Kenneth J. Knapp

Information security: management's effect on culture and policy

Purpose – This study proposes to put forward and test a theoretical model that demonstrates the influence of top management support on an organizations security culture and level of security policy enforcement.Design/methodology/approach – The project used a combination of qualitative and quantitative techniques. The grounded theory approach was used to analyze responses to open‐ended questions answered by 220 certified information system security professionals. Using these responses, a survey instrument was developed. Survey results were analyzed using structural equation modeling.Findings – Evidence suggests that top management support is a significant predictor of an organizations security culture and level of policy enforcement.Research limitations/implications – During instrument validation, a special effort removed survey items that appeared overly intrusive to the respondents. In this endeavor, an expert panel of security practitioners evaluated all candidate items on a willingness‐to‐answer scal...

Information Security Effectiveness: Conceptualization and Validation of a Theory

Taking a sequential qualitative-quantitative methodological approach, we propose and test a theoretical model that includes four variables through which top management can positively influence security effectiveness: user training, security culture, policy relevance, and policy enforcement. During the qualitative phase of the study, we generated the model based on textual responses to a series of questions given to a sample of 220 information security practitioners. During the quantitative phase, we analyzed survey data collected from a sample of 740 information security practitioners. After data collection, we analyzed the survey responses using structural equation modeling and found evidence to support the hypothesized model. We also tested an alternative, higher-order factor version of the original model that demonstrated an improved overall fit and general applicability across the various demographics of the sampled data. We then linked the finding of this study to existing top management support literature, general deterrence theory research, and the theoretical notion of the dilemma of the supervisor.

Cyber-Warfare Threatens Corporations: Expansion into Commercial Environments

Abstract On the basis of a review of information warfare literature from 1990 to mid-2005, this article presents a framework of 12 important trends. These trends demonstrate the transformation of information warfare from primarily a military issue into a major commercial issue as well. Corporate IS managers need to understand the growing cyberwar threats and implement appropriate strategies to mitigate risk.

The Top Information Security Issues Facing Organizations: What Can Government do to Help?

Abstract Considering that many organizations today are fully dependent on information technology for survival,1 information security is one of the most important concerns facing the modern organization. The increasing variety of threats and ferociousness of attacks has made protecting information a complex challenge.2 Improved knowledge of the critical issues underlying information security can help practitioners, researchers, and government employees alike to understand and solve the biggest problems. To this end, the International Information Systems Security Certification Consortium [(ISC)2]® teamed up with Auburn University researchers to identify and rank the top information security issues in two sequential, but related surveys. The first survey involved a worldwide sample of 874 certified information system security professionals (CISSPs)®, who ranked a list of 25 information security issues based on which ones were the most critical facing organizations today. In a follow-on survey, 623 U.S.-based...

Information Security and Task Interdependence: An Exploratory Investigation

This sequential qualitative-quantitative study investigates reported levels of task interdependence by certified information security professionals from organizations worldwide. The empirical tests show that information security ranked high in task interdependence compared to other information system related tasks. Additionally, comparing results from a different survey, information security work demonstrates higher levels of reported task interdependence than telecommunications software development work. We present the results of a demographic analysis of the survey taken by 936 certified information security professionals. Overall, the results suggest that information security work in organizations requires high levels of task interdependence. These findings have implications for researchers by identifying task interdependence-related topics for future study. For practitioners, these findings provide relevant insight into the nature of information security work in organizations