You are here: Home Contents V15 N1 V15N1_Gallagher.html
Personal tools

Antecedents of Information Security Activities: Drivers, Enablers, and Constraints



Full text

Journal of Information System Security
Volume 15, Number 1 (2019)
Pages 2760
ISSN 1551-0123
Kevin Gallagher — Cleveland State University, USA
Xiaoni Zhang — Northern Kentucky University, USA
Vickie Coleman Gallagher — Cleveland State University, USA
Information Institute Publishing, Washington DC, USA




Information security-related activities, such as documenting policies, safeguarding assets, monitoring for breaches, and gaining user compliance, are important for organizations wishing to protect their information against adverse threats. However, fully instituting these activities seems to be challenged, given ongoing reports of organizations experiencing information security breaches. As explained in institutional theory, breaches can undermine the organization’s reputation and legitimacy in the eyes of many stakeholders. In this research, we examined institutional forces, along with organization-innovation related enablers and constraints, as predictors of higher levels of assimilation of information security-related activities. Consistent with prior research in the areas of institutional and innovation theory, the research examined mimetic, normative, and coercive forces, as well as the organization’s compatibility with, and the perceived complexity of, the security-related activities. We also control for both organization structure and size as control variables. We found two of the three institutional forces were significant, as were complexity, compatibility and the control variables. The practical implications of our research are that coercive forces, i.e. legal, governmental, and parent company requirements, provide the greatest positive influence on instituting these activities. Normative forces, based in interorganizational relationships with and industry and its organizations also contribute, but not to coercive forces. Perceived compatibility of activities enable, and complexity constrains higher levels of assimilation, thus the degree to which activities are adapted into existing practices could help in introducing and achieving greater levels of assimilation.




Institutional Theory, Security Activities, Complexity, Compatibility




Alrige, M., Alsudais, A., Plachkinova, M., Chatterjee, S., Edwards, A., Edwards, J., and Weinstein, A. (2014). EHR adoption in healthcare practices: lessons from two case studies. Proceedings of the Twentieth American. Conference on Information System, Savannah, GA.

Alshaikh, M., Maynard, M., Ahmad, S. B., and Chang, S. (2015). Information security policy: a management practice perspective, Australian. Conference on Information System, Adelaide, South Australia, 2015.

Anderson, J. C. and Gerbing, D. W. (1988). Structural equation modeling in practice: a review and recommended two-step approach, Psychological Bulletin, 103(3), 411-423.

Armstrong, C. P. and Sambamurthy, V. (1999). Information technology assimilation in firms: the influence of senior leadership and it infrastructures, Information System Research, 10(4), 304-327.

Attwell, P. (1992). Technology diffusion and organizational learning: The case of business computing, Organization Science, 3(1), 1-19.

Aurigemma, S. and L. Leonard (2015), "The Influence of Employee Affective Organizational Commitment on Security Policy Attitudes and Compliance Intentions", Journal of Information System Security, 11(3): 201–222.

Bala, H. and Venkatesh, V. (2007). Assimilation of interorganizational business process standards, Information System Research, 18(3), 340-362.

Baskerville, R. L. (2008). Strategic information security risk management, in information security policies and practices, Straub D., Goodman S., and Baskerville, R.L. Eds., M.E. Sharpe, Armonk, NY, 112-122.

Bharadwaj, A. (2000). A resource-based perspective on information technology capability and firm performance: An Empirical Investigation. MIS Quarterly, 24(1), 169-196.

Bjork, F. (2004). Institutional theory: a new perspective for research into is/it security in organizations, Proceedings of the 37th Hawaii International Conference on Systems Sciences, Hawaii.

Blakely, B. (2002). Lock IT down: Consultants can offer remedies to lax SME security, TechRepublic,, Feb. 6, 2002.

Bauer, S., Bernroider, E. W. N., and Chudzikowski, K. (2017). Prevention is better than cure! Designing information security awareness programs to overcome users' non-compliance with information security policies in banks, Computer. & Security, 68, 145-159.

Bulgurcu, B., Cavusolglu, H., and Banbasat, I. (2010). Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness, MIS Quarterly. 34, 523-548.

Burns, A. J., Roberts, T. L., Posey, C., Bennett, R. J., and Courtney, J. F. (2017). Intentions to Comply Versus Intentions to Protect: A VIE Theory Approach to Understanding the Influences of Insiders’ Awareness of Organizational SETA Efforts, Decision Science.

Burt, R.S. (1987). Social contagion and innovation: cohesion versus structural equivalence, American Journal of Sociology, 92(6), 1287-1335.

Campbell, D .T. and Fiske, D. W. (1959). Convergent and discriminant validation by the multitrait-multimethod matrix, Psychological Bulletin, 56, 81-105.

Chu, Z., Xu, J., Lai, F., and Collins, B.J. (2018). Institutional theory and environmental pressures: the moderating effect of market uncertainty on innovation and firm performance. IEEE Trans on Engineering. Management, 65(3), 392-403.

Chua, H. N., Wong, S. F., Low, Y. C., and Chang, Y. (2018). Impact of employees' demographic characteristics on the awareness and compliance of information security policy in organizations, Telecommunication and Information, 35(6), 1770-1780.

Churchill, G. A. (1979). A paradigm for developing better measures of marketing constructs, Journal of Market Research, 16(1), 64–73.

Cohen, W. M. and Levinthal, D. A. (1990). Absorptive Capacity: A New Perspective on

Learning and Innovation, Administrative Science Quarterly, 35, 128-152.

Cooper, D. R. and Schindler, P. S. Business Research Methods. McGraw-Hill Higher Education, London, 2001.

Daft, R. L. (2010). Organization theory and design. South-Western Cengage Learning, Mason, Ohio.

Damonpour, F. (1991). Organizational innovation, a meta-analysis of effects of determinants and Moderators, Academy of Management Journal, 34(3), 583-613.

DiMaggio, P. J. and Powell, W. W. (1983). The iron cage revisited: institutional isomorphism and collective rationality in organizational fields, American Sociology Review, 48, 147-160.

Dimopoulos, V., Furnell, S., Jennex, M., and Kritharas, I. (2004). Approaches to IT security in small and medium enterprises, Second Australian Information Security Management Conference, pp. 73-82.

Fichman, R. G. and Kemerer, C. F. (1999). The illusory diffusion of innovation: An examination of assimilation gaps, Information Systems Research, 10(3), 255-275.

Fichman, R. G. and Kemerer, C. F. (2007). The assimilation of software process innovations: an organizational learning perspective, Management Science., 43(10), 345-1363.

Fornell, C. and Larcker, D. F. (1981). Evaluating structural equation models with unobservable variables and measurement error, Journal of Marketing Research, 18(1), 39–50.

Gallagher, K. G. and Gallagher, V. C. (2012). Organizing for post-implementation ERP: a contingency theory perspective, Journal of Enterprise Information Management, 25(2), 170-185

Goo, J., Yim, M. S., and Kim, D. J. (2013). A Path Way to Successful Management of Individual Intention to Security Compliance: A Role of Organizational Security Climate, Proceedings of the 46th Hawaii International Conference on System Science.

Grover, V. (1993). An empirically derived model for the adoption of customer-based interorganizational systems, Decision Science, 24(3), 603-640.

Hair, Jr. J.F., Black, W. C, Babin, B. J., Anderson, R. E., and Tatham, R. L. (2006). Multivariate data analysis. (6th ed.). Upper Saddle River, NJ: Pearson-Prentice Hall.

Herath, T. and Rao, H. R. (2009). Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organizations, European Journal of Information Systems. 18, 106-125.

Hu, Q., Dinev, T., Hart, P., and Cooke, D. (2012). Managing employee compliance with information security policies: the critical role of top management and organizational culture, Decision Science, 43(4), 615-660.

Hu, Q., Hart, P., and Cooke, D. (2004). The Role of external and internal influences on information systems security - a neo-institutional perspective, Journal of Strategic Information. System, 16,153-172.

Jones, M. C. and Beatty, R. C. (1998). Toward the development of measures of perceived benefits and compatibility of edi: a comparative assessment of competing first order factor models, European Journal of Information Systems, 7(3), 210-220.

Kankanhalli, A., Teo, H-H, Tan, B. C. Y., and Wei, K. K. (2003). An integrative study of information systems security effectiveness, International Journal of Information Management 23(2), 139-154.

Lian, J., Yen, D. C., and Wang, Y. (2013). An exploratory study to understand the critical factors affecting the decision to adopt cloud computing in Taiwan hospitals, International Journal of Information Management, 34, 28-36.

Liang, H., Saraf, H., Hu, Q., and Xue, Y. (2007). Assimilation of Enterprise Systems: The Effect of Institutional Pressures and the Mediating Role of Top Management, MIS Quarterly, 31(1), 59-87.

Lu, G., Koufteros, X., and Lucianetti, L. (2017). Supply chain security: a classification of practices and an empirical study of differential effects and complementarity, IEEE Transactions on Engineering Management, 64(2), 234 –248.

Maphanga, G. C., and Jokonya, O. (2017). The risk of users' negative behaviors’ influence on information security compliance policy in organizations, Risk Governance and Control: Financial Markets & Instrument., 7(4), 30-40.

Meyer, J. and Rowan, B. (1977). Institutionalized organizations: formal structures as myth and ceremony, American Journal of Sociology, 83, 340-363.

Nunnally, J. C., and Bernstein, I. H. The assessment of reliability, Psychological Theory, Vol. 3, pp. 248-292, 1994.

Penrose, E. and Penrose, E.T. (2009). The Theory of the Growth of the Firm, Oxford university press.

Porter, M. E. and Millar, V. E. (1985). How information gives you competitive advantage, Harvard Business Review, 63(4), 149-160.

Powell, W. W. and DiMaggio, P. J. (1991). The New Institutionalism in Organizational Analysis, University of Chicago Press.

Puhakainen, P. and Siponen, M. (2010). Improving Employees’ Compliance through information systems security training: an action research study, MIS Quarterly, 34(4), 757-778.

Purvis, R. L., Sambamurthy, V., and Zmud, R. W. (2001). The assimilation of knowledge platforms in organizations: an empirical investigation, Organization Science, 12(2), 117-135.

Reardon, J. L. and Davidson, E. (2007). An organizational learning perspective on the assimilation of electronic medical records among small physician practices, European Journal of Information System. 16, 681-694.

Robins, G. Egovernment, Information Warfare, Risks Management: an Australian Case Study, the Second Australian Information Warfare and Security Conference, 2001.

Rogers, E. M. (1995). Diffusion of Innovations, Free Press, New York.

Sambamurthy, V., Bharadwaj, A., and Grover, V. (2003). Shaping agility through digital options: re-conceptualizing the role of it in contemporary firms, MIS Quarterly, 27, 237-263.

Sambamurthy, V. and Zmud, R. W. (1999). Arrangements for information technology governance: a theory of multiple contingencies, MIS Quarterly, 23(2), 261-91.

Straub, D. W. (1990). Effective IS security: an empirical study, Information. System. Research, 1(3), 255-276.

Straub, D. (2010). Special issue: Information Systems Security, MIS Quarterly, 34(3).

Suchman, M. C. (1995). Managing legitimacy: strategic and institutional approaches, Academy of Management Review, 20, 571-610.

Teo, H. H., Wei, K. K., and Banbasat, I. (2003). Predicting intention to adopt interorganizational linkages: an institutional perspective, MIS Quarterly, 27(1), 19-49.

Tornatzky, L. G. and Klein, K. (1982). Innovation characteristics and innovation implementation: a meta-analysis of findings, IEEE Transactions on Engineering Management, 29(1), 28-45, 1982.

Warkentin, M. and Johnston, A. C. (2008). IT Governance and Organizational Development for Security Management, in Information Security: Policies, Processes, and Practices, D. Straub, S. Goodman, R. L. Baskerville (eds), Information Security Policies and Practices, pp. 46-68, NY: M.E. Sharpe.

Weick, K. E. (1990). Technology as equivoque: sensemaking in new technologies, in P.S. Goodman, L.S. Sproull, and associates, eds, Technology and Organization. Jossey-Bass, San Francisco, CA, 1-44

Whitman, M. E. (2008). Security Policy: From Design to Maintenance”. In Information Security Policies and Practices, Straub D., Goodman S. and Baskerville R. L., Eds. M.E. Sharpe, Armonk, NY, pp. 123-151.

Yazdanmehr, A. and Wang, J. (2016). Employees' information security policy compliance: A norm activation perspective, Decision Support System, 92, 36-46.

Yoo, C. W., Sanders, G. L., and Cerveny, R. P. (2018). Exploring the influence of flow and psychological ownership on security education, training and awareness effectiveness and security compliance, Decision Support Systems, 108, 107-118.

Veiga, A. D. and Eloff, J. H. P. (2007). An Information Security Governance Framework, Information System Management, 24, 261-372.

Yayla, A. A. and Hu, Q. (2011). The Impact of Information Security Events on the Stock Value of Firms: The Effect of Contingency Factors, Journal of Information Technology, 26, 60-77.