A Model of Managerial Effectiveness in Information Security: From Grounded Theory to Empirical Test
Abstract
Information security is a critical issue facing organizations worldwide. To mitigate risk and protect valuable information, organizations need to operate and manage effective information security programs. Using a research methodology that combines qualitative and quantitative techniques, this study proposes and tests a theoretical model of managerial effectiveness in information security. Specifically, the model demonstrates the influence of top management support on perceived security effectiveness, mediated by four constructs critical to successful information security programs: user training, security culture, policy relevance, and policy enforcement. Prior research has not examined the factors that mediate between top management support and information security effectiveness. During the qualitative phase of the study, an open-ended question was given to a sample of 220 Certified Information Systems Security Professionals (CISSPs). Responses were analyzed using a grounded theory strategy to develop a theoretical model as well as a survey instrument to test the model. Because of the potentially sensitive nature of information security research, a special effort was made to remove items that might appear overly intrusive to respondents. To this end, an expert panel of security practitioners evaluated all proposed items on a willingness-to-answer scale. The instrument underwent further refinement through multiple pre-tests and a pilot test. During the quantitative phase of the study, the final instrument was completed by 740 CISSPs, who provided the data for empirical testing of the model. To control for common method variance, the study employed several procedural remedies during data collection. Once collected, the empirical data were analyzed using structural equation modeling; the results suggest full support for the theoretical model. An additional finding suggested strong support for an alternative, second-order factor model. Further analysis found that the alternative model might have general applicability across demographics and cultures. Overall, a high level of consistency exists between the qualitative and quantitative findings of the study. This study also investigated how the concept of task interdependence relates to information security. Administering a previously developed task interdependence scale to a sample of 936 CISSPs, the study found that effective information security programs require high levels of task interdependence within organizations.