Do it yourself or get it done? Enhancing SME CEOs’ decision-making regarding Information Security

Authors

Keywords:

ISS, CEO, SME, Protection Motivation Theory, Top Management Support

Abstract

This research addresses the determinants of CEOs’ actions regarding the information security (ISS) of small and medium enterprises (SMEs). This article aims to (a) identify factors influencing CEOs’ ISS actions, (b) examine the relevance of protection motivation theory (PMT) in explaining top management support (TMS, i.e., supportive actions), and (c) find potential differentiated effects on protective vs. supportive actions.

The results of a questionnaire-based survey (N=200) show that the PMT and social influence constructs, while explaining a significant amount of variance, exert differentiated effects: in contrast with protective actions, which are influenced mainly by self-efficacy, SME CEOs’ supportive actions are strongly affected by the social influence of peers (partners and competitors) and customers.

At a theoretical level, this research validates the relevance of the PMT framework for the study of TMS determinants in the context of ISS. This study is also the first to distinguish between these two types of actions and offers new insights on CEOs’ ISS-related behavior literature. For practitioners, the results imply that even when CEOs do not exert protective actions, it is important to build on their professional relations to trigger and enhance their supportive actions.

Author Biographies

Yves Barlette, Montpellier Business School

Associate Professor

Annabelle Jaouen, Montpellier Business School

Associate Professor

References

Abubakare M., Coombs C. R., Ravishankar M. N. (2017), "The Impact of Salient Cultural Practices on the Outcome of IS Implementation", Journal of Global Information Management, vol. 25, n 3, p. 1–20.

Almandoz J., Tilcsik A. (2016), "When Experts Become Liabilities: Domain Experts on Boards and Organizational Failure", Academy of Management Journal, vol. 59, n 3, p. 1124–1149.

Anderson C. L., Agarwal R. (2010), "Practicing Safe Computing: A Multimethod Empirical Examination of Computer User Security Behavioral Intentions", MIS Quarterly, vol. 34, n 3, p. 613–643.

Baillette P., Barlette Y. (2018), "Examining CEOs’ Behavior related to BYOD implementation through the CMUA", 23rd conference of the Association Information et Management (AIM), May 16-18, Montréal, Canada.

Bandura A. (1977), "Self-Efficacy: Toward a Unifying Theory of Behavioral Change", Psychological Review, vol. 84, n 3, p. 191–215.

Bandura A. (1986), Social Foundations of Thought and Action: A Social Cognitive Theory, Prentice-Hall, Englewood Cliffs, NJ.

Barber J., Metcalfe S., Porteous M. (2016), Barriers to growth in small firms, Routledge.

Barlette Y. (2012), "Implication et Action Des Dirigeants : Quelles Pistes Pour Améliorer la Sécurité de l'Information en PME ?", Systèmes d'Information & Management, vol. 17, n 3, p. 115–149.

Barlette Y., Gundolf K., Jaouen A. (2017), "CEOs’ Information Security Behavior in SMEs: Does Ownership Matter?", Systèmes d'Information & Management, vol. 22, n 3, p. 7–45.

Barlette Y., Jaouen A. (2012), "What is the Influence of Certified Public Accountants on Microfirm Owner-Managers?", in XXVIth Research in Entrepreneurship and Small Business Conference (RENT, Lyon, France.

Beaudry, A., Pinsonneault, A. (2005), "Understanding user responses to information technology: A coping model of user adaptation", MIS Quarterly, vol. 29, n°3, p. 493–524.

Berry C. T., Berry R. L. (2018), "An Initial Assessment of Small Business Risk Management Approaches for Cyber Security Threats", International Journal of Business Continuity and Risk Management, vol. 8, n 3, p. 1–10.

Boonstra A. (2013), "How do Top Managers Support Strategic Information System Projects and Why do they Sometimes Withhold this Support?", International Journal of Project Management, vol. 31, n 3, p. 498–512.

Boss S. R., Galletta D. F., Lowry P. B., Moody G. D., Polak P. (2015), "What do Users Have to Fear? Using Fear Appeals to Engender Threats and Fear that Motivate Protective Security Behaviors", MIS Quarterly, vol. 39, n 3, p. 837–864.

Boss S. R., Kirsch L. J., Angermeier I., Shingler R. A., Boss R. W. (2009), "If Someone is Watching, I'll do What I'm Asked: Mandatoriness, Control, and Information Security", European Journal of Information Systems, vol. 18, n 3, p. 151–164.

Burkhardt M. E. (1994), "Social Interaction Effects Following a Technological Change: A Longitudinal Investigation", Academy of Management Journal, vol. 37, n 3, p. 869–898.

Burt R. S. (1987), "Social Contagion and Innovation: Cohesion versus Structural Equivalence", American Journal of Sociology, vol. 92, n 3, p. 1287–1335.

Chen Y., Ramamurthy K., Wen K.-W. (2012), "Organizations' Information Security Policy Compliance: Stick or Carrot Approach?", Journal of Management Information Systems, vol. 29, n 3, p. 157–188.

Chen Y., Zahedi F. M. (2016), "Individuals’ internet Security Perceptions and Behaviors: Polycontextual Contrasts between the United States and China", MIS Quarterly, vol. 40, n 3, p. 205–222.

Chu A. M. Y., Chau P. Y. K. (2014), "Development and Validation of Instruments of Information Security Deviant Behavior", Decision Support Systems, vol. 66, n 3, p. 93–101.

Contractor N. S., Eisenberg E. M. (1990), "Communication Networks and New Media in Organizations" in J. Fulk and C. Steinfield (eds), Organizations and Communication Technology, Sage, Newbury Park, CA, p. 143–172.

Crossler R., Bélanger F. (2014), "An Extended Perspective on Individual Security Behaviors", SIGMIS Database, vol. 45, n 3, p. 51–71.

Curran J., Burrows R. (2015), "The Social Analysis of Small Business: Some Emerging Themes" in R. Goffee and R. Scase (eds), Entrepreneurship in Europe: The Social Processes, Routledge, London, UK, p. 164–191.

Dagorn N., Poussing N. (2012), "Engagement et Pratiques des Organisations en Matière de Gouvernance de la Sécurité de L'information", Systèmes d'Information & Management, vol. 17, n 3, p. 113–143.

Daud M., Rasiah R., George M., Asirvatham D., Thangiah G. (2018), "Bridging the Gap between Organisational Practices and Cyber Security Compliance: Can Cooperation Promote Compliance in Organisations?", International Journal of Business & Society, vol. 19, n 3, p. 161–180.

de Guinea A. O., Kelley H., Hunter M. G. (2005), "Information Systems Effectiveness in Small Businesses", Journal of Global Information Management, vol. 13, n 3, p. 55–79.

Dojkovski S., Lichtenstein S., Warren M. J. (2007), "Fostering Information Security Culture in Small and Medium Size Enterprises: An Interpretive Study in Australia", in 15th European Conference on Information Systems, St. Gallen, Switzerland.

Dong L., Neufeld D., Higgins C. (2009), "Top Management Support of Enterprise Systems Implementations", Journal of Information Technology, vol. 24, n 3, p. 55–80.

Elbanna A. (2013), "Top Management Support in Multiple-Project Environments: An In-Practice View", European Journal of Information Systems, vol. 22, n 3, p. 278–294.

European Union. (2016), Annual Report on European SMEs 2015-2016, EU Publication Office, London, UK.

Fielder A., Panaousis E., Malacaria P., Hankin C., Smeraldi F. (2016), "Decision Support Approaches for Cyber Security Investment", Decision Support Systems, vol. 86, n 3, p. 13–23.

Fishbein M., Ajzen I. (1975), Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research, Addison-Wesley Pub. Co., Reading, MA.

Floyd D. L., Prentice-Dunn S., Rogers R. W. (2000), "A Meta-Analysis of Research on Protection Motivation Theory", Journal of Applied Social Psychology, vol. 30, n 3, p. 407–429.

Fornell C., Larcker D. F. (1981), "Evaluating Structural Equation Models with Unobservable Variables and Measurement Error", Journal of Marketing Research, vol. 18, n 3, p. 39–50.

Friend M. A., Pagliari L. R. (2000), "Establishing a Safety Culture: Getting Started", Professional Safety, vol. 45, n 3, p. 30–32.

Gottschalk P. (1999), "Strategic Information Systems Planning: the IT Strategy Implementation Matrix", European Journal of Information Systems, vol. 8, n 3, p. 107–118.

Gupta A., Hammond R. (2005), "Information Systems Security Issues and Decisions for Small Businesses", Information Management & Computer Security, vol. 13, n 3, p. 297–310.

Gurung A., Luo X., Liao Q. (2009), "Consumer Motivations in Taking Action Against Spyware: An Empirical Investigation", Information Management & Computer Security, vol. 17, n 3, p. 276–289.

Hair J., Hollingsworth C. L., Randolph A. B., Chong A. Y. L. (2017b), "An Updated and Expanded Assessment of PLS-SEM in Information Systems Research", Industrial Management & Data Systems, vol. 117, n 3, p. 442–458.

Hair J. F., Hult G. T. M., Ringle C., Sarstedt M. (2017a), A Primer on Partial Least Squares Structural Equation Modeling (PLS-SEM), Sage, Thousand Oaks, CA.

Hair J. F., Ringle C. M., Sarstedt M. (2011), "PLS-SEM: Indeed a Silver Bullet", The Journal of Marketing Theory and Practice, vol. 19, n 3, p. 139–152.

Hanus B., Wu Y. A. (2016), "Impact of Users’ Security Awareness on Desktop Security Behavior: A Protection Motivation Theory Perspective", Information Systems Management, vol. 33, n 3, p. 2–16.

Henseler J., Hubona G., Ray P. A. (2016), "Using PLS Path Modeling in New Technology Research: Updated Guidelines", Industrial Management & Data Systems, vol. 116, n 3, p. 2–20.

Henseler J., Ringle C. M., Sarstedt M. (2015), "A New Criterion for Assessing Discriminant Validity in Variance-Based Structural Equation Modeling", Journal of the Academy of Marketing Science, vol. 43, n 3, p. 115–135.

Herath T., Rao H. R. (2009), "Encouraging Information Security Behaviors in Organizations: Role of Penalties, Pressures and Perceived Effectiveness", Decision Support Systems, vol. 47, n 3, p. 154–165.

Hu Q., Dinev T., Hart P., Cooke D. (2012), "Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture", Decision Sciences, vol. 43, n 3, p. 615–660.

Ifinedo P. (2012), "Understanding Information Systems Security Policy Compliance: An Integration of the Theory of Planned Behavior and the Protection Motivation Theory", Computers & Security, vol. 31, n 3, p. 83–95.

Ismail N. (2018), SMEs: Don’t Just Wait for a Security Compromise. Be Proactive. https://www.information-age.com/smes-security-compromise-123473095/. Accessed April 25, 2019.

Jaouen A., Lasch F. (2015), "A New Typology of Micro-Firm Owner-Managers", International Small Business Journal, vol. 33, n 3, p. 397–421.

Jaouen A., Nakara W. A. (2015), "‘Bricolage’ in the Implementation and the Use of IS by Micro-Firms: An Empirical Study" in Rocha, Á., Correia, A.M., Costanzo, S., Reis, L.P. (eds), New Contributions in Information Systems and Technologies, Springer, New York, NY, p. 449–458.

Jarvenpaa S. L., Ives B. (1991), "Executive Involvement and Participation in the Management of Information Technology", MIS Quarterly, vol. 15, n 3, p. 205–227.

Johnston, A. C., Hale, R. (2009), "Improved Security through Information Security Governance", Communications of the ACM, vol. 52, n°1, p. 126-129.

Johnston A. C., Warkentin M. (2010), "Fear Appeals and Information Security Behaviors: An Empirical Study", MIS Quarterly, vol. 34, n 3, p. 549–566.

Johnston A. C., Warkentin M., Siponen M. T. (2015), "An Enhanced Fear Appeal Rhetorical Framework: Leveraging Threats to the Human Asset Through Sanctioning Rhetoric", MIS Quarterly, vol. 39, n 3, p. 113–134.

Kankanhalli A., Teo H.-H., Tan B. C. Y., Wei K.-K. (2003), "An Integrative Study of Information Systems Security Effectiveness", International Journal of Information Management, vol. 23, n 3, p. 139–154.

Kanwal N., Zafar M. S., Bashir S. (2017), "The Combined Effects of Managerial Control, Resource Commitment, and Top Management Support on the Successful Delivery of Information Systems Projects", International Journal of Project Management, vol. 35, n 3, p. 1459–1465.

Kappelman L. A., McKeeman R., Zhang L. (2006), "Early Warning Signs of IT Project Failure: The Dominant Dozen", Information Systems Management, vol. 23, n 3, p. 31–36.

Karjalainen M., Sarker S., Siponen M. (2019), "Toward a Theory of Information Systems Security Behaviors of Organizational Employees: A Dialectical Process Perspective", Information Systems Research, vol. 30, n°2, p. 687-704.

Knapp K. J., Marshall T. E., Rainer R. K., Ford F. N. (2006), "Information Security: Management's Effect on Culture and Policy", Information Management & Computer Security, vol. 14, n 3, p. 24–36.

Kulkarni U., Robles-Flores J., Popovič A. (2017), "Business Intelligence Capability: The Effect of Top Management and the Mediating Roles of User Participation and Analytical Decision-Making Orientation", Journal of the Association for Information Systems, vol. 18, n 3, p. 516–541.

Kwon J., Ulmer J. R., Wang T. (2013), "The Association between Top Management Involvement and Compensation and Information Security Breaches", Journal of Information Systems, vol. 27, n 3, p. 219–236.

Kyobe M. (2008), "The Impact of Entrepreneur Behaviors on the Quality of e-Commerce Security: A Comparison of Urban and Rural Findings", Journal of Global Information Technology Management, vol. 11, n 3, p. 58–79.

Lábodi C., Michelberger P. (2010), "Necessity or Challenge-Information Security for Small and Medium Enterprises", Annals of the University of Petrosani Economics, vol. 10, n 3, p. 207–216.

Lai F., Li D., Hsieh C.-T. (2012), "Fighting Identity Theft: The Coping Perspective", Decision Support Systems, vol. 52, n 3, p. 353–363.

Lee J. Y., Park S., Baker R. (2018), "The Moderating Role of Top Management Support on Employees’ Attitudes in Response to Human Resource Development Efforts", Journal of Management & Organization, vol. 24, n 3, p. 369–387.

Lee Y. (2011), "Understanding Anti-Plagiarism Software Adoption: An Extended Protection Motivation Theory Perspective", Decision Support Systems, vol. 50, n 3, p. 361–369.

Lee Y., Larsen K. R. (2009), "Threat or Coping Appraisal: Determinants of SMB Executives’ Decision to Adopt Anti-Malware Software", European Journal of Information Systems, vol. 18, n 3, p. 177–187.

Lent R. W., Hoffman M. A., Hill C. E., Treistman D., Mount M., Singley D. (2006), "Client-Specific Counselor Self-Efficacy in Novice Counselors: Relation to Perceptions of Session Quality", Journal of Counseling Psychology, vol. 53, n 3, p. 453–463.

Lewis W., Agarwal R., Sambamurthy V. (2003), "Sources of Influence on Beliefs about Information Technology Use: An Empirical Study of Knowledge Workers", MIS Quarterly, vol. 27, n 3, p. 657–678.

Li L., He W., Xu L., Ash I., Anwar M., & Yuan X. (2019), "Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior", International Journal of Information Management, vol. 45, p. 13-24.

Li H., Zhang J., Sarathy R. (2010), "Understanding Compliance with Internet Use Policy from the Perspective of Rational Choice Theory", Decision Support Systems, vol. 48, n 3, p. 635–645.

Liang H., Saraf N., Hu Q., Xue Y. (2007), "Assimilation of Enterprise Systems: the Effect of Institutional Pressures and the Mediating Role of top Management", MIS Quarterly, vol. 31, n 3, p. 59–87.

Liang H., Xue Y. (2010), "Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective", Journal of the Association for Information Systems, vol. 11, n 3, p. 394–413.

Limayem M., Hirt S. G., Cheung C. M. K. (2007), "How Habit Limits the Predictive Power of Intention: The Case of Information Systems Continuance", MIS Quarterly, vol. 31, n 3, p. 705–737.

Lin T.-C., Ku Y.-C., Huang Y.-S. (2014), "Exploring Top Managers’ Innovative IT (IIT) Championing Behavior: Integrating the Personal and Technical Contexts", Information & Management, vol. 51, n 3, p. 1–12.

Lindell M. K., Whitney D. J. (2001), "Accounting for Common Method Variance in Cross-Sectional Research Designs", Journal of Applied Psychology, vol. 86, n 3, p. 114–121.

Liu G., Wang E., Chua C. (2015), "Leveraging Social Capital to Obtain Top Management Support in Complex, Cross-Functional IT Projects", Journal of the Association for Information Systems, vol. 16, n 3, p. 707–737.

López-Muñoz J. F., Escribá-Esteve A. (2017), "An Upper Echelons Perspective on Information Technology Business Value", European Research on Management and Business Economics, vol. 23, n 3, p. 173–181.

Maddux J. E., Rogers R. W. (1983), "Protection Motivation and Self-Efficacy: A Revised Theory of Fear Appeals and Attitude Change", Journal of Experimental Social Psychology, vol. 19, n 3, p. 469–479.

Malhotra N. K., Schaller T. K., Patil A. (2017), "Common Method Variance in Advertising Research: When to be Concerned and How to Control for it", Journal of Advertising, vol. 46, n 3, p. 193–212.

Maruping L. M., Magni M. (2012), "What's the Weather Like? The Effect of Team Learning Climate, Empowerment Climate, and Gender on Individuals' Technology Exploration and Use", Journal of Management Information Systems, vol. 29, n 3, p. 79–114.

McComb S. A., Kennedy D. M., Green S. G., Compton W. D. (2008), "Project Team Effectiveness: The Case for Sufficient Setup and Top Management Involvement", Production Planning & Control, vol. 19, n 3, p. 301–311.

Menard P., Bott G. J., Crossler R. E. (2017), "User Motivations in Protecting Information Security: Protection Motivation Theory Versus Self-Determination Theory", Journal of Management Information Systems, vol. 34, n 3, p. 1203–1230.

Merhi M. I., Ahluwalia P. (2015), "Top Management can Lower Resistance toward Information Security Compliance", in Thirty Sixth ICIS Conference, Fort Worth, Texas.

Mitchell J. R., Shepherd D. A. (2010), "To Thine Own Self be True: Images of Self, Images of Opportunity, and Entrepreneurial Action", Journal of Business Venturing, vol. 25, n 3, p. 138–154.

Moody G. D., Siponen M., Pahnila S. (2018), "Toward a Unified Model of Information Security Policy Compliance", MIS Quarterly, vol. 42, n 3, p. 285–311.

Mullins J. W., Forlani D. (2005), "Missing the Boat or Sinking the Boat: A Study of New Venture Decision Making", Journal of Business Venturing, vol. 20, n 3, p. 47–69.

Mwagwabi F., McGill T., Dixon M. (2018), "Short-Term and Long-Term Effects of Fear Appeals in Improving Compliance with Password Guidelines", Communications of the Association for Information Systems, vol. 42, n 3, p. 147–192.

Ng B.-Y., Kankanhalli A., Xu Y. (2009), "Studying Users' Computer Security Behavior: A Health Belief Perspective", Decision Support Systems, vol. 46, n 3, p. 815–825.

Nguyen T. H., Newby M., Macaulay M. J. (2015), "Information Technology Adoption in Small Business: Confirmation of a Proposed Framework", Journal of Small Business Management, vol. 53, n 3, p. 207–227.

Nice S. (2018), Protecting SMEs from the Evolving Threat Landscape. https://www.scmagazineuk.com/protecting-smes-evolving-threat-landscape/article/1472907/. Accessed April 25, 2019.

Ozgen E., Baron R. A. (2007), "Social Sources of Information in Opportunity Recognition: Effects of Mentors, Industry Networks, and Professional Forums", Journal of Business Venturing, vol. 22, n 3, p. 174–192.

Pérès A., Latour R., Bergeron J. (2003), "Attitude des Utilisateurs de Systèmes à l'égard de la Protection des Informations : Un Modèle des Facteurs d'influence", Systèmes d'Information & Management, vol. 8, n 3, p. 87–118.

Petter S., Straub D., Rai A. (2007), "Specifying Formative Constructs in Information Systems Research", MIS Quarterly, vol. 31, n 3, p. 623–656.

Podsakoff P. M., MacKenzie S. B., Lee J.-Y., Podsakoff N. P. (2003), "Common Method Biases in Behavioral Research: A Critical Review of the Literature and Recommended Remedies", Journal of Applied Psychology, vol. 88, n 3, p. 879–903.

Podsakoff P. M., MacKenzie S. B., Podsakoff N. P. (2012), "Sources of Method Bias in Social Science Research and Recommendations on How to Control it", Annual Review of Psychology, vol. 63, n 3, p. 539–569.

Posey C., Roberts T. L., Lowry P. B. (2015), "The Impact of Organizational Commitment on Insiders’ Motivation to Protect Organizational Information Assets", Journal of Management Information Systems, vol. 32, n 3, p. 179–214.

Prentice-Dunn S., Rogers R. W. (1986), "Protection Motivation Theory and Preventive Health: Beyond the Health Belief Model", Health Education Research, vol. 1, n 3, p. 153–161.

Pritchard S. (2010), "Navigating the Black Hole of Small Business Security", Infosecurity, vol. 7, n 3, p. 18–21.

Puhakainen P., Siponen M. (2010), "Improving Employees' Compliance Through Information Systems Security Training: An Action Research Study", MIS Quarterly, vol. 34, n 3, p. 757–778.

Ragu-Nathan B. S., Apigian C. H., Ragu-Nathan T. S., Tu Q. (2004), "A Path Analytic Study of the Effect of Top Management Support for Information Systems Performance", Omega, vol. 32, n 3, p. 459–471.

Rainer R. K., Marshall T. E., Knapp K. J., Montgomery G. H. (2007), "Do Information Security Professionals and Business Managers View Information Security Issues Differently?", Information Systems Security, vol. 16, n 3, p. 100–108.

Richter N. F., Cepeda G., Roldán J. L., Ringle C. M. (2016), "European Management Research Using Partial Least Squares Structural Equation Modeling (PLS-SEM)", European Management Journal, vol. 34, n 3, p. 589–597.

Rogers R. W. (1983), "Cognitive and Psychological Processes in Fear-Based Attitude Change: A Revised Theory of Protection Motivation" in J. Cacioppo and R. Petty (eds), Social Psychophysiology: A Sourcebook, Guilford Press, New York, NY, p. 153–176.

Rondeau, P. J., Ragu-Nathan, T. S., Vonderembse, M. A. (2006), "How involvement, IS management effectiveness, and end-user computing impact IS performance in manufacturing firms", Information & Management, vol. 43, n°1, p. 93–107.

Rothrock R. A., Kaplan J., van der Oord F. (2018), "The Board's Role in Managing Cybersecurity Risks", MIT Sloan Management Review, vol. 59, n 3, p. 12–15.

Sarstedt M., Ringle C. M., Smith D., Reams R., Hair J. F. (2014), "Partial Least Squares Structural Equation Modeling (PLS-SEM): A Useful Tool for Family Business Researchers", Journal of Family Business Strategy, vol. 5, n 3, p. 105–115.

Schaller T. K., Patil A., Malhotra N. K. (2015), "Alternative Techniques for Assessing Common Method Variance", Organizational Research Methods, vol. 18, n 3, p. 177–206.

Schoonjans B., van Cauwenberge P., Bauwhede H. V. (2013), "Formal Business Networking and SME Growth", Small Business Economics, vol. 41, n 3, p. 169–181.

Senyard J. M., Baker T., Davidsson P. (2011), "Bricolage as a Path to Innovation for Resource Constrained New Firms", Academy of Management Proceedings, vol. 2011, n 3, p. 1–5.

Shao Z., Feng Y., Hu Q. (2016), "Effectiveness of Top Management Support in Enterprise Systems Success: A Contingency Perspective of Fit between Leadership Style and System Life-Cycle", European Journal of Information Systems, vol. 25, n 3, p. 131–153.

Shao Z., Feng Y., Hu Q. (2017), "Impact of Top Management Leadership Styles on ERP Assimilation and the Role of Organizational Learning", Information & Management, vol. 54, n 3, p. 902–919.

Shepherd D. A., Williams T. A., Patzelt H. (2015), "Thinking about Entrepreneurial Decision Making: Review and Research Agenda", Journal of Management, vol. 41, n 3, p. 11–46.

Simmering M. J., Fuller C. M., Richardson H. A., Ocal Y., Atinc G. M. (2015), "Marker Variable Choice, Reporting, and Interpretation in the Detection of Common Method Variance", Organizational Research Methods, vol. 18, n 3, p. 473–511.

Siponen M., Baskerville R. (2018), "Intervention Effect Rates as a Path to Research Relevance: Information Systems Security Example", Journal of the Association for Information Systems, vol. 19, n°4, p. 247-265.

Siponen M., Mahmood M. A., Pahnila S. (2014), "Employees’ Adherence to Information Security Policies: An Exploratory Field Study", Information & Management, vol. 51, n 3, p. 217–224.

Siponen M., Pahnila S., Mahmood M. A. (2010), "Compliance with Information Security Policies: An Empirical Investigation", Computer, vol. 43, n 3, p. 64–71.

Staehr L. (2010), "Understanding the Role of Managerial Agency in Achieving Business Benefits from ERP Systems", Information Systems Journal, vol. 20, n 3, p. 213–238.

Štemberger M.I., Manfreda A., Kovačič A. (2011), "Achieving Top Management Support with Business Knowledge and Role of IT/IS Personnel", International Journal of Information Management, vol. 31, n 3, p. 428–436.

Straub D., Limayem M., Karahanna-Evaristo E. (1995), "Measuring System Usage: Implications for IS Theory Testing", Management Science, vol. 41, n 3, p. 1328–1342.

Tehseen S., Ramayah T., Sajilan S. (2017), "Testing and Controlling for Common Method Variance: A Review of Available Methods", Journal of Management Sciences, vol. 4, n 3, p. 142–168.

Thompson N., McGill T. J., Wang X. (2017), "“Security Begins at Home”: Determinants of Home Computer and Mobile Device Security Behavior", Computers & Security, vol. 70, n 3, p. 376–391.

Thong J. Y. L., Yap C.-S., Raman K. S. (1996), "Top Management Support, External Expertise and Information Systems Implementation in Small Businesses", Information Systems Research, vol. 7, n 3, p. 248–267.

Torres O., Julien P. A. (2005), "Specificity and Denaturing of Small Business", International Small Business Journal, vol. 23, n 3, p. 355–377.

Tsai H.-Y. S., Jiang M., Alhabash S., LaRose R., Rifon N. J., Cotten S. R. (2016), "Understanding Online Safety Behaviors: A Protection Motivation Theory Perspective", Computers & Security, vol. 59, n 3, p. 138–150.

Tu Z., Turel O., Yuan Y., Archer N. (2015), "Learning to Cope with Information Security Risks Regarding Mobile Device Loss or Theft: An Empirical Examination", Information & Management, vol. 52, n 3, p. 506–517.

Vance A., Siponen M., Pahnila S. (2012), "Motivating IS Security Compliance: Insights from Habit and Protection Motivation Theory", Information & Management, vol. 49, n 3, p. 190–198.

Venkatesh V., Morris M. G., Ackerman P. L. (2000), "A Longitudinal Field Investigation of Gender Differences in Individual Technology Adoption Decision-Making Processes", Organizational Behavior and Human Decision Processes, vol. 83, n 3, p. 33–60.

Venkatesh V., Morris M. G., Davis G. B., Davis F. D. (2003), "User Acceptance of Information Technology: Toward a Unified View", MIS Quarterly, vol. 27, n 3, p. 425–478.

Warkentin M., Johnston A. C., Shropshire J., Barnett W. D. (2016), "Continuance of Protective Security Behavior: A Longitudinal Study", Decision Support Systems, vol. 92, n 3, p. 25–35.

Williams C. K., Wynn D., Madupalli R., Karahanna E., Duncan B. K. (2014), "Explaining Users' Security Behaviors with the Security Belief Model", Journal of Organizational and End User Computing, vol. 26, n 3, p. 23–46.

Wolcott P., Kamal M., Qureshi S. (2008), "Meeting the Challenges of ICT Adoption by Micro-Enterprises", Journal of Enterprise Information Management, vol. 21, n 3, p. 616–632.

Wold H. (2006), "Partial Least Squares" in S. Kotz and N. L. Johnson (eds), Encyclopedia of Statistical Sciences, John Wiley, New York, NY, p. 581–591.

Workman M., Bommer W. H., Straub D. (2008), "Security Lapses and the Omission of Information Security Measures: A Threat Control Model and Empirical Test", Computers in Human Behavior, vol. 24, n 3, p. 2799–2816.

Yazdanmehr A., Wang J. (2016), "Employees' Information Security Policy Compliance: A Norm Activation Perspective", Decision Support Systems, vol. 92, n 3, p. 36–46.

Yoon C., Kim H. (2013), "Understanding Computer Security Behavioral Intention in the Workplace", Information Technology & People, vol. 26, n 3, p. 401–419.

Zafar H., Ko M. S., Osei-Bryson K.-M. (2016), "The Value of the CIO in the Top Management Team on Performance in the Case of Information Security Breaches", Information Systems Frontiers, vol. 18, n 3, p. 1205–1215.

Zhang B., Pavlou P. A., Krishnan R. (2018), "On Direct vs. Indirect Peer Influence in Large Social Networks", Information Systems Research, vol. 29, n 3, p. 292–314.

Published

2019-10-02

How to Cite

Barlette, Y., & Jaouen, A. (2019). Do it yourself or get it done? Enhancing SME CEOs’ decision-making regarding Information Security. Systèmes d’Information Et Management (French Journal of Management Information Systems), 24(3), 7–40. Retrieved from https://revuesim.org/index.php/sim/article/view/964

Issue

Section

Empirical research