Abstract
Dependence on mobile and external networks exposes businesses to information leakage by insiders, increasing the importance of information security. Consequently, companies need to implement security education, training and awareness (SETA) programs to ensure that employees comply with information security policies (ISPs). The influence of supervisor leadership on the effectiveness of such programs has received little empirical attention. This study empirically analyzes the moderating role of leader power bases in the relationship between SETA programs and employees’ ISP compliance intention, using WarpPLS 5.0. The moderating effect differs by type of leader power base; expert, reward, and legitimate power have a positive impact on the relationship. The findings have theoretical and practical implications for the execution of SETA programs and the creation of organizational environments in the context of information security.
Appendix 1: Survey questionnaire
Construct (Cronbach’s alpha) | CR/AVE | Items (loading value)
---|---|---
Referent power (0.914) | 0.940/0.797 | RFP1: My supervisor has a pleasing personality (0.913); RFP3: I admire my supervisor because he/she treats every person fairly (0.926); RFP4: I like the personal qualities of my supervisor (0.811); RFP5: I want to develop a good interpersonal relationship with my supervisor (0.917)
Reward power (0.878) | 0.925/0.805 | RWP4: If I put forth extra effort, my supervisor can take it into consideration to determine my pay raise (0.898); RWP5: My supervisor can get me a bonus for earning a good performance rating (0.921); RWP6: My supervisor can recommend a promotion for me if my performance is consistently above average (0.872)
Expert power (0.931) | 0.948/0.785 | EPP1: I approach my supervisor for advice on work-related problems because she/he is usually right (0.910); EPP2: When a tough job comes up, my supervisor has the technical “know-how” to get it done (0.882); EPP3: My supervisor has specialized training in his/her field (0.907); EPP5: I prefer to do what my supervisor suggests because he/she has high professional expertise (0.838); EPP6: My supervisor has considerable professional expertise to draw from in helping me to do my job (0.891)
Coercive power (0.874) | 0.909/0.667 | CRP1: My supervisor can take disciplinary action against me for insubordination (0.770); CRP2: My supervisor can fire me if my performance is consistently below standards (0.828); CRP3: My supervisor can suspend me if I am habitually late in coming to work (0.832); CRP4: My supervisor can see to it that I get no pay raise if my work is unsatisfactory (0.760); CRP5: My supervisor can fire me if I neglect my duties (0.888)
Legitimate power (0.843) | 0.899/0.616 | LGP1: It is reasonable for my supervisor to decide what he/she wants me to do (0.837); LGP2: My supervisor is justified in expecting cooperation in work-related matters (0.755); LGP4: My supervisor’s position entitles him/her to expect support for his/her policies from me (0.805); LGP5: I should do what my supervisor wants because he/she is my supervisor (0.713); LGP6: My supervisor has the right to expect me to carry out his/her instructions (0.808)
Compliance intention with ISP (0.952) | 0.966/0.876 | CI1: I would like to follow the company’s security policy (0.904); CI2: It is possible that I comply with information systems security policies to protect information systems (0.945); CI3: I am certain that I will follow the organizational security policies (0.946); CI4: It is clear that I will follow the company’s security policy (0.946)
SETA program awareness (0.899) | 0.926/0.714 | SETA1: My company provides training to help employees improve their awareness of information system security issues (0.798); SETA2: My company provides employees with education on computer software copyright laws (0.834); SETA3: In my company, employees are briefed on the consequences of modifying computerized data in an unauthorized way (0.828); SETA4: My company educates employees on their information system security responsibilities (0.877); SETA5: In my company, employees are briefed on the consequences of accessing information systems that they are not authorized to use (0.885)
ISP awareness (0.857) | 0.898/0.638 | ISP1: My company has specific guidelines that describe the acceptable use of e-mail (0.695); ISP2: My company has established rules of behavior for use of computer resources (0.819); ISP3: My company has a formal policy that forbids employees from accessing information systems that they are not authorized to use (0.819); ISP4: My company has specific guidelines that describe the acceptable use of information system passwords (0.829); ISP5: My company has specific guidelines that govern what employees are allowed to do with their information systems (0.823)
Cite this article
Kim, H.L., Choi, H.S. & Han, J. Leader power and employees’ information security policy compliance. Secur J 32, 391–409 (2019). https://doi.org/10.1057/s41284-019-00168-8