Knowing is doing: An empirical validation of the relationship between managerial information security awareness and action
Information Management & Computer Security
ISSN: 0968-5227
Article publication date: 21 November 2008
Abstract
Purpose
The purpose of this paper is to empirically validate the conjectural relationship between managerial information security awareness (MISA) and managerial actions toward information security (MATIS).
Design/methodology/approach
A model is developed and the relationship between MISA and MATIS is tested using a large set of empirical data collected across different types and sizes of enterprises. The hypotheses of the research model are tested with regression analysis.
Findings
The results of the study provide empirical support that MATIS is directly and positively related to MISA.
Research limitations/implications
The R², an estimate of the proportion of the total variation in the data set that is explained by the model, is relatively low. This fact implies that there are other constructs in addition to MISA that play a crucial role in determining MATIS. The paper suggests that intention to act and the risk‐cost tradeoff of the MATIS are other possible constructs that should be incorporated into future research. The conceptual model employed as a theoretical basis also suggests that other factors, such as the environment in which an organization operates (e.g. industry), play a major role in determining information security decisions independently of MISA. Other possible limitations include the use of secondary data in the study.
Practical implications
The results indicate that developing strategies to raise an organization's MISA should impact MATIS and thus improve information security performance.
Originality/value
The study provides empirical evidence supporting the unproven link between MISA and MATIS.
Citation
Choi, N., Kim, D., Goo, J. and Whitmore, A. (2008), "Knowing is doing: An empirical validation of the relationship between managerial information security awareness and action", Information Management & Computer Security, Vol. 16 No. 5, pp. 484-501. https://doi.org/10.1108/09685220810920558
Publisher
Emerald Group Publishing Limited
Copyright © 2008, Emerald Group Publishing Limited