Information security: management's effect on culture and policy

This study proposes to put forward and test a theoretical model that demonstrates the influence of top management support on an organization's security culture and level of security policy enforcement.

The project used a combination of qualitative and quantitative techniques. The grounded theory approach was used to analyze responses to open‐ended questions answered by 220 certified information system security professionals. Using these responses, a survey instrument was developed. Survey results were analyzed using structural equation modeling.

Evidence suggests that top management support is a significant predictor of an organization's security culture and level of policy enforcement.

During instrument validation, a special effort removed survey items that appeared overly intrusive to the respondents. In this endeavor, an expert panel of security practitioners evaluated all candidate items on a willingness‐to‐answer scale. While especially helpful in security, this scale may be used in other research domains.

Practitioners should understand the impact of top management support on achieving security effectiveness. Based on the findings of this study, low levels of executive support will produce an organizational culture less tolerant of good security practices. Low levels of support will diminish the level of enforcement of existing security policies.

Researchers developed original scales to measure levels of top management support, policy enforcement, and organizational culture. The scales demonstrated acceptable reliability and validity scores.