CEOs’ information security behavior in SMEs: Does ownership matter?

Yves Barlette, Katherine Gundolf, Annabelle Jaouen


Past research in the area of behavioral information security has mainly focused on large company employees. However, SMEs constitute a relevant field of study, as they represent more than 99 percent of European companies and are subject to rapidly increasing security threats. In addition, within SMEs, CEOs play a vital role in protecting their information through the actions they can initiate and the influence they have on their employees. We attempt to fill a gap in information security (ISS) research, as few studies have aimed to understand CEOs’ behaviors related to the implementation of ISS. In addition, the literature shows that particularly in a small firm context, ownership influences CEOs’ behavior. Even less research has addressed SMEs, specifically with regard to the impact of ownership on CEOs’ ISS-related behaviors. This paper details an empirical study based on the protection motivation theory (PMT) to investigate the following research question: what factors explain SME CEOs’ information security protective behavior? We conducted a questionnaire-based survey with 292 SME CEOs, and we analyzed the collected data using partial least squares (PLS). Because the academic literature shows that SME CEOs engage in specific behaviors, we tested the influence of the PMT on two subgroups: SME owners (n=183) and non-owners (n=109). Our results show very important and significant discrepancies between the two subgroups. Our work is original because it constitutes the first study dedicated to the protective behaviors of SME CEOs; moreover, it distinguishes between owners and non-owners. Our major theoretical contribution corresponds to the identification and investigation of this differentiated population, which requires more in-depth studies.
The main managerial implication of our work is that as the factors triggering owner and non-owner SME CEOs’ protective behaviors are almost in total contrast, any communication or action should be specifically tailored to each audience.


Protection motivation theory, owner CEO, SME, behavior, information security.

