Leadership of Information Security Manager on the Effectiveness of Information Systems Security for Secure Sustainable Computing

: Information security has been predicted as a barrier for future sustainable computing. Regarding information security of secure sustainable computing, the role of information security managers has received attention. In particular, transformational leadership by information security managers should be stressed for persuading, directing, and controlling management and employees. This study shows that the transformational leadership (in forms such as idealized inﬂuence, individualized consideration, and inspirational motivation) of information security managers can improve the effectiveness of information security. The enforcement and relevance of information security policies could be mediating effects on the effectiveness of information security. This study collects data from governmental and public institutions in Korea. This study suggests the need for leadership education programs, and indicates that job training for information security managers should be conducted regularly.


Introduction
Many national governments have been utilizing information and communication technology (ICT) to improve public services, for effective communication and interactions with their constituents, and in administrative organizations [1,2].Sustainable computing services are driving sustainability beyond simply energy use and product considerations [3], and deal with the loss of control by individuals, businesses, and governments [3].Sustainable computing services can be defined as effective and reliable processes for delivering sustainable IT services [4].Sustainable computing services consider managing performance and doing what is necessary to keep the service operating smoothly, including ensuring constant security, providing systems recovery planning, and keeping versions current [5].Essentially, sustainable computing provides secure computing services to users.Security can be considered the dividing line between non-sustainable and sustainable computing service [3].Any system is considered unsustainable if it cannot protect data or ensure a required computing quality [3].Information security has been regarded as a serious issue, especially in e-government contexts [6].Organizations attempting to protect information must consider controls on internal stakeholders [7]: a large number of information security breaches are due to poor user compliance with information security protocols [8].The violation of information security harms private organizations by causing financial losses and reputation damage [9]; in the public sector, the violation of information security can lead to serious, complex financial, political, and economic losses; reputation damage; and the loss of public trust in e-government and government organizations that adopt e-government methods.Thus, to prevent cybercrime, it is natural for e-governments to seek advanced security management processes and continuous information security innovation.
Many governments have attempted to overcome the barriers to information systems security (ISS) within their organizations for sustainable computing [10].ISS has become an important focus of e-governments since the late 1990s; ISS issues have received attention [11].ISS is defined as secure systems and policies for protecting an organization's information resources from disclosure to unauthorized persons who attempt to access those information resources [12].Burney [13] and Rohmeyer [14] argued that the combination of information security management and information programs could improve the effectiveness of ISS.They described the critical duties of information security managers in establishing information security programs.Burney argued that information security managers can be information mediators between the general management department and the technical department [12].Rohmeyer investigated the major constructs of information security manager skills and information security program maturity within organizational information security.Pohmeyer argued that the effectiveness of the organization can be improved by skilled information security managers [13].As mentioned in previous studies, the role of information security managers is central to directing e-government ISS efforts, and to encouraging employees to comply with ISS policies.
Research has concluded that for maintaining information security within an organization, information security managers must specify appropriate information security policies and motivate their employees to follow them [11,[15][16][17].Although information security managers cannot directly enforce ISS policy compliance, they must constantly encourage and motivate all members to comply with information security policies, including monitoring and warning those organizational members who violate security policy.Sometimes, information security managers must also persuade top managers to invest in people, budgets, and technological security controls for ISS [18].The leadership of the information security manager could encourage employee compliance with ISS and improve the alertness of top managers, thus improving the effectiveness of ISS.The leadership of the information security manager could improve the effectiveness of ISS in e-governments.
This study attempts to evaluate the factors that affect ISS effectiveness from the perspective of information security manager leadership for secure sustainable computing.Accordingly, this study attempts to elucidate the interplay of information security manager leadership and ISS effectiveness.
Using advanced information and communications infrastructure, the Korean government has actively promoted e-government as a way to improve national competitiveness [19].The Korean e-government model has been found to be one of the most successful models [20].To ensure public trust and confidence in e-government, the Korean government has invested budgets, human resources, and legislative attention in developing, implementing, and imitating advanced ISS and have treated continuous ISS innovation as necessary [21].However, individual Korean government agencies' information security systems still have problems, including a lack of manpower, budget limitations, and ill-defined roles and scopes regarding information security [21].In the development of e-governments worldwide, information security manager leadership issues could have theoretical and practical implications for the development of other countries' e-governments.

Research Background
ISS research has adopted four perspectives, namely, functionalist, radical humanist, radical structuralist, and interpretive.The functionalist perspective has been a major research theme in information security research [22].Hu et al. [23] and Knapp et al. [24] argued the importance of both top management's role and information security policy when investigating ISS using social role theory.According to this theory, managers are expected to model the manager's role behavior expected by the organization to achieve goals and outcomes in most daily activities [25].Regarding social role theory, most researchers have focused on the role of top management.Hu et al. [23] and Knapp et al. [24] showed the importance of top management in influencing employee behavior, resulting in compliance with information security policies.
Many studies have suggested the need for formal research on the relationship between leadership and ISS effectiveness [13,26]; however, studies of these and related areas are limited to a small number of academic studies.Interest groups, such as the Computer Security Institute (CSI), and industry publications such as Information Security Magazine and CSO Magazine have conducted various surveys.Rohmeyer [14] investigated the major constructs of information security effectiveness, information security manager skills, and information security program maturity within organizational information security.High effectiveness in information security management has been shown to be positively related to the leadership and qualifications of information security managers [14,27,28].Rohmeyer argued that organizations that hire skilled information security managers are expected to be more effective at information security [14].A skilled information security manager is one with higher skills and qualifications; the required skills of an information security manager can be summarized as technical, administrative, bureaucratic, and technocratic [14].
Many studies have described the role of information security managers in establishing information security programs.Burney [13] and Kim and Choi [27] have described the essential roles and responsibilities of ISS managers.Burney stressed the leadership activities of information security managers in establishing information security measures.Burney also described the important roles of information security managers as information mediators between technical and general management departments.Wylder [29] described the roles of the information security manager in establishing the information security program.When the information security program reaches maturity, the security manager's skills (technical, administrative, bureaucratic, and technocratic) are required.Luftman [30] described the role of the information security manager from the perspective of IT governance.Information security managers are involved in making decisions and obtaining IT resources in the context of information security tasks.
This study adopts a human behavior approach and an institutional approach to improving ISS effectiveness.Unlike previous studies, which focus on the technological controls for ISS effectiveness, Chaudhry et al. proposed a human behavior and institutional approach as a development framework for enterprise ISS [31].The framework consists of four main pillars, namely, security policy, security awareness, access control, and top-level management support (which has a foundation of corporate governance).This study also considers information security policy as an important part of information security in an organization, and investigates it as a meditating effect on ISS effectiveness.The purpose of transformational leadership of an information manager is improving employee awareness of information security in organizations.Top-level management support and corporate governance are also essential factors in supporting the activities of the information security manager, information security policy [31], and ISS effectiveness [32].
In the information security realm, deterrents are defined as administrative tools that can include information security policies that describe the secure use of information systems [33].The controls of administrative deterrents have been validated as effective in reducing IS [34] and computer abuses (such as software piracy [35,36]) and violation of information security policies [33,37,38].Wiant [39] also regarded information security policies as deterrent measures, and noted that the effectiveness of information security policy can be maintained when computer abuse incidents and their seriousness are monitored and reported.The theory of general deterrence states that policy can prevent potential abusive acts by presenting the threat of sanctions and unpleasant consequences [34,40].

Transformational Leadership
The relationship between information security managers and other employees, regardless of their position in the organization, can be treated as the relationship between leaders and followers.To urge employees within the organization to maintain information security, information security managers should persuade, inspire, and motivate their employees.Information security managers do not have any direct controls by which to order, monitor, or punish other employees.To effectively lead other employees in complying with information security policies, information security managers should display leadership via implementation of information security policy.Here, the authors review the related components leadership.
In the past 100 years, leadership has been defined in terms of the behaviors, traits, role relationships, interaction patterns, and occupations of someone in an administrative position.There is a fundamental and highly controversial issue in the field of leadership, namely, "what we do know and what we should know about leadership and leaders" [41].A wide variety of views on leadership involve the question of whether to judge leadership as a transmission process or a specialized role [42].
Burns [43] and Bass [44] suggested the need to shift the emphasis of leadership studies from mainly examining transactional models grounded on "how leaders and followers make an exchange with each other to models that might expand transactional leadership and were labeled charismatic, transformational, inspirational, and visionary".Both transactional and transformational leadership are originally embedded in the dyadic paradigm, the theory of which retains the relationship of the leader subordinate dyad, as described above.Unlike traditional leadership models that describe leader behavior in terms of providing direction, support, reinforcement behaviors, goals, and leader-follower exchange relationships (or indeed being based on "economic cost-benefit assumptions" [44]), new leadership models highlight "symbolic leader behavior; visionary, inspirational messages; emotional feelings; ideological and moral values; individualized attention; and intellectual stimulation".Emerging from these studies, transformational leadership theories have been the most frequently researched theories over the past 20 years [45,46].Transformational leadership has been redefined as the mutual commitment to the objectives and mission/vision of the work unit [47].
The theory of transformational leadership indicates that such leaders have reinforced their higher-order values and elevated followers' aspirations such that the followers can identify their mission/vision, work more effectively and efficiently, and work to do their part beyond base expectations and mere transactions [44,48].Transformational leadership appeals to the moral values of followers in an attempt to raise their consciousness with regard to ethical issues and mobilize their energy and resources to reform institutions.
Judge and Piccolo [49] state that transformational leadership is positively related to leadership effectiveness and to several significant organizational outcomes across many different types of organizations, levels of analyses, situations, and cultures using a series of meta-analytic studies.Many researchers have studied different processes using transformational leadership effects that are eventually realized in the form of performance outcomes [41].These processes involve follower formation of identification; satisfaction; commitment; perceived fairness [50,51]; job characteristics such as identity, significance, variety, feedback, and autonomy [52]; trust in the leader [53]; and how followers feel about themselves and their group in terms of cohesion, potency, and efficacy [54,55].
New theories of transformational leadership are more concerned with goal attainment in pragmatic task objectives by followers, groups, and organizations than with the moral elevation of followers.Jansen and Crossan [56] state that it is necessary to consider interactions between leaders and followers, rather than the leaders' unreciprocated behaviors.Kahai and colleagues showed that transformational leadership reduces the incidence of social loafing (a "counterproductive" behavior) [57].Transformational leadership not only reduces the impact of counterproductive behaviors but also improves the performance of individuals and groups, because transformational leaders have the ability to gather followers committed to collective goals, rather than simply to satisfying the followers' personal goals.
Social role theory is a perspective in sociology in which socially defined categories or roles (such as mother, manager, teacher, group member, and team members) have distinct expectations associated with them; correct leader behaviors are required to achieve organization goals and outcomes in most daily activities [25].Kark et al. [58] suggested that transformational leadership has an impact on both social identification within the work unit and personal identification with the leader.Leadership research on social identity formation has also focused heavily on what constitutes prototypicality, which has shown that followers can be closer to those leaders who are exemplars of the groups the followers want to join or to which they already belong [58].Lord and Brown [59] presented a model that studies two specific ways in which leaders can influence the manner in which followers choose to behave, in terms of the motivations they have regulated through actions and behaviors.The idea of a working self-concept brings up issues of identity [60].
Transformational leadership by information security managers is expected to improve ISS effectiveness.Although ISS managers can inspire employees to comply with ISS, information security managers do not have direct means for influencing employees.Information security policy is an important mediator in influence among employees.
Researchers have suggested that transformational leadership behaviors include four components: inspirational motivation, idealized influence, individualized consideration, and intellectual stimulation.The first two components are similar to the concept of "charisma" [44,61].Inspirational motivation includes the demonstration of enthusiasm and optimism, presentation and creation of symbols and emotional arguments, and an attractive vision of the future.Thus, the author hypothesizes that: (H-1a) The inspirational motivation of transformational leadership affects the relevance of information security policy.(H-1b) The inspirational motivation of transformational leadership affects the enforcement of information security policy.
Support for (H-1a) and (H-1b) would indicate that the inspirational motivation of transformational leadership has an indirect influence on the relevance of information security policy and the enforcement of information policy, because of its direct influence on the maturity of the information security policy.
Idealized influence involves behaviors such as setting a personal example, demonstrating high ethical standards, and making sacrifices for the benefit of the group.Thus, the author hypothesizes that: (H-2a) The idealized influence of transformational leadership affects the relevance of information security policy.(H-2b) The idealized influence of transformational leadership affects the enforcement of information security policy.
Support for (H-2a) and (H-2b) would indicate that the idealized influence of transformational leadership has an indirect influence on the relevance of information security policy and the enforcement of information policy, because of its direct influence on the maturity of the information security policy.
The third component, individualized consideration, contains coaching, encouraging, and providing support to followers.Thus, the author hypothesizes that: (H-3a) The individualized consideration of transformational leadership affects the relevance of information security policy.(H-3b) The individualized consideration of transformational leadership affects the enforcement of information security policy.
Support for (H-3a) and (H-3b) would indicate that the individualized consideration of transformational leadership has an indirect influence on the relevance of information security policy and the enforcement of information policy, because of its direct influence on the maturity of the information security policy.
The fourth component, intellectual stimulation, includes behaviors that challenge followers to view problems from new perspectives.Previous studies have demonstrated that these transformational behaviors are related to high employee performance [49] and high leadership effectiveness [62].Thus, the author hypothesizes that: (H-4a) The intellectual stimulation of transformational leadership affects the relevance of information security policy.(H-4b) The intellectual stimulation of transformational leadership affects the enforcement of information security policy.
Support for (H-4a) and (H-4b) would indicate that the intellectual stimulation of transformational leadership has an indirect influence on the relevance of information security policy and the enforcement of information policy, because of its direct influence on the maturity of the information security policy.

Relevance and Enforcement of Information Security Policies
Several authors have investigated the role of information security policies [24,[63][64][65].Kemp [63] noted that management should support information security policies if they are to be effective.Thomson and von Solms [64] argued that the effectiveness of information security policies is improved for employees that adopt them in practical cases.
To improve the effectiveness of information security, information security policies should be established as a control for effective deterrence efforts.After the establishment of information security policies, information security managers should manage information security policy properly and stress that policy violation will be punished accordingly.Based on the established policy, information security managers should conduct appropriate monitoring and surveillance programs of employee activities, so as to enforce policy.Information security managers should observe all of the identified violations to deter potential violators.Finally, the organization's management should ensure the deployment of preventive controls that proactively help minimize security incidents [34].
Knapp et al. considered the influences of information security policies on the effectiveness of information security, and divided the concept of information security policy into policy relevance and enforcement [65].Knapp et al. utilized a qualitative research approach that closely observes grounded theory, which attempts to derive theory from corpus data [66].Knapp et al. [24] also argued that the enforcement of information security policy would improve the effectiveness of information security.Enforcement is the most important information security policy issue.To improve information security, an organization attempts to include all desired goals.The content of information security policies will be rendered useless if not enforced.
We expect that the enforcement of information security policies will influence the effectiveness of information security.Thus, we hypothesize that: (H-5) The enforcement of information security policies improves the effectiveness of ISS.
To achieve sustainability of information security policies, information security managers should ensure their relevance, which includes the four aspects described here.Information security policies should reflect changes in technology.Policies should periodically (and correctly) be updated on a regular basis.Review and update processes for updating information security policies should exist [65].The relevance of information security policies will improve the effectiveness of ISS.To improve the effectiveness of information systems, the enforcement of information security policies should be sustained [34,65].To improve enforcement, the organization can sanction employees who violate the rules of information security policy, enforce the rules of information security by sanctioning those employees who violate them, and educate security offenders.Management needs to ensure that users are educated and informed on proper IS use.Information security managers should stress that policy violations will be punished accordingly.With policies in place, the managers can ensure that appropriate employee activity monitoring and surveillance programs are utilized to enforce policy.Information security managers should then follow-up with all identified violations to help deter potential abusers.Management should ensure that the implementation of preventive mechanisms using security software proactively helps minimize security incidents.An organization might consider termination of employees who repeatedly violate information security policies [65].
In this study, we expect the relevance of information security policies to influence the effectiveness of information security.Thus, we hypothesize that: (H-6) The relevance of information security policy improves the effectiveness of ISS.

ISS Effectiveness
The definition of ISS effectiveness includes the extent to which objectives and goals of an ISS program are achieved, the secure operation of information programs, and the protection of information.ISS effectiveness includes the overall functions of ISS.
ISS effectiveness is influenced by the ways in which security content is addressed in the policy, and how content is communicated to users [67].ISS effectiveness can be enhanced by security items specified in security policies [68], organizational factors [65], and security measures [69].
Information security measures (such as tools, methods, procedures, and controls) and raising awareness [69] can increase ISS effectiveness.Among information security measures, ISS effectiveness is also influenced by preventive efforts, such as the protection of data, software, hardware, and computer services [70].Among organizational behaviors, the effectiveness of ISS is impacted by several factors, including policy relevance, user training, policy enforcement [65], and top management [71].Among hybrid factors, efforts such as hours spent on deterrence and prevention in a week, dedication to data security, notification to users of penalties, and the utilization and violation of security software [34] can also influence ISS effectiveness.Table 1 summarizes research background.

ISS research
Importance of the top management role and information security policy.social role theory, focus on manager's role Hu et al. [23], Knapp et al. [24], Eagly et al. [25] Research on the relationship between leadership and ISS effectiveness Burney [13], Long [26] Information security effectiveness is positively related with the leadership of information security managers Rohmeyer [14], Kim and Choi [27], Kim et al. [28] Role of information security managers in establishing information security programs Burney [13], Kim and Choi [27], Wylder [29] Information security policy as a deterrent measure Wiant [39] Transformational leadership Emphasis on leadership from transactional model Burns [43], Bass [44], Judge and Piccolo [49], Kark et al. [58] Theory of transformational leadership Bass [44], Avolio [48] Interactions between leaders and followers Jansen and Crossan [56] Relevance

Measurement Construct
This study uses the research model presented in Figure 1.The variables are measured based on previously validated items, and are then further modified as required.Some of the items have been developed by the authors.The measurement of all variables utilizes a five-point Likert scale, where 1 denotes "strongly disagree" and 5 denotes "strongly agree".
The three items that measure idealized influence are taken from Viator [72] and Podsakoff et al. [73].The three items that measure intellectual stimulation are taken from Ke and Wei [74], and Podsakoff et al. [73].The three items of individualized consideration are based on those used by Viator [72] and Ke and Wei [74].To measure inspirational motivation, three variables taken from Viator [72] and Ke and Wei [74] are used.Four items taken from Knapp et al. [65] are used as measures of the relevance of information security policy.To measure the enforcement of information security policies, four items from Knapp et al. [65] are used.Four items from Hagen et al. [69] are used to measure ISS effectiveness.The items of questionnaire in this study are described in the Appendix.

Measurement Construct
This study uses the research model presented in Figure 1.The variables are measured based on previously validated items, and are then further modified as required.Some of the items have been developed by the authors.The measurement of all variables utilizes a five-point Likert scale, where 1 denotes "strongly disagree" and 5 denotes "strongly agree".
The three items that measure idealized influence are taken from Viator [72] and Podsakoff et al. [73].The three items that measure intellectual stimulation are taken from Ke and Wei [74], and Podsakoff et al. [73].The three items of individualized consideration are based on those used by Viator [72] and Ke and Wei [74].To measure inspirational motivation, three variables taken from Viator [72] and Ke and Wei [74] are used.Four items taken from Knapp et al. [65] are used as measures of the relevance of information security policy.To measure the enforcement of information security policies, four items from Knapp et al. [65] are used.Four items from Hagen et al. [69] are used to measure ISS effectiveness.The items of questionnaire in this study are described in the Appendix.

Data Collection
To confirm the validity of the questionnaire, the questionnaire was sent to three information security managers in government and five professors researching information security management by email and phone.These experts gave comments on some of items in the questionnaire (and corrected them for clarity) and the predicted results.Based on their feedback, the authors corrected several items in the questionnaire.After validation, the authors conducted a pilot test.Five researchers were asked to participate in the pilot test.They responded to the

Data Collection
To confirm the validity of the questionnaire, the questionnaire was sent to three information security managers in government and five professors researching information security management by email and phone.These experts gave comments on some of items in the questionnaire (and corrected them for clarity) and the predicted results.Based on their feedback, the authors corrected several items in the questionnaire.After validation, the authors conducted a pilot test.Five researchers were asked to participate in the pilot test.They responded to the questionnaire from the perspective of information security managers and indicated that some of the terms needed to be clarified.Based on their feedback, we modified the questionnaire.
Questionnaires were presented as opinion surveys on information security management to information security managers from approximately 35 Korean central government agencies, 17 local-autonomy governments, and 103 government-owned enterprises.We sent mail to the information security managers in these organizations, asked for the help of an acquaintance in a Sustainability 2016, 8, 638 9 of 21 government agency, and asked them to fill out the questionnaire.The author chose the surveyed enterprises based on only summary reports of evaluating information security available to the public.To effectively reflect the responses of information security managers, the author sent two or three questionnaires to very large government-owned enterprises such as electricity companies, energy companies, transportation companies, and water management companies.The number of information security managers in these enterprises is known to be greater than 10.Of the 200 paper questionnaires sent, we received 190 back and analyzed the 180 that had valid responses.The valid response rate was 90%.
The results from the 180 respondents are reported in Table 2.The age of most respondents was between 41 and 50 years.Of the respondents, approximately 60% had worked for less than five years at their corresponding positions, and 96.6% were regular employees.

Analysis of Results
The research model is validated using structural equation modeling, which allows analysis of the relationships (and their strengths) between constructs.Reflecting growing use in management studies [75], partial least squares (PLS) is used as the estimation procedure.PLS combines factor analysis with linear regression and does not require large sample sizes; it makes only minimal assumptions about the goal of variance explanation, and makes no assumptions regarding the underlying distribution of data [76].Smart PLS 2.0 and SPSS 18.0 software packages are used for data analysis.
Reliability can be defined as the overall internal consistency of the results.A standardized approach was taken to improve reliability.Construction of a well-defined survey instrument and consistent administration of the survey improved reliability.In this study, multiple items were developed to measure the statements, which describe the relationships between constructs.Reliability analysis was conducted using SPSS, using the calculation of Cronbach's alpha.The majority of individuals correctly used Cronbach's alpha as the measure of internal consistency.Cronbach's alpha reliability coefficient normally ranges between 0 and 1.The closer Cronbach's alpha coefficient is to 1.0, the greater the internal consistency of the items in the scale.Table 3 shows the reliability of each construct and indicates that Cronbach's alpha values are greater than 0.7, which means that the measurement of the constructs maintained internal consistency.
Exploratory factor analysis is conducted using principle component analysis and varimax orthogonal factor rotation utilizing SPSS.The purposes of exploratory factor analysis are determining the number of fundamental influences underling the domain of variables, measuring the extent to which each construct is associated with the factors, and acquiring information about their nature by observing which factors influence performance on which variables.Table 4 lists the results of the exploratory factor analysis.
Validity represents effectiveness when producing accurate results and conclusions.Internal validity indicates the overall integrity of the experiment.External validity indicates the ability to generalize the findings of the study to the general population (i.e., beyond the limited sample).Threat sources to validity can be statistical or constructs.Statistical threats are related to concerns of whether the observed results were due to chance or, in fact, they can be attributed to some effect of the independent variable.Construct validity is related to the concept of whether or not the operational definitions are valid measures of the various constructs.Construct validity includes empirical and theoretical support for the interpretation of the construct.There are two kinds of approaches in construct validity.First, convergent validity represents the degree to which a measure is correlated with other measures that it is theoretically predicted to correlate with.Second, discriminant validity represents the extent to which the operational definitions do not correlate with other operational definitions that, theoretically, it should not correlate with.Convergent validity was evaluated using that composite reliability (CR) and average variance extracted (AVE) values for all constructs that are greater than the required validity thresholds.Convergent validity is considered valid if the composite reliability and AVE values are greater than 0.7 and 0.5, respectively [76].Table 3 indicates that all of the measures satisfy all of the thresholds, and thus, convergent validity is satisfied.To satisfy discriminant validity, the square root of the AVE values must exceed the correlation coefficients between the construct and the other constructs in the model [76].Table 5 indicates that the square roots of the AVE values exceeded the correlation coefficients, thereby verifying discriminant validity.The fact that convergent validity and discriminant validity were satisfied means that all of measurements maintain internal consistency.The effects proposed in the model and their significance values are estimated using PLS.Table 6 lists the results of the structural model PLS regressions.The bootstrap method was used to evaluate the path (bootstrap resampling number = 500).The proportion of the ISS effectiveness, the dependent variable that is predicted from the independent variables and meditate variables, is 58%.We tested the suggested research model and further investigated the mediating effects of information security policy on ISS effectiveness in the other models.In the first model (Figure 2), all of the constructs are included, and direct and indirect paths to effectiveness (and the effects of the control variable on ISS effectiveness) are tested.Hypothesis 1a, which states that idealized influence is positively associated with policy relevance, is supported (β = 0.292, p < 0.01).This result shows that the strong idealized influence of the information security manager is associated with an improvement in information security relevance.Hypothesis 1b, which states that idealized influence is positively associated with policy enforcement, is supported (β = 0.211, p < 0.01).This result means that the strong idealized influence of the information security manager can increase the level of enforcement of information security policy.
Hypothesis 2a, which states that intellectual stimulation of the information security manager is positively associated with policy relevance, is not supported.This result shows that intellectual stimulation of the information security manager cannot increase the degree of policy relevance.Hypothesis 2b, which states that intellectual stimulation of the information security manager is positively associated with policy enforcement, is also not supported.This result shows that intellectual stimulation of the information security manager cannot increase the level of enforcement of information security policy. of the constructs are included, and direct and indirect paths to effectiveness (and the effects of the control variable on ISS effectiveness) are tested.Hypothesis 1a, which states that idealized influence is positively associated with policy relevance, is supported (β = 0.292, p < 0.01).This result shows that the strong idealized influence of the information security manager is associated with an improvement in information security relevance.Hypothesis 1b, which states that idealized influence is positively associated with policy enforcement, is supported (β = 0.211, p < 0.01).This result means that the strong idealized influence of the information security manager can increase the level of enforcement of information security policy.Hypothesis 2a, which states that intellectual stimulation of the information security manager is positively associated with policy relevance, is not supported.This result shows that intellectual stimulation of the information security manager cannot increase the degree of policy relevance.Hypothesis 2b, which states that intellectual stimulation of the information security manager is positively associated with policy enforcement, is also not supported.This result shows that intellectual stimulation of the information security manager cannot increase the level of enforcement of information security policy.Hypothesis 3a, which states that individualized consideration of the information security manager is positively associated with policy relevance, is supported (β = 0.191, p < 0.05).This result means that individual care by the information security manager for employees can increase the degree of policy relevance.Hypothesis 3b, which states that individualized consideration of the information security manager is positively associated with policy enforcement, is supported (β = 0.361, p < 0.01).This result shows that individual care of the information security manager can increase the degree of enforcement of information security policy.
Hypothesis 4a, which states that inspirational motivation of the information security manager's leadership is positively associated with policy relevance, is supported (β = 0.168, p < 0.05).This result means that motivation due to the information security manager's leadership can increase the degree of policy relevance.Hypothesis 4b, which states that inspirational motivation of the information security manager's leadership is positively associated with enforcement of information security policy, is supported (β = 0.222, p < 0.01).This result shows that inspirational motivation by the information security manager regarding information security can increase the degree of enforcement of information security policy.
Hypothesis 5, which states that the relevance of information security policy is positively associated with ISS effectiveness, is supported (β = 0.318, p < 0.01).This result means that the relevance of information security policy positively influences ISS effectiveness.Hypothesis 6, which Hypothesis 3a, which states that individualized consideration of the information security manager is positively associated with policy relevance, is supported (β = 0.191, p < 0.05).This result means that individual care by the information security manager for employees can increase the degree of policy relevance.Hypothesis 3b, which states that individualized consideration of the information security manager is positively associated with policy enforcement, is supported (β = 0.361, p < 0.01).This result shows that individual care of the information security manager can increase the degree of enforcement of information security policy.
Hypothesis 4a, which states that inspirational motivation of the information security manager's leadership is positively associated with policy relevance, is supported (β = 0.168, p < 0.05).This result means that motivation due to the information security manager's leadership can increase the degree of policy relevance.Hypothesis 4b, which states that inspirational motivation of the information security manager's leadership is positively associated with enforcement of information security policy, is supported (β = 0.222, p < 0.01).This result shows that inspirational motivation by the information security manager regarding information security can increase the degree of enforcement of information security policy.
Hypothesis 5, which states that the relevance of information security policy is positively associated with ISS effectiveness, is supported (β = 0.318, p < 0.01).This result means that the relevance of information security policy positively influences ISS effectiveness.Hypothesis 6, which states that the enforcement of information security policy is positively associated with ISS effectiveness, is supported (β = 0.515, p < 0.01).This result shows that the relevance of the information security policy positively influences ISS effectiveness.
As Table 7 indicates, the number of years on the job and training frequency within one year are associated with ISS effectiveness.This shows that education and training of information security managers has influenced the ISS effectiveness [14].Interestingly, the number of years on job is negatively associated with ISS effectiveness.The relation between the number of years on job of information security managers and ISS effectiveness is needed to be further investigated because other theoretical evidences do not mention the relationship.In addition, the mediation effects of the relevance and enforcement of information security policy are statistically tested.This analysis of the mediation effect explains the relationships between the independent and dependent variables.The mediating effects of the relevance and enforcement are tested using logic developed by Baron and Kenny [77], which suggests that a variable can be considered a mediator when it satisfies the following three conditions: (1) The path between the independent and mediating variables (path a) is significant.
(2) The path between the meditating and dependent variables (path b) is significant.
(3) When paths a and b are controlled, the correlation in path c (from independent to dependent variables) is no longer statistically significant, and thus, can be eliminated.
As Figure 3 shows, the direct paths from idealized influence, individualized consideration, and inspirational motivation to ISS effectiveness are significant; however, the direct path from intellectual stimulation to ISS effectiveness is not significant.Therefore, intellectual stimulation of the information security manager is excluded from the subsequent mediational analysis.states that the enforcement of information security policy is positively associated with ISS effectiveness, is supported (β = 0.515, p < 0.01).This result shows that the relevance of the information security policy positively influences ISS effectiveness.As Table 7 indicates, the number of years on the job and training frequency within one year are associated with ISS effectiveness.This shows that education and training of information security managers has influenced the ISS effectiveness [14].Interestingly, the number of years on job is negatively associated with ISS effectiveness.The relation between the number of years on job of information security managers and ISS effectiveness is needed to be further investigated because other theoretical evidences do not mention the relationship.In addition, the mediation effects of the relevance and enforcement of information security policy are statistically tested.This analysis of the mediation effect explains the relationships between the independent and dependent variables.The mediating effects of the relevance and enforcement are tested using logic developed by Baron and Kenny [77], which suggests that a variable can be considered a mediator when it satisfies the following three conditions: (1) The path between the independent and mediating variables (path a) is significant.
(2) The path between the meditating and dependent variables (path b) is significant.
(3) When paths a and b are controlled, the correlation in path c (from independent to dependent variables) is no longer statistically significant, and thus, can be eliminated.
As Figure 3 shows, the direct paths from idealized influence, individualized consideration, and inspirational motivation to ISS effectiveness are significant; however, the direct path from intellectual stimulation to ISS effectiveness is not significant.Therefore, intellectual stimulation of the information security manager is excluded from the subsequent mediational analysis.By introducing information policy relevance as a mediator of the paths between the three independent variables and ISS effectiveness, we observe weak partial mediating effects.The strength of each relationship between ISS effectiveness and idealized influence, individualized care, and inspirational motivation is reduced, thus indicating a partial mediating effect of information security relevance (Figure 4).In other words, idealized influence, individualized consideration, and inspirational motivation are related to ISS effectiveness via the relevance of information security.By introducing information policy relevance as a mediator of the paths between the three independent variables and ISS effectiveness, we observe weak partial mediating effects.The strength of each relationship between ISS effectiveness and idealized influence, individualized care, and inspirational motivation is reduced, thus indicating a partial mediating effect of information security relevance (Figure 4).In other words, idealized influence, individualized consideration, and inspirational motivation are related to ISS effectiveness via the relevance of information security.The same procedure is conducted to test the meditating effect of information security policy enforcement on each relationship between ISS effectiveness and idealized influence, individual consideration, and inspirational motivation.The relationship between individual consideration and ISS effectiveness is eliminated, thus indicating a complete mediating effect of the enforcement of information security policy on the effects of individualized consideration of the information security manager (Figure 5).This result shows that individual consideration is related to ISS effectiveness via the enforcement of information security policy.Thus, the enforcement and relevance of information security policy contribute to a better explanation of ISS effectiveness.The same procedure is conducted to test the meditating effect of information security policy enforcement on each relationship between ISS effectiveness and idealized influence, individual consideration, and inspirational motivation.The relationship between individual consideration and ISS effectiveness is eliminated, thus indicating a complete mediating effect of the enforcement of information security policy on the effects of individualized consideration of the information security manager (Figure 5).This result shows that individual consideration is related to ISS effectiveness via the enforcement of information security policy.Thus, the enforcement and relevance of information security policy contribute to a better explanation of ISS effectiveness.By introducing information policy relevance as a mediator of the paths between the three independent variables and ISS effectiveness, we observe weak partial mediating effects.The strength of each relationship between ISS effectiveness and idealized influence, individualized care, and inspirational motivation is reduced, thus indicating a partial mediating effect of information security relevance (Figure 4).In other words, idealized influence, individualized consideration, and inspirational motivation are related to ISS effectiveness via the relevance of information security.The same procedure is conducted to test the meditating effect of information security policy enforcement on each relationship between ISS effectiveness and idealized influence, individual consideration, and inspirational motivation.The relationship between individual consideration and ISS effectiveness is eliminated, thus indicating a complete mediating effect of the enforcement of information security policy on the effects of individualized consideration of the information security manager (Figure 5).This result shows that individual consideration is related to ISS effectiveness via the enforcement of information security policy.Thus, the enforcement and relevance of information security policy contribute to a better explanation of ISS effectiveness.For practicing managers, who try to diagnose the status of ISS effectiveness in their organizations, checklist approaches could be used.Many checklists such as ISO 27001 and parsimonious framework by Ma et al., can be utilized for information security in organizations [78].

Conclusions and Discussion
This study showed that transformational leadership by information security managers can improve the effectiveness of ISS used by e-governments.The transformational leadership of information security managers can take a central role in maintaining secure sustainable computing.The results of the study extend and support those of previous studies, which argue that essential skills and the essential role of the information security manager are required for effective information security programs.This study suggests three important results regarding the leadership of information security managers.First, the transformational leadership of information security managers can improve ISS effectiveness.Whereas most previous studies focused on the technical aspects of information security management, this study focused on behavioral characteristics.Although studies into how the leadership of the IT manager can improve the performance of organizations have been performed [14,27,28], this study focused on the transformational leadership of IS managers.The importance of transformational leadership by the information security manager is based on the fact that individuals in organizations have many reasons not to comply with ISS policies.The transformational leadership of IS managers can persuade, assist, and direct employees in complying with ISS policies, thereby improving the effectiveness of IS.Most organizations have tried to provide technological education and training for IS mangers.Education and training for transformational leadership by IS managers should also be established.Organizations should hire IS managers who have the appropriate transformational leadership skills, so as to increase the level of ISS effectiveness.
Second, the relevance and enforcement of information security policy can be mediators between the transformational leadership of information security managers and ISS effectiveness.This study also showed that IS policy should be managed reflecting the changes of information technology environment and the IS policy should be enforced with a certainty and severity.Although most of organizations have established IS policy, they would not regular and consistent update processes, and they have difficulty in punishing the violators committing IS policy [24].This study showed that the consistent and severe IS policy can improve the maturity of ISS.As the previous study mention, only both the information security governance and top management support can support information security policy [79].The information security managers, therefore, try to obtain the support of top management level.
Third, this study showed that the education and training positively affect ISS effectiveness in organizations.As the previous study asserts that the adequate IS skills and qualifications have improved the maturity of IS program [78], education and training of information security manager can improve ISS effectiveness.As environments of information technology change rapidly, information security managers need to learn current skills and knowledge.This finding shows that the education and training for IS manager should be provided in a regular period.The author suggests that organizations have to provide mandatory training and education with information security manager at least over 40 h in a year.
This study suggests the effects of information security managers' transformational leadership.Specifically, this study suggests the importance of the leadership of information security managers in e-governments, thus contributing to theoretical research into improving ISS effectiveness in e-governments.E-governments have difficulty considering the transformational leadership of IS managers.Governmental agencies are more centralized, more formalized, and more departmentalized; government organizations result in a form of bureaucratic control (i.e., a greater degree of hierarchy, more centralized decision-making structures, formalized rules, and more functional departments) [80].As this study indicates, e-governments should try to hire IS managers who have high technical skills and transformational leadership, resulting in improving the maturity of ISS.Additional studies on

Table 3 .
Validity and reliability of reflective constructs.

Table 5 .
Discriminant validity and correlation of latent variable scores.

Table 6 .
Testing results of structural model.

Table 7 .
Results of control variables that influerences ISS effectiveness.

Table 7 .
Results of control variables that influerences ISS effectiveness.