Information Systems Security (ISS) of E-Government for Sustainability: A Dual Path Model of ISS Inﬂuenced by Institutional Isomorphism

: This study investigated information systems security (ISS) as one of the important issues of e-government for sustainable development. ISS is becoming increasingly important in the discourse on information technology-related organizational transformation, and governments need to undergo organizational transformation to establish an effective ISS system for advancing e-government capacity which plays a vital role in achieving sustainability. Furthermore, ISS breaches are becoming the norm rather than the exception, but ISS can only be achieved when employees fully and ﬁrmly embrace the concept by changing their behavior to comply with advanced ISS technologies. A research model is theoretically developed in this context based on institution theory, which proposes a dual path model consisting of legitimacy-leading organizational citizenship behaviors (OCB) and organizational cynicism-causing counterproductive work behaviors (CWB) in the process of innovating ISS for e-government. This dual-path model is empirically tested against 388 data collected from information security managers in 30 departments and councils within Korea’s central government. A structural model evaluation of the collected data principally validates the research model. The results indicate that the path through legitimacy, inﬂuenced by normative and coercive isomorphism, is stronger than that through organizational cynicism. The data largely supports the proposed research model, conﬁrming the applicability of institutional theory in explaining the institutionalization processes in effective ISS compliance at the organizational and individual levels. The implications of these ﬁndings are then discussed in detail.


Introduction
Electronic government (e-government) for sustainable development has been recognized as an international cooperation strategy to accomplish green governments through citizen-oriented service delivery with citizens' active interactions and participation, and innovative, effective, and high-quality public service [1].E-government enables public administration to become collaborative governance with citizen and stakeholder participation in public service [2], which can enhance sustainable development [1]. Lee (2017) [3] emphasized the direct and indirect effects of e-government on environmental and social sustainability.Many researchers [3][4][5][6][7][8] highlight the key role of e-government in achieving sustainable development.The positive relationship between e-government and sustainability has been documented, though empirical research has been limited [3].Estevez and Janowski (2013) [6] defined e-government for sustainable development as "the use of ICT to support public services, public administration, and the interaction between government and the public, while making possible public participation in government decisionmaking, promoting social equity and socio-economic development, and protecting natural resources for future generations" (p.S96).
However, Janowski (2016) [7] reported that less than 31% of the member states out of all United Nations Member States attain the contextualization stage (the advanced stage) of the e-government capacity, and 55% remains at the lowest digitization stage.Accordingly, many states need to advance their e-government capacity with benchmarking or mimetic approaches [1].Additionally, information security is identified as one of important issues to build and advance e-government for sustainable development [6,8].
Most governments worldwide have used information technology (IT) as a tool to improve not only public service and citizens' satisfaction, but also efficient communication and interactions with their citizens, constituents, and public administration organizations [9,10].Recently, e-government has become a new support system for public governance [10].As security issues have become the third-most important barrier to e-government, after a lack of financial resources and technologies [11], most governments have been confronted with the task of successful and continuous ISS innovation within their organizations.Moreover, ISS has received much attention since the late 1990s, and the issues surrounding ISS have increased [12].
Defined as the "encompassing systems and procedures designed to protect an organization's information assets from disclosure to any person or entity not authorized to have access to that information" ( [13], p. 15], innovation in ISS involves continuous organizational and administrative processes induced by technological innovation.Accordingly, this study perceives ISS innovation as a holistic organizational and administrative innovation, and embraces a philosophy of administrative innovation generated by the inclusive development of security management programs and information security technologies [14].Furthermore, ISS breaches are becoming the norm rather than the exception.These ISS breaches not only cause inconvenience and harm reputations, but also create strategic, financial, and regulatory risks for firms [15].Compared with private organizations, ISS violations regarding e-governments may have serious consequences for government organizations.They may sustain serious damage to both reputation [16] and trust, and complex financial, political, and economic losses may result [17] Most ISS breaches are related in some way to employees, and insider breaches occur more frequently than viruses or hacking [18].Ultimately, information systems are only secured through the appropriate integration of security technologies and policies-including the institutionalization of these policies into practice.Employees then fully and firmly embrace these policies so their behavior becomes more compliant.
In this regard, this institutionalization process [19][20][21] seems to play an important role in the actual implementation of ISS policies and practices.Three social forces based on institution theory are identified as critical antecedents: normative, coercive, and mimetic isomorphism [20].This study posits that these forces mobilize employees' innate inertia as related to ISS policy instrumentation.These three isomorphic forces seem to complement each other in incorporating policies and directives into employees' actual practices.
This study is designed to explore and expose how ISS institutions not only shape ISS policies and practices, but also how they create organizational reactions that influence employees' behavior, which may consequently lead to effective ISS policy implementation.A dual-path model is proposed regarding these forces' effects on the individualized institutionalization process: one path involves increasing legitimacy, and the other, decreasing organizational cynicism.Legitimacy and organizational cynicism are two different but interrelated paths to successfully implement ISS policies.In other words, it is conceptualized here that an isomorphic institution affects employees' perceptions in terms of dual but closely related paths: one via organizational cynicism, leading to ISS-related counterproductive workplace behavior (CWB); and the other via legitimacy, leading to ISS-related organizational citizenship behavior (OCB) that ultimately leads to ISS effectiveness.
Therefore, this study attempts to answer the following questions: (1) How do external isomorphic forces institutionalize ISS policies into actual practice, embraced by individual employees' OCB and CWB? (2) What are the relative roles played by legitimacy and organizational cynicism in this process?The current study attempts to illuminate the organizational changes made by the South Korean national government to facilitate ISS innovation using an institutional theory framework.Based on its advanced information and communications infrastructure, the Korean government has actively developed e-government as a tool to enhance national competitiveness [22]; Furthermore, the Korean e-government has been evaluated as a most successful model [23].However, with the development and implementation this advanced e-government, a well-developed ISS and continuous ISS innovation are accordingly necessary to ensure public trust and confidence in e-government.Research on Korean governments' ISS effectiveness, based on ISS-related organizational change, will provide useful theoretical and practical implications in the fields of e-government and ISS literature.

ISS and Institution Theory
ISS studies have investigated various factors affecting ISS users' compliant behavior in extant literature, including criminological perspectives, deterrence, environmental factors, and behavioral intentions [24]; Internet abuse, conformity to organizational norms; and ethical practices and moral reasoning [25].However, Greene and D'Arcy [24] pointed out the lack of ISS research within the organizational behavior perspective, and Ifinedo [26] and Kraemer, Carayon, and Clem [27] stressed the importance of personal and organizational behaviors to understand the factors that affect organization members' ISS compliance behavior and ISS effectiveness in their organizations.Nazareth and Choi [25] also indicated insufficient ISS research at the organizational level due to organizations' reluctance to disclose their information on ISS procedures and breaches, which results in a refusal to participate in ISS research.
Dhillon and Backhouse [28] suggested that a socio-organizational perspective should become of importance to achieve ISS effectiveness.However, institutional theory has been recently used as a theoretical framework to investigate information systems and IT [29,30].Researchers [19,31] have argued that institutional theory can be useful to understand ISS innovation in the context of organizational changes.Hu, Hart, and Cooke [9] suggested that institutional theory as a coherent socio-organizational framework should be used to elucidate not only organizational members' behaviors, but also how organizational members' beliefs and attitudes toward ISS develop, change, and are influenced.
Institutional theory has significantly impacted the understanding of organizational changes; some studies [32][33][34] have investigated public sector organizations using the institutional approach.Furthermore, this study focuses on ISS innovation within institutional theory, as both technological and administrative processes that incorporate the Korean government's organizational changes, through isomorphism, legitimacy, and organizational cynicism; intertwined with employees' reactive organizational and individual behaviors.Accordingly, this study uses socio-organizational approaches to elucidate the inter-and intra-organizational factors that affect ISS effectiveness in the Korean government.The current study uses dual-path models to focus on how external pressures influence organizational changes and behavior.The relationships among the model's constituents and their influence on ISS effectiveness were also examined.

Three Types of Isomorphism and Their Influences on Government Organizations
Isomorphism in the context of institutional theory essentially indicates the institutional pressures that drive organizational changes' conformity to institutional measures and requisites; this also incorporates organizations' external influences regarding these organizations' structures [35].DiMaggio and Powell [20] indicated that institutional theory developed isomorphism as a central concept with three multi-dimensions: normative (organizational changes are affected by professional or expert influence), coercive (organizational changes are affected by political influence and legitimacy), and mimetic isomorphism (organizational changes are based on their mimicry of successful or "model" organizations in the field).Isomorphism is led by the relationships between organizations and institutions in terms of "domination and dependency, uncertainty, and professionalization" ([36], p. 5).
Normative isomorphism is derived from organizational actors' professionalization, in terms of educational and training backgrounds and membership in the same professional communities [37].Organizational actors' professionalization results in similar professional insights, activities, models, and normative rules due to these actors' similar dispositions, opinions, and orientations [20].Furthermore, this promotes interactions among professionalized intra-and inter-organizational actors [36].As national governments commonly utilize professionals' and experts' advice about ISS from academics, researchers, and consultants, normative isomorphism may affect national governments' ISS.
Coercive isomorphism stems from both formal and informal institutional pressures, including power differences placed on the organization by more influential organizations and based on law, resource control, and social position [36].These include such regulations and legislation as the European Commission's Data Protection Directive and the United States' Sarbanes-Oxley Act.Cultural expectations also function as coercive pressures on the organization in the organizational field's purported "social network" [38].
Mimetic isomorphism is dominantly used when uncertainty that demands substantial research costs plays a critical role, and is typically and epidemically diffused [32].Regarding ISS innovation as technology innovation in an organization, mimetic isomorphism involves uncertainty as a powerful source that promotes imitation [29].The uncertainty indicates that, when organizational members do not clearly understand organizational technologies, such as ISS, with ambiguous goals and symbolic uncertainty, they model themselves after other organizational technology innovation policies and practices [29].
Mimetic influences have been well documented, including the competitive mimetic influence resulting from obtaining ISS certification in the financial sector [31] as well as the mimetic influences in local UK governments [29].Coercive influences have been evidenced, including coercive effects on an Australian local authority's internal management control processes [39] and four U.S. states' government decisions to adopt generally accepted accounting principles (GAAP) [40], and coercive pressures by ISS regulatory agencies [9].Evidence of normative pressure includes the pervasiveness of the nursing profession as a normative influence on healthcare organizations [36], normative influences on the four U.S. state governments' adoption of GAAP [40], and the normative influences of professionalism and professional networks related to ISS [9].
Frumkin and Galaskiewicz [33] argued that governmental agencies are influenced by institutional pressures more than business organizations.They found that the government agencies that focused on other government organizations became "more centralized, more formalized, and more departmentalized" ( [33], p. 302].Moreover, mimesis among government organizations resulted in a more prototypical form of bureaucratic control, such as greater hierarchy, more centralized decision-making structures, formalized rules, and more functional departments; normative and coercive isomorphism promoted decentralization.Cordella and Tempini [41] criticized e-government literature and suggested that while information communications technology (ICT) could decrease bureaucracies in government organizations, ICT in government organizations enhances bureaucracy.Accordingly, the three isomorphic influences on ISS innovation, as a necessary requisite of e-government, have similar organizational effects in terms of the bureaucratic or decentralized controls in government organizations.Institutional forces induce not only government organizational changes related to formal structures and control systems, but also organizational changes related to culture, norms, rules, rewards, and punishment, and more importantly, government organizational members' cognitive and affective behaviors.

ISS Effectiveness
Organizations' efforts to enhance ISS effectiveness, such as incentives, rewards, and punishment, may provide external motivations for organizational members to comply with ISS policies and practices.However, their internal motivations, which do not necessarily stem from organizational instrumental strategies and policies, are critical for ISS effectiveness [42].As a dynamic and continuous process frequently influenced by institutional isomorphism, ISS involves organizational changes supported by organizational legitimacy or resisted by organizational members.Hu et al. [37] argued that ISS research within an institutional theory context could enable us to better understand ISS organizational changes and contexts.Thus, institutional and organizational behavioral approaches may provide rich insights to further elucidate the dynamic and complicated aspects of ISS effectiveness, in terms of the interrelationships between institutional pressures and organizational aspects.
This ISS effectiveness can be defined as an ISS program's degree of achievement in its goals and objectives; the sufficient protection of information; and continuous application of security measures, such as its methods, information security policies and procedures, and control measures or tools.
Effectiveness must include the entire organization's overall functioning information security efforts.These include organization-based [43,44] and technology-based efforts [44,45], and raising awareness [44,46].Security measures and organizational behaviors are essential to ensure ISS effectiveness, and are tightly coupled.An organization's behavioral factors include user training, a security culture, policy relevance and enforcement [43], and top management [47].Moreover, ISS effectiveness can be improved by the implementation of such security measures as information security policies, procedures, control measures, tools, and methods, and by increasing employees' awareness [46].Raising awareness involves training and education, awareness campaigns, user participation, engaging top management, and learning from incidents.
Hybrid factors consists of overall deterrent efforts and preventive efforts, in addition to preventive efforts targeting the protection of hardware, software, data, and computer services, which also influence ISS effectiveness [45].Hybrid factors include the number of hours per week devoted to prevention and deterrence, dedication to data security, effort spent notifying users about penalties and acceptable system usage, and the violation and utilization of security software [47].
Previous ISS effectiveness studies have focused on one aspect among the organizational, technological, and hybrid approaches; thus, a gap exists between the present and previous studies.The present study suggests that ISS effectiveness includes a combination of various technology-and organization-based efforts as well as increasing awareness.Technology-based efforts consist of the protection of information assets, data, and computer services.Organization-based efforts include information security policies and organizational structures, in addition to efforts to implement an emergency contingency plan.Increasing awareness involves education, training, and the notification of threat information.
Although institutional factors have been identified as important for ISS effectiveness [9,14], few studies have been conducted.Institutional theory offers a more holistic approach, as it considers such elements as institutional influences, organizational factors, policy-making processes, and technical rationales.This approach can more precisely explain the drivers of ISS effectiveness in e-governments [48].Furthermore, OCB and organizational legitimacy are also socio-organizational factors that affect ISS' effectiveness.As OCB improves an organization's efficiency in terms of resource use, this results in higher productivity, thus leading to higher organizational performance [49].Legitimacy generates an individual's loyalty to the organization and leads to organizational members' improved commitment to policies, action, and organizational changes [50,51].
As OCB and CWB "shape the organizational, social, and psychological context that serves as the catalyst for task activities and processes" ( [52], p. 100), OCB-CWB relationships have received much attention regarding job performance, which influences organizational effectiveness [53].As OCB benefits the organization, while CWB harms the organization, they can be regarded as conceptually opposite [53].Thus, it is reasonable to contemplate that OCB as related to ISS helps ISS effectiveness, while CWB hinders it.

Dual Paths
2.4.1.Legitimacy Path: Isomorphism, Legitimacy, and OCB for ISS Effectiveness It is a well-known proposition that isomorphism leads to legitimacy [20].Furthermore, isomorphism highlights its importance [54].Institution theory stresses that organizational changes do not occur for better organizational substantive performance, but for greater legitimacy [32].Institutional isomorphism requires changes to organizational norms, beliefs, structures, practices, and processes, and legitimacy justifies these changes.Organizational members accept the increased legitimacy gained through isomorphism as an adaptive action for their survival [55].
The strategic approach notes that organizations use legitimacy as an operational resource to help achieve their objectives and goals [56], while institutional theory emphasizes legitimacy as "a condition reflecting perceived consonance with relevant rules, norms, and beliefs" ([57], p. 59).Suchman ([58], pp.573-574) integrated the two views to define legitimacy as "the generalized perception or assumption that the actions of an entity are desirable, proper, or appropriate within some socially constructed system of norms, beliefs, and definitions".Suchman ([58], p. 571) also elucidated the role of legitimacy as "an anchor-point of a vastly expanded theoretical apparatus addressing the normative and cognitive forces that constrain, construct, and empower organizational actors".
Westphal et al. [59] argued that different types of legitimacy are shaped by different attributes or levels of isomorphism; for example, individual legitimacy is based on authority and accepted social structure, and organizational legitimacy originates from the organization's prevalent cultural values.This study investigates organizational legitimacy as a central construct of the ISS research model, as organizational legitimacy internalizes the organizational changes stemming from isomorphic influences, and isomorphism functions as an external force.Perceived value congruence and legitimacy are identified as intrinsic incentives for ISS compliance that positively influence it [60].When institutional isomorphism forces national governments to engage in ISS, legitimacy leads organizational actors to identify the new ISS practices as a "socially constructed system of norms, beliefs, and definitions" [57].
Coercive isomorphism, such as enforcing the Sarbanes-Oxley Act as a universal mandate, has established a new legitimacy for information security practices and protocols [37].By adopting total quality management practices, consultants as change agents have normative and mimetic influences, and their input is valued not only as knowledge and as technological advice, but also as a source of legitimacy [61].Hence, the following hypotheses are proposed:

Hypothesis 3 (H3). Mimetic isomorphism is positively associated with ISS legitimacy.
Organ ([62], p. 4) defined OCBs as "individual behavior[s] that [are] discretionary, not directly or explicitly recognized by the formal reward system, and that in the aggregate promote the effective functioning of the organization".These are organizational members' discretionary behaviors, which exceed basic requirements and result in improved organizational effectiveness [25,63].Furthermore, OCBs include OCB-organization (OCB-O) and OCB-individual (OCB-I), which benefit the organization and the individual, respectively.These types distinguish OCBs based on the target or beneficiary of a specific OCB behavior [64].While OCB-O encompasses civic virtue, conscientiousness, and sportsmanship, OCB-I encapsulates altruism and courtesy [65].
Legitimacy leads to organizational members' OCBs as well as organizational commitment and job satisfaction [66].As perceived legitimacy (i.e., organizational members perceive the ISS as appropriate and desirable) justifies ISS compliance [60], perceived legitimacy may lead to OCB when ISS compliance is perceived as meaningful.Organizational actors' perceptions of their own work as meaningful positively affect OCB [67].Thus, this study proposes the following hypotheses: Hypothesis 4 (H4).The legitimacy of ISS is positively associated with OCB-I.

Hypothesis 5 (H5).
The legitimacy of ISS is positively associated with OCB-O.
Furthermore, OCB can improve individual compliance with information security policies and lead to success in information systems [68].While it has been suggested that OCB positively relates to organizational effectiveness, efficiency, and success [18,64], empirical studies have seldom explored the relationship between OCBs and organizational effectiveness [22].
Defined as "individual behavior that is discretionary, not dependent on the use of rewards or punishments to encourage performance, and that in the aggregate promotes the effective functioning of the organization" [62], OCB encourages employees to accept change and find constructive resolutions to problems.This also helps employees cooperate with each other, and share power in the organization's politics.Moreover, OCB can increase individuals' willingness to resolve conflicts and dedicate themselves to their organization, rather than seeking benefits for themselves individually or for the groups in which they participate [69].
Furthermore, such OCBs as helping and advising can improve the effectiveness of information security policies, or ISPs [70,71].Helping involves a small, considerate behavior toward others, and can involve assisting employees who are unfamiliar with ISPs.This can also include with how to implement them may act appropriately by providing guidance to ISPs, identifying inappropriate conduct, or helping others learn the ISPs.Individuals in the working environment can voluntarily provide assistance to keep ISPs.Advising, or providing advice, is another cooperative organizational behavior, and provides feedback intended to improve the current situation [72].Advising is crucial in a contemporary information security environment, in which new threats emerge and frequent changes occur in technologies.Providing adequate advice from employees can encourage individuals to comply with ISPs, and can enhance the ISPs' content.
OCB can be categorized into OCB-I and OCB-O depending on whether a behavior or its target is directed at individuals or an organization [64].First, OCB-I benefits individuals, as this involves an organizational member actively providing advice to other members regarding how to use ISS systems; this category consists of both altruism and courtesy [64,73].Furthermore, OCB-O targets organizations, such as an organizational member voluntarily reporting a hacking e-mail to the organization, and involves conscientiousness, civic virtue, and sportsmanship [64,73].
Although OCB has been studied in various fields for several decades, few researchers have investigated whether OCBs can successfully prompt socio-emotional support, which directly influences the success of both ISS implementation [14,68] and ISS effectiveness [71].Based on previous studies, this study anticipates that OCB positively improves ISS effectiveness.Thus, this study proposes that: Hypothesis 6 (H6).OCB-I is positively associated with ISS effectiveness.

Hypothesis 7 (H7). OCB-O is positively associated with ISS effectiveness.
2.4.2.Organizational Cynicism Path: Isomorphism, Organizational Cynicism, CWB, and ISS Effectiveness People rarely welcome change, and especially in a work context in which they must strive to change their established routines and increase their cognitive load [74].People tend to resist change and become cynical about anything that interrupts the status quo in their working lives [65].When faced with social forces to change the organization, or in this case, ISS policy implementation, an employee's stance is cynical, at best.Organizational cynicism has been identified as a prevalent phenomenon in organizations [75,76], and has recently received increasing attention in research on organizational changes [77,78].According to Reichers, Wanous, and Austin [60], organizational cynicism is conceptually and closely linked to organizational change.Bergström, Styhre, and Thilander ([77], p. 384) argued that "organizational cynicism has been viewed as a form of resistance driven by the unsuccessful implementation of organizational change or, in contrast, as a direct negative attitude towards management".Stanley, Meyer, and Topolnytsky [79] found that change-specific cynicism predicts the intention to resist change, and [80] described cynicism as a discursive tactic of resistance.Organizational cynicism results in increased beliefs of unfairness as a cognitive aspect; feelings of distrust as an affective aspect; and related actions about and against the organization as a behavioral aspect [81].Organizational cynicism causes various negative workplace behaviors, such as frequent absences, poor performance, and grievances [82], and passive participation or inaction in organizational change efforts [60].
Dean et al. ( [76], p. 345) defined organizational cynicism as "a negative attitude toward one's employing organization, comprising three dimensions: (1) a belief that the organization lacks integrity; (2) negative affect toward the organization; and (3) tendencies to disparaging and critical behaviors toward the organization that are consistent with these beliefs and affect".Dean et al.'s [76] definition is based on the conceptualization of organizational cynicism as an attitude detrimental to the organization.Stanley et al. ([79], p. 452) defined the characteristic of cynicism as the "disbelief in the motives of others".The authors further identified three types of cynicism: change-specific cynicism, as "a disbelief of management's stated or implied motives for a specific organizational change"; management cynicism, as "a disbelief in management's stated or implied motives for decisions or actions in general"; and dispositional cynicism, as "a disbelief in the stated or implied motives of people in general for their decisions or actions" ( [79], p. 436).This study focused on change-specific cynicism, because this addresses organizational change for ISS innovation; and management cynicism, because it is incredibly difficult to ignore the interaction effects between employees' disbelief in a specific organizational change and their general disbelief.
Executives and managers typically value employees who are willing to respond positively to the initiation of change.However, organizations attempting to change established routines or introduce new ones frequently falter when insiders resist these changes [83].This often occurs for simple reasons; specifically, the benefits of these changes may not be in concert with the interests of the individuals being asked to make the changes [38].This phenomenon of resistance and organizational cynicism can be explained relative to institution theory, as the social forces shaping organizations can be coercive, normal, or mimetic [20,84].Furthermore, these different forces might have different effects on the levels of organizational cynicism.
Studies of organizational cynicism have been extremely scarce in information systems research, but resistance has been documented.As organizational cynicism can be viewed as a form of resistance, this study extends the literature review on organizational cynicism to that of resistance in information systems literature.Resistance has been recognized as a critical variable in information systems research [85] as well as in organizational transformation literature [38].Lapointe and Rivard [85] identified four different theoretical models to explain user resistance: (1) the power theory [85], (2) equity theory [86], (3) passive-aggressive theory [87], and (4) attribution theory [79].These theories of resistance can be used to relate institution theory to user resistance, as follows.
The pressures coming from professional organizations and colleagues are normative isomorphic forces.Normative isomorphism results in the organizational members' professionalization and creates similar orientations and dispositions among these members through their similar education and training experiences and participation in professional networks [9].These normative pressures are more readily accepted than other institutional forces, as they come from similar shared experiences and orientations.Thus, it is posited that normative isomorphism may mitigate organizational cynicism.
The power theory in information systems resistance research portrays resistance as a result of the redistribution or loss of power [88].Regarding user resistance, users are more likely to resist when they perceive that the system instigates a loss of power on their part, whether implicitly or explicitly [89].Moreover, it can be inferred that the level of resistance relates to the feeling of losing importance.Coercive isomorphic forces result from both formal and informal pressures placed on organizations by the authorities upon which they depend [20].Thus, such pressures may be felt as forcefully unbalancing the present state of power, which may cause people to resist the changes to be implemented [90].Generally, ISS mandates by external authorities are expected to increase the message receiver's resistance.Thus, it is posited here that coercive isomorphism may increase the level of organizational cynicism as a form of resistance on the user's side.
Mimetic isomorphic forces occur due to high uncertainty, which is a powerful driver in persuading organizations to imitate and follow the models in other leading organizations [83].When technologies are not clearly understandable, the goals of changes are ambiguous, or the consequences of technologies are unclear, organizations may attempt to follow other organizations, especially leading ones [20].Mimetic isomorphic forces may increase or decrease the level of organizational cynicism depending upon the reason for mimicry.When this reason justifiably relates to an individual benefit [26], employees will not strongly resist.However, when the reason for mimetic adoption is not clearly explained or justifiable for employees' benefit [26], they may resist or nonetheless act passive-aggressively [86].Regarding ISS, the goals and processes of ISS policy and practice do not directly relate to employees' business activities in most organizations; therefore, ISS' benefit is unclear to most employees.Thus, it is posited that mimetic social forces may increase organizational cynicism.

Hypothesis 10 (H10). Mimetic isomorphism is positively associated with organizational cynicism toward ISS.
Organizational cynics criticize their organization for a lack of integrity [76] and sincerity, unfair operations [66], and prevalent unscrupulous behavior [76].Although organizational cynicism cannot be identified as a simple representation of a lack of organizational commitment, it negatively relates to organizational commitment [76].Organizational cynicism, as a barrier to the enforcement of organizational changes, was viewed from the management perspective as organizational members' reactions to inappropriately implemented changes and managerial incapacity [77].Furthermore, Bergström et al. ([77], p. 387) argued, "Perhaps the most important consequence of cynicism is that the legitimacy of leadership may be undermined and the organization's capacity for future changes is decreased".
Organizational cynicism may hinder organizational changes because it fuels suspicion of change agents' motivations, and increases the inertia and indifference to these agents' efforts [91].Moreover, organizational cynicism compels employees to ignore new programs and procedures [75].MacLean and Behnam (2010) [92] studied the dynamic between decoupling, legitimacy, and institutionalized misconduct to suggest that members' organizational cynicism regarding decoupled programs resulted in internal illegitimacy.Furthermore, Holderness et al. [70] argued that members with negative legitimacy perceptions of their formal ethical program might adopt views that are more cynical; IT resistance also includes this organizational cynicism [47].
Accordingly, it may be reasonable to propose that organizational cynicism might generally cause CWB and breed suspicion of an organization's ulterior motives, as organizational cynicism results in employees' widespread suspicions of the motivations underlying new programs [91].Additionally, organizational cynicism tends to deny organizational integrity, which is fortified by the legitimacy led by isomorphism.
According to Reichers, Wanous, and Austin [60], organizational cynicism about change can cause a decline in employees' motivation, job satisfaction, and loyalty.Accordingly, employees tend to engage in CWB, which can be defined as "[ . . .] voluntary acts that violate significant organizational norms and are contrary to the organization's legitimate interests" ( [93], p. 554).Like OCB, CWB has been distinguished by interpersonally (CWB-I: deviant behavior directed toward other employees, such as gossiping about coworkers) and organizationally directed (CWB-O: deviant behavior directed toward the organization, such as taking overly long breaks) aspects of workplace deviance [53].
The assumption that human agents have malicious intentions leads ISS research regarding how to control employees' antisocial or problematic ISS-related behavior, such as corrupting organizational information, disabling ISS, or destroying or deleting data [94].This kind of ISS-related misconduct can be regarded as CWB to ISS [95].Organizational cynicism-induced or resistance behavior can be passive, such as verbal reactions; or aggressive, such as sabotage and indifference.Generally, it manifests as counterproductive behavior [96].Similarly, counter-ISS behavior can be as passive, as with non-compliance; or active, as with leaking.As CWB is designed to mitigate negative effects [95], organizational cynicism acts as a negative effect, and attitude becomes a proximal cause of CWB.Thus, it is posited here that the organizational cynicism toward ISS policies and practices will increase the level of counter-ISS workplace behavior, which will decrease the ISS' effectiveness: Hypothesis 11 (H11).Organizational cynicism toward ISS is positively associated with ISS-related CWB-O.

Methodology
This study conducted an empirical analysis to demonstrate each isomorphism's influence on ISS effectiveness.We tested these influences by establishing organizational cynicism, organizational legitimacy, OCB-O and OCB-I, and CWB-O and CWB-I as mediating variables.We analyzed these effects by conducting various analyses, including a path analysis, and an analysis of direct, indirect, and mediating effects.

Measurement of Constructs
We used each of the three items to represent mimetic, coercive, and normative isomorphism, derived from an instrument designed by Heugens and Lander [97] and Liang, Saraf, Hu, and Xue [98], which was modified to apply to information security.Organizational legitimacy was measured using four items from the works of Lee and Yoon [99] and Yoon and Thye [100].Organizational cynicism was measured using six items from Stanley et al.'s [79] work.We measured OCB-I and OCB-O by using 12 items from Williams and Anderson [64]; CWB-O and CWB-I were measured using 3 items each from works by Bennett and Robison [101] and Aquino, Lewis, and Bradfield [102].The ISS effectiveness was measured based on previous studies [41,[44][45][46] and modified to reflect particular characteristics of the South Korean government.We measured ISS effectiveness by developing six items that pertain to the completeness of information security policies and efforts to protect information assets, including data protection, information services, awareness, and organizational systems to detect intrusions.
We used four demographic-controlled variables: gender, age, education, and working years.Previous studies have indicated that gender and age are significant in security policy compliance [103,104].
Table 1 illustrates this study's research model.All variables were measured with previously validated items and further modified, and all items were measured on a five-point Likert scale, in which one denotes 'strongly disagree' and five denotes 'strongly agree'.

Data Collection
Paper questionnaires were distributed by information security managers in 46 departments and councils within Korea's central government; 500 questionnaires were distributed to each institution, and 410 were returned.The number of questionnaires sent to each institution was from 12 to 15 in consideration of each institution size.Of the 500 paper questionnaires sent, 410 were collected.We received responses from all of the institutions which received questionnaires.Table 2 shows the response statistics.The average number of returned questionnaire was about 11.38.The minimum number of questionnaire we received from the institution was about 10 and the maximum number of the questionnaire was 14.The questionnaires were collected from May to September 2015.Questionnaires with incomplete or unreliable answers were discarded, with 388 valid questionnaires then obtained, or an effective sample response rate of 77.6%.Table 3 displays the respondents' characteristics.
As Table 3 indicates, the proportion of men was higher than that of women, and most of the respondents were between 31 and 50 years old.Most of the respondents have earned a bachelor's degree and are regularly employed.

Data Analysis and Results
The partial least squares (PLS) was used to empirically evaluate the theoretical model.This method is a structural equation modeling technique that simultaneously tests measurement and structural models; it produces weights between the standardized regression coefficients between constructs, reflective constructs, and their indicators; and coefficients of multiple determination (R-squared) for the dependent variables [66].The significance levels for loadings, weights, and paths are calculated in PLS through bootstrapping; 500 bootstrap samples were used to empirically calculate standard errors and evaluate statistical significance [105].
We used a confirmatory factor analysis instead of an exploratory factor analysis.As an instrument becomes established, exploratory factor analysis procedures are generally replaced with the more sophisticated confirmatory factor analysis [106].We applied the well-established theoretical framework of the institutional theory.The relationships between institutional isomorphism and legitimacy, and between institutional isomorphism and organizational cynicism have been well-documented, which makes CFA appropriate rather than EFA.The low R-squares which have been pointed out and the result that does not show the positive association between mimetic isomorphism and ISS legitimacy may be derived from ISS characteristics, which calls for further studies.Although we did not directly mention about the low R-squares, we extensively discuss about the relationships between isomorphism and legitimacy and organizational cynicism in the Discussion and Conclusion section [105].
The PLS results are two-fold: the first section presents the measurement model and its validities, both convergent and discriminant.The second section presents the structural model's results, in that it assesses each dependent variable's relative importance [107].
Convergent and discriminant validities should also be evaluated in the measurement model [108].An indicator of reliability, composite reliability, and the average variance extracted can assess convergent validity [66].Table 4 demonstrates that most loadings were above the 0.7 threshold, suggesting good indicators of reliability.The composite reliabilities (CR) were all greater than 0.7; additionally, Cronbach's alpha values were greater than 0.7, indicating that the data is reliable.Table 5 notes the correlations among reflective constructs and the square root of the average variance extracted (AVE) and item correlations is described in Appendix A. All of the constructs were more strongly correlated with their own values than with any of the other constructs.Finally, cross-loadings were calculated, and all indicators revealed higher loadings with their respective construct than with any other reflective construct [108], which demonstrates good convergent and discriminant validity.
The structural model illustrates the relationships between constructs as hypothesized in the research model.The paths and coefficients of determination (R-squares) collectively present how well the model performed.Figure 1 shows that the structural model was tested using the loadings and significance of the path coefficients and t-values.The model explained 51.8% of the total variance in ISS effectiveness.Hypothesis 8, which notes that normative isomorphism is negatively associated with organizational cynicism to ISS (path coefficient = −0.111,t-value = 1.983), and Hypothesis 9, which notes that coercive isomorphism is negatively associated with organizational cynicism to ISS (path coefficient = −0.199,t-value = 2.850) were supported.This indicates that both normative and coercive isomorphism decreases organizational cynicism toward ISS.However, Hypothesis 10, in that mimetic isomorphism is positively associated with organizational cynicism toward ISS (path coefficient = 0.158, t-value = 1.929), was supported; this indicates that mimetic isomorphism increases ISS cynicism.
Hypothesis 11, which notes that organizational cynicism toward ISS is positively associated with ISS-related CWB-O (path coefficient = 0.475, t-value = 9.486), and Hypothesis 12, which notes that organizational cynicism to ISS is positively associated with ISS-related CWB-I (path coefficient = 0.519, t-value = 10.361), were collectively supported; this demonstrates that organizational cynicism increases both CWB-O and CWB-I.
Hypothesis 13, which states that employees' ISS-related CWB-O is negatively associated with ISS effectiveness, was not supported.Hypothesis 14, which states that employees' ISS-related CWB-I is negatively associated with ISS effectiveness, was supported.This reveals that employees' CWB-I decreases the effectiveness of ISS.
As Table 6 illustrates, we analyzed individual variables' impacts on the endogenous variables in the model.To know which isomorphism among mimetic, normative and coercive isomorphism influences highly on ISS, we analyzed total effect along the path.The results of the analysis showed that normative isomorphism's total effects on the effectiveness of ISS are the largest of the other two isomorphic types.Hypothesis 1, which states that normative isomorphism is positively associated with the legitimacy of ISS (path coefficient = 0.281, t-value = 3.959), and Hypothesis 2, which states that coercive isomorphism is positively associated with the legitimacy of ISS (path coefficient = 0.188, t-value = 3.106), were supported.However, Hypothesis 3, which states that mimetic isomorphism is positively associated with the legitimacy of ISS (path coefficient = −0.019,t-value = 0.270), was not supported.This indicates that both normative and coercive isomorphism increase the legitimacy of ISS.
Hypothesis 4, which states that the legitimacy of ISS is positively associated with OCB-I (path coefficient = 0.609, t-value = 17.161), and Hypothesis 5, which states that the legitimacy of ISS is positively associated with OCB-O (path coefficient = 0.601, t-value = 17.625), were supported.This demonstrates that the legitimacy of ISS can increase both OCB-I and OCB-O.
Hypothesis 6, which notes that OCB-I is positively associated with ISS effectiveness (path coefficient = 0.430, t-value = 8.880), and Hypothesis 7, which notes that OCB-O is positively associated with ISS effectiveness (path coefficient = 0.375, t-value = 7.684), were collectively supported.This result indicates that both OCB-I and OCB-O improve the effectiveness of ISS.
Hypothesis 8, which notes that normative isomorphism is negatively associated with organizational cynicism to ISS (path coefficient = −0.111,t-value = 1.983), and Hypothesis 9, which notes that coercive isomorphism is negatively associated with organizational cynicism to ISS (path coefficient = −0.199,t-value = 2.850) were supported.This indicates that both normative and coercive isomorphism decreases organizational cynicism toward ISS.However, Hypothesis 10, in that mimetic isomorphism is positively associated with organizational cynicism toward ISS (path coefficient = 0.158, t-value = 1.929), was supported; this indicates that mimetic isomorphism increases ISS cynicism.
Hypothesis 11, which notes that organizational cynicism toward ISS is positively associated with ISS-related CWB-O (path coefficient = 0.475, t-value = 9.486), and Hypothesis 12, which notes that organizational cynicism to ISS is positively associated with ISS-related CWB-I (path coefficient = 0.519, t-value = 10.361), were collectively supported; this demonstrates that organizational cynicism increases both CWB-O and CWB-I.
Hypothesis 13, which states that employees' ISS-related CWB-O is negatively associated with ISS effectiveness, was not supported.Hypothesis 14, which states that employees' ISS-related CWB-I is negatively associated with ISS effectiveness, was supported.This reveals that employees' CWB-I decreases the effectiveness of ISS.
As Table 6 illustrates, we analyzed individual variables' impacts on the endogenous variables in the model.To know which isomorphism among mimetic, normative and coercive isomorphism influences highly on ISS, we analyzed total effect along the path.The results of the analysis showed that normative isomorphism's total effects on the effectiveness of ISS are the largest of the other two isomorphic types.Additionally, we conducted a common method bias (CMB) test based on Podsakoff, MacKenzie, Lee, and Podsakoff's CMB method [109], and adapted this to Liang, Saraf, Hu, and Xue's PLS analysis [98].The indicators of all constructs were reflectively associated with the method factor; each indicator variance was then computed as explained by the principle constructs and the method factor.Table 7 notes that most of the method loadings were not significant.Moreover, the common method-based variance for an indicator was only 0.015, whereas the average substantive explained variance was 0.799.Based on the results of these tests, it was determined that CMB was apparently not a significant threat in this study.
Table 8 summarizes the results of hypothesis.

Discussion and Conclusions
This study investigated ISS as one of important issues of e-government for sustainable development.Effective ISS becomes critical for advancing e-government capacity which plays a vital role in achieving sustainability.As few ISS studies have used institutional theory, and have primarily applied this only conceptually in case studies [9,19], this study investigated this empirically under-researched area.Furthermore, to our knowledge, this is the first study to use both OCB and CWB constructs to explain ISS effectiveness.
This study conceptualizes the three social isomorphic forces proposed in institution theory-coercive, normative, and mimetic-as critical antecedents of effective ISS implementation among employees.Furthermore, a dual-path model is theoretically developed as a mediating mechanism in ISS institutionalization, and proposed here for empirical validation.One path occurs via legitimacy and OCB, while the other occurs through organizational cynicism and CWB.This is the first time that this dual-path model-in which legitimacy, organizational cynicism, and OCB-CWB parallel each other-has been empirically tested to study its ISS effectiveness.
The data largely supports the proposed research model, confirming the applicability of institutional theory in explaining the institutionalization processes in effective ISS compliance at the organizational and individual levels.A total effect analysis reveals that the normative isomorphic force is most influential on ISS effectiveness among the three social forces.Furthermore, it has been illustrated that the path through legitimacy and OCB is stronger than the path through organizational cynicism and CWB.Coercive force also has a favorable effect on the establishment of ISS legitimacy and the reduction of organizational cynicism regarding ISS innovation-related organizational change.Coercive isomorphism's strong effect in our results may imply the need to enact appropriate legislation and regulations focusing on the effective implementation, monitoring, and control of individual ISS-related behavior.This may be due to privacy issues and the problem that it is extremely difficult to establish a formalized, structured evaluation of individual employees' ISS behaviors [107].Furthermore, normative isomorphism promoting ISS professionalism and networks can play a vital role in enacting appropriate ISS implementation-supportive regulations and policies.This is because the leadership of ISS professionals and networks as persuasion agents may reduce organizational cynicism and resistance, and generate organizational and individual agreement and participation in establishing ISS implementation-supportive regulations and policies.Further studies on coercive force's effect on ISS effectiveness in various stages of ISS innovation and implementation can provide useful insight to develop appropriate and useful coercive approaches and methods.
Contrary to our hypothesis, mimetic isomorphism did not lead to ISS legitimacy in our study.This may be because mimetic pressures, such as adopting new systems or procedures mimicked from other government departments or overseas governments, do not change organizational members' prevalent beliefs, norms, and culture, which are the root of legitimacy.The legitimacy of ISS internalizes the isomorphic pressures generating organizational changes.However, mimetic isomorphism seems to threaten organizational members in the form of mimicking without a meticulous inspection of internal resources, capacity, and norms and beliefs.This result is noteworthy, but inconsistent with Hwang and Choi's [71] finding that mimetic isomorphism leads to legitimacy.This inconsistency may stem from the differences between this and the authors' studies, in that Hwang and Choi's [71] study only observed the link between mimetic isomorphism and legitimacy, while this study simultaneously compared the three forces' influence.When these three forces compete with each other to influence the technological and administrative ISS processes that accompany organizational changes, an organization's members might react positively to the most flexible or least threatening force to justify organizational changes.Furthermore, organizational members may perceive that normative isomorphism, such as the establishment of appropriate culture; formal, informal, and discursive communications; model processes and actions; and training ISS experts and professionals through academic ISS associations and committees and government networks does not force radical or rapid organizational and systematic changes.Additionally, normative isomorphism plays a role in persuasion, and in justifying the importance of ISS effectiveness in various ways; thus, normative isomorphism might be involved in psychosocial and communicative processes.
Three forces regarding government control have structurally different influences on government control structures.Moreover, coercive and normative isomorphism promote decentralization, which encourages bottom-level power, duty, and voluntary participation.Conversely, mimetic isomorphism fortifies bureaucratic and top-down control [33].The three forces' differing influences on the government's control structure may result in different effects on organizational cynicism.Contrary to our hypothesis, coercive isomorphism reduces organizational cynicism; this result may be explained by the effect of the coercive force on the promotion of decentralization.Alternatively, mimetic isomorphism in promoting bureaucratic control increases organizational cynicism.
Normative pressure in our analysis seems to be most influential on ISS effectiveness based on a total effect analysis of the three forces.This contrasts the general belief that coercive forces, in the form of governmental regulatory policies, can most powerfully drive organizational changes [34,110].As our model aimed to identify the mechanism of institutionalization to effectively influence ISS effectiveness at the organizational level (legitimacy and organizational cynicism), the normative pressure from a cohort group with similar occupations may not cause strong organizational cynicism compared to other types of forceful isomorphism.Although the coercive strategy might more effectively function for mechanistic changes in business processes, the normative strategy would function better for cases in which employees must voluntarily accept changes, as in the case of ISS.
Awareness among different professions is seemingly more important in practice than having ISS technologies or technicians in place.As the cohort group's influence seems to be the strongest, the ISS strategy should more closely approximate an inkblot approach, expanding the number of supporters in different occupational groups by their associations and networks.Transformation leadership should be developed in this inkblot approach by not only individual department or team levels, but also professional associations or committees, who should act as transformational leaders at the general ISS field level to expand ISS networks, which can help to establish norms, a belief culture, and standards in the government.
As normative isomorphism can be successful when ISS-centered norms and cultures, internalized ISS processes, and organizational integrity are established, transformational ISS leadership is vital, as this promotes extensive communication in real time and builds trust between ISS leaders and organizational members.Transformational leaders demonstrate behaviors at the appropriate stage of the transformational process, which leads to a successful change in the organization's status quo [111].Transformational leaders should not only provide an appropriate vision of ISS policies to promote employees' strategic and motivational focus, but also elicit employees' commitment to ISS with charismatic leadership.This further manages the two components of employee cynicism regarding organizational change: improving perceptions of future success and build faith in those responsible for the changes, transformational leadership can mitigate employee cynicism regarding organizational change.Consistent with social learning theory, employees are more likely to accept and commit to transformational leadership, which can reduce organizational cynicism regarding change.Transformational leaders should lead employees' perceptions of future ISS success, faith in ISS change agents [80], and their benefits from ISS. Sufficient, discursive communication and ISS success stories and rituals can cultivate an ISS-supportive culture.Transformational leaders should become facilitators to promote the creation of an ISS-supportive culture that encourages employees' ISS-related OCB.Rather than developing anecdotal cases across industries, specific examples in specific industries would function better to increase ISS awareness among specific occupational groups.Coercing employees to follow specific ISS policies may also be important in cases with immediate risks, but the normative realization of risks among cohort groups will be more effective in terms of reducing insider risks in the long-term.
It is noteworthy that CWB-O does not influence ISS effectiveness, while CWB-I negatively affects ISS effectiveness.It is possible that ISS violations, which explicitly harm the organization, were prevented by regulations or systematic controls and monitoring, or employees may not assume the risks inherent to deterrence punishment.Alternatively, employees may focus on trivial CWB-I, which is not easily revealed.However, CWB-I should not be treated as a minor deviance because this negatively affects ISS effectiveness.Furthermore, CWB-I may fortify organizational cynicism, harm interpersonal employee relationships, and hinder creating ISS-supportive cultures and norms.This may occur because some employees perceive through CWB-I that their colleagues may treat them as outcasts or subtly harass them due to their participation in ISS-organizational efforts.
This study has a few limitations, which may offer research opportunities.First, it is posited here that three isomorphic forces' different natures should be predicted to work differently in an ISS context.As this is the first empirical trial, these predictions must be further refined and tested to confirm our findings.Moreover, as our study is cross-sectional, a longitudinal approach would be useful to complement our findings.
Theoretically, we have treated the three forces the same, although some may occur before the others.Coercive forces in practice may lead to mimetic institutionalization, as details of policies and practices might not be clearly defined in authorities' coercive directions, or these might be subject to normative discussion and refinement through networks of cohort groups.Thus, these forces might relate to each other either sequentially or in time.

Figure 1 .
Figure 1.Result of model analysis.

Figure 1 .
Figure 1.Result of model analysis.

Table 1 .
Summary of hypotheses.Normative isomorphism is positively associated with ISS legitimacy.H2.Coercive isomorphism is positively associated with ISS legitimacy.H3.Mimetic isomorphism is positively associated with ISS legitimacy.H4.The legitimacy of ISS is positively associated with OCB-I.H5.The legitimacy of ISS is positively associated with OCB-O.H6.OCB-I is positively associated with ISS effectiveness.H7.OCB-O is positively associated with ISS effectiveness.H8.Normative isomorphism is negatively associated with organizational cynicism toward ISS.H9.Coercive isomorphism is positively associated with organizational cynicism toward ISS.H10.Mimetic isomorphism is positively associated with organizational cynicism toward ISS.H11.Organizational cynicism toward ISS is positively associated with ISS-related CWB-O.H12.Organizational cynicism toward ISS is positively associated with ISS-related CWB-I.H13.Employees' ISS-related CWB-O is negatively associated with ISS effectiveness.H14.Employees' ISS-related CWB-I is negatively associated with ISS effectiveness.

Table 2 .
Statistics of response.

Table 3 .
Profiles of respondents.

Table 4 .
Validity and reliability of the reflective constructs

Table 5 .
Correlation of the latent variable scores.

Table 6 .
Effect analysis of independent variable on dependent variable.

Table 7 .
Analysis of common method bias.

Table 8 .
Summary of hypotheses.