Assessing Information Security Competencies of Firm Leaders towards Improving Procedural Information Security Countermeasure: Awareness and Cybersecurity Protective Behavior
Abstract
Cybersecurity threats are a serious issue faced by many organizations in this new information era. Security leaders therefore play a significant role not only in ensuring that all their employees practice good security behavior to protect organizational information assets but also in ensuring that security technology has been installed properly to protect network infrastructure. This study aims to examine cybersecurity protective behavior (CPB) among employees in the organization and focuses on the role of leadership competencies and information security countermeasure awareness. The questionnaires were distributed via email and self-administered, and the study obtained 245 responses. Partial Least Squares-Structural Equation Modeling (PLS-SEM) was used to analyze the final data. Confirmatory factor analysis (CFA) testing shows that all the measurement items of each construct were individually adequate in their validity based on their factor loading values. Moreover, each construct is valid based on its parameter estimates and statistical significance. The research findings show that Procedural Information Security Countermeasure (PCM) awareness has a stronger influence on CPB than a leader's information security competencies (ISI). Meanwhile, ISI significantly influences PCM awareness. This study adapts the theory of leadership competencies to the context of cybersecurity, which is particularly beneficial to any industry in improving organizational information security strategic plans.
Copyright (c) 2023 Saif Hussein Abdallah Alghazo, Norshima Humaidi, Shereen Noranee
This work is licensed under a Creative Commons Attribution 4.0 International License.