
The current issue and full text archive of this journal is available at

www.emeraldinsight.com/0968-5227.htm

Knowing is doing
An empirical validation of the relationship between managerial information security awareness and action

Namjoo Choi
Informatics, State University of New York at Albany, Albany, New York, USA
Dan Kim
Computer Information Systems, University of Houston-Clear Lake, Houston, Texas, USA
Jahyun Goo
Information Technology and Operations Management, Florida Atlantic University, Boca Raton, Florida, USA, and
Andrew Whitmore
Informatics, State University of New York at Albany, Albany, New York, USA

Received 20 February 2008
Revised 16 May 2008
Accepted 4 July 2008

Abstract
Purpose – The purpose of this paper is to empirically validate the conjectural relationship between
managerial information security awareness (MISA) and managerial actions toward information
security (MATIS).
Design/methodology/approach – A model is developed and the relationship between MISA and
MATIS is tested using a large set of empirical data collected across different types and sizes of
enterprises. The hypotheses of the research model are tested with regression analysis.
Findings – The results of the study provide empirical support that MATIS is directly and positively
related to MISA.
Research limitations/implications – The R², an estimate of the proportion of the total variation
in the data set that is explained by the model, is relatively low. This fact implies that there are other
constructs in addition to MISA that play a crucial role in determining MATIS. The paper suggests that
intention to act and the risk-cost tradeoff of the MATIS are other possible constructs that should be
incorporated into future research. The conceptual model employed as a theoretical basis also suggests
that other factors such as the environment in which an organization operates (e.g. industry) also plays
a major role in determining information security decisions independently of MISA. Other possible
limitations include the use of secondary data in the study.
Practical implications – The results indicate that developing strategies to raise an organization’s
MISA should impact MATIS and thus improve information security performance.
Originality/value – The study provides empirical evidence supporting the unproven link between
MISA and MATIS.
Keywords Data security, Information systems, Management strategy
Paper type Research paper

Information Management & Computer Security
Vol. 16 No. 5, 2008
pp. 484-501
© Emerald Group Publishing Limited
0968-5227
DOI 10.1108/09685220810920558

The authors would like to thank the KIMI for allowing them to use the survey data for this study.
Introduction
Information systems have penetrated every aspect of today’s business processes,
requiring organizations to implement comprehensive solutions encompassing
physical, procedural and logical forms of protection. Exacerbating the already
difficult situation is the fact that threats to information security have characteristics
that are often transparent until a breach occurs. For this reason, both academia and
practitioners alike emphasize the importance of security awareness as a first line of
defense against unauthorized security breaches. Therefore, it is critical for an
organization to ensure that information security receives the appropriate attention and
emphasis in the development of corporate strategies (Furnell et al., 2002).
A review of literature (Chen et al., 2006; Furnell et al., 2002; Furnell and Clarke, 2005;
Hawkins et al., 2000; Hu and Dinev, 2005; McLean, 1992; Morwood, 1998; Puhakainen,
2006; Siponen and Kajava, 1998; Siponen, 2000, 2001; Siponen and Iivari, 2006; Spurling,
1995; Straub, 1990; Straub and Welke, 1998) reveals that information security awareness
(ISA) has emerged as the most significant determinant of success in protecting
information systems from security threats and is a highly significant indicator of an
organization’s overall information security performance. Ironically, even though ISA is
largely considered a pre-condition of an organization’s actions toward information
security, there is an absence of empirical studies examining the relationship between
managerial information security awareness (MISA) and managerial actions toward
information security (MATIS) in an organization. Prior studies on ISA have mainly
examined awareness at the employee level within an organization, not at the managerial
level across organizations. For example, Furnell et al. (2002) and Thomson and Solms
(1998) focused on employees’ baseline ISA to understand how to raise their awareness
through more effective and efficient educational programs.
While the relationship between MISA and MATIS has not been empirically tested in
the literature, attention has been given to the relationship between MISA and an
organization’s information security performance. For example, by interviewing
information security executives, Cline and Jensen (2004) reveal that interviewees
consider executive management’s ISA a major factor impacting the decisions of senior
executives with respect to information security implementations and the resulting
security performance of the organization. Thus, while the academic and popular presses
provide conjectures and anecdotal evidence concerning the importance of ISA, there is
an absence of empirical studies that investigate the role that the managerial awareness
plays in the development of MATIS across organizations. We argue that the lack of
understanding of this relationship constitutes a serious omission in the literature.
In order to fill the gap, this study examines the impact of MISA on MATIS using more
than 1,700 empirical samples that were collected by the Korean Information
Management Institute for Small and Medium Enterprises (KIMI, 2003).
This study aims to contribute to the literature in two ways. First, the study
empirically validates a conjectural relationship by examining whether MATIS is
positively related to MISA. Second, the results of the study provide justification for an
organization to establish strategies to raise its MISA.
The paper is organized as follows: the next section briefly reviews literature related
to the study. The third section presents a conceptual framework that provides a
theoretical foundation for the study and guides the focus of the study. Based on the
conceptual framework, the fourth section discusses a research model shedding light on
the impact of MISA on MATIS. Research hypotheses are also presented in the fourth
section. The fifth section describes the research method used to test the research model.
Data analyses and results follow in the sixth section. Finally, the seventh section provides
a discussion of the findings, theoretical and managerial implications, as well as
limitations and future direction for the study.

Relevant literature
The concept of awareness is widely used in social sciences (social awareness),
psychology (sexual awareness), medical sciences, and information systems (information
systems awareness) (Abu-Musa, 2002; Bickford and Reynolds, 2002; Biglan and Taylor,
2000; Green and Kamimura, 2003; McLean, 1992; Snell and Wooldridge, 1998; Straub,
1990; Tillman, 2002). Awareness is defined in the literature as the individual’s passive
involvement and increased interest toward certain issues and it is considered one of the
key components of consciousness-raising, the other being action. By staying aware of
the current state of activities and threats related to environments, people are able to
adjust their own work toward a common goal. Thus, awareness is about appreciating
the needs, impetus, and specificity of issues, events and processes.
Previous research (Furnell et al., 2002; Furnell and Clarke, 2005; Siponen, 2001;
Spurling, 1995; Straub and Welke, 1998) on ISA in information systems defined ISA as
the extent to which employees in an organization regard the significance of information
security and as a state in which they are aware of information security objectives.
Information technology (IT) executives and security officers talk about the importance
of “raising the awareness of security threats” as evident from the security bulletins of a
majority of business, academic, and government institutions. In many institutions,
workforce members must complete “IT Security Awareness Training” and
recommendations are given to maintain a high degree of awareness of the computers’
operating state (Stafford and Urbaczewski, 2004).
Goodhue and Straub (1991) suggested that awareness is an important factor in
an individual’s belief about information security. Thus, the concept of “awareness”
is already present in the vocabulary of IT organizations but needs to be
conceptualized as a theoretical construct in IT research, with its importance
scientifically established.
Several studies (Loch et al., 1992; Parker, 1981, 1998; Perry, 1985; Straub and Welke,
1998) have emerged to highlight the vital role of managerial concerns about
information security. Those studies attempt to answer the question: if managers have
become aware that information is a critical organizational resource, then why is it often
the case that managerial concern about information security is lower than it should be?
By exploring the issue from both a theoretical and empirical perspective, Goodhue
and Straub (1991) emphasized that managerial concern about system risks is a function
of: organizational environment (risk inherent in the industry), IS environment (the
extent of the effort already taken to control the risks), and individual characteristics
(e.g. ISA). Also, Loch et al. (1992) predicted that the growth of connectivity and
dispersion of technology within or between organizations would continuously increase
information systems security risk. To reduce the risk, they suggested that information
system management teams need to become more informed of the potential for security
breaches.
By conducting a survey of 1,211 randomly selected organizations, Straub (1990)
empirically proved that a management decision to invest in information systems
security results in more effective control of computer abuse. In other words, MATIS
positively impacts information security performance. This research complements their
study by completing the chain linking awareness, action, and results. The study (Straub,
1990) supports the hypothesis that MATIS has a positive impact on an organization’s
total information security performance, but also it raises a question of whether MISA
has a positive impact on MATIS. While their work proposed a relationship between
MISA, MATIS, and an organization’s information security performance (i.e.
MISA → MATIS → Performance), they did not validate the (MISA → MATIS)
relationship empirically.
Straub and Welke (1998) recognized the vital role of managers’ ISA to plan and execute
appropriate information security strategies. They describe the relationship between MISA
and MATIS using a comparative qualitative case study. They supported their two
propositions:
(1) managers are aware of only a fraction of the full spectrum of actions that could
be taken to reduce system risk; and
(2) managers exposed to theory-grounded security planning techniques are
inclined to employ these in their planning processes.

However, there is a limitation in that the support is based on a case study and does not
provide empirically proven support for the relationship (i.e. MISA → MATIS).
With regard to MATIS, there has been a line of research (Fitzgerald, 1995; Forcht,
1994; Icove et al., 1995; Loch et al., 1992; White et al., 1996) that attempts to identify and
classify the actions toward information security in organizations. White et al. (1996)
classified them into the two categories: internal and external, where internal functions
focus on technical issues and external functions focus on nontechnical issues such as
managerial security (Yeh and Chang, 2007). Forcht (1994) characterized actions toward
information security as counter-measures for increasing IS security by reducing IS
risk, and decomposed them into deterrent or preventive measures. Preventive efforts
include the deployment of advanced security software or controls to protect IS assets,
such as advanced access control, intrusion detection and firewalls. Deterrent efforts
include developing security policies and guidelines and educating and training users.
IS security studies (Gopal and Sanders, 1997; Straub and Nance, 1990; Straub, 1990)
have widely adopted this categorization of IS security measures as deterrents and
preventives (Kankanhalli et al., 2003). From the non-academic journals, a survey
conducted by InformationWeek (2003) reports top information security priorities as
perceived at the managerial level. These include:
• raise user awareness of policy and procedures;
• train/retrain staff, security review and assessment;
• security policies and standards;
• data ownership and classification standards;
• qualified staff; and
• incident response teams.
In addition, the survey used as a secondary data source in this research (KIMI, 2003)
conducted exploratory interviews with CEOs and identified key managerial actions
directed towards information security:
• information security policies and procedures;
• information security training and education;
• information access control;
• information security systems and programs updates; and
• information security teams.

Synthesizing recent organizational change literature to include ideas from the rational,
learning, and cognitive theories on organizational change, Rajagopalan and Spreitzer
(1997) develop a model that illustrates the dynamic interplay of the factors inherent in the
organizational change process (Figure 1). By adopting Rajagopalan and Spreitzer’s model
and conducting a qualitative content analysis and interviews, Cline and Jensen (2004)
collected all the possible information security issues[1] in an organization and separated
them into the relevant constructs (environmental conditions and changes, organizational
conditions and changes, managerial cognition, MATIS, changes in the content of strategy,
and organizational outcomes) of the conceptual model. Additionally, they examined
changing information security requirements and the strategies that organizations are
developing to meet the related challenges. They argued that employing an organizational
change model to study information security is appropriate because IS security models
have emphasized the role of management in implementing and maintaining security
policies, procedures, and standards. Further, they investigated how an organization can
develop the strategies in response to new information security requirements.

[Figure 1. Conceptual model. Source: Rajagopalan and Spreitzer (1997). The figure shows six boxes (Environmental Conditions and Changes; Organizational Conditions and Changes; Managerial Cognition; Managerial Actions; Changes in the Content of Strategy; Organizational Outcomes) connected by direct links and learning links.]
In sum, drawing from these previous studies, we argue that the level of MISA
influences the MATIS in an organization. Indeed, the more knowledgeable the
management is about the existing problems and their potential consequences, the more
likely it is that the organization will take positive actions toward eliminating
those threats and protecting their systems.

Conceptual model


This study employs the model developed by Rajagopalan and Spreitzer (1997) as the
conceptual model of the study (Figure 1). In this model, the direct impact of managerial
cognition on managerial actions plays a vital role in creating an environmental and
organizational context that guides an organization’s strategies. Also, it acknowledges
that both variations in contextual conditions and managerial cognition and actions
result in changes to the content of the strategy which in turn impacts organizational
outcomes. The model also depicts managerial learning (i.e. learning link) as a continuous
reshaping of managerial cognition from managerial actions, changes in the content of
strategy, and organizational outcomes (Cline and Jensen, 2004; Rajagopalan and
Spreitzer, 1997).
Since the main research question concerns the relationship between MISA and
MATIS, this study sheds light on the link between managerial cognition and
managerial action in the conceptual model (Figure 2). In summary, the study focuses on
the relationship between managerial cognition and managerial actions, develops a
research model in a context of information security, and tests the relationship
empirically.

Research model and hypotheses


In the context of information security, the concept of managerial cognition from the
conceptual model can be represented as MISA, because awareness is defined as
(re)cognition or understanding of issues. MISA in the current study particularly
focuses on how senior managers regard the significance of information security. For
example, executives can be aware of security and not view it as significant (maybe not
significant to their own job or maybe not significant in relationship to other issues).
Managerial actions from the conceptual model are represented in this study by MATIS.
The major categories of managerial activities related to information security are
encompassed in MATIS. These activities include setting, maintaining, and
implementing security policies, procedures, and standards, increased hiring of
certified security professionals, increasing training, installations of security hardware
and software, acquisition of security services, and others.

[Figure 2. Research model – security awareness to managerial actions model. Managerial Information Security Awareness (MISA) is linked by hypotheses H1 to H5 to the five Managerial Actions toward Information Security (MATIS): 1. Security Policies & Procedures; 2. Security Training & Education; 3. Access Control; 4. Systems & Programs Updates; 5. Security Teams.]

As described in detail in section five, the proposition and its five hypotheses were
evaluated by means of a secondary data analysis. We utilized data collected in an annual
study by the KIMI (2003). The study (KIMI, 2003) is designed to assess the overall
information systems readiness of organizations including the information security
posture of those organizations. Prior to finalizing the questionnaire used in the study,
KIMI (2003) conducted exploratory interviews with CEOs and identified key managerial
actions directed towards information security. These key managerial actions were then
incorporated into the final questionnaire to examine the information security posture of
the sample organizations. For the current study, these key managerial actions were
selected to represent the construct, MATIS. This representation is supported by the
literature described in section two and any potential limitations are discussed in section
seven.
Thus, we operationalized MATIS as the following five key MATIS as employed in
the original questionnaire (KIMI, 2003):
(1) information security policies and procedures;
(2) information security training and education;
(3) information access control;
(4) information security systems and programs updates; and
(5) information security teams.

Using these five key managerial actions to represent MATIS, we develop a research
model with five hypotheses (Figure 2). In addition, the relationship between MISA and
MATIS is summarized as a proposition:
Proposition. MATIS are positively related to MISA.
In order to test the relationships between MISA and the five key MATIS, we developed
five hypotheses, one for each action associated with MATIS: information access
control, information security systems and programs updates, information security
teams, information security training and education, and information security policies
and procedures. Finally, to test the proposition of the study, MATIS was calculated by
compositing the scores of the five key variables. Table II in section five describes the
operationalizations of each variable. The limitations of the measures resulting from the
use of secondary data are discussed in section seven.

Information security policies and procedures


The development of information security policies and procedures is generally
considered the beginning of an effective information security program. If there is no
process in place to make sure that the employees are made aware of their
responsibilities regarding information security issues, the implemented information
security system will be less effective (Peltier, 2003). Management establishes its goals
and objectives for protecting the assets by implementing policies. Policies are used to
introduce the concepts of what is expected of all employees when using enterprise
assets. In other words, information security policies establish the behavior expected of
all personnel granted access to the information system. Information security
procedures provide users with the information needed to complete a task and assure
management that the tasks are being completed in a uniform and approved manner.
Procedures improve efficiencies in employee workflow and assist in the prevention of
misuse and fraud. Development of information security policies and procedures requires
awareness of information security as a necessary precondition. Thus, we hypothesize:
H1. An organization’s establishment of information security policies and
procedures is positively related to MISA.

Information security training and education


Information security policies and procedures can only be effective if employees
understand the necessary safety measures and always keep those in mind when
performing the tasks that are given to them. In other words, the establishment of
perfect policies and procedures does not directly guarantee their successful observance
among employees unless employees are made aware of those policies and procedures
(Fowler, 1996). As mentioned in the first section of the study, the few studies conducted
on the topic of ISA have focused primarily on employees’ ISA with topics such as how
to raise their ISA through more effective and efficient education programs. Thus, it is
important to determine whether MISA has a positive impact on an organization’s
execution of information security training and education programs because it is logical
to assume that without managerial support, employee level training programs would
be ineffective:
H2. An organization’s execution of information security training and education
programs is positively related to MISA.

Information access control


Traditionally, information access control has been used as a term to describe the
process of allowing the user to access only authorized data so that different users can
be restricted to different modes of access based on need (Farahmand et al., 2005). Since
information access control is the primary method of restricting unauthorized access of
computing resources, it is used here as an umbrella term under which any means
employed to prevent unauthorized access by users, hackers, or malicious code is
included. Thus, access control as used here includes firewalls, authentication protocols,
virus protection, and any other security component that supports enterprise security
management (ESM):
H3. An organization’s implementation of information access control is positively
related to MISA.

Information security system and program updates


Maintaining current and effective information security systems requires the updating
of all security software, business applications, and operating systems. Without proper
updates, well-developed information security systems and programs can become
ineffective as threats change and evolve over time:
H4. An organization’s updating of information security systems and programs is
positively related to MISA.
Information security teams
Experience shows that prevention is far less expensive than recovery after a loss has
taken place. Toward that end, establishing specialized security teams whose mandate
is to provide accelerated problem detection, damage control, and problem correction
services has become a security priority for many organizations. However, in small and
medium sized organizations, management often does not allocate the resources
necessary to establish information security teams. This may be due to budgetary
limitations or simply misunderstanding of the importance of such teams. The functions
of the security team can be outsourced to specialized information security firms,
processed by related departments (mostly found in small and medium sized
organizations), or solely processed by an internal information security team:
H5. An organization’s retention of an information security team is positively
related to MISA.

Data collection and research method


The proposition and its five hypotheses were examined by means of a secondary data
analysis. The research uses the data that were collected by the KIMI in 2003. Since 2001,
the KIMI study has been used as a tool to counsel relevant policymakers in Korea.
Research on information security from the managerial perspective is still in an early
stage of development with the consequence that there is less data on the topic than
desired. The current study offsets the above limitation by utilizing secondary data.
While the study was conducted by the KIMI, the study’s population included all
enterprises in Korea regardless of size. By executing the random stratification
sampling method on the parameters area, type, and size, 1,773 enterprises were
selected and participated in the study. Table I shows a simple breakdown of the sample
by industry type and size. They demonstrate that the survey polled organizations of
diverse size and types. The data were collected by a specialized research firm that
visited each selected enterprise and conducted the survey and in-depth interviews with
senior executives.

Measurements
MISA was measured by adding the scores of three related items (Table II):
(1) how senior executives regard the significance of information security;
(2) how senior executives regard their concerns about information security and
their willingness to support it; and
(3) how senior executives regard their participation in information security
investment strategies.

Table I. Distribution of the sample (the total of 1,773) by industrial type and size

Industrial type             Small and medium            Large                       Global
                            (no. of employees < 300)    (no. of employees ≥ 300)
Machine and metalworking    530                         30                          24
Electric and electronic     150                         7                           12
Textile and chemical        340                         22                          34
Information                 156                         23                          12
Others                      320                         20                          17

Table II. Measurements (Source: KIMI, 2003)

Construct   Question                                                  Answer                      Score
MISA        How do senior executives regard the significance          Necessary                   2.0
            of information security?                                  Somewhat necessary          1.0
                                                                      Not necessary               0.0
                                                                      Do not know                 0.0
            How do senior executives regard their concerns            Very high                   2.0
            about information security and their willingness          High                        1.5
            to support it?                                            Medium                      1.0
                                                                      Low                         0.5
                                                                      Very low                    0.0
            How do senior executives regard their participation       Very high                   2.0
            in information security investment strategies?            High                        1.5
                                                                      Medium                      1.0
                                                                      Low                         0.5
                                                                      Very low                    0.0
MATIS       Has your organization established information             Yes                         1.0
            security policies and procedures?                         No                          0.0
            Does your organization conduct information security       Yes                         1.0
            training and education programs?                          No                          0.0
            Has your organization implemented access control          Yes                         1.0
            for the network and information systems?                  No                          0.0
            How often does your organization update                   Regularly                   1.0
            information security systems and programs?                Where there is damage       0.5
                                                                      Never                       0.0
            Does your organization retain information security        Specialized or outsourced   1.0
            teams?                                                    In relevant departments     0.5
                                                                      No security teams           0.0
Cronbach’s α reliability is used to check the validity of measurement as was suggested
by Nunnally (1967) and Churchill (1979). The reliability α coefficient of MISA is 0.703
which exceeds the minimum cutoff score (0.7) (Nunnally, 1978; Nunnally and Bernstein,
1994).
As shown in Table II, the first MATIS, information security policies and procedures
was measured by employing an item that asked subjects whether their enterprises
established information security policies and procedures. The second, information
security training and education, was measured by employing an item that asked
subjects whether their enterprises conducted information security training and
education programs. Information access control was measured by employing an item
that asked subjects whether their enterprises implemented access control for the
network and information systems. Information security systems and programs updates
were measured by employing an item that asked subjects how often their enterprises
updated information security systems and programs. The fifth MATIS, information
security teams was measured by employing an item that asked subjects whether their
enterprises retained information security teams. Finally, to test the overall MATIS,
all the scores (Table II) of information access control, information security systems and
programs updates, information security teams, information security training and
education, and information security policies and procedures were composited. For the
MATIS, again, the Cronbach’s α reliability is used to check the validity of measurement
as was suggested by Nunnally (1967) and Churchill (1979). The reliability α coefficient of
MISA is 0.735 which exceeds the minimum cutoff score (0.7) (Nunnally, 1978; Nunnally
and Bernstein, 1994).
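As an added example (not the paper’s or KIMI’s own analysis code), the following Python scores survey answers with the answer-to-score maps printed in Table II, sums them into the MISA and MATIS composites, and computes Cronbach’s α and Pearson’s r, the statistics the paper uses for reliability and for Table III. The six respondent records and the short item labels ("significance", "policies", and so on) are constructed for illustration; an answer outside the Table II scale is treated as a coding error rather than silently scored as zero.

```python
"""Scoring Table II items and checking the composites (added example).

The answer-to-score maps are the ones printed in Table II (KIMI, 2003).
The respondents below are constructed, not survey data."""
from math import sqrt
from typing import Dict, List, Mapping, Sequence

SIGNIFICANCE = {"Necessary": 2.0, "Somewhat necessary": 1.0,
                "Not necessary": 0.0, "Do not know": 0.0}
FIVE_POINT = {"Very high": 2.0, "High": 1.5, "Medium": 1.0,
              "Low": 0.5, "Very low": 0.0}
YES_NO = {"Yes": 1.0, "No": 0.0}
UPDATES = {"Regularly": 1.0, "Where there is damage": 0.5, "Never": 0.0}
TEAMS = {"Specialized or outsourced": 1.0, "In relevant departments": 0.5,
         "No security teams": 0.0}

# Item labels are this example's own, not questionnaire identifiers.
MISA_ITEMS: Dict[str, Mapping[str, float]] = {
    "significance": SIGNIFICANCE, "concern": FIVE_POINT, "participation": FIVE_POINT}
MATIS_ITEMS: Dict[str, Mapping[str, float]] = {
    "policies": YES_NO, "training": YES_NO, "access_control": YES_NO,
    "updates": UPDATES, "teams": TEAMS}


def item_scores(response: Mapping[str, str],
                items: Mapping[str, Mapping[str, float]]) -> List[float]:
    """Per-item scores for one respondent; an off-scale answer raises."""
    scores = []
    for name, scale in items.items():
        answer = response[name]
        if answer not in scale:
            raise ValueError(f"{name}: unexpected answer {answer!r}")
        scores.append(scale[answer])
    return scores


def composite(response: Mapping[str, str],
              items: Mapping[str, Mapping[str, float]]) -> float:
    """Composite = sum of item scores (MISA ranges 0-6, MATIS 0-5)."""
    return sum(item_scores(response, items))


def _variance(xs: Sequence[float]) -> float:
    """Sample variance; items and totals use the same estimator, so the
    ratio inside alpha does not depend on the denominator chosen."""
    mean = sum(xs) / len(xs)
    return sum((x - mean) ** 2 for x in xs) / (len(xs) - 1)


def cronbach_alpha(matrix: Sequence[Sequence[float]]) -> float:
    """alpha = k/(k-1) * (1 - sum(item variances) / variance(totals)),
    where matrix[i][j] is respondent i's score on item j."""
    n, k = len(matrix), len(matrix[0])
    if n < 2 or k < 2:
        raise ValueError("need at least two respondents and two items")
    item_var = sum(_variance([row[j] for row in matrix]) for j in range(k))
    total_var = _variance([sum(row) for row in matrix])
    if total_var == 0:
        raise ValueError("composite has no variance; alpha is undefined")
    return k / (k - 1) * (1 - item_var / total_var)


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson's r, the statistic reported in Table III."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / sqrt(sxx * syy)


# Constructed respondents (illustrative, not KIMI survey records).
RESPONSES = [
    {"significance": "Necessary", "concern": "Very high", "participation": "High",
     "policies": "Yes", "training": "Yes", "access_control": "Yes",
     "updates": "Regularly", "teams": "Specialized or outsourced"},
    {"significance": "Somewhat necessary", "concern": "Medium", "participation": "Medium",
     "policies": "Yes", "training": "No", "access_control": "Yes",
     "updates": "Where there is damage", "teams": "In relevant departments"},
    {"significance": "Not necessary", "concern": "Low", "participation": "Very low",
     "policies": "No", "training": "No", "access_control": "No",
     "updates": "Never", "teams": "No security teams"},
    {"significance": "Necessary", "concern": "High", "participation": "High",
     "policies": "Yes", "training": "Yes", "access_control": "Yes",
     "updates": "Regularly", "teams": "In relevant departments"},
    {"significance": "Do not know", "concern": "Medium", "participation": "Low",
     "policies": "No", "training": "No", "access_control": "Yes",
     "updates": "Where there is damage", "teams": "No security teams"},
    {"significance": "Somewhat necessary", "concern": "High", "participation": "Medium",
     "policies": "Yes", "training": "Yes", "access_control": "No",
     "updates": "Never", "teams": "In relevant departments"},
]


def analyse(responses: Sequence[Mapping[str, str]]) -> Dict[str, object]:
    """Composites per respondent, reliability of each scale, and r(MISA, MATIS)."""
    misa = [composite(r, MISA_ITEMS) for r in responses]
    matis = [composite(r, MATIS_ITEMS) for r in responses]
    return {
        "misa": misa,
        "matis": matis,
        "alpha_misa": cronbach_alpha([item_scores(r, MISA_ITEMS) for r in responses]),
        "alpha_matis": cronbach_alpha([item_scores(r, MATIS_ITEMS) for r in responses]),
        "r_misa_matis": pearson(misa, matis),
    }


if __name__ == "__main__":
    for key, value in analyse(RESPONSES).items():
        print(key, value)
```

Because the composite is a plain sum, a "Do not know" answer scores the same as "Not necessary" (both 0.0 in Table II), so the two cannot be told apart once the scores are added; an analyst who wants to distinguish missing knowledge from a negative judgement has to keep the raw answers alongside the composite.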

Data analyses and results


Pearson’s correlation coefficient analysis of seven variables (i.e. MISA, five MATIS,
and overall MATIS) using a two-tailed test of significance at the 0.01 level was
conducted to test how closely the variables are related to one another. Table III
summarizes the results of the analysis. The results show that all variables are closely
related to one another.
To test the hypotheses of the research model, we conducted two statistical tests – an
analysis of variance test and regression analysis. First, by dividing the scores of MISA
into three groups (group 1: low, group 2: medium, group 3: high), One-way ANOVA
tests were conducted to assess the hypotheses for each MATIS as a dependent variable
by MISA, an independent variable. Table IV summarizes the F-ratio results of six
ANOVA tests, and the mean and standard deviation (SD) score of each variable:
information access control, information security systems and programs updates,
information security teams, information security training and education, and
information security policies and procedures. The results show that the mean of
each managerial action as well as that of the overall MATIS vary significantly by
MISA group (i.e. low, medium, or high).
Based on the results of the ANOVA tests which determined that differences exist
among the means, we conducted regression analyses to provide a more accurate
estimate of the effects of MISA on the five managerial actions. Since the first three
managerial action variables (i.e. information security policies and procedures, training
and education, and access control) are bivariate, three separate logistic regression
analyses were conducted. Table V presents the results of these three logistic regression
analyses. The results show that MISA has strong effects on all three MATIS: security
policies and procedures (β = 0.2.147, R² = 0.254; p < 0.001), training and education
(β = 2.328, R² = 0.287; p < 0.001), and access control (β = 2.050, R² = 0.282;
p < 0.001). Overall fitness of the logistic regression analysis model can be tested by
Log Likelihood Ratio: security policies and procedures (L = 1,677.149, p < 0.001),
training and education (L = 1,799.172, p < 0.001), and access control (L = 1,677.149,
p < 0.001). We also conducted two more regression analyses for the remaining
managerial action variables (i.e. systems and programs updates, and security teams)
and overall MATIS. The results are also summarized in Table V. The regression
analyses found that the MISA level significantly contributed to the degree of the two
MATIS: systems and programs updates (β = 0.334, p < 0.001, R² = 0.220;
F = 226.530, p < 0.001), and security teams (β = 0.303, p < 0.001, R² = 0.211;
F = 215.172, p < 0.001). Finally, to test the relationship between MISA and overall
MATIS, the degree of managerial awareness was regressed on the degree of overall
managerial actions toward information security. The relationship is significant
(β = 1.791, p < 0.001, R² = 0.211; F = 536.067, p < 0.001).

Table III. Correlation analysis

                                      (1)      (2)      (3)      (4)      (5)      (6)      (7)
MISA (1)                              1
Security policies and procedures (2)  0.310*   1
Training and education (3)            0.357*   0.476*   1
Access control (4)                    0.371*   0.344*   0.306*   1
Systems and programs updates (5)      0.346*   0.274*   0.281*   0.399*   1
Security teams (6)                    0.334*   0.380*   0.440*   0.377*   0.480*   1
MATIS (7)                             0.496*   0.713*   0.719*   0.722*   0.641*   0.698*   1
Note: * Correlation is significant at the 0.01 level (two-tailed)
Table VI summarizes the results of the hypothesis tests along with the test results of
ANOVA and the regression coefficients. The proposition of the study (i.e. MATIS is
positively related to MISA) was supported according to the results of both ANOVA
and regression analysis. Thus, we can infer that when senior executives have a higher
level of MISA, they are more likely to take MATIS. The five hypotheses regarding the
effect of MISA on each MATIS were also fully supported by the results of the analyses.
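The analysis sequence described above (split MISA scores into low/medium/high groups,
run a one-way ANOVA of each MATIS by group, then fit a logistic regression for the
binary actions and an ordinary least squares regression for the graded ones, reporting
R2, the -2 log likelihood and the model F or chi-square) can be reproduced end to end
in plain Python. The block below is an added example, not the authors' code or data:
the survey sample is constructed with a seeded generator, the group cut points are rank
tertiles (the paper does not state its cut points), and the logistic pseudo-R2 reported is
Cox and Snell's (the paper does not say which pseudo-R2 it uses). Nothing here depends
on a statistics library, so the arithmetic behind each reported figure is visible.

```python
import random
from math import exp, log


def tertile_groups(scores):
    """Label each score 0 (low), 1 (medium) or 2 (high) by rank tertile.
    Assumption: the paper does not give its cut points; rank tertiles are used here."""
    n = len(scores)
    order = sorted(range(n), key=lambda i: scores[i])
    labels = [0] * n
    for rank, i in enumerate(order):
        labels[i] = min(2, rank * 3 // n)
    return labels


def one_way_anova(groups):
    """One-way ANOVA of a list of samples; returns (F, df_between, df_within)."""
    values = [v for g in groups for v in g]
    n, k = len(values), len(groups)
    grand = sum(values) / n
    means = [sum(g) / len(g) for g in groups]
    ss_between = sum(len(g) * (m - grand) ** 2 for g, m in zip(groups, means))
    ss_within = sum((v - m) ** 2 for g, m in zip(groups, means) for v in g)
    return (ss_between / (k - 1)) / (ss_within / (n - k)), k - 1, n - k


def ols(x, y):
    """Simple linear regression y = a + b*x with R2 and the model F-test (df 1, n-2)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((xi - mx) ** 2 for xi in x)
    sxy = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    b = sxy / sxx
    a = my - b * mx
    ss_tot = sum((yi - my) ** 2 for yi in y)
    ss_res = sum((yi - a - b * xi) ** 2 for xi, yi in zip(x, y))
    ss_reg = ss_tot - ss_res
    return {"a": a, "b": b, "r2": ss_reg / ss_tot, "F": ss_reg / (ss_res / (n - 2))}


def logistic(x, y, iters=50):
    """Logistic regression P(y=1) = 1/(1+exp(-(a+b*x))) fitted by Newton-Raphson.
    Returns a, b, -2 log likelihood, the model chi-square versus the intercept-only
    model, fitted probabilities and Cox-Snell R2 (assumption: the paper does not
    say which pseudo-R2 it reports)."""
    a = b = 0.0
    for _ in range(iters):
        g_a = g_b = h_aa = h_ab = h_bb = 0.0
        for xi, yi in zip(x, y):
            p = 1.0 / (1.0 + exp(-(a + b * xi)))
            g_a += yi - p                     # score vector
            g_b += (yi - p) * xi
            w = p * (1.0 - p)                 # Fisher information terms
            h_aa, h_ab, h_bb = h_aa + w, h_ab + w * xi, h_bb + w * xi * xi
        det = h_aa * h_bb - h_ab * h_ab
        da = (h_bb * g_a - h_ab * g_b) / det  # Newton step = I^-1 * score
        db = (h_aa * g_b - h_ab * g_a) / det
        a, b = a + da, b + db
        if abs(da) < 1e-12 and abs(db) < 1e-12:
            break
    probs = [1.0 / (1.0 + exp(-(a + b * xi))) for xi in x]
    ll = sum(yi * log(p) + (1 - yi) * log(1 - p) for p, yi in zip(probs, y))
    p0 = sum(y) / len(y)                      # intercept-only (null) model
    ll0 = sum(yi * log(p0) + (1 - yi) * log(1 - p0) for yi in y)
    return {"a": a, "b": b, "neg2ll": -2 * ll, "chi2": 2 * (ll - ll0),
            "r2_cs": 1 - exp(2 * (ll0 - ll) / len(y)), "probs": probs}


def constructed_sample(n=300, seed=7):
    """Constructed survey rows (misa, policy, updates); not the paper's data."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        misa = 1.0 + rng.random()             # awareness score in [1, 2]
        policy = int(rng.random() < 1.0 / (1.0 + exp(-6.0 * (misa - 1.5))))
        u = rng.random() + (misa - 1.5)       # updates: never / on damage / regularly
        updates = 0.0 if u < 0.3 else (0.5 if u < 0.6 else 1.0)
        rows.append((misa, policy, updates))
    return rows


def analyse(rows):
    """ANOVA by MISA tertile, then logistic (binary) or OLS (graded) regression."""
    misa = [r[0] for r in rows]
    labels = tertile_groups(misa)
    out = {}
    for name, idx in (("policy", 1), ("updates", 2)):
        dep = [r[idx] for r in rows]
        groups = [[d for d, lab in zip(dep, labels) if lab == g] for g in range(3)]
        out[name + "_anova"] = one_way_anova(groups)
        out[name + "_means"] = [sum(g) / len(g) for g in groups]
    out["policy_logit"] = logistic(misa, [r[1] for r in rows])
    out["updates_ols"] = ols(misa, [r[2] for r in rows])
    return out


if __name__ == "__main__":
    res = analyse(constructed_sample())
    f, d1, d2 = res["policy_anova"]
    lg = res["policy_logit"]
    print(f"policy: F({d1}, {d2}) = {f:.2f}, tertile means {res['policy_means']}")
    print(f"policy: logit b = {lg['b']:.3f}, -2LL = {lg['neg2ll']:.1f}, "
          f"model chi2 = {lg['chi2']:.1f}, Cox-Snell R2 = {lg['r2_cs']:.3f}")
    f, d1, d2 = res["updates_anova"]
    o = res["updates_ols"]
    print(f"updates: F({d1}, {d2}) = {f:.2f}, OLS b = {o['b']:.3f}, "
          f"R2 = {o['r2']:.3f}, F = {o['F']:.1f}")
```

The model chi-square is the drop in -2 log likelihood from the intercept-only model to
the fitted one, which is what the "Model" row of a logistic regression table reports, and
the ANOVA degrees of freedom (2, n - 3) correspond to the F(2, 1,742) style entries in
Table IV. Replacing the constructed rows with real survey records of the same shape
(awareness score, binary action, graded action) runs the same analysis unchanged.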
Table IV. ANOVA results, means and SD

                                                                   Low          Medium        High
MISA → (dependent)                F-test                           Mean   SD    Mean   SD    Mean   SD
Security policies and procedures  F(2, 1,742) = 52.01,  p < 0.001  0.03   0.18  0.14   0.35  0.32   0.47
Training and education            F(2, 1,745) = 64.37,  p < 0.001  0.05   0.21  0.17   0.37  0.37   0.48
Access control                    F(2, 1,742) = 128.47, p < 0.001  0.12   0.33  0.36   0.48  0.66   0.47
Systems and programs updates      F(2, 1,689) = 109.88, p < 0.001  0.37   0.39  0.58   0.42  0.80   0.35
Security teams                    F(2, 1,746) = 69.29,  p < 0.001  0.05   0.21  0.19   0.34  0.36   0.39
Overall MATIS                     F(2, 1,665) = 182.62, p < 0.001  0.61   0.73  1.44   1.27  2.53   1.49

Table V. Summary of statistics and regression analysis results

1. Security policies and procedures              MISA mean   MISA SD    N
No security policies and procedures (0)          1.2944      0.01172    1,255
Security policies and procedures (1)             1.6045      0.01591    389
Results of logistic regression analysis
                           χ2          df   Sig.
Model                      184.035     1    0.0000
-2 Log likelihood (L)      1,677.149
Variable        B          SE       Wald       Sig.      R2
MISA            2.147      0.175    150.854    0.0000    0.254
Constant term   -4.316     0.274    247.193    0.0000

2. Security training and education               MISA mean   MISA SD    N
No training and education (0)                    1.2761      0.01204    1,176
Training and education (1)                       1.5983      0.01477    468
Results of logistic regression analysis
                           χ2          df   Sig.
Model                      238.797     1    0.0000
-2 Log likelihood (L)      1,799.172
Variable        B          SE       Wald       Sig.      R2
MISA            2.328      0.169    190.575    0.0000    0.287
Constant term   -4.311     0.262    270.942    0.0000

3. Security access control                       MISA mean   MISA SD    N
No security access control (0)                   1.2066      0.01484    793
Security access control (1)                      1.5180      0.01203    851
Results of logistic regression analysis
                           χ2          df   Sig.
Model                      251.795     1    0.0000
-2 Log likelihood (L)      2,124.902   1,677.149
Variable        B          SE       Wald       Sig.      R2
MISA            2.050      0.142    208.227    0.0000    0.282
Constant term   -2.763     0.202    186.671    0.0000

4. Systems and programs updates                  MISA mean   MISA SD    N
Never (0)                                        1.1408      0.02257    335
When there is damage (0.5)                       1.2661      0.02273    352
Regularly (1)                                    1.4847      0.01183    957
Results of regression analysis
Model        Sum of squares   df      Mean square   F          Sig.
Regression   31.926           1       31.926        226.530    0.0000
Residual     234.515          1,664   0.141
Total        266.441          1,665
Coefficient
Variable        B          SE       t          Sig.      R2
Constant        0.233      0.032    7.346      0.000     0.220
MISA            0.334      0.022    15.051     0.000

5. Security teams                                MISA mean   MISA SD    N
No security teams (0)                            1.2421      0.01307    996
Relevant department (0.5)                        1.5674      0.01703    386
Specialized teams or outsourcing (1.0)           1.5515      0.02114    262
Results of regression analysis
Model        Sum of squares   df      Mean square   F          Sig.
Regression   26.999           1       26.999        215.172    0.0000
Residual     215.570          1,718   0.125
Total        242.570          1,719
Coefficient
Variable        B          SE       t          Sig.      R2
Constant        -0.140     0.029    -4.748     0.000     0.211
MISA            0.303      0.021    14.669     0.000

6. Overall MATIS
Results of regression analysis
Model        Sum of squares   df      Mean square   F          Sig.
Regression   913.599          1       913.599       536.067    0.0000
Residual     2,798.399        1,642   1.704
Total        3,711.998        1,643
Coefficient
Variable        B          SE       t          Sig.      R2
Constant        -0.460     0.111    -4.142     0.000     0.349
MISA            1.797      0.078    23.153

Discussion and conclusions

Although it may seem intuitive that higher MISA (i.e. awareness) would lead to more
MATIS (i.e. actions), empirical studies that investigate the relationship are
conspicuously absent. Based on the theoretical relationship between managerial
cognition and managerial actions proposed by Rajagopalan and Spreitzer (1997), we
developed a research model in the context of information security and tested the
relationship between ISA and managerial actions using a large set of empirical data
collected across different types and sizes of enterprises.
This study has the following theoretical and practical contributions. As we expected
and the conceptual model suggested, a statistically significant relationship between
MISA and MATIS was found and supported by a set of rich empirical data. These are
the primary findings and major theoretical contributions of the study. More specifically,
the study provides empirical evidence supporting the unproven link (i.e.
MISA → MATIS) suggested by Straub (1990) and Straub and Welke (1998). Therefore,
integrating with their empirical finding of the link (i.e. MATIS → Organizational
information security performance), this study completes the link (i.e.
MISA → MATIS → Organizational information security performance). From the
links above, we argue that MISA is one of the major constructs impacting managerial
actions and the subsequent security performance of the organization. As suggested by
the study, an organization should consider it a priority to set up strategies to raise its
MISA. Without senior executives’ awareness or perception of information security and
its fundamental significance, it is paradoxical to expect successful information security
implementation and performance.
Also, the findings of the current study can be generalized to different dimensions
outside the context of private organizations: the general public dimension,
socio-political dimension, computer ethical dimension, and institutional dimension
(Siponen, 2001). While this study examined MISA’s role in private organizations,
information system practitioners in any type of organization should identify key
leaders who have the most powerful impact on others and focus on raising their ISA.
This research has several limitations. First, R2, an estimate of the proportion of the
total variation in the data set that is explained by the model, is relatively low (25, 29, 28,
22, and 21 percent of the variance of security policies and procedures, training and
education, access control, systems and programs updates, and security teams,
respectively). Future research can explore more variables which may further explain
the relationship between MISA and MATIS. In other words, although the current study
is grounded in the literature (Straub, 1990; Straub and Welke, 1998), the relatively low
values of R2 indicate that more constructs need to be explored in order to better explain
the relationship between MISA and MATIS. For example, intention can be an
important factor because it is possible that senior executives understand the
significance of information security and are aware of information security but have no
intention of taking actions. Thus, future research could examine the relationship
between MISA and MATIS in light of the intentions of senior executives.
Table VI. Summarized results

                                                  ANOVA                      Regression
      Independent → Dependent                     F-test result              coefficient   Hypothesis
P     MISA → Overall MATIS                        F(2, 1,645) = 182.50*      1.797*        Accepted
H1    MISA → Security policies and procedures     F(2, 1,742) = 52.01*       2.147*        Accepted
H2    MISA → Training and education               F(2, 1,745) = 64.37*       2.328*        Accepted
H3    MISA → Access control                       F(2, 1,742) = 128.47*      2.050*        Accepted
H4    MISA → Systems and programs updates         F(2, 1,689) = 109.88*      0.334*        Accepted
H5    MISA → Security teams                       F(2, 1,746) = 69.29*       0.303*        Accepted

Note: * Significant at the 0.001 level
The conceptual model (Rajagopalan and Spreitzer, 1997) employed in this study also
provides insight into these results. For the purposes of this study, the authors chose
MISA to represent the construct, managerial cognition. However, MISA does not fully
cover managerial cognition, but is one part of managerial cognition. As the conceptual
model indicates, managerial cognition is impacted by environmental and organizational
conditions and changes as well as by organizational outcomes. For example, a health
insurance provider will be required by the Health Insurance Portability and
Accountability Act to take specific MATIS (a result of environmental and
organizational conditions) independent of the relative MISA of the organization’s
senior executives. In other words, while the health insurance CEO’s MISA might be very
low, he will know specific technical regulations governing the organization’s
information systems and ensure that the requirements are met without necessarily
having any understanding in terms of MISA of those requirements. Thus, while the CEO
has low MISA he has the legislated technical requirements as part of his managerial
cognition by virtue of the environmental conditions and changes construct from the
conceptual model. This is consistent with the conclusion by Goodhue and Straub (1991)
that managerial concern about system risk is a function of organizational environment
(industry). Thus, as the study has demonstrated, MISA is an important factor, but not
the only factor, in determining MATIS. However, since organizations do not set the laws
and regulations that govern them, MISA is a rare leverage point for an organization to
impact MATIS.
In addition to the organizational environment and individual characteristics (e.g.
MISA), Goodhue and Straub (1991) identified the current state of the IS environment as
being a key factor contributing to a manager’s risk-cost tradeoff, which is an important
precursor to MATIS. For example, if the IS environment is already hardened and
additional security measures are perceived to yield only incremental benefits while
entailing a high cost, a manager will likely take no action to implement the proposed
MATIS program even if that manager has high MISA. Thus, future studies can explore
the variables that can provide a more complete picture of the relationship between
managerial cognition and MATIS.
The second limitation is related to the measurement issues that result from the use of
secondary data. For example, the measures adopted may need to be more elaborate.
Specifically, the first three MATIS variables (i.e. information security policies and
procedures, information security training and education, information access control) were
measured by binary variables, and that might have imposed an unrealistically discrete
measure. This possibility may be reflected in the fact that 89 respondents out of the total
1,733 (5 percent) were unable to answer the question that addressed the use of security
policies and procedures. It is conceivable that these respondents did not answer the
question because they felt that both “yes” and “no” were not appropriate for their
circumstances. Likewise, the variable for the presence of information security teams
differentiated between dedicated security teams whose sole function is to ensure the
information security of the organization and cross-departmental security teams composed
of relevant individuals drawn from throughout the organization. For most small
organizations, the ability to afford a dedicated security team is constrained; therefore it is
possible that the survey may not reflect the reality facing small organizations.
While several of the measures used are binary, the sample size is large enough to ensure
accuracy (1,773) and the binary questions themselves (e.g. does your organization conduct
information security training and education programs?) represent the current situation
fairly well. Also, while there is the possibility that the measures may not fully represent the
actual conditions in some organizations that might partially meet the criteria for the
question and might partially not, we believe that the overall bias is relatively low.
In addition to the discreteness of some of the measures, another potential limitation
is the use of five variables to represent MATIS. It is certainly true that there are more
than five possible MATIS that an organization can take. However, since the five
identified aspects of MATIS are considered the most common practices in the field
(Forcht, 1994; InformationWeek, 2003; Kankanhalli et al., 2003; KIMI, 2003), we believe
that the current variables properly capture the essence of managerial actions that can
be taken by an organization to ensure its security and that other possible actions not
included in these variables will minimally bias the results of the study.
Another concern is that since the data were collected in one specific country, South
Korea, the findings of the study should be applied to other countries with caution.
Finally, a comparison study with the data from other countries dealing with the same
topics as the current research can help generalize the results.

Note
1. For the complete set of the issues in each construct, refer to Table II in Cline and Jensen
(2004).

References
Abu-Musa, A.A. (2002), “Computer crimes: how can you protect your computerized accounting
information system?”, Journal of American Academy of Business, Vol. 2 No. 1, pp. 91-101.
Bickford, D.M. and Reynolds, N. (2002), “Activism and service-learning: reframing volunteerism
as acts of dissent”, Pedagogy: Critical Approaches to Teaching Literature, Language,
Composition and Culture, Vol. 8 No. 2, pp. 229-52.
Biglan, A. and Taylor, T.K. (2000), “Why have we been more successful in reducing tobacco use
than violent crime?”, American Journal of Community Psychology, Vol. 28 No. 3, pp. 269-302.
Chen, C.C., Shaw, R.S. and Yang, S.C. (2006), “Mitigating information security risks by increasing
user security awareness: a case study of an information security awareness system”,
Information Technology, Learning, and Performance Journal, Vol. 24 No. 1, pp. 1-14.
Churchill, G.A. (1979), “A paradigm for developing better measures of marketing constructs”,
Journal of Marketing Research, Vol. 16 No. 1, pp. 64-73.
Cline, M. and Jensen, B.K. (2004), “Information security: an organizational change perspective”,
paper presented at The Tenth Americas Conference on Information Systems.
Farahmand, F., Navathe, S.B., Sharp, G.P. and Enslow, P.H. (2005), “A management perspective
on risk of security threats to information systems”, Information Technology and
Management, Vol. 6 Nos 2/3, pp. 203-25.
Fitzgerald, K.J. (1995), “Information security baselines”, Information Management & Computer
Security, Vol. 3 No. 2, pp. 8-12.
Forcht, K.A. (1994), Computer Security Management, Boyd and Fraser, Danvers, MA.
Fowler, J. (1996), “Developing the security culture at the SEISMED reference centers”, in Barber, B.,
Treacher, A. and Louwerse, K. (Eds), Towards Security in Medical Telematics: Legal and
Technical Aspects, IOS Press, Amsterdam, pp. 156-61.
Furnell, S.M. and Clarke, N.L. (2005), “Organisational security culture: embedding security
awareness, education and training”, Proceedings of the 4th World Conference on
Information Security Education (WISE 2005), 18-20 May, Moscow, Russia.
Furnell, S.M., Gennatou, M. and Dowland, P.S. (2002), “A prototype tool for information security
awareness and training”, Logistics Information Management, Vol. 15 Nos 5/6, pp. 352-7.
Goodhue, D.L. and Straub, D.W. (1991), “Security concerns of system users: a study of perceptions
of the adequacy of security”, Information & Management, Vol. 20 No. 1, pp. 13-27.
Gopal, R.D. and Sanders, G.L. (1997), “Preventive and deterrent controls for software piracy”,
Journal of Management Information Systems, Vol. 13 No. 4, pp. 29-47.
Green, S.P. and Kamimura, M. (2003), “Ties that bind: enhanced social awareness development
through interactions with diverse peers”, paper presented at Annual Meeting of the
Association for the Study of Higher Education, Portland, OR.
Hawkins, S., Yen, D.C. and Chou, D.C. (2000), “Awareness and challenges of internet security”,
Information Management & Computer Security, Vol. 8 No. 3, pp. 131-43.
Hu, Q. and Dinev, T. (2005), “Is spyware an internet nuisance or public menace?”,
Communications of the ACM, Vol. 48 No. 8, pp. 61-6.
Icove, D., Seger, K. and Vonstorch, W. (1995), Computer Crime: A Crimefighter’s Handbook,
O’Reilly & Associates, Inc., Sebastopol, CA.
InformationWeek (2003), “What’s to come”, InformationWeek, 10 November, p. 116.
KIMI (2003), The Annual Survey 2003: The Small and Medium-sized Enterprises’
Informationalization Level Evaluation, Korean Information Management Institute for
Small and Medium Enterprises, Seoul.
Kankanhalli, A., Teo, H.H., Tan, B.C.Y. and Wei, K.K. (2003), “An integrative study of information
systems security effectiveness”, International Journal of Information Management, Vol. 23
No. 2, pp. 139-54.
Loch, K.D., Carr, H.H. and Warkentin, M.E. (1992), “Threats to information systems: today’s
reality, yesterday’s understanding”, Management Information Systems Quarterly, Vol. 17
No. 2, pp. 173-86.
McLean, K. (1992), “Information security awareness – selling the cause”, Proceedings of the IFIP
TC11/Sec’92, Singapore, Vol. 92.
Morwood, G. (1998), “Business continuity: awareness and training programmes”, Information
Management & Computer Security, Vol. 6 No. 1, pp. 28-32.
Nunnally, J.C. (1967), Psychometric Theory, McGraw-Hill, New York, NY.
Nunnally, J.C. (1978), Psychometric Theory, 2nd ed., McGraw-Hill, New York, NY.
Nunnally, J.C. and Bernstein, I.H. (1994), Psychometric Theory, 3rd ed., McGraw-Hill, New York, NY.
Parker, D.B. (1981), Computer Security Management, Prentice-Hall, Reston, VA.
Parker, D.B. (1998), Fighting Computer Crime: A New Framework for Protecting Information,
Wiley, New York, NY.
Peltier, T.R. (2003), “Implementing an information security awareness program”, EDPACS,
Vol. 33 No. 1, pp. 1-18.
Perry, W.E. (1985), Management Strategies for Computer Security, Butterworth-Heinemann,
Newton, MA.
Puhakainen, P. (2006), “Design theory for information security awareness”, PhD thesis,
University of Oulu, Oulu.
Rajagopalan, N. and Spreitzer, G. (1997), “Toward a theory of strategic change: a multi-lens
perspective and integrative framework”, The Academy of Management Review, Vol. 22 No. 1,
pp. 48-79.
Siponen, M.T. (2000), “A conceptual foundation for organizational information security
awareness”, Information Management & Computer Security, Vol. 8 No. 1, pp. 31-41.
Siponen, M.T. (2001), “Five dimensions of information security awareness”, Computers and
Society, Vol. 31 No. 2, pp. 24-9.
Siponen, M.T. and Iivari, J. (2006), “IS security design theory framework and six approaches to
the application of IS security policies and guidelines”, Journal of the Association for
Information Systems, Vol. 7 No. 7, pp. 445-72.
Siponen, M.T. and Kajava, J. (1998), Ontology of Organizational IT Security Awareness. From
Theoretical Foundations to Practical Framework, IEEE Computer Society Press, Los Alamitos,
CA.
Snell, W.E.J. and Wooldridge, D.G. (1998), “Sexual awareness: contraception, sexual behaviors
and sexual attitudes”, Sexual and Marital Therapy, Vol. 13, pp. 191-9.
Spurling, P. (1995), “Promoting security awareness and commitment”, Information Management
& Computer Security, Vol. 3 No. 2, pp. 20-6.
Stafford, T.F. and Urbaczewski, A. (2004), “Spyware: the ghost in the machine”, Communications
of the Association for Information Systems, Vol. 14, pp. 291-306.
Straub, D.W. (1990), “Effective IS security: an empirical study”, Information Systems Research,
Vol. 1 No. 3, pp. 255-76.
Straub, D.W. and Nance, W.D. (1990), “Discovering and disciplining computer abuse in organization:
a field study”, Management Information Systems Quarterly, Vol. 14 No. 1, pp. 45-55.
Straub, D.W. and Welke, R.J. (1998), “Coping with systems risks: security planning models for
management decision making”, Management Information Systems Quarterly, Vol. 22 No. 4,
pp. 441-69.
Thomson, M.E. and Solms, R.V. (1998), “Information security awareness: educating our users
effectively”, Information Management & Computer Security, Vol. 6 No. 4, pp. 167-73.
Tillman, B. (2002), “Internet privacy legislation emerges: new legislation could bring US privacy
protection laws into step with those of the European Union (Legislative and Regulatory
Update)”, Information Management Journal, Vol. 36 No. 5, pp. 14-18.
White, G.B., Fisch, E.A. and Pooch, U.W. (1996), Computer System and Network Security, CRC
Press, Boca Raton, FL.
Yeh, Q-J. and Chang, A.J-T. (2007), “Threats and countermeasures for information system
security: a cross-industry study”, Information & Management, Vol. 44 No. 5, pp. 480-91.

Corresponding author
Namjoo Choi can be contacted at: nc236879@albany.edu