Technical efficiency or adaptation to institutionalized expectations? The adoption of ISO 9000 standards in the german mechanical engineering industry
Organ. Stud.
(2005)
A.S. Bharadwaj
A resource-based perspective on information technology capability and firm performance: an empirical investigation
MIS Q.
(2000)
F. Bjorck
Institutional theory: a new perspective for research into IS/IT security
E. Boxenbaum et al.
Isomorphism, diffusion and decoupling

B. Bulgurcu et al.

Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness

MIS Q.

(2010)

H. Cavusoglu et al.

The effect of Internet security breach announcements on market value: capital market reaction for breached firms and Internet security developers

Int. J. Electron. Com.

(2004)

H. Cavusoglu et al.

The value of intrusion detection systems (IDSS) in information technology (IT) security

Inf. Syst. Res.

(2005)

D. Chatterjee et al.

Shaping up for e-commerce: institutional enablers of the organizational assimilation of web technologies

MIS Q.

(2002)

W.W. Chin

The partial least squares approach to structural equation modeling

S. Collett

Forecast 2014: How to Wring Value from Your IT Budget

(September, 2013)

R. Courtney

Security risk assessment in electronic data processing

Deloitte Touche

2005 Global Security Survey

(2005)

G. Dhillon et al.

Information system security management in the new millennium

Commun. ACM

(2000)

G. Dhillon et al.

Current directions in IS security research: towards socio-organizational perspectives

Inf. Syst. J.

(2001)

P.J. DiMaggio et al.

The iron cage revisited—institutional isomorphism and collective rationality in organizational fields

Am. Sociol. Rev.

(1983)

S. Dynes et al.

Information security in the extended enterprise: some initial results from a field study of an industrial firm

E&Y

Global Information Security Survey 2005: Report on the Widening Gap

(2005)

R. Fisher

Information Systems Security

(1984)

R. Garud et al.

Institutional entrepreneurship as embedded agency: an introduction to the special issue

Organ. Stud.

(2007)

D. Gefen et al.

Structural equation modeling and regression: guidelines for research practice

Commun. Assoc. Inf. Syst.

(2000)

R.M. Grant

Contemporary Strategy Analysis

(2005)

K.E. Greenaway et al.

Theoretical explanations for firms’ information privacy behaviors

Commun. AIS

(2005)

R. Grewal et al.

An investigation into the antecedents of organizational participation in business-to-business electronic markets

J. Marketing

(2001)

A.E. Harris et al.

A sneaky path into Target customers’ wallets

N.Y. Times

(2014)

E.A. Harris et al.

Neiman Marcus data breach worse than first said

N.Y. Times

(2014)

H.A. Haveman

Follow the leader—mimetic isomorphism and entry into new markets

Admin. Sci. Q.

(1993)

C.B. Jarvis et al.

A critical review of construct indicators and measurement model misspecification in marketing and consumer research

J. Consum. Res.

(2003)

Cited by (79)

Who should own the data? The impact of data value creation on data ownership
2024, Computers and Industrial Engineering
With the popularization and application of the Industrial Internet of Things, equipment manufacturers as upstream enterprises can collect in real time the operational data of their downstream enterprise customers’ devices. As the notion of “data as an asset” gains acceptance, enterprises increasingly value the data value chain. In the current market mechanism, ownership of data is not clear, which hinders the creation of data value. This study establishes a theoretical analytical model that considers the influences of the benefits and losses derived from value co-creation on claiming data ownership. Benefits obtained by upstream and downstream enterprises through data and losses incurred owing to data breaches are distinct, which impact their investments in data security and data authorization. Results reveal that investments in data security by upstream businesses are affected by benefits and losses and also correlated with data ownership. Conversely, if the downstream enterprise owns the data, its expected benefits can inversely affect the upstream's data security investment—increasing the downstream's benefits can lead to reduced security investment by the upstream, even though other factors may encourage the upstream to invest more in data security. The impact of who owns the data on the security investments of both upstream and downstream enterprises becomes less pronounced when the expected benefits or potential losses for one side grow. Lastly, the current study provides guiding principles for upstream businesses to claim data ownership, thereby facilitating the exploration and utilization of data value co-creation opportunities for upstream and downstream businesses.
“I don't think we're there yet”: The practices and challenges of organisational learning from cyber security incidents
2024, Computers and Security
Learning from cyber incidents is crucial for organisations to enhance their cyber resilience and effectively respond to evolving threats. This study employs neo-institutional and organisational learning theories to examine how organisations learn from incidents and gain insights into the challenges they face. Drawing on qualitative research methods, interviews were conducted with 34 security practitioners from organisations operating in the UK spanning a range of industries. The findings highlight the importance of consciously evaluating learning practices and creating a culture of openness to hear about incidents from employees, customers and suppliers. Deciding which incidents to learn from, as well as who should participate in the learning process, emerged as critical considerations. Overcoming defensiveness and addressing systemic causes were recognised as barriers to effective learning. The study emphasises the need to assess the value and impact of identified lessons and to avoid superficial reviews that treat symptoms rather than underlying causes to improve resilience. While progress has been made in learning from incidents, further enhancements are needed. Practical recommendations have been proposed to suggest how organisations may gain valuable insights for maximising the benefits derived from incident learning. This research contributes to the existing knowledge on organisational learning and informs future studies exploring the social and political influences on the learning process. By considering the suggested recommendations, organisations may strengthen their cyber security, foster a culture of continuous improvement, and respond effectively to the dynamic cyber security landscape.
Do environmental management practices mediate institutional pressures-environmental performance relationship? Evidence from Vietnamese SMEs
2023, Heliyon
Although SMEs contribute much to Vietnamese economic growth, they cause significant negative impacts on the environment. In environmental literature, the institutional theory is suggested to be used as a theoretical lens to examine the pressure driving an organization to improve environmental performance and indirectly through strategic response. Despite that, this theory needs more application to predict SMEs' environmentally friendly outcomes. Hence, this study draws upon institutional theory to examine that three institutional pressures, coercive, normative, and mimetic pressures have a direct impact on environmental performance as well as an indirect impact through the adoption of environmental management practices. Data were collected by surveying 253 manufacturing SMEs operating in Vietnam. Partial least-squared structural equation modeling was executed to assess data. The results suggest that three institutional pressures, coercive, mimetic, and normative pressure, indirectly improve environmental performance by adopting environmental management practices. At the same time, there is no direct effect of these pressures on environmental performance. These findings shed light on how institutional pressures affect environmental management practice adoption and environmental performance in the SME context. These findings also contribute the theoretical development of institutional theory by showing that adopting environmental management practices is a strategic response to institutional pressures to gain environmental performance. Lastly, due to mixed results on the relationship between institutional pressures and its outcomes (e.g., environmental management practice adoption, environmental performance), this study cast light on those relationships in Vietnam.
Managing compliance with privacy regulations through translation guardrails: A health information exchange case study
2023, Information and Organization
Information privacy is increasingly important in our digitally connected world, particularly in healthcare, and privacy regulations are ramping up to promote appropriate privacy practices. As a digital platform that enables healthcare providers to exchange protected health information (PHI), a health information exchange (HIE) is governed by health information privacy regulations. The challenge for HIEs is to operate in a way that will maximize information exchange while maintaining compliance with regulations that may constrain the sharing of PHI. Regulations impose a measure of universality through compliance requirements, while being flexible to allow adaptation to the local context. However, our longitudinal case study into the privacy policies of an HIE, demonstrates that the journey of privacy ideas from their original formulation in regulations, to their ultimate enactment in an organizational setting, is accompanied by translations, such that the final implementation may vary extensively from its original form. Such variability often results in interpretations that differ from what the regulators intended. Consequently, translation guardrails are necessary to protect against problematic translations of regulatory ideas which could lead to compliance issues and loss of platform participation. Our findings offer two contributions. First, we contribute to the compliance literature by explaining how guardrails can balance the use of permission and obligation schemas which are necessary to translate regulations into effective organizational policies for the success of HIEs and other information exchange platforms. Second, we contribute to extending translation theory by explaining how pragmatic reasoning schemas function as the mechanism through which translation of regulations occurs.
Cybersecurity capabilities and cyber-attacks as drivers of investment in cybersecurity systems: A UK survey for 2018 and 2019
2023, Computers and Security
Citation Excerpt :
Cybersecurity has become a key factor that determines the success or failure of organizations (Karjalainen et al., 2019; Jeong et al., 2019; Chronopoulos et al., 2017; Wolff, 2016; Cavusoglu et al., 2015; Bose and Luo, 2014; Bulgurcu et al., 2010).
Our study explores how cyber-capabilities and cyber-attacks drive investment in cybersecurity systems. We assume that cybersecurity investment is a strategic decision in the organizations. To analyze this research question, we make use of the Cyber Security Breaches Survey data, with a sample consisting of 4,163 UK organizations in the periods 2018 to 2019, and employ machine learning techniques (ANN and K-mean cluster). The study extends the current literature on cybersecurity systems and improves our understanding of it in several ways. First, it provides evidence for how the cybersecurity systems are developed in organizations. Second, regarding what factors affect investment in cybersecurity systems, it shows that organizations invest in cybersecurity based on their cybersecurity capabilities and the experienced cyber-attacks. Third, from a managerial point of view, the paper contributes to understanding cybersecurity within the management of the organization.
Explanatory factors for variation in supplier sustainability performance in the automotive sector – A quantitative analysis
2022, Cleaner Logistics and Supply Chain
This article analyses differences in sustainability performances across supplier groups in the automotive industry using a multiple regression approach. The supplier sustainability performance is proxied by the self-assessment questionnaire (SAQ), a document-based assessment tool widely used in the automotive industry. The supplier groups are divided according to their headcount, business category and the region suppliers are located in. The analysis shows that the sustainability performance increases significantly with a supplier’s headcount. Furthermore, it shows that manufacturing suppliers perform significantly better compared to service providers. While there exist regional performance differences, the development stage of a country is found to be only a small significant factor influencing suppliers’ sustainability performances. Our results suggest OEM requirements in their assessments to be a major driver for supplier sustainability performance and that further analysis of regional factors is necessary.

View all citing articles on Scopus

¹: The co-authors have contributed equally to this paper.

²: Tel.: +1 972 883 5939; fax: +1 972 883 2089.

³: Tel.: +1 604 822 8894; fax: +1 604 822 0045.

⁴: Tel.: +1 604 822 8396; fax: +1 604 822 0045.

View full text

Institutional pressures in security management: Direct and indirect influences on organizational investment in information security control resources

Highlights

Abstract

Introduction

Section snippets

A resource-based view of information security controls

Theory and hypotheses development

Measure development

Data analysis

Discussion of the findings

Study limitations

Future research directions

Concluding remarks

J. Strategic Inf. Syst.

Inf. Manage.

Comput. Secur.

A unified approach to information security compliance

EDUCASE Rev.

Institutionalizing hipaa compliance: organizations and competing logics in U.S. Healthcare

J. Health Soc. Behav.

Risk analysis: an interpretive feasibility tool in justifying information systems security

Eur. J. Inf. Syst.

Technical efficiency or adaptation to institutionalized expectations? The adoption of ISO 9000 standards in the german mechanical engineering industry

Organ. Stud.

A resource-based perspective on information technology capability and firm performance: an empirical investigation

MIS Q.

Institutional theory: a new perspective for research into IS/IT security

Isomorphism, diffusion and decoupling

Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness

MIS Q.

The effect of Internet security breach announcements on market value: capital market reaction for breached firms and Internet security developers

Int. J. Electron. Com.

The value of intrusion detection systems (IDSS) in information technology (IT) security

Inf. Syst. Res.

Shaping up for e-commerce: institutional enablers of the organizational assimilation of web technologies

MIS Q.

The partial least squares approach to structural equation modeling

Forecast 2014: How to Wring Value from Your IT Budget

Security risk assessment in electronic data processing

2005 Global Security Survey

Information system security management in the new millennium

Commun. ACM

Current directions in IS security research: towards socio-organizational perspectives

Inf. Syst. J.

The iron cage revisited—institutional isomorphism and collective rationality in organizational fields

Am. Sociol. Rev.

Information security in the extended enterprise: some initial results from a field study of an industrial firm

Global Information Security Survey 2005: Report on the Widening Gap

Information Systems Security

Institutional entrepreneurship as embedded agency: an introduction to the special issue

Organ. Stud.

Structural equation modeling and regression: guidelines for research practice

Commun. Assoc. Inf. Syst.

Contemporary Strategy Analysis

Theoretical explanations for firms’ information privacy behaviors

Commun. AIS

An investigation into the antecedents of organizational participation in business-to-business electronic markets

J. Marketing

A sneaky path into Target customers’ wallets

N.Y. Times

Neiman Marcus data breach worse than first said

N.Y. Times

Follow the leader—mimetic isomorphism and entry into new markets

Admin. Sci. Q.

A critical review of construct indicators and measurement model misspecification in marketing and consumer research

J. Consum. Res.