
D.   Study  II:  Information  Security  Awareness:  Its  Antecedents  and  Mediating

2   Background

3.1 Institutional Antecedents of ISA

Institutional antecedents refer to an organization's security management practices. In the ISS literature, these factors are often summarized under the term "management support" (Chan et al. 2005). The greater the management support, the more resources are available for security issues (Kankanhalli et al. 2003, Herath and Rao 2009b).

Scholars have emphasized that reasonable resources for security management are essential for establishing sufficient levels of security awareness among employees (Tsohou et al. 2009). A careful review of the ISS literature identifies SETA programs and information security policy provision (ISP provision) as vital institutional factors that can have an impact on employees' ISA.

3.1.1 Information Security Policy Provision

The development of corporate ISPs is a primary resource of ISS management practices (Chan et al. 2005). A policy in general is defined as "a course of action, guiding principle, or procedure considered expedient" (Houghton Mifflin 2000). In the context of organizational information security, an ISP can be broadly defined as statements by an organization providing guidance about ISS related responsibilities, rules, and guidelines which prescribe how IS resources are to be used properly and in a secure way (Whitman et al. 2001, Whitman 2008, D'Arcy et al. 2009).

Prior research offers contradicting results with regard to the effect of ISPs. While many studies found corporate ISPs to be effective for preventing IS misuse behavior, others revealed that the existence of an ISP had only limited influence on ISS related behavior.

D'Arcy et al. (2009), for example, found corporate ISPs to be effective for preventing IS misuse behavior in organizations, and ascribed this effect to deterrence mechanisms of ISPs comparable to the mechanisms of societal laws. Similarly, Straub and Nance (1990) discovered policies and guidelines that specify rules for proper use of information systems to be one of security management's most effective deterrence measures against computer abuse. Kwon and Johnson (2011) gathered qualitative and quantitative data from IT managers of 250 healthcare organizations, and found that IS security policies were positively associated with the security performance of the organizations. Conversely, the literature also provides studies in which ISPs could not be shown to positively influence information security behavior (Foltz 2000, Wiant 2003, Lee et al. 2004). Such inconsistent results, the literature argues, are due to employees' lack of awareness of security policies (Thomson and von Solms 1998, Siponen 2000).

In this respect, scholars emphasize that the "simple" existence of ISPs is not enough, and highlight the importance of promoting ISPs and ensuring that they are comprehensible, easily available, and understandable. These aspects of effectively promoting ISPs are summarized here under the term ISP provision. There is broad empirical evidence that ISP provision is positively associated with security related behavior. For example, Chan et al. (2005) found that making ISPs readily available for employees' reference, as part of security management practices, is positively associated with their policy compliance behavior. Similarly, Siponen et al. (2009) found that the visibility of policies plays an important role in employees' compliance with organizational security policies. Herath and Rao (2009b) also showed that ISPs should be made easily accessible and available to employees online, and should furthermore be written in a clear and understandable way, as this has positive effects on the intention to comply. However, none of these studies investigated ISA. Based on the definition of ISA, it is claimed in this thesis that the reported positive direct effects of ISP provision on behavioral intention are largely a result of an increase in employees' awareness regarding the ISP, and therefore also of security issues in general. This argument is consistent with the notion of D'Arcy and Hovav (2007b), who state that to enhance the individual's awareness of security policies, these should be available online and phrased in a manner that is easy to understand.

The rationale employed here is that promoting easily accessible and comprehensible ISPs firstly raises employees' contextual awareness and knowledge, and secondly the situational intention to comply. Accordingly, it is contended in this thesis that ISA at least partially mediates the positive effect of ISP provision on security compliant behavior. Hence,

Hypothesis 2a: ISP provision positively influences employees' level of ISA.

Hypothesis 2b: ISA mediates the positive effects of ISP provision on the intention to comply with ISPs.

3.1.2 SETA Programs

The mere existence of an ISP does not guarantee that employees internalize and comprehend it (Whitman 2003, Herath and Rao 2009a). Thus, once an organization has developed an ISP, its content, rules and specifications need to be communicated to, and trained across, the organization's employees and IS users (Rotvold 2008).

Institutional security education, training, and awareness raising programs, typically referred to as SETA programs, are the most important and qualified instrument for this purpose, and accordingly are one of the major ISS management resources (e.g., Chan et al. 2005, Puhakainen 2006, D'Arcy et al. 2009). In practice and in the literature there is a great variety of different designs, methods, and nomenclatures of institutional security training activities. Examples of such practices include the explanation of ISPs (Straub and Welke 1998), periodic newsletters, emails and presentations concerning ISS relevant issues (Spurling 1995, Herath and Rao 2009a), ISS workshops and seminars (Thomson and von Solms 1998), providing posters, flyers, and lectures (Crossler and Bélanger 2006), supporting online and computer-based learning (Chen et al. 2006), or periodic security refresher courses (Hansche 2001a, von Solms and von Solms 2004).

SETA programs aim to improve organizational information security by increasing employees' knowledge and awareness of potential security risks, policies, and responsibilities. Furthermore, they aim at providing employees with the skills necessary to comply with organizational ISS procedures (Straub and Welke 1998, Whitman et al. 2001, Lee and Lee 2002, D'Arcy et al. 2009). Thus, SETA programs intend to sensitize employees to the value of ISS, as well as to qualify them for security conscious use of organizational information resources.

Several studies have provided evidence that SETA programs are an essential building block of security management and that they influence information security behavior positively.

For example, Straub and Welke (1998) and Chan et al. (2005) empirically showed that SETA programs, being part of security management practices, lead to greater intentions on the part of employees to comply with ISPs. Jenkins et al. (2010) designed an experiment which showed that training videos significantly increased employees' compliance with the security password policy. Other studies argue that SETA programs promote an individual's self-efficacy or perceived behavioral control regarding a related topic (Bandura 1989), which have frequently been shown to be essential prerequisites of ISS behavior (Lee et al. 2008, Ng et al. 2009, Jenkins et al. 2010, Herath and Rao 2009b, Bulgurcu et al. 2010). Other studies based on GDT argue that SETA programs communicate the presence of sanctions for policy violations, and therefore have a significant influence on employee security behavior by improving their perception of the certainty and severity of those sanctions (Straub and Welke 1998, D'Arcy et al. 2009). In addition, scholars emphasize the role of SETA programs in employees' ISA (e.g., Straub and Welke 1998, D'Arcy et al. 2009). Siponen et al. (2009) state that security education helps employees to become aware of and develop an interest in security issues. They also contend that SETA programs raise employees' consciousness about the vulnerability of their organization to ISS threats. As the primary goals of SETA programs are ISS education, training, and awareness, it is contended here that these programs have a positive impact on ISA and that the influence on intention to comply is at least partially mediated by ISA. Thus,

Hypothesis 3a: The provision of SETA programs positively influences employees' level of ISA.

Hypothesis 3b: ISA mediates the positive effects of SETA programs on the intention to comply with ISPs.

3.2 Individual Antecedents of ISA