Abstract
Is collective agency important for information security management? Drawing on social cognitive theory, this paper proposes four efficacy-shaping factors as antecedents of workgroup collective efficacy and examines its influence on workgroup information security effectiveness. For empirical analysis, a structural model is proposed with theoretical support. 306 individual responses were collected from 33 branch offices of a law enforcement organization in South Korea. Our results support the focal hypotheses that workgroup collective efficacy has significant positive relationships with its antecedents as well as workgroup information security effectiveness. This indicates that the exercise of collective agency is important in enhancing information security effectiveness in organizations. Further theoretical and practical implications will be discussed.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Anderson, S. L., & Betz, N. E. (2001). Sources of social self-efficacy expectations: their measurement and relation to career development. Journal of Vocational Behavior, 58(1), 98–117.
Bandura, A. (1977). Self-Efficacy: toward a unifying theory of behavioral change. Psychological Review, 84(2), 191–215.
Bandura, A. (1982). Self-efficacy mechanism in human agency. American Psychologist, 37(2), 122.
Bandura, A. (1986). Social foundation of thought and action: a social cognitive theory. PrenticeHall.
Bandura, A. (1994). Self-efficacy. Wiley Online Library. https://doi.org/10.1002/9780470479216.corpsy0836
Bandura, A. (1997). Self-efficacy: The exercise of control. Freeman.
Bandura, A. (1999). Social cognitive theory of personality. The Guilford Press.
Bandura, A. (2000). Exercise of human agency through collective efficacy. Current Directions in Psychological Science, 9(3), 75–78.
Baron, R. A. (1990). Environmentally Induced positive affect: its impact on self-efficacy, task performance, negotiation, and conflict 1. Journal of Applied Social Psychology, 20(5), 368–384.
Bhattacherjee, A., & Hikmet, N. (2008). Reconceptualizing organizational support and its effect on information technology usage: evidence from the health care sector. Journal of Computer Information Systems, 48(4), 69–76.
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523–548.
Carroll, J. M., Rosson, M. B., & Zhou, J. (2005). Collective efficacy as a measure of community. Proceedings of The SIGCHI Conference on Human Factors in Computing Systems (pp. 1–10). ACM.
Chan, D. (1998). Functional relations among constructs in the same content domain at different levels of analysis: a typology of composition models. Journal of Applied Psychology, 83(2), 234.
Conger, J. A., & Kanungo, R. N. (1988). The empowerment process: integrating theory and practice. Academy of Management Review, 13(3), 471–482.
Cram, W. A., D’Arcy, J., & Proudfoot, J. G. (2019). Seeing the forest and the trees: a meta-analysis of the antecedents to information security policy compliance. MIS Quarterly, 43, 2.
Da Veiga, A., & Eloff, J. H. (2010). A framework and assessment instrument for information security culture. Computers & Security, 29(2), 196–207.
DeShon, R. P., Kozlowski, S. W., Schmidt, A. M., Milner, K. R., & Wiechmann, D. (2004). A multiple-goal, multilevel model of feedback effects on the regulation of individual and team performance. Journal of Applied Psychology, 89(6), 1035.
Giordano, A. P., Patient, D., Passos, A. M., & Sguera, F. (2020). Antecedents and consequences of collective psychological ownership: the validation of a conceptual model. Journal of Organizational Behavior, 41(1), 32–49.
Gist, M. E. (1987). Self-efficacy: implications for organizational behavior and human resource management. Academy of Management Review, 12(3), 472–485.
Gist, M. E. (1989). The influence of training method on self-efficacy and idea generation among managers. Personnel Psychology, 42(4), 787–805.
Gist, M. E., Schwoerer, C., & Rosen, B. (1989). Effects of alternative training methods on self-efficacy and performance in computer software training. Journal of applied psychology, 74(6), 884.
Goddard, R. D. (2001). Collective efficacy: a neglected construct in the study of schools and student achievement. Journal of Educational Psychology, 93(3), 467.
Goddard, R. D., & Goddard, Y. L. (2001). A multilevel analysis of the relationship between teacher and collective efficacy in urban schools. Teaching and Teacher Education, 17(7), 807–818.
Goddard, R. D., Hoy, W. K., & Hoy, A. W. (2004). Collective efficacy beliefs: theoretical developments, empirical evidence, and future directions. Educational Researcher, 33(3), 3–13.
Goo, J., Yim, M. S., & Kim, D. J. (2014). A path to successful management of employee security compliance: An empirical study of information security climate. IEEE Transactions on Professional Communication, 57(4), 286–308.
Guzzo, R. A., & Dickson, M. W. (1996). Teams in organizations: recent research on performance and effectiveness. Annual Review of Psychology, 47(1), 307–338.
Herath, T., & Rao, H. R. (2009a). Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2), 154–165.
Herath, T., & Rao, H. R. (2009b). Protection motivation and deterrence: A framework for security policy compliance in organisations. European Journal of Information Systems, 18(2), 106–125.
Hofmann, D. A. (2004). Issues in multilevel research: Theory development, measurement, and analysis. Wiley-Blackwell.
Hsu, J. S. C., Shih, S. P., Hung, Y. W., & Lowry, P. B. (2015). The role of extra-role behaviors and social controls in information security policy effectiveness. Information Systems Research, 26(2), 282–300.
Huber, G. P. (1996). Organizational learning: The contributing processes and literatures. Sage.
InfoTech (2017). Security effectiveness reports, InfoTech Research Group, Available at https://www.infotech.com/benchmarking/it-security/security-effectiveness. Accessed Oct 2020.
James, L. R., Demaree, R. G., & Wolf, G. (1993). rwg: an assessment of within-group interrater agreement. Journal of Applied Psychology, 78(2), 306.
Johnston, A., Di Gangi, P., Howard, J., & Worrell, J. (2019). It takes a village: understanding the collective security efficacy of employee groups. Journal of the Association for Information Systems, 20(3), 186–212.
Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information security behaviors: an empirical study. MIS Quarterly, 34(3), 548–566.
Kanawattanachai, P., & Yoo, Y. (2007). The impact of knowledge coordination on virtual team performance over time. MIS Quarterly, 31(4), 783–808.
Kang, D., & Hovav, A. (2020). Benchmarking methodology for information security policy (BMISP): artifact development and evaluation. Information Systems Frontiers, 22(1), 221–242.
Kankanhalli, A., Teo, H. H., Tan, B. C., & Wei, K. K. (2003). An integrative study of information systems security effectiveness. International Journal of Information Management, 23(2), 139–154.
Kavanagh, D. J., & Bower, G. H. (1985). Mood and self-efficacy: impact of joy and sadness on perceived capabilities. Cognitive Therapy and Research, 9(5), 507–525.
Klein, K. J., Dansereau, F., & Hall, R. J. (1994). Levels issues in theory development, data collection, and analysis. Academy of Management Review, 19(2), 195–229.
Kozlowski, S. W. J., & Bell, B. S. (2003). Work groups and teams in organizations. Wiley-Blackwell.
Kozlowski, S. W. J., & Bell, B. S. (2013). Work groups and teams in organizations: Review update. Wiley.
Kozub, S., & McDonnell, J. (2000). Exploring the relationship between cohesion and collective efficacy in rugby teams. Journal of Sport Behaviour, 23(2), 120–129.
Lee, Y., & Chen, A. N. (2011). Usability design and psychological ownership of a virtual world. Journal of Management Information Systems, 28(3), 269–308.
Lowry, P. B., & Moody, G. D. (2015). Proposing the control-reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies. Information Systems Journal, 25(5), 433–463.
Malhotra, N. K., Kim, S. S., & Patil, A. (2006). Common method variance in IS research: a comparison of alternative approaches and a reanalysis of past research. Management Science, 52(12), 1865–1883.
Morenoff, J. D., Sampson, R. J., & Raudenbush, S. W. (2001). Neighborhood inequality, collective efficacy, and the spatial dynamics of urban violence. Criminology, 39(3), 517–558.
Mulvey, P. W., & Klein, H. J. (1998). The impact of perceived loafing and collective efficacy on group goal processes and group performance. Organizational Behavior and Human Decision Processes, 74(1), 62–87.
Neal, A., & Griffin, M. A. (2006). A study of the lagged relationships among safety climate, safety motivation, safety behavior, and accidents at the individual and group levels. Journal of Applied Psychology, 91(4), 946.
Puhakainen, P., & Siponen, M. (2010). Improving employees’ compliance through information systems security training: an action research study. MIS Quarterly, 34(4), 757–778.
Ranganath, K. A., Spellman, B. A., & Joy-Gaba, J. A. (2010). Cognitive “Category-Based Induction” research and social “Persuasion” research are each about what makes arguments believable a tale of two literatures. Perspectives on Psychological Science, 5(2), 115–122.
Ringle, C. M., Wende, S., & Will, A. (2005). SmartPLS, 2.0 (beta). Available at http://smartpls.com. Accessed 16 Jan 2023.
Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56(1), 70–82.
Salanova, M., Llorens, S., Cifre, E., Martínez, I. M., & Schaufeli, W. B. (2003). Perceived collective efficacy, subjective well-being and task performance among electronic work groups an experimental study. Small Group Research, 34(1), 43–73.
Sampson, R. J., Raudenbush, S. W., & Earls, F. (1997). Neighborhoods and violent crime: a multilevel study of collective efficacy. Science, 277(5328), 918–924.
Sobel, M. E. (1982). Asymptotic confidence intervals for indirect effects in structural equation models. Sociological Methodology, 13, 290–312.
Srivastava, A., Bartol, K. M., & Locke, E. A. (2006). Empowering leadership in management teams: Effects on knowledge sharing, efficacy, and performance. Academy of Management Journal, 49(6), 1239–1251.
Team, C. K. (2015). Information Security – A collective responsibility, Enterprise Bytes, Available at http://www.cmsitservices.com/blog/information-security-a-collective-responsibility/. Accessed Oct 2020.
Tu, Z., Turel, O., Yuan, Y., & Archer, N. (2015). Learning to cope with information security risks regarding mobile device loss or theft: an empirical examination. Information & Management, 52(4), 506–517.
Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating IS security compliance: insights from habit and Protection Motivation Theory. Information & Management, 49(3/4), 190–198.
Volz, D. D., & McCabe, J. C. (2010). ISAAC (Information Security Awareness, Assessment, and Compliance): A success story. Educause Library. Available at: https://events.educause.edu/educauselive/webinars/2010/educause-live-february-24. Accessed Oct 2020.
Vroblefski, M., Chen, A., Shao, B., & Swinarski, M. (2007). Managing user relationships in hierarchies for information system security. Decision Support Systems, 43(2), 408–419.
Walumbwa, F. O., Wang, P., Lawler, J. J., & Shi, K. (2004). The role of collective efficacy in the relations between transformational leadership and work outcomes. Journal of Occupational and Organizational Psychology, 77(4), 515–530.
Wang, J., Gupta, M., & Rao, H. R. (2015). Insider threats in a financial institution: analysis of attack-proneness of information systems applications. MIS Quarterly, 39(1), 91–112.
Warkentin, M., Johnston, A. C., & Shropshire, J. (2011). The influence of the informal social learning environment on information privacy policy compliance efficacy and intention. European Journal of Information Systems, 20(3), 267–284.
Xu, Y., Fiedler, M. L., & Flaming, K. H. (2005). Discovering the impact of community policing: The broken windows thesis, collective efficacy, and citizens’ judgment. Journal of Research in Crime and Delinquency, 42(2), 147–186.
Yazdanmehr, A., & Wang, J. (2016). 'Employees’ information security policy compliance: a norm activation perspective. Decision Support Systems, 92, 36–46.
Yi, M. Y., & Davis, F. D. (2003). Developing and validating an observational learning model of computer software training and skill acquisition. Information Systems Research, 14(2), 146–169.
Yoo, C. W., Goo, J., & Rao, H. R. (2020). Is cybersecurity a team sport? A multilevel examination of workgroup information security effectiveness. MIS Quarterly, 44(2), 907–931.
Yoo, C. W., Sanders, G. L., & Cerveny, R. P. (2018). Exploring the influence of flow and psychological ownership on security education, training and awareness effectiveness and security compliance. Decision Support Systems, 108(1), 107–118.
Zimmerman, B. J. (1989). A social cognitive view of self-regulated academic learning. Journal of Educational Psychology, 81(3), 329.
Zohar, D. (2000). A group-level model of safety climate: testing the effect of group climate on microaccidents in manufacturing jobs. Journal of Applied Psychology, 85(4), 587–596.
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Competing Interest
The authors have no competing interests to declare that are relevant to the content of this article.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Yoo, C.W., Hur, I. & Goo, J. Workgroup Collective Efficacy to Information Security Management: Manifestation of its Antecedents and Empirical Examination. Inf Syst Front 25, 2475–2491 (2023). https://doi.org/10.1007/s10796-022-10367-1
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10796-022-10367-1