The Effective Factors on Continuity of Corporate Information Security Management: Based on TOE Framework
Abstract
1. Introduction
2. Literature Review and Hypothesis Development
2.1. Corporate Intention and Continuity of Information Security Management
2.2. TOE Framework and Information Security Management
3. Methods
3.1. Research Model
3.2. Measurement Variable and Data Collection
3.3. Demographic Information of the Data
4. Results
4.1. Analysis Results of Reliability and Validity
4.2. Analysis Results of Structural Model
5. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
1. Gangwar, H.; Date, H.; Raoot, A. Review on IT adoption: Insights from recent technologies. J. Enterp. Inf. Manag. 2014, 27, 488–502.
2. von Solms, R. Information security management: The second generation. Comput. Secur. 1996, 15, 281–288.
3. Jeong, S.; Yoon, J.; Lim, J.; Lee, K. Studies on the effect of information security investment executive. J. Korea Inst. Inf. Secur. Cryptol. 2014, 24, 1271–1284.
4. Choi, W.N.; Kim, W.J.; Kook, K.H. An evaluation of the efficiency of information protection activities of private companies. Converg. Secur. J. 2018, 18, 25–32.
5. Lee, H.; Chai, S. An empirical study of relationship between information security investment and information security incidents. J. Korea Inst. Inf. Secur. Cryptol. 2018, 28, 269–281.
6. Henriksen, H. Motivators for IOS adoption in Denmark. J. Electron. Commer. Organ. 2006, 4, 25–39.
7. Barnard, L.; von Solms, R. A Formalized Approach to the Effective Selection and Evaluation of Information Security Controls. Comput. Secur. 2000, 19, 185–194.
8. Da Veiga, A.; Eloff, J. An Information Security Governance Framework. Inf. Syst. Manag. 2007, 24, 361–372.
9. Soomro, Z.A.; Shah, M.H.; Ahmed, J. Information security management needs more holistic approach: A literature review. Int. J. Inf. Manag. 2016, 36, 215–225.
10. Eloff, J.H.P.; Eloff, M. Integrated information security architecture. Comput. Fraud. Secur. 2005, 11, 10–16.
11. Posthumus, S.; Von Solms, R. IT governance. Comput. Fraud. Secur. 2005, 6, 11–17.
12. Richards, N. The critical importance of information security to financial institutions. Bus. Credit. 2002, 104, 35–36.
13. Siponen, M.; Willison, R. Information security management standards: Problems and solutions. Inf. Manag. 2009, 46, 267–270.
14. Bulgurcu, B.; Cavusoglu, H.; Benbasat, I. Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness. MIS Q. 2010, 34, 523.
15. Baker, W.H.; Wallace, L. Is Information Security Under Control? Investigating Quality in Information Security Management. IEEE Secur. Priv. Mag. 2007, 5, 36–44.
16. Eloff, M.M.; Von Solms, S.H. Information Security management: A hierarchical framework for various approaches. Comput. Secur. 2000, 19, 243–256.
17. Von Solms, B. Information security—The third wave? Comput. Secur. 2000, 19, 615–620.
18. Hedström, K.; Kolkowska, E.; Karlsson, F.; Allen, J. Value conflicts for information security management. J. Strat. Inf. Syst. 2011, 20, 373–384.
19. Vroom, C.; von Solms, R. Towards information security behavioural compliance. Comput. Secur. 2004, 23, 191–198.
20. Ma, Q.; Johnston, A.C.; Pearson, J.M. Information security management objectives and practices: A parsimonious framework. Inf. Manag. Comput. Secur. 2008, 16, 251–270.
21. Kritzinger, E.; Smith, E. Information security management: An information security retrieval and awareness model for industry. Comput. Secur. 2008, 27, 224–231.
22. Wiley, A.; McCormac, A.; Calic, D. More than the individual: Examining the relationship between culture and Information Security Awareness. Comput. Secur. 2019, 88, 101640.
23. Singh, A.N.; Gupta, M.; Ojha, A. Identifying factors of “organizational information security management”. J. Enterp. Inf. Manag. 2014, 27, 644–667.
24. Awa, H.O.; Ojiabo, O.U. A model of adoption determinants of ERP within T-O-E framework. Inf. Technol. People 2016, 29, 901–930.
25. Farn, K.J.; Lin, S.K.; Fung, A.R.-W. A study on information security management system evaluation—Assets, threat and vulnerability. Comput. Stand. Interfaces 2004, 26, 501–513.
26. Steven, W.; Karen, G.; Catherine, J.; Joseph, C.; Collin, G. An Extended TOE Framework for Cybersecurity Adoption Decisions. Commun. Assoc. Inf. Syst. 2020, 47, 51–77.
27. Awa, H.O.; Ojiabo, O.U.; Emecheta, B.C. Integrating TAM, TPB and TOE frameworks and expanding their characteristic constructs for e-commerce adoption by SMEs. J. Sci. Technol. Policy Manag. 2015, 6, 76–94.
28. Awa, H.O.; Ukoha, O.; Emecheta, B.C. Using T-O-E theoretical framework to study the adoption of ERP solution. Cogent Bus. Manag. 2016, 3, 1196571.
29. Kitsios, F.; Kamariotou, M. Business strategy modelling based on enterprise architecture: A state of the art review. Bus. Process. Manag. J. 2018, 25, 606–624.
30. Ullah, F.; Qayyum, S.; Thaheem, M.J.; Al-Turjman, F.; Sepasgozar, S.M. Risk management in sustainable smart cities governance: A TOE framework. Technol. Forecast. Soc. Chang. 2021, 167, 120743.
31. Ahmad, S.K.; Janczewski, L.; Beltran, F. SEC-TOE framework: Exploring security determinants in big data solutions adoption. In Proceedings of the 19th Pacific Asia Conference on Information Systems, Singapore, 5–9 July 2015.
32. Steinbart, P.J.; Raschke, R.L.; Gal, G.; Dilla, W.N. The influence of a good relationship between the internal audit and information security functions on information security outcomes. Account. Organ. Soc. 2018, 71, 15–29.
33. Hong, K.-S.; Chi, Y.-P.; Chao, L.R.; Tang, J.-H. An integrated system theory of information security management. Inf. Manag. Comput. Secur. 2003, 11, 243–248.
34. Lebek, B.; Uffen, J.; Neumann, M.; Hohler, B.; Breitner, M.H. Information security awareness and behavior: A theory-based literature review. Manag. Res. Rev. 2014, 37, 1049–1092.
35. Sun, J.; Ahluwalia, P.; Koong, K.S. The more secure the better? A study of information security readiness. Ind. Manag. Data Syst. 2011, 111, 570–588.
36. Pérez-González, D.; Preciado, S.T.; Solana-Gonzalez, P. Organizational practices as antecedents of the information security management performance: An empirical investigation. Inf. Technol. People 2019, 32, 1262–1275.
37. Alzahrani, L.; Seth, K.P. The Impact of Organizational Practices on the Information Security Management Performance. Information 2021, 12, 398.
38. Jeyaraj, A.; Rottman, J.W.; Lacity, M.C. A Review of the Predictors, Linkages, and Biases in IT Innovation Adoption Research. J. Inf. Technol. 2006, 21, 1–23.
39. Kamal, M.M. IT innovation adoption in the government sector: Identifying the critical success factors. J. Enterp. Inf. Manag. 2006, 19, 192–222.
40. Al-Natour, S.; Benbasat, I. The adoption and IT artefacts: A new interaction-centric model for the study of user artefact relationships. J. Assoc. Inf. Syst. 2009, 10, 661–685.
41. Hossain, M.A.; Quaddus, M. The adoption and continued usage intention of RFID: An integrated framework. Inf. Technol. People 2011, 24, 236–256.
42. Ajzen, I. The theory of planned behaviour. Organ. Behav. Hum. Decis. Process. 1991, 20, 179–211.
43. Alsene, E. ERP systems and the co-ordination of the enterprise. Bus. Process. Manag. J. 2007, 13, 417–432.
44. Grandon, E.; Pearson, J. Electronic commerce adoption: An empirical study of small and medium US businesses. Inf. Manag. 2004, 42, 197–216.
45. Davis, F. Perceived usefulness, perceived ease of use and acceptance of information technology. MIS Q. 1989, 3, 319–340.
46. Caldeira, M.M.; Ward, J.M. Understanding the successful adoption and use of IS/IT in SMEs: An explanation from Portuguese manufacturing industries. Inf. Syst. J. 2002, 12, 121–152.
47. Eze, S.; Awa, H.; Okoye, J.; Emecheta, B.; Anazodo, R. Determinant factors of information communication technology (ICT) adoption by government-owned universities in Nigeria: A qualitative approach. J. Enterp. Inf. Manag. 2013, 26, 427–443.
48. Rajab, M.; Eydgahi, A. Evaluating the explanatory power of theoretical frameworks on intention to comply with information security policies in higher education. Comput. Secur. 2018, 80, 211–223.
49. Ritzman, M.E.; Kahle-Piasecki, L. What Works: A Systems Approach to Employee Performance in Strengthening Information Security. Perform. Improv. 2016, 55, 17–22.
50. Järveläinen, J. Information security and business continuity management in interorganizational IT relationships. Inf. Manag. Comput. Secur. 2012, 20, 332–349.
51. Aleksandrova, S.V.; Aleksandrov, M.N.; Vasiliev, V.A. Business Continuity Management System. In Proceedings of the 2018 IEEE Conference on Quality Management, Transport and Information Security, Information Technologies (IT&MQ&IS), St. Petersburg, Russia, 24–28 September 2018; pp. 14–17.
52. Lindström, J.; Samuelsson, S.; Hägerfors, A. Business continuity planning methodology. Disaster Prev. Manag. Int. J. 2010, 19, 243–255.
53. Mitchell, R.C.; Marcella, R.; Baxter, G. Corporate information security management. New Libr. World 1999, 100, 213–227.
54. Vermeulen, C.; Von Solms, R. The information security management toolbox—taking the pain out of security management. Inf. Manag. Comput. Secur. 2002, 10, 119–125.
55. Manshaei, M.H.; Zhu, Q.; Alpcan, T.; Başar, T.; Hubaux, J.-P. Game theory meets network security and privacy. ACM Comput. Surv. 2013, 45, 1–39.
56. Yildirim, E.Y.; Akalp, G.; Aytac, S.; Bayram, N. Factors influencing information security management in small- and medium-sized enterprises: A case study from Turkey. Int. J. Inf. Manag. 2011, 31, 360–365.
Factors | Survey Items | References |
---|---|---|
Technology | (1) Various types for information security management activity; (2) the enterprise’s organizational culture and environment; (3) relevant technologies appropriate; (4) managing in a centralized manner; (5) the technology operation system; (6) cooperation between organizations; (7) the capability to conduct the activity; (8) the technical workforce; (9) IT infrastructures | Jeyaraj et al. [38], Kamal [39], Al-Natour and Benbasat [40], Hossain and Quaddus [41] |
Organization | (1) The executives show a solid; (2) the executives are well-aware; (3) the executives provide active support; (4) various related departments actively participate; (5) the organization and system capable of sharing and learning; (6) there is a process being operated; (7) clear plans; (8) capital budgets; (9) if necessary, other budgets too may be used. | Ajzen [42], Alsene [43], Grandon and Pearson [44] |
Environment | (1) There are reasonable regulations and instructions; (2) the current operating standards and procedures; (3) supportive measures in line with governmental legislation; (4) various supportive policies of the government; (5) the government’s institutional support related; (6) the government’s policies; (7) a competitive edge over other competitors; (8) conducted in cooperation with partners or customers; (9) the current status of competitors is being monitored. | Davis [45], Caldeira and Ward [46], Eze et al. [47] |
Intention of information security management | (1) Intending to increase the level; (2) Willing to invest more in the activity; (3) Recognized as one of the major strategic means. | Rajab and Eydgahi [48] |
Strengthening of information security management | (1) Transmission of information out of the acceptable range; (2) Information asset is well-managed; (3) Laws, institutions, and regulations are well-complied with. | Ritzman and Kahle-Piasecki [49], Järveläinen [50] |
Continuity of information security management | (1) Relevant technologies appropriate continue to be developed; (2) Follow-up measures are always established and taken; (3) Company-wide activity is conducted continually. | Aleksandrova et al. [51] |
| Classification | | Frequency (n) | Percentage (%) |
|---|---|---|---|
| Sex | Male | 103 | 96.3 |
| | Female | 4 | 3.7 |
| Age | Less than 30 | 3 | 2.8 |
| | 30–less than 40 | 28 | 26.2 |
| | 40–less than 50 | 59 | 55.1 |
| | 50 or older | 17 | 15.9 |
| Working experience | 1–less than 5 years | 16 | 14.9 |
| | 5–less than 10 years | 23 | 21.5 |
| | 10–less than 15 years | 23 | 21.5 |
| | 15 or longer | 45 | 42.1 |
| Academic background | College graduate | 65 | 60.8 |
| | Master’s degree | 35 | 32.7 |
| | Doctor’s degree | 7 | 6.5 |
| Position | Employee | 9 | 8.3 |
| | Manager | 36 | 33.7 |
| | General director | 22 | 20.6 |
| | Executive | 40 | 37.4 |
| Corporate scale (no. of employees) | Less than 50 | 30 | 28.0 |
| | 50–less than 300 | 34 | 31.8 |
| | 300–less than 1000 | 11 | 10.3 |
| | 1000 or more | 32 | 29.9 |
| Variables | Measurement Item | Non-Standard Loading | Standard Loading | SE | t Value | p | CR | AVE | Cronbach α |
|---|---|---|---|---|---|---|---|---|---|
| Technology | T1-3 | 1 | 0.887 | | | | 0.907 | 0.765 | 0.939 |
| | T4-6 | 1.002 | 0.880 | 0.077 | 12.925 | *** | | | |
| | T7-9 | 1.089 | 0.869 | 0.086 | 12.599 | *** | | | |
| Organization | O1-3 | 1 | 0.881 | | | | 0.913 | 0.778 | 0.948 |
| | O4-6 | 1.123 | 0.948 | 0.071 | 15.800 | *** | | | |
| | O7-9 | 1.088 | 0.874 | 0.102 | 10.661 | *** | | | |
| Environment | E1-3 | 1 | 0.890 | | | | 0.914 | 0.779 | 0.945 |
| | E4-6 | 0.983 | 0.857 | 0.077 | 12.734 | *** | | | |
| | E7-9 | 1.043 | 0.925 | 0.068 | 15.265 | *** | | | |
| Intention of information security management | DM1 | 1 | 0.889 | | | | 0.903 | 0.756 | 0.921 |
| | DM2 | 1.207 | 0.952 | 0.076 | 15.864 | *** | | | |
| | DM3 | 1.156 | 0.862 | 0.091 | 12.717 | *** | | | |
| Strengthening of information security management | DI4 | 1 | 0.900 | | | | 0.928 | 0.810 | 0.941 |
| | DI5 | 1.064 | 0.948 | 0.063 | 16.796 | *** | | | |
| | DI6 | 0.953 | 0.907 | 0.064 | 14.893 | *** | | | |
| Continuity of Information Security Management | DS7 | 1 | 0.902 | | | | 0.904 | 0.759 | 0.929 |
| | DS8 | 0.967 | 0.903 | 0.065 | 14.945 | *** | | | |
| | DS9 | 0.932 | 0.903 | 0.062 | 14.965 | *** | | | |
| Classification | Technology | Organization | Environment | Intention of ISM | Strengthening of ISM | Continuity of ISM |
|---|---|---|---|---|---|---|
| Technology | 0.765 | | | | | |
| Organization | 0.853 ** | 0.778 | | | | |
| Environment | 0.787 ** | 0.890 ** | 0.779 | | | |
| Intention of ISM | 0.696 ** | 0.829 ** | 0.800 ** | 0.756 | | |
| Strengthening of ISM | 0.740 ** | 0.820 ** | 0.860 ** | 0.686 ** | 0.810 | |
| Continuity of ISM | 0.783 ** | 0.900 ** | 0.877 ** | 0.834 ** | 0.873 ** | 0.759 |
Hypothesis | Path | Standardized Regression Weights | t-Value (p) | Hypothesis Adoption |
---|---|---|---|---|
H1 | Technology > Intention of information security management | −0.348 | −1.737 | Rejected |
H2 | Organization > Intention of information security management | 0.714 | 2.478 ** | Supported |
H3 | Environment > Intention of information security management | 0.503 | 2.228 * | Supported |
H4 | Technology > Strengthening of information security management | 0.394 | 1.347 * | Supported |
H5 | Organization > Strengthening of information security management | 0.102 | 0.335 | Rejected |
H6 | Environment > Strengthening of information security management | 1.201 | 4.436 *** | Supported |
H7 | Intention of information security management > Strengthening of information security management | −0.339 | −2.123 * | Supported |
H8 | Intention of information security management > Continuity of information security management | 0.244 | 1.953 | Rejected |
H9 | Strengthening of information security management > Continuity of information security management | 0.505 | 3.188 *** | Supported |
© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Kim, Y.; Kim, B. The Effective Factors on Continuity of Corporate Information Security Management: Based on TOE Framework. Information 2021, 12, 446. https://doi.org/10.3390/info12110446