Information Security Effectiveness

Taking a sequential qualitative-quantitative methodological approach, the authors propose and test a theoretical model that includes four variables through which top management can positively influence security effectiveness: user training, security culture, policy relevance, and policy enforcement. During the qualitative phase of the study, the authors generated the model based on textual responses to a series of questions given to a sample of 220 information security practitioners. During the quantitative phase, we analyzed survey data collected from a sample of 740 information security practitioners. After data collection, we analyzed the survey responses using structural equation modeling and found evidence to support the hypothesized model. They also tested an alternative, higher-order factor version of the original model that demonstrated an improved overall fit and general applicability across the various demographics of the sampled data. They then linked the finding of this study to existing top management support literature, general deterrence theory research, and the theoretical notion of the dilemma of the supervisor.