how middle managers influence information security

AN EXPLORATORY QUALITATIVE STUDY: HOW MIDDLE MANAGERS INFLUENCE INFORMATION SECURITY POLICY COMPLIANCE BEHAVIORS IN THE U.S. FINANCIAL INDUSTRY by Wendy A. Emanuelson

SHARON GAGNON, PhD, Faculty Mentor and Chair GLENN BOTTOMLY, PhD, Committee Member KATHLEEN HARGISS, PhD, Committee Member

Rhonda Capron, EdD, Dean, School of Business and Technology

A Dissertation Presented in Partial Fulfillment Of the Requirements for the Degree Doctor of Philosophy

Capella University April 2018

© Wendy Emanuelson, 2018

Abstract

The purpose of this study was to gain an understanding of how middle managers influence information security policy compliance (ISPC) behaviors in the U.S. financial industry. The study was designed as an exploratory qualitative inquiry utilizing semi-structured interviews to obtain lived experiences, observations, and perceptions of how middle managers influence ISPC behaviors. The targeted population was the professionals working in the U.S. financial industry for at least 10 years, using technology for critical business processes, and tasked with following the policies and processes developed to meet regulatory requirements and protect data. The sample included participants from three hierarchical levels: executive, middle management, and nonmanagement, with five in each group. The 15 participants were in eight different states and represented 11 organizations within the U.S. financial sector. Data collected from the interviews were analyzed utilizing manual and software-aided thematic coding. Software-assisted analysis was also used to compare the responses from the different hierarchical levels. The results of the analysis confirmed the core assumption that middle managers influence ISPC; however, their activities are not clearly defined. The executive and nonmanager participants perceived the middle manager to be doing more than what the middle manager felt they were responsible for. Middle managers indicated they needed monitoring tools so they could do more than police compliance behaviors. Another finding indicated that middle managers struggle with production requirements versus protection requirements. Lastly, all levels felt that specialized training would benefit the middle manager and perhaps improve their influence on ISPC behaviors.

Dedication

This dissertation is dedicated to my family. They have struggled alongside me through the entire doctoral program with support and love, never complaining when my studies kept me from attending functions that a mother should be attending. Dedicated to my husband, who has been by my side cheering me on and pulling up the slack and complications in life to ease the pressures on me. My daughter, who never complained but always left me little notes on the whiteboard in my office; this always gave me a smile and a feeling that she was also cheering me forward. Dedicated to my son, whom we lost to a tragic accident during the writing of this dissertation; his support and reassurance were a blessing. Finally, to my father, who also left us during this doctoral journey. I know, even though he wasn’t aware of the extent of the effort put forth for this journey, he was proud nonetheless.


Acknowledgments

First and foremost, I would like to thank my mentor, Dr. Sharon Gagnon. Her guidance, patience, and knowledge in both doctoral writing and the subject matter of this dissertation have been valuable and refreshing. I would also like to thank my committee for their support and encouragement, as well as my many advisors throughout this journey. I would also like to acknowledge the faculty chair of the doctoral program in information technology, Dr. Tsun Chow. His challenging feedback provided an opportunity for improvement and clarity that would possibly have been missed otherwise. And finally, to the Dean of Technology, Dr. Bill Dafnis: his frankness and encouragement gave me the momentum to finish.


Table of Contents

Acknowledgments ..... iv
List of Tables ..... x
List of Figures ..... xii
CHAPTER 1. INTRODUCTION ..... 1
    Background of the Study ..... 2
    Rationale ..... 3
    Purpose of the Study ..... 7
    The Significance of the Study ..... 7
    Research Question ..... 8
    Definition of Terms ..... 9
    Research Design ..... 10
    Assumptions and Limitations ..... 12
    Organization of the Remainder of the Study ..... 13
CHAPTER 2. LITERATURE REVIEW ..... 14
    Methods of Searching ..... 14
    Theoretical Orientation for the Study ..... 15
    Review of the Literature ..... 16
        Middle Manager’s Organizational Role ..... 17
        The U.S. Financial Industry’s Regulatory Landscape ..... 18
        ISPC Influences in Extant Research ..... 20
            Organizational culture ..... 21
            Security awareness influence ..... 24
            Leadership influence ..... 26
        Theories Commonly Applied to ISPC ..... 28
            Protection motivation theory ..... 29
            Psychological contract theory ..... 31
            Theory of planned behavior ..... 33
            General deterrence theory ..... 35
    Synthesis of the Research Findings ..... 37
    Critique of Previous Research Methods ..... 38
    Summary ..... 39
CHAPTER 3. METHODOLOGY ..... 40
    Purpose of the Study ..... 40
    Research Question ..... 41
    Research Design ..... 42
    Target Population and Sample ..... 43
        Population ..... 43
        Sample ..... 44
    Procedures ..... 45
        Participant Selection ..... 46
        Protection of Participants ..... 47
    Data Collection ..... 49
    Data Analysis ..... 50
    Instruments ..... 53
        The Role of the Researcher ..... 53
        Guiding Interview Questions ..... 54
    Ethical Considerations ..... 54
    Summary ..... 55
CHAPTER 4. PRESENTATION OF THE DATA ..... 57
    Introduction: The Study and the Researcher ..... 57
    Description of the Sample ..... 59
        Participant Demographics ..... 59
        Method of Contact ..... 61
    Research Methodology Applied to the Data Analysis ..... 61
        Manual Analysis ..... 62
        Software Assisted Analysis ..... 63
    Presentation of Data and Results of the Analysis ..... 65
        Perceptions ..... 65
            The perceived responsibility of MM to influence ISPC behaviors ..... 67
            Perceived importance to improve MM influence on ISPC behaviors ..... 73
            Perceived barriers to MM influence on ISPC behaviors ..... 79
        Empirical Data ..... 85
            Executive leaders ..... 85
            Middle managers ..... 88
            Non-managers ..... 91
        Recommendations ..... 91
            Executive leaders ..... 92
            Middle managers ..... 94
            Non-managers ..... 97
    Summary ..... 101
CHAPTER 5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS ..... 103
    Summary of the Results ..... 103
    Discussion of the Results ..... 104
        Empirical Data ..... 105
        Perceptions ..... 107
        Recommendations ..... 110
    Conclusions Based on the Results ..... 111
        Comparison with Theoretical Framework and Previous Literature ..... 111
            Applicable theory alignment ..... 112
            Alignment with variables in existing literature ..... 114
        Interpretation of the Findings ..... 116
    Limitations ..... 118
    Implications for Practice ..... 119
        Tools to aid MM ..... 120
        Improving Communications of the MM ..... 120
        Training ..... 121
    Recommendations for Further Research ..... 122
        Recommendations Developed Directly from the Data ..... 122
        Recommendations Developed From Issues Identified ..... 123
    Conclusion ..... 124
STATEMENT OF ORIGINAL WORK ..... 139
APPENDIX A. INTERVIEW QUESTIONS ..... 141
APPENDIX B. TOP 5 WORD FREQUENCY ..... 143
APPENDIX C. REPRESENTATIVE QUOTATIONS – EMPIRICAL DATA ..... 144

List of Tables

Table 1. Interview Procedure ..... 49
Table 2. Data Analysis – Keywords ..... 51
Table 3. Study Participants ..... 60
Table 4. Participant Demographics ..... 60
Table 5. NVivo Queries Based on Participant Organizational Level ..... 64
Table 6. Perceptions – Top 5 Words Used ..... 67
Table 7. Representative Quotes – EL Perceived MM Responsibility ..... 68
Table 8. Representative Quotes – MM Perceived MM Responsibility ..... 69
Table 9. Representative Quotes – NM Perceived MM Responsibility ..... 72
Table 10. Representative Quotations – EL Perceived Importance to Improve MM Influence ..... 75
Table 11. Representative Quotations – MM Perceived Importance to Improve MM Influence ..... 77
Table 12. Representative Quotations – NM Perceived Importance to Improve MM Influence ..... 78
Table 13. Representative Quotations – EL Perceived Barriers to MM Influence ..... 80
Table 14. Representative Quotations – MM Perceived Barriers to MM Influence ..... 82
Table 15. Representative Quotations – NM Perceived Barriers to MM Influence ..... 84
Table 16. Empirical Data – Top 5 Words Used ..... 85
Table 17. Recommendations – Top 5 Words Used ..... 92
Table 18. Representative Quotations – EL Recommendations for Improving MM Influence ..... 93
Table 19. Representative Quotations – MM Recommendations for Improving MM Influence ..... 96
Table 20. Representative Quotations – NM Recommendations for Improving MM Influence ..... 98
Table 21. The ABC(s) of MM Influence on ISPC Behaviors ..... 106

List of Figures

Figure 1. Study Focus – Grey Area ..... 4
Figure 2. Percentage of Usable Data Provided by Participant Group ..... 118

CHAPTER 1. INTRODUCTION

The U.S. financial industry is complex, highly dependent upon technology, and stringently regulated (Mohammed, 2015). Financial organizations design and implement secure networks while developing security policies and procedures to protect against a wide array of risks to the confidentiality, availability, and integrity of data. The security measures developed not only protect business operations and customers, but also help to prevent adverse events from impacting the economy (Barton, Shenkir, & Walker, 2009). Employees of an organization are tasked with complying with the information security policies and procedures developed to minimize risk. Researchers have indicated that the responsibility for information security belongs to every employee in the organization (Alhogail & Mizra, 2014; Kim, 2017). Extant literature and recent security reports have indicated that employees are often also responsible for security breaches (Goel, Hart, Junglas, & Ives, 2016; Humaidi & Baker, 2015; IBM, 2015). Therefore, the information security policy compliance (ISPC) behaviors of employees are critical to the security of an organization within any industry, including those within the U.S. financial sector. Bulgurcu, Cavusoglu, and Benbasat (2010) indicated that managing ISPC is challenging and vital to managing risk in an organization.

Chapter 1 will begin with a brief background of the study, followed by the rationale and purpose of the study. The remainder of the chapter covers the significance of the study, the research question, a definition of terms, and the research design. An overview of the study’s assumptions and limitations follows, and the chapter concludes with a brief overview of how the remaining chapters of the study are organized.

Background of the Study

In Silic and Back’s (2014) literature review, they illustrated that more than fifty percent of the research related to information security between 1993 and 2012 concerned business continuity, security governance, and security incident management. Within current literature, many standards, guidelines, frameworks, and best practices were found. Extant literature provides guidance for meeting regulatory requirements, managing risk, and developing policies and processes to maintain compliance (Aronson, 2013; Fakhri, Fahimah, & Ibrahim, 2015). Guidance is readily available on developing strong policies and procedures for compliance with the regulatory landscape of the financial industry. However, ensuring that employees follow those policies and procedures remains complex and not fully explored (Cannoy & Salam, 2010).

Influencing the employee’s intentions to comply with information security policies has been a topic of recent studies. Existing studies show that top management, organizational culture, and security awareness initiatives play a major role in influencing ISPC behaviors (Bauer, Bernroider, & Chudzikowski, 2017; Hu, Dinev, Hart, & Cooke, 2012; Puhakainen & Siponen, 2010). Extant literature on ISPC also includes the application of psychological theories such as protection motivation theory, identified by Rogers (1975), and psychological contract theory, defined by Raman (2009) and more recently applied by Haggard and Turban (2012). Recent research explores methods that impact the employee’s beliefs and incorporates theories such as deterrence theory and the theory of planned behavior (D’Arcy, Herath, & Shoss, 2014; Johnston, Warkentin, & Siponen, 2015; Siponen & Vance, 2010).

The human’s intent, attitude, and perception, as well as the ways in which attitudes and perceptions are developed, are predominant within existing literature (Crossler, Long, Loraas, & Trinkle, 2014; Rogers, 1975). Values, morals, social norms, assumptions, and beliefs are some of the dependent variables found to relate to forming the intent to comply, attitude toward compliance, and perception of ISPC (Alhogail & Mizra, 2014; Christian & Ellis, 2014). Influencing ISPC behavior is a growing area of research that has researchers drawing from psychological theories, educational methodologies, organizational culture variables, and leadership impact on ISPC (Sommestad, Hallberg, Lundholm, & Bengtsson, 2014, p. 60). This study aligns with that body of research while seeking to explore the middle manager’s influence on ISPC within the U.S. financial industry.

Rationale

The research literature on influencing ISPC behaviors, illustrated in Figure 1, reflects existing findings that executive leadership and organizational culture play a role in influencing employee compliance (Guo, Yuan, Archer, & Connelly, 2011; Hu et al., 2012; Ifinedo, 2014). Existing literature showed that an individual’s beliefs influence the employee’s intention to comply, and that these views can be influenced by training and awareness methods, as well as by deploying methods outlined within psychologically derived theories (Bulgurcu et al., 2010; Kim, Yang, & Park, 2014; Sommestad et al., 2014). Researchers reported that middle managers (MM) play a role in influencing employee acceptance of strategic initiatives (Parera & Fernández-Vallejo, 2013; Raman, 2009). However, the lack of research on the MM influence on ISPC behaviors prompted this exploratory study. This study seeks to explore how MMs influence ISPC behaviors within the U.S. financial industry.

Figure 1. Study Focus – Grey Area. Graphical representation of the existing literature related to influencing ISPC behaviors, created for this study. It highlights topics widely covered in existing literature related to organizational factors and theories linked to impacting the intentions, attitudes, and perceptions known to influence ISPC behavior. The grey areas represent the study focus of middle manager influence on ISPC in the U.S. financial industry.

The rationale behind limiting the study to the U.S. financial industry was based upon recent studies highlighting the strong pressures put upon this industry related to privacy laws, financial regulations, and the potential for impact on the economy (Barton et al., 2009; Barton, Tejay, Lane, & Terrell, 2016; Culhane, 2014). MM influence on ISPC was found to be missing from extant literature even though the MM is a common role across many industries. Existing studies have indicated that the MM is a catalyst for change as well as a mediator between the upper and lower ranks within an organization (Agostino, Arena, & Arnaboldi, 2013). Studies also indicate the commonality of the MM role across both public and private sector organizations (Agostino et al., 2013; Barton & Ambrosini, 2013; Doos, Johansson, & Wilhelmson, 2015).

This research, designed to explore the ISPC influence of MMs working in the U.S. financial industry, addresses not only a gap discovered in existing literature but also one of great interest to the researcher. Culhane (2014) explained that the regulatory environment of the U.S. financial industry has added to the risk faced by financial industry organizations. The risk of noncompliance with the requirements of the growing regulatory environment, coupled with the already rising threat to financial data from malicious actors, makes the U.S. financial industry a prime focus of this study.

Determining who within the U.S. financial industry could provide valuable insight into how MMs influence ISPC behaviors was the next consideration for this study. Chaudhry, Chaudhry, and Reese (2012) explored the correlation between security and the information systems that enterprise organizations use for business processes. This correlation is important because in today’s financial industry information systems are integrated into all areas of the business, generating large amounts of data that must be protected (Bennett, 2013; Cook, 2015). Section 404 of the Sarbanes-Oxley Act of 2002 (SOX), for example, introduced the need for controls on the data used for financial reporting (Cook, Probert, & Martin, 2009). SOX isn’t the only regulation to impact financial industries; however, it was one that studies have shown to impact the way in which humans interact with information systems and data, due to the requirement for more stringent controls on data and processing (Chanda & Zaorski, 2013). The regulatory environment created a need for governance and controls, and the impact was felt by all areas of financial industry organizations, from the board of directors to the entry-level employee (Conyon, Judge, & Useem, 2011).

Given the threat and regulatory landscape of the financial industry and its dependency on information systems, it was necessary to find subject matter experts in the U.S. financial industry who could provide the information needed to explore how MMs are influencing ISPC. This led to the decision to reach into several hierarchical levels in an organization and to ensure that the participants had at least ten years of experience in the financial industry. That amount of experience would improve the chances that they would have some knowledge of the impacts of the financial crises of the past. Anyone working with information systems within a financial industry organization would logically be a good candidate. However, it has been reported that entry-level positions such as bank tellers, loan officers, and data entry clerks have a very high turnover rate and are unlikely to meet the 10-year requirement (Oh, Park, & Rutherford, 2014). It was important to find U.S. financial industry employees who could provide valuable input on their experiences, observations, and perceptions of MMs’ influence on ISPC. It was also important that the participants were those utilizing the information systems of the organization, to ensure they had adequate exposure to the policies and procedures developed to meet regulatory requirements and minimize risk. Information technology (IT) professionals were chosen and defined as any employee who is skilled in an area of information systems and has proficiencies with technology, applications, or processes critical to the organization they work for (Ryan & Harden, 2014). The IT professionals, as defined for this study, should not be confused with information systems professionals, the technology specialists who manage, configure, and are the skilled administrators of the systems, networks, and devices. IT professionals with at least 10 years’ experience, drawn from various levels within a U.S. financial industry organization, became the target population for this exploration into the MM’s influence on ISPC.

Purpose of the Study The goal of this exploratory qualitative study was to develop an understanding of the influence MMs have on the ISPC behaviors within the U.S. financial industry. In this study, ISPC behaviors were defined as the employee’ intent, ability, and actions associated with complying with the information security policies, processes, and procedures that have been developed to protect an organization’s information and assets. This study was designed to add to the body of research on ISPC. It was specifically designed to present data gathered from firsthand accounts employees working in the U.S. financial industry on the topic of MM influence on ISPC. The IT professionals who are tasked with following information security policies can provide first-hand experiences of MMs influence. The analysis of the data, the results, and findings are to be compared and contrasted with existing literature to help create an opportunity for future development of a theory. This study and existing research could be used to develop a framework approach to improving compliant behaviors within one of the top targeted industries in the U.S. identified by IBM (2015). The Significance of the Study The U.S. financial industry has been among the top five industries targeted by cybercriminals repeatedly from 2013 to 2016 (IBM, 2013; IBM, 2014; IBM, 2015; IBM, 2016). The fact that the U.S. financial industry is consistently targeted and that researchers have indicated that employees represent the greatest risk to security, makes exploring ISPC in the U.S financial industry germane (Bulgurcu et al., 2010; Chen, Ramamurthy, & Wen, 2012; Guo et al., 2011; Myyry, Siponen, Pahnila, Vartiainen, & Vance, 2009). Sommestad et al. (2014) acknowledged ISPC influencing variables that had been identified in the previous literature, to 7

realize the importance of the ISPC influencing variables. Attitudes towards compliance, intentions to comply or not, as well as types of misuse, were prevalent in the findings of the Sommestad et al. (2014) study. Financial industry organizations develop technologically secured networks and write policies and procedures to be applied to business processes. The policies and procedures are developed to protect against a wide array of risks related to availability, integrity, and confidentiality of data related to business operations, customers, and intellectual property. Just as many other industries do, financial industry organizations depend on employees to comply with policies and procedures written and implemented to minimize risk to the business and maintain regulatory requirements. Researching every variable that influences ISPC is necessary to provide a solution to mitigate the risks the human assets present. This study was designed to explore middle managers influence on information security policy compliance due to the negative impact noncompliance can have on a financial industry organization (Chanda & Zaorski, 2013). This exploratory qualitative inquiry’s goal was to identify how MMs influence ISPC expanding on existing literature on how to mitigate the risks introduced by the human asset (Safa, Von Solms, & Furnell, 2016). Research Question The goal of exploring the how MMs influence ISPC is to gain an understanding of the functions the MM performs to influencing ISPC behaviors. It is known that MMs influence subordinates to accept and participate in strategic initiatives (Parera et al., 2013; Raman, 2009). It is also known that MMs influence and interact with top leadership during formation of those strategic initiatives (Raes, Heijltjes, Glunk, & Row, 2011). If the MM could also be influencing ISPC the purpose of this study was to enhance the understanding of the role an MM plays in 8

influencing ISPC behaviors. An exploratory qualitative study was conducted to answer the research question. Semi-structured interviews have been carried out to collect data from the study participants. The interview questions were designed to gather descriptions of the participants lived experiences and perceptions regarding middle management’s influence on ISPC behaviors. The research question for this study was as follows. RQ: How do middle managers in the U.S. financial industry influence ISPC behaviors? Definition of Terms Information security policy: Rules and procedural guidelines for handling of information and resources, typically documented and developed to identify responsibilities of the employee as well as consequences of violation while providing a method of governance (Sommestad, Karlzén, & Hallberg, 2015). Information security policy compliance (ISPC) behaviors: Lee, Lee, and Kim (2016) defined ISPC behaviors as the activities performed during the act of conformity with the information security guidelines included in the policies developed to protect the organization’s information and assets. Financial industry or sector: Multiple financial related industries make up the financial sector. This study was limited to the financial sector industries that are subject to financial sector regulatory requirements. These consist of banking, real estate, insurance, and financial services such as brokerages, consumer finance companies, investment services, credit services, and payroll or benefits service providers (Bateh, Thornton, Arbogast, & Farah, 2015). Information technology (IT) professional: The IT professional is an employee who is skilled in an area of information systems and has proficiencies with technology, applications, and 9

processes critical to the organization they work for (Ryan & Harden, 2014). In this study, the IT professionals selected were within the executive leadership, middle managerial, and nonmanagement roles working within the U.S. financial sector (Tirgari, 2012).

Human assets: Human assets of the organization are simply the employees of the organization. Employees are the users of the information and systems or even the owners of the information or systems (Safa, von Solms, & Futcher, 2016). For this study, the human assets were those employees who fit the definition of an IT professional.

Executive leadership role: For this study, the executive leadership role was recognized as those IT professionals holding a senior leadership role, such as chief-level executives, working within a financial sector organization and having MM direct reports.

Middle management role: For this study, the middle management role was recognized as those IT professional middle managers who reported to IT executive leadership, worked within a financial industry organization, and had nonmanagement IT professional direct reports (Raes, Heijltjes, Glunk, & Row, 2011; Wooldridge, Schmid, & Floyd, 2008).

Non-management role: This role included any IT professional working within a financial industry organization who held no management role within the organization. For this study, team leads and supervisors were classified as non-management.

Research Design

ISPC is a real concern in organizations, and the financial industry is a top target for data breaches, theft, and attack (Chen et al., 2012; IBM, 2015). Researchers have identified variables that influence compliance behaviors, many of which were grounded in theory. This study was designed to explore practice, specifically MM influence on ISPC behaviors, through the firsthand

accounts of IT professionals working in the U.S. financial industry. The study of this group was important because of the high number of attacks in the financial sector, which are often a direct result of employee actions (IBM, 2014). Ponelis and Britz (2012) pointed out that IT professionals have more interaction with data and information systems resources and can have elevated privileges greater than those of normal employees and, therefore, present a greater risk. Whether through carelessness, good intentions, or malicious intent, insiders present the greatest threat (Chen, Ramamurthy, & Wen, 2015).

An exploratory qualitative inquiry was well suited to this study. The exploratory approach of gathering the participants’ interpretations of their experiences, the constructs, and the meanings they have developed from these experiences is at the root of qualitative inquiry (Merriam & Tisdell, 2015). Social constructionism suggests that theories and concepts underlie the interpretations and meaning given to experiences, but also suggests that the meanings and interpretations do not necessarily reflect reality (Walker, 2015). The interview questions were designed to gather those interpretations and meanings, as well as the perceptions of the participants. The design did not include the development of theory but did include comparison, during data analysis, with existing theories and variables found to apply to influencing ISPC behaviors.

The data for this study were collected through semi-structured interviews using a predefined set of questions and additional probing questions as needed (Salmons, 2010). The researcher provided the participants an opportunity to answer each question as it related to them. The participants were asked to elaborate and describe their perceptions, assumptions, and recommendations as they related to the research question. The primary data collection occurred

during interviews with the participants. The analysis of that data included coding and analysis designed to search for commonalities and themes that emerged, while utilizing existing theoretical studies to validate interpretations when themes began to appear (Stebbins, 2008).

Assumptions and Limitations

This study was designed to answer the research question of how MMs working in the U.S. financial industry influence the ISPC behaviors of their direct-reporting IT professionals. The core assumption made in this study was that an MM has an influence on ISPC behaviors. This is a logical assumption explicitly based on existing literature indicating that a mid-level manager, not limited to just an MM, has an impact and active role in strategic initiative achievement, organizational change, and communication between top management and the rest of the organization (Parera et al., 2013; Raman, 2009; Wooldridge et al., 2008). Assumptions associated with the IT professionals, including MMs, in the U.S. financial industry guided the research methodology and design and were directly related to the constructivist stance. An assumption was made that the IT professional participants could provide data related to the MM’s influence by describing their experiences, observations, and perceptions. It was also assumed that the participants would be truthful in their responses. Finally, it was assumed that the interviewed subjects’ interpretations of the phenomenon would not be influenced or distorted by the researcher’s interpretations.

The problem of ensuring that employees adhere to the information security policies of an organization is a complex issue. Multiple studies exist that explored methods and variables found to be useful for improving ISPC; one such study identified reward and punishment (Chen et al., 2012). Other studies described incorporating psychological theories into the methods

when developing a security culture (Alfawaz, Nelson, & Mohannak, 2010) and security training to improve awareness (Olusegun & Ithnin, 2013). This study, much like the ones listed previously, was limited to a piece of the overall complex problem of influencing ISPC-compliant behavior. This study was restricted to industries within the financial sector, creating boundaries to the study and limitations of the population sample. The constraints identified were planned and therefore not detrimental to the goal and success of the inquiry. The goal was to provide a better understanding of the MM’s influence, which was found to be a gap among the many pieces of this complex problem. Reduction of the population to only IT professionals working in the U.S. financial industry was necessary to narrow the topic and make the study feasible. This limitation, however, was mitigated by the development of a design that could be replicated in other industry sectors for future research.

Organization of the Remainder of the Study

In Chapter 1, the background, need, significance, and purpose of this research were described. The key terms as they related to this study and a brief description of the research design, assumptions, and limitations were also explained. Chapter 2 includes a review of the literature related to influencing ISPC. Descriptions of the methods used to search for the pertinent literature and brief critiques of the research methods are also provided. Chapter 3 is a more detailed account of the research methodology, including the purpose, the research question, the design, the population and sample, the procedures, and finally the ethical considerations. Chapter 4 presents the data and analysis, along with the results of the research. Finally, Chapter 5 provides a summary and discussion of the results, the conclusions, the limitations, the implications, and the recommendations for future studies.

CHAPTER 2. LITERATURE REVIEW

In this literature review, existing literature on the topic of influencing information security policy compliance was explored, synthesized, and examined, including a description of the search methods and a review of the theoretical orientation of the study. A synopsis of the existing literature on ISPC influencing variables, ISPC influencing theories, the U.S. financial industry regulatory landscape, and the MM’s role follows. The remaining sections include a synthesis of the research findings and a critique of the research methods found in the extant literature, and a summary of the literature review concludes Chapter 2.

Methods of Searching

This study was focused on understanding what influence an MM has on ISPC behaviors in real-world practice through exploring the experiences, observations, and perceptions of IT professionals working in the U.S. financial industry. With this topic in mind, the researcher chose to explore multiple databases that were focused on business, financial, and technology topics. The databases most utilized during the search for existing literature included ABI/INFORM Global, Business Expert Press, Business Source Complete, Homeland Security Digital Library, SAGE Journals Online, and Science Direct. The focused business databases allowed the researcher to explore both current and seminal works regarding influencing ISPC. The keywords utilized when searching for existing literature on influencing ISPC behaviors included information security AND policy compliance, as well as influencing compliance or compliance behaviors individually. Combining the previously mentioned keywords with words such as management, MM, leadership, organizational culture, security culture, or financial industry utilizing the AND operator allowed further

narrowing of the search results. The searches were limited to peer-reviewed and scholarly journals. Multiple searches were performed utilizing Google Scholar, Skillsoft, and the Summon search engine, utilizing the same keywords and combinations. This type of additional search assisted the researcher in identifying any literature that may have otherwise been missed utilizing the databases previously searched. Finally, the researcher utilized searches on the SAGE Knowledge and SAGE Research Methods databases to develop this study’s research design. The SAGE database searches also allowed the researcher to gain an understanding of less familiar research methodologies, designs, and related terms discovered in the existing literature under review.

Theoretical Orientation for the Study

This study’s primary orientation was that of social constructivism (Logan, 2015). Exploring the participants’ experiences, interpretations, and perceptions of the influence that MMs have on ISPC was the basis of this qualitative inquiry. This study was a social investigation, best described by Goodyear, Barela, and Jewiss (2014) as a cooperative effort between the researcher and the participant, built upon a foundation of communication concepts such as listening, interpretation, and understanding. These concepts were vital to obtaining answers to the research question and were best carried out through semi-structured interviews. The semi-structured interviews allowed for some conversational flexibility. This flexibility allowed the researcher to build a relationship with the participant, validate understanding, and ask for elaborations on the participant’s answers.


Regarding the theoretical orientation of this study, it was important to understand that this qualitative inquiry was of a multicultural orientation (Yin, 2010). Yin described multicultural orientation as the possibility of “multiple interpretations of similar events” (2010, p. 13). In this study, the multicultural orientation was created purposely to triangulate the views of the influence of MMs on ISPC. By choosing equal numbers of participants from different organizational roles, the researcher was able to quickly recognize the similarities and differences in experiences and perceptions based upon this hierarchical division and possible context differences.

Review of the Literature

Information security, information systems security, information technology security, and information assurance and security have each been used in research, and each describes two categories for consideration: the technological and the human aspects (Chaudhry, Chaudhry, & Reese, 2012). The technological aspect includes a wide variety of methods for securing the technology that allows for the secure storage, transport, and use of information or data. For this review, the technological aspect was out of scope, and the focus was upon the human side, where behavior becomes a point of interest and theory can help improve understanding (Chaudhry et al., 2012; Corley & Gioia, 2011). The human aspect of information security and compliance has been a topic of interest in recent literature. Multiple psychological theories have been part of extant research on ISPC. The theory of protection motivation, the theory of planned behavior, psychological contract theory, compliance theory, and deterrence theory were frequently identified in the existing literature on ISPC (Ajzen, 2012; Crossler et al., 2014; D'Arcy & Herath, 2011; Etzioni, 2013).


Ransbotham and Mitra (2009), as well as Puhakainen and Siponen (2010), claimed that information security is a management issue. Hu et al. (2012) later studied the participation and influence of executive leadership on ISPC and validated the critical role played by top management. Besides executive management, studies have identified organizational culture and security awareness as having an influence on ISPC (Alfawaz et al., 2010; Chen et al., 2015; D'Arcy & Green, 2014; Humaidi & Balakrishnan, 2015; Olusegun & Ithnin, 2013). The review of literature that follows begins with a review of the MM’s organizational role, followed by a review of the U.S. financial industry’s regulatory landscape. The literature review continues with a review of existing literature highlighting the variables found to influence ISPC and concludes with a review of the theories commonly applied to ISPC.

Middle Manager’s Organizational Role

The organizational function of the MM has been described as a buffer, a link, a promoter, a funnel, a gossip, a storyteller, and last but not least, a resistor (Barton & Ambrosini, 2013; Harding, Lee, & Ford, 2014; Parera & Fernández-Vallejo, 2013). It is helpful to understand that the MM is also an employee. Harding et al. (2014) described the MM function as a dual role, which includes (1) the role of a manager and change agent and (2) the role of one who is managed and can obstruct change. Existing researchers have sought to understand the way in which MMs influence the acceptance of or the resistance to change (Barton & Ambrosini, 2013; Parera & Fernández-Vallejo, 2013). Current literature also indicates that MMs are key influencers and are linked to the success of strategic initiatives (Jansen, Davis, & Venter, 2014; Parera & Fernández-Vallejo, 2013).


One study, on learning-oriented leadership, showed that the MM influences the way in which work is done (Döös, Johansson, & Wilhelmson, 2015). Haggard and Turban (2012) explored the mentor role and identified that a supervisor with direct reports could assume a mentoring role. The MM has direct reports and therefore similar mentoring opportunities; considering the dual role defined by Harding et al. (2014), the MM would similarly have mentee opportunities. Barton and Ambrosini (2013) chose to examine commitment to strategic change initiatives and the impact of cynicism. The study resulted in confirmation of previously researched elements shown to have an impact on strategy acceptance, such as leadership support and the MM’s engagement in strategy development (Barton & Ambrosini, 2013; Raman, 2009). Parera and Fernández-Vallejo’s (2013) review of the MM role in an organization reiterated that the MM was indeed a change agent and, because of that role, should have specialized training (p. 363).

An IT middle manager thus has a vital and influential role in an organization (Harding et al., 2014; Parera & Fernández-Vallejo, 2013; Raes et al., 2011; Raman, 2009). ISPC is also vital to an organization, yet little research exists identifying the MM as an influencer of ISPC. The ISPC body of knowledge covers a broad range of topics, as demonstrated in this literature review. There appears, however, to be a shared agenda. A synthesis of the literature examined in this study on MM influence has assisted in the identification of the commonalities.

The U.S. Financial Industry’s Regulatory Landscape

The regulatory landscape of the U.S. financial industry is complex and focused on enforcing ethical business practices, economic stability, and protecting the consumer (Mohammed, 2015). Combine this regulatory environment with the risks associated with being a top

target for cyber-attacks (IBM, 2013, 2014, 2015, 2016), and the significance of compliance becomes critical. Regulatory controls and industry standards have changed the way organizations in the U.S. financial industry operate (Kaal, 2016). A 2013 study by Young indicated that the interaction between the financial industry and the regulatory groups changed after the 2007-2009 financial crisis. Young (2010) indicated that communications with regulatory groups were strained and that the financial industry, which was once held in high regard, was no longer trusted. The post-crisis regulatory changes have made a huge impact on the way financial industry organizations do business (Aronson, 2013; Lempka & Stallard, 2015; Young, 2013). For example, the anti-money laundering regulation (2007), the USA Patriot Act (2001), the Sarbanes-Oxley Act (2001), the Gramm-Leach-Bliley Act (1999), and standards such as the Payment Card Industry Data Security Standard (PCI-DSS) changed the way in which financial institutions conducted business through the introduction of stringent policies and controls for financial transactions (Filbeck, Gorman, & Zhao, 2011; Kulkarni, 2009; Lempka & Stallard, 2015).

Financial industry organizational structures are hierarchical in nature, as those of many industries are. This makes many of the already existing ISPC studies appear appropriately transferable at a very basic level. For instance, the study by Barton et al. (2016) was designed to explore the impact of senior leadership’s commitment to security and was not limited to a single industry. The financial industry isn’t limited to the traditional brick-and-mortar banking business. Electronic markets such as online stock market trading, payroll processing, retail processing, online bill pay, and mobile banking are evolving the financial industry (Alt & Puschman, 2012). The increase in reach, the overlap in industry, and the electronic connections

make nearly anyone who uses these services in some way or another part of the threat landscape. It is this electronically connected characteristic, added to the already known impact that financial industry crises have had on the U.S. economy, that makes the financial industry more attractive to cybercriminals (Mohammed, 2015). As pointed out by Chen et al. (2012), security policies, procedures, and standard operating procedures are developed to create an organization-wide security program and ensure controls are in place to meet regulatory requirements. Understanding how to make sure the organization adapts to the security program and how to improve compliance needs further research.

The extant literature on influencing ISPC is often limited to specific variables such as morals and values (Myyry et al., 2009); attitudes, perceptions, and intent to comply (Sommestad et al., 2014); and accountability (Vance et al., 2013). The volume of studies on ISPC specifically limited to the financial industry alone is growing; however, more studies are broadly focused. For example, Bulgurcu et al.’s (2010) study only indicated that their quantitative study was focused on “employee who use the IT resources of their organizations” and “are employed by a diverse set of organizations” (p. 535), with no indication of a specific target industry. The limitation to specific variables, or the broadness of the target industry for the population, combined with the previously identified threat landscape and regulatory environment, made the financial industry the grey area to be explored, as indicated in Figure 1 displayed in Chapter 1.

ISPC Influences in Extant Research

Sommestad et al.’s (2014) analysis of 29 quantitative studies identified variables that have an impact on ISPC and reported quantitatively on the importance of those variables. The

study by Alhogail and Mirza (2014) showed alignment with the findings of Sommestad et al. (2014), which identified attitude, perceptions, intentions, and behaviors as predictors of compliance. D’Arcy and Green (2014) added that influencers such as job satisfaction and various organizational initiatives could have an encouraging influence on all four predictors of compliance. The culture of an organization has also been identified as a key influence on ISPC by multiple studies (Alfawaz et al., 2010; Alhogail & Mirza, 2014; Interligi, 2010).

Organizational culture influence is a topic of interest when reviewing the literature on influencing ISPC behaviors. Organizational culture, leadership, and security awareness have been found to be interrelated (Interligi, 2010). Even though these have been found to be interrelated, each has its own growing body of knowledge, and each was reviewed as a key influencer. This ISPC influencing variables review section begins with a consideration of extant literature on organizational culture influence, followed by a review of security awareness influence and a review of top management influence, and ends with a summary of the interrelation or correlation of the three variables as tools to influence ISPC-compliant behavior.

Organizational culture. Existing literature offers several definitions and commonly indicates that organizational culture is a social paradigm (Interligi, 2010; Schein, 1990; Smircich, 1983; Sulkowski, 2012). An early literature review by Smircich (1983) on organizational culture provided a historical account of the study of culture in organizations, including the earliest social, theoretical, and political orientations. Edgar Schein’s contribution to organizational culture research has been extensive, and his early research introduced a model of organizational culture in 1985 (Karlsson, Åström, & Karlsson, 2015).


In 1990, Schein did an extensive literature review on the origins of organizational culture from the 1920s to the 1930s, which described culture commonly as group norms and climate. Schein’s (2010) fourth edition book on organizational culture and leadership shared the same definition identified in his earlier literature review. Multiple authors have utilized the definition in their research on this topic (Alhogail & Mirza, 2014; Hu et al., 2012; Interligi, 2010; Sulkowski, 2012). The following definition identifies six aspects of culture.

Culture can now be defined as (a) a pattern of basic assumptions, (b) invented, discovered, or developed by a given group, (c) as it learns to cope with its problems of external adaptation and internal integration, (d) that has worked well enough to be considered valid and, therefore (e) is to be taught to new members as the (f) correct way to perceive, think, and feel in relation to those problems. (Schein, 1990, p. 111)

Schein’s (1990) definition and the six aspects have been a guiding definition in studies such as the 2012 literature review by Sulkowski. Sulkowski’s (2012) literature review of organizational culture covered literature from 1966 to 2009, seeking to identify key elements of organizational culture. Sulkowski (2012) identified 13 elements of organizational culture, many of which are found to be common among organizational culture studies. The commonly listed elements of organizational culture are values, assumptions, norms, and artifacts, which include rituals, taboos, heroes, and stereotypes (Alfawaz et al., 2010; Interligi, 2010; Schein, 1990; Sulkowski, 2012). The elements of an organization’s culture have been targets for tactics developed to move an organization’s culture into a security culture (Alfawaz et al., 2010; Paulsen & Coulson, 2011).

Paulsen and Coulson’s (2011) study provided a link between organizational culture and security and recommended the utilization of business intelligence to aid in the conversion of the organizational culture to an organizational security culture, building on a foundation of awareness. Alfawaz et al.’s (2010) research on nontechnical issues of information security

included a case study. The results not only aligned with the organizational culture definition and elements identified thus far but also included similar findings on the importance of security awareness to managing ISPC behaviors. Karlsson et al. (2015) surveyed existing organizational security culture research between 2000 and 2013 and described most studies during the thirteen-year period as philosophical, theoretical, and descriptive research. Karlsson et al. (2015) also identified that the single most used theory in the literature reviewed was Schein’s 1985 model of organizational culture. Like the study by Paulsen and Coulson (2011), which indicated a move to a security culture to influence compliance, Brown (2013) put forward a specific method, the development of an enterprise risk management (ERM) culture, to influence compliance. The Brown (2013) study included findings which indicated that the ERM culture centers on training and communication at all levels of the organization. Awareness at all levels of the organization is found to be key to the development of security culture and has been supported by multiple studies (Alfawaz et al., 2010; Brown, 2015; D’Arcy & Green, 2014; Interligi, 2010; Paulsen & Coulson, 2011). A study by Gebrasilase and Lessa (2011) explored the organizational culture impact on IS compliance; although it focused on the medical industry, the findings were useful in understanding the vital role the organizational culture plays in influencing ISPC behavior. The results of the Gebrasilase and Lessa study indicated that it is essential for employees to be aware of what IS risks are present in their jobs as well as trained on proper processes and preventative measures (2011, p. 83). The previously described studies all make a clear case that


organizational culture has an influence on ISPC and that the culture must be one that utilizes communication, training, and security awareness methods.

Security awareness influence. The current security awareness (SA) literature reflects various recommendations for the improvement of SA programs. Multiple theories and guidelines, as well as the importance of the players and their perceptions, were proposed. Security awareness, as defined by Bulgurcu et al. (2010), has been restated simply as the employees’ knowledge of information security and their employers’ information security policies. Olusegun and Ithnin (2013), as well as Taylor and Brice (2012), maintained that the perception of information security directly links to ISPC. Bulgurcu et al. (2010) defined the purpose of security awareness as a way in which to influence perception through increasing knowledge (p. 532). Research has brought to light the current complex state of developing and implementing SA programs, and the body of knowledge is growing. For instance, Tsohou, Karyda, Kokolakis, and Kiountouzis (2012) indicated that a security awareness program has multiple stakeholders and that their interests are often conflicting. The interpretive case study by Tsohou et al. (2012) resulted in the agreement that the security awareness program is important in influencing security behaviors and must be tailored to the audience. The idea of tailoring the security awareness program to the organization was supported early on by Thomson and Von Solms (1998), when they indicated that it is important to reach all levels: top, bottom, and middle. Later, this tailored stance was supported in a study by Liu (2015) on employee perceptions of security. Tsohou, Karyda, Kokolakis, and Kiountouzis’s (2015) later study added a layer of complexity by explaining the dual role of the employee as both guardian and menace. Knapp and Ferrante’s (2012) study showed a positive impact on the effectiveness of an organization’s

security program when policy awareness is part of the security awareness program. Understanding the stakeholders and their possibly conflicting interests, and tailoring the security awareness implementation (Tsohou et al., 2012), is a current topic in extant literature. A multitude of theories is also present in the SA body of knowledge. A literature review by Lebek, Uffen, Neumann, Hohler, and Breitner (2014) identified 54 theories in 113 existing publications. Lebek et al. (2014) identified both the top behavioral and the top learning theories commonly referenced in the existing literature. Several of the most common theories are explored later in this literature review.

The complexity of developing a successful security awareness program grows as the body of knowledge grows. As previously identified, the users have a vital role (Spears & Barki, 2010), and various researchers similarly described the need for a security awareness program that is tailored to the organization. Researchers such as Taylor and Brice (2012) and Liu (2015) pointed out the role perceptions of security and risk play in successful security programs. Taylor and Brice (2012) conducted a case study that focused on the financial industry. The findings indicated that a common perception of risk by leadership was that the policies were in place, available for review, and presumed to be followed (Taylor & Brice, 2012). Liu’s (2015) study focused on the user’s perception of risk and aligned with Steward and Lacey’s (2012) study, which indicated that doing a security awareness assessment can assist in identifying the different security perceptions, allowing for the development of a more efficient security awareness program. Findings of the study by Humaidi and Balakrishnan (2015) showed that there was a direct bearing on compliant behavior when the severity of issues, the benefits of the countermeasures, and leadership engagement are part of the security awareness solution.

More recently, leadership variables have been brought into the essentials of a successful security awareness program. Humaidi and Balakrishnan’s (2015) study focused on leadership style, the security awareness program, and the impact on ISPC-compliant behaviors. Paulsen and Coulson’s (2011) research sought to examine the use of business intelligence (BI) to enhance security awareness. The findings specified the need for decision-maker participation in the development and selection of BI data (Paulsen & Coulson, 2011). The regulatory environment and its impact on business contributed to the justification for BI-enhanced security awareness. BI data served the purpose of providing statistics regarding risks and other security-related information so that leadership could make informed decisions; this is the same leadership that other researchers on the topics of security awareness and organizational culture refer to as vital to an effective security awareness program (Bulgurcu et al., 2010; Taylor & Brice, 2012).

Leadership influence. Researchers agree on the importance of senior management participation and its criticality to successful information security and compliance in an organization (D’Arcy & Greene, 2014; Hu et al., 2012; Kappelman, McLean, Luffman, & Johnson, 2013). Barton, Tejay, Lane, and Terrell (2016) sought to discover what motivated top leadership to commit to information security. Their findings showed that external influences made a stronger impact on senior leadership than internal influences. The Barton et al. (2016) study also aligns with other studies that indicated the regulatory environment had influenced senior leadership’s involvement with information security (Andreisova, 2016; Lukianenko, Mozhovyi, & Burmaka, 2015; Wallace, Hui, & Cefaratti, 2011). Andreisova (2016) explained the rise in compliance investments as a response to regulatory environment changes. Andreisova (2016) brought together the ideas and findings of

several other researchers and presented the importance of executive commitment to compliance as a way to influence by example and setting a “tone from the top” (p. 33). Andreisova also linked leadership as one of the vital elements of “a culture of compliance” (2016, p. 38) which can improve an organization's industry advantage. The study by Hu et al., (2012) was grounded in the theoretical basis of the theory of planned behavior and focused on the effect of senior leadership and organizational culture on the ISPC behaviors of employees. Studies such as those by Andreisova (2016) and Puhakainen and Siponen (2010) align with the Hu et al.’s, (2012) study which indicated that employees are influenced by the example senior management sets. Lowry and Moody (2015) suggested the direct correlation between formal policies and controls coming from leadership, have a positive impact on the employee’s perception of ISPC and the overall security culture. Top leadership input, support, and advocacy of ISPC and the influence on the compliance of employees is supported by multiple research studies (Barton et al., 2016; D’Arcy & Greene, 2014; Williams, Hardy & Holgate, 2013). The interpretative case study by Williams et al., (2013) explained the need for executive and board level roles and participation in information security governance. The findings show a high degree of responsibility for information security governance fell on executive and board levels and concluded that there was a greater need for broader ownership (Williams et al., 2013). The need for broader ownership of governance warrants exploration into the roles and responsibilities of those at other levels of an organization. D’Arcy and Green’s (2014) study focused on security culture and organizational relationships as drivers of compliance. The importance of top management’s commitment was 27

supported by the authors as well as the influence it has on employee ISPC (Lukianenko et al., 2015; Wallace et al., 2011). The influence of top management comes from setting an example and including security as part of business processes, which will allow senior management to benefit from this commitment (D’Arcy & Greene, 2014). An added variable indicated in the study by D’Arcy and Greene (2014) as well as a study by Herath and Rao (2009a), showed that monitoring of employees could also encourage information security compliant behaviors. Theories Commonly Applied to ISPC While reviewing articles and studies related to the human aspect of ISPC, it became apparent, that the theory of planned behavior and protection motivation theories were among the most frequently seen theories referenced within research. The article by Hu et al. (2012) shared these findings and explained other commonly found theories such as; control theory, general deterrence theory, institutional theory, communication theory, and learning theory (p. 617). Lebek et al. (2014) also identified multiple theories applicable to ISPC research. The theory of planned behavior, protection motivation theory, general deterrence theory, and technology acceptance model have been designated as the four most utilized theories in information security compliance research (Lebek et al., 2014). Fear appeals are prominent within the ISPC body of knowledge. When the focus is on the improving compliance, the need for a more detailed understanding of the industry, the organization, and the individual is required. It has been suggested that going “beyond deterrence” (Willison & Warkentin, 2013, p. 1), reducing stress (D’Arcy et al., 2014), determining motivations and extinguishing “neutralization” (Siponen & Vance, 2010, p. 487) while improving “accountability” (Vance, Lowry, & Eggett, 2013 p. 263) was the best approach. 28

After consideration of the multiple theories found within the existing literature reviewed on the topic of ISPC research, four theories stood out as commonly applied to ISPC studies and therefore relevant to this study of IT middle management influence. The review of the extant literature on the four theories considers protection motivation theory and psychological contract theory first, followed by the theory of planned behavior and general deterrence theory.

Protection motivation theory. Protection motivation theory (PMT), defined by Rogers (1975), draws upon multiple human psychological studies on motivation and behavior, including excerpts from Darwin’s 1872 book, The Expression of the Emotions in Man and Animals. Rogers (1975, p. 96) drew upon Darwin’s (1872) link between emotion, specifically fear, and the viewable physical manifestations of fear, illustrating how fear is recognized. Herath and Rao’s (2009b) study combined the PMT defined by Rogers (1975) with general deterrence theory to develop a program for improving ISPC. Extant literature includes research on understanding the intent to comply; much of it has a policy focus and draws upon theoretical research with social psychological and behavioral exploration. If seeking to understand ISPC and intent to comply, psychological and behavioral research is at the foundation (Crossler et al., 2014; Johnston & Warkentin, 2010; Son, 2011; Vance, Siponen, & Pahnila, 2012). When exploring the literature on ISPC, it becomes apparent that the topic is not new. The literature review used to set the context for the study by Herath and Rao (2009b) showed literature dating as far back as 1992 that included studies related to the problem of compliance.

Herath and Rao’s (2009b) description of the threat appraisal and coping appraisal elements of PMT identified fear at the crux of protection motivated behavior. Crediting fear as a partner of PMT includes the idea that a threat appraisal that has resulted in fear will produce protection motivated behaviors during the coping appraisal process (Rogers, 1975). The role of fear appeals is at the center of the partnership between PMT and general deterrence theory in Herath and Rao’s (2009b) field study. Herath and Rao’s (2009b) study tested 15 hypotheses while drawing on other literature for guidance on other constructs that showed positive results when applied to ISPC. Much like Herath and Rao (2009b), Crossler et al. (2014) adopted many of the constructs already identified in previous literature. Recognizing threat appraisal and coping appraisal processes as predictors of intentions to comply, the Crossler et al. (2014) study aligns with past and present research identifying self-efficacy and response efficacy as rudiments of the intention to comply (Herath & Rao, 2009b; Ifinedo, 2012; Johnston & Warkentin, 2010; Vance et al., 2012). The Crossler et al. (2014) study built a solid case for the utilization of PMT in research focused on bring-your-own-device (BYOD) policy compliance.

Following Herath and Rao’s (2009b) study, as well as earlier studies highlighting fear partnered with PMT to improve compliant behavior, more researchers have explored the impact fear has on ISPC behaviors. Posey, Roberts, Lowry, Bennett, and Courtney (2013) and Posey, Roberts, Lowry, and Hightower (2014) identified PMT and fear appeals as the theoretical foundation of their studies. Posey, Roberts, and Lowry (2015) built upon their previously indicated theoretical foundation of PMT and fear appeals by exploring the influence that security education, training, and awareness, as well as the degree of organizational commitment, have on threat appraisal and coping appraisals (2015, pp. 179-180).

Moquin and Wakefield (2016) continued in the same research direction as Posey et al. (2015) when they studied the effect that awareness training with a theoretical foundation of PMT had on compliance. Moquin and Wakefield (2016) also included ethics and the use of sanctions in influencing compliance. Like much of the previous research on ISPC, the study had a limited focus: a single policy against utilizing unlicensed software in an organization (Moquin & Wakefield, 2016). The apparent consensus of the previously reviewed studies is that PMT alone is lacking, and therefore researchers are partnering PMT with other theories or constructs. The theory of planned behavior (Ifinedo, 2012; Moquin & Wakefield, 2016), security awareness (Posey et al., 2015), and consideration for habits (Vance et al., 2012) have each been partnered with PMT in ISPC research. A theory identified in the study by Lowry, Posey, Bennett, and Roberts (2015) was shown to impact decisions in the appraisal processes of PMT and included consideration of the relationship between organization and employee. The relationship between employee and organization has been identified as having an impact on ISPC, and consideration of the relationship construct adds psychological contract theory as a theoretical lens (Lowry et al., 2015).

Psychological contract theory. Current literature includes studies that seek to understand ISPC through the lens of psychological contract theory (PCT). Researchers have explored how the psychological contract is developed as well as how it is linked to employee retention and even deviant behaviors (Christian & Ellis, 2014; Sherman & Morley, 2015). This section explores current extant literature linking PCT to influencing ISPC compliant behaviors.


Haggard and Turban’s (2012) study was focused on mentoring relationships and sought to understand the relationship between mentor and mentee with PCT as the theoretical foundation. The relationship between mentor and mentee and the psychological contracts (PC) developed were explored by Haggard and Turban (2012), and the results identified that both parties develop obligations. Haggard and Turban’s research pointed out that the mentor’s status and the relationship formality are recognized as constructs of the developed obligations (2012, p. 1905). The need to improve employee retention has also motivated research designed to explore the developed obligations employees perceive about their employers (Low, Bordia, & Bordia, 2016). Other researchers have also utilized the constructs of PCT to improve understanding of how to influence employee behavior (Christian & Ellis, 2014; Lowry et al., 2015; Workman, 2009). Christian and Ellis (2014) undertook an exploration of the psychological contract and its relationship to predicting deviant behaviors in an organization. The research results indicated that failure of the employer to meet obligations perceived by the employee as part of the psychological contract could influence moral disengagement, which was found to increase deviance in employee behavior (Christian & Ellis, 2014). The perceived obligations developed and the delivery of those obligations are at the base of psychological contract theory. Lambert (2011) sought to identify the elements that motivate obligation formation and to identify which were dominant influencers. The results of the study by Lambert showed that satisfaction of needs and pay were dominant influencers when the employee seeks to determine whether the employer’s obligations have been met and whether to fulfill their own obligations to the employer (2011, p. 695).


Goel, Hart, Junglas, and Ives (2016) offer a reminder that contractual theories such as PCT create contingent obligations based on human perceptions, which can be unique to the individual. This reminder was the basis for the identification of PCT, along with other social theories, as the foundation of Goel et al.’s (2016) study of the proper use of information systems. Mamonov and Benbunan-Fich (2015) also utilized PCT as a theoretical basis for a study designed to identify the perceived severity of a privacy breach during smartphone and application usage, considering the perceived privacy expectations developed by the user. The development of perceived obligations in PCT has been found to be beneficial in predicting behavior and, like PMT, can be combined with other theories to explore how to influence behaviors. The theory of planned behavior has also been partnered with PCT and applied alone as the theoretical foundation for studies seeking to understand human behavior in organizations (Ajzen, Joyce, Sheikh, & Cote, 2011).

Theory of planned behavior. The theory of planned behavior (TPB) has proven useful as the foundation of studies aimed at understanding the intent to comply with information security policies (Godlove, 2012; Lebek et al., 2014). Ajzen (2012) explained that a precursor to any behavior is intent and that intent is subjective in nature. In Lebek et al.’s literature review, the TPB was presented as the most used theoretical foundation in existing studies on information systems security and human behavior (2014, p. 1052). TPB has been applied alone and often partnered with other theories to explore ISPC. The study by Bulgurcu et al. (2010) explored employee beliefs around compliance and consequences, as well as adding security awareness to sway intent to comply. Similarly, Godlove (2012) utilized TPB as a foundation for his ISPC research regarding influences on the willingness to comply. Both Bulgurcu et al. (2010) and Godlove (2012) suggested that subjective norms, attitudes, and beliefs were at the core of intent or willingness to comply. A study by Chu, Chau, and So (2015) was designed to explore misuse of business information systems resources and, unlike other TPB-based studies, bypassed intention to examine the actual misuse behavior. Chu et al.’s (2015) study conflicted with previous studies and showed that subjective norms had no real impact on the actions of misuse. Chu et al. (2015) indicated that the findings of their study would contribute to management knowledge of why misuse happens, in order to improve compliance with use policies. Hu et al. (2012) also identified top management as a vital part of improving compliance. Hu et al. (2012), utilizing TPB as a foundation, linked top management and organizational culture as key to building a solid framework for ISPC and indicated that senior management’s influence on ISPC behaviors is a result of their influence on organizational culture. Kim, Yang, and Park’s (2014) research combined PMT and TPB with neutralization theory and rational choice theory as a foundation for a study on ISPC. The researchers claimed the four theories were “harmonious” when exploring ISPC (Kim et al., 2014, p. 2). Researchers have recognized the compatibility of TPB and PMT, and that TPB works well with other theories as well when studying ISPC (Ifinedo, 2012; Sommestad et al., 2015). Sommestad et al. (2015) challenged the use of TPB alone to predict ISPC behaviors and supported the premise that additional constructs were required to explain ISPC. The study by Sommestad et al., designed to explore the constructs necessary for predicting ISPC behavior, resulted in the confirmation that additional constructs considering the undesirable effects of noncompliance, such as anticipated regret, are critical (2015, p. 212).

Additional constructs, such as the previously identified security awareness training and anticipated regret, as well as other theories, have been combined with TPB to explore ISPC behaviors. As previously discussed, PMT included self-efficacy, response efficacy, and fear appeals among the constructs necessary to explore ISPC behaviors. Fear appeals were only indirectly indicated in combination with TPB; however, undesirable results of noncompliant behaviors, such as anticipated regret, were identified. Existing research on TPB, PMT, and PCT has similarly indicated the additional constructs needed to understand and even predict intent to comply (Ifinedo, 2012; Johnston & Warkentin, 2010; Lowry et al., 2015; Son, 2011). Commonly, the existing studies on ISPC reference fear or sanctions as a method to influence the predicting constructs towards compliant behaviors (Chen et al., 2012; Herath & Rao, 2009b; Son, 2011).

General deterrence theory. While reviewing studies on ISPC, general deterrence theory (GDT) was rarely included solely as the theoretical foundation. A study by Hovav and D’Arcy (2012) referenced GDT as the basis of their study; however, they included constructs that were utilized in conjunction with other theories. The Hovav and D’Arcy (2012) study expanded the literature on ISPC by identifying that country, age, and gender had an impact on the effectiveness of deterrence measures. In an earlier study, Son (2011) conducted a comparison of intrinsic and extrinsic motivations in relation to the influence they have on ISPC. The study findings indicated that intrinsic motivations had more impact than the known extrinsic motivations normally associated with GDT (Son, 2011). The finding that intrinsic motivations have more impact on ISPC adds an extra layer of complexity when trying to understand what motivates ISPC behaviors, due to the unpredictability of humans. D’Arcy and Herath (2011) recognized the regular use of GDT in the study of ISPC behaviors; however, like Son (2011), they also recognized the commonality of conflicting results. Lebek et al. (2014) conducted a literature review of theories found in the ISPC body of knowledge and claimed that the four top theories found were PMT, TPB, GDT, and the technology acceptance model (TAM). When applied together, the four would present a list of elements to predict and influence the intent to comply and prove useful in the development of a security awareness and education program (Lebek et al., 2014). This claim aligns well with the previously reviewed study by Bulgurcu et al. (2010), which utilized TPB as the theoretical foundation of a study that explored the influence of security awareness. Chen et al.’s (2012) study explored the shortcomings of the sanctions commonly associated with GDT and chose to explore reward where sanctions failed to produce the desired compliance. Johnston et al. (2015) claimed that GDT utilized mainly formal sanctions and argued that informal sanctions should also be included. Johnston et al. (2015) described informal sanctions as those that do not have a monetary or legal cost but do have an impact on reputation, shame, and social implications.

The existing literature in the ISPC body of knowledge has shown a wide range of constructs that can influence and predict intent to comply. The ISPC body of knowledge has also shown that the theoretical considerations when trying to improve ISPC behaviors are subjective (Ajzen, 2012). Puhakainen and Siponen’s (2010) findings make a case for leading by example. The research positively identified a link between the behaviors of employees towards ISPC and their perceptions of leadership behaviors towards ISPC (p. 769). Employees and leadership are positioned at opposite ends of a chain of command. Both roles depend greatly on the MM, and both roles have been shown to play a vital role in information security as protectors and influencers of ISPC (Barton & Ambrosini, 2013; Harding et al., 2014; Parera & Fernández-Vallejo, 2013).

Synthesis of the Research Findings

Researchers are writing a complex roadmap for understanding human ISPC. Common themes emerged during the review of the extant literature: previously established theories were merged in ways that shed a new lens upon ISPC research. For instance, known psychological and sociological theories such as TPB, PMT, PCT, and GDT can be combined to reveal influencing factors of ISPC (Ifinedo, 2012; Lebek et al., 2014). Researchers identified security awareness and training as an influence on ISPC and recommended customizing the training for the audience (Stewart & Lacey, 2012; Tsohou, Kokolakis, Lambrinoudakis, & Gritzalis, 2010). Research on improving, predicting, or influencing ISPC has shown that it requires an understanding of the organizational culture (Alfawaz et al., 2010; Sulkowski, 2012). Understanding the organization’s culture could prove useful when trying to customize a security awareness and training program. Extant literature supports the findings on leadership support and participation (D’Arcy & Greene, 2014; Williams et al., 2013). Hu et al. (2012) explained the important role of leadership as well as the influence leaders have on organizational culture. Each of these previously explored topics adds to the complexity of the challenges with ISPC, and they seem in many ways to be interdependent, like cogs in a machine. Theoretical lenses, organizational cultural characteristics, security awareness measures, top management engagement, and much more make up a complex formula for improving ISPC behavior.

The extant literature represented in this literature review held a common theme. Senior leadership, organizational culture, and security awareness training have been identified and grounded in behavioral theories. These are known to be beneficial to improving ISPC compliant behaviors when applied; however, the application is not a one-size-fits-all scenario. Influencing ISPC includes tailoring methods to fit the organization’s culture; training must be fit to the audience, and leadership must be engaged. Extant literature provides multiple theoretical applications, commonly used conceptual elements shown to have a positive effect on ISPC, and a variety of frameworks and methods to assist in improving compliance. A variety of research methods have been utilized to study ISPC; yet, due to the consensus that methods of influence depend greatly on the audience, the body of knowledge is still growing, and the problem of noncompliance still exists.

Critique of Previous Research Methods

The research methods found when reviewing the literature on ISPC are diverse. Case studies have given a picture of a specific organization’s culture (Alfawaz et al., 2010), a view of security awareness program readiness (Taylor & Brice, 2012; Tsohou et al., 2012), and the critical role of top management in information security governance (Williams et al., 2013). The case studies reviewed were limited in focus, which is a known characteristic of a case study. Several literature reviews were chosen for consideration mainly for their historical content. The literature reviews were not helpful for building a case for ISPC research; however, they were valuable in identifying seminal works and ontological positions over time. Multiple quantitative studies were seen that were dependent upon self-reporting of compliance actions and intent to comply (Crossler et al., 2014). Some quantitative studies sought to focus on one or more previously identified constructs for predicting the intent to comply. The methods of exploring known constructs with different theoretical foundations determine the usefulness of the constructs but still do not paint the full picture and are often limited to one use case or industry. The literature previously reviewed shows researchers beginning to move forward with the development of frameworks and conceptual approaches to the development of security culture (Alfawaz et al., 2010; Alhogail & Mirza, 2014).

Summary

The information security body of knowledge is extensive. A focus on ISPC finds topics that are further centralized on a specific case or specific phenomenon. Chapter 2 provided a review of the extant literature focused on improving ISPC. Understanding ISPC behavior and how to improve it in the U.S. financial industry was a motivation for this study. Top leadership, security awareness, employees, and organizational culture were shown to have research indicating a positive influence on ISPC behaviors. The literature review provided a look at the MM role between employees and top management and reflected a lack of extant research linking the MM’s role to ISPC behavioral influence. The literature review also provided an overview of the regulatory landscape of the U.S. financial industry in order to establish the importance of ISPC. This exploratory qualitative inquiry was designed to gain an understanding of how middle managers influence ISPC in the U.S. financial industry through the lens of the IT professionals tasked with following the processes and procedures developed to meet regulatory requirements and protect data.


CHAPTER 3. METHODOLOGY

Chapter 1 included a brief description of the characteristics, design, and rationale for this exploratory qualitative study of the MM’s influence on ISPC behaviors. The literature reviewed in Chapter 2 included existing research on the topic of ISPC, including known influencing factors and relevant theories. Chapter 3 contains a more in-depth description of the key components of the study conducted. Chapter 3 also contains descriptions of the procedures used to answer the research question, such as participant selection, participant protections, data collection, and data analysis. The role of the researcher as well as the guiding interview questions are detailed and followed by a summary of the ethical considerations required. Finally, an overview of the methodology used to answer the research question concludes Chapter 3.

Purpose of the Study

Simply put, the objective of this exploratory qualitative study was to provide additional research on MM influence on ISPC. A gap found in current literature involves the lack of a direct correlation between MMs and influencing ISPC, even though research showed that MMs actively influence the success or failure of strategic initiatives (Barton & Ambrosini, 2013; Jansen et al., 2014). This study was designed to explore how MMs influence ISPC behaviors. Since the MM position is common across industries, it was necessary to narrow the industry sector as well as the country to make the study feasible. Information security policy compliant behavior is a current need within most industries and a key component of risk management (Barton et al., 2016). However, the U.S. financial sector frequents the top targeted industry lists (APWG, 2013; IBM, 2013, 2014, 2015; Verizon, 2014, 2015, 2016), making it a good choice for purposes of tightening the scope of the study.

Even after narrowing to the U.S. financial industry, the study scope remained too broad. The topic is influencing information security policy compliance, and the financial sector is heavily invested in technology. Information security policies are guides for protecting the technology and data of an organization (Knapp & Ferrante, 2012). Within the U.S. financial sector, it was decided that IT professionals would provide enough limitation on the population to make the study feasible, as they are deeply exposed to the topic of ISPC. Logan (2015) also identified the greater risk that IT professionals pose as more privileged users of the organization’s resources. The goal of this exploratory qualitative inquiry was to develop an understanding of the influence MMs have on the ISPC behaviors of IT professionals working within the U.S. financial sector.

Research Question

The core assumption of this study was identified in Chapter 1. The assumption was based upon known characteristics of the MM’s role within an organizational hierarchy and the known influence that the MM has on strategic initiatives (Agostino, Arena, & Arnaboldi, 2013; Barton & Ambrosini, 2013; Harding et al., 2014). Improving ISPC behaviors could be packaged as a strategic initiative for an organization, considering the ongoing challenges related to ISPC (Chen et al., 2012). The assumption that an MM would also have an influence on the employee’s ISPC when driven by a strategic initiative lacks support in existing literature. This lack of support for the assumption prompted this research study on MM influence on ISPC. This study was designed to answer the following research question.

RQ: How do middle managers in the U.S. financial industry influence ISPC behaviors?


Research Design

Existing research highlights the many variables associated with influencing ISPC, including the theories that have been shown to be applicable. Some of the key variables and theories were identified in Chapter 1 and reviewed in the Chapter 2 literature review. This study was designed to investigate how MMs influence ISPC. The goal was not to rate how much influence the MM has, nor was it to determine the type of influence, be it positive or negative. By exploring the experiences, observations, and perceptions of IT professionals working in the financial industry, this research was designed to identify what MMs are doing to influence ISPC. Semi-structured interviews were conducted to gather data. The participants were asked to describe experiences, observations, and perceptions of MM influence on ISPC. The interviewees were also given the opportunity to describe the importance of the MM influence on ISPC and to recommend how the MM’s influence could be improved. The data collected from the interviews were further analyzed and compared to the variables and theories reviewed from existing literature. The exploratory qualitative design allowed for a fully synthesized analysis of the MM influence described by the participants. The exploratory design also gave the researcher the opportunity to identify whether any of the previously defined variables and theories were recognized in the experiences, observations, and perceptions described by the participants. This study of MM influence on ISPC was limited to a single industry to make the study feasible. As previously indicated in Chapter 1, the financial sector was of interest due to its repeated presence on data breach reports (IBM, 2013, 2014, 2015, 2016; Identity Theft Resource Center, 2016; Idtheftcenter.org, 2014). A further reduction in scope was found to be necessary to focus the population within the financial sector and is detailed in the following section.

Target Population and Sample Information systems and technology have transformed financial organizations (Alt & Puschmann, 2012). This transformation made those using the information and technology, IT professionals, significant to operations in the financial sector (Flores, Sommestad, Holm, & Ekstedt, 2011; Ryan & Harden, 2014; Tirgari, 2012). The IT professionals in the U.S. financial industry perform the transactions and the processes, back office and customer facing, businesscritical activities and have access to large amounts of data. Although information systems professionals who have direct access and elevated privileges to technology resource present a greater risk than the IT professionals chosen for this study, they were deemed out of scope for this study due to their limited sight into the business operations. The IT professional possess greater access to an organization’s resources, funds, clients, data, and business operations; therefore, can impact the effectiveness of security. The IT professionals would most likely provide more sight into MM influence in the U.S. financial industry as they are the same people that the MMs can influence to adopt strategic initiatives. The following two sections will further detail the targeted population as well as the sample used to obtain data needed to answer the research question. Population The focus of this study on MM influence on ISPC behaviors in the U.S. financial industry through the lived experiences of IT professionals. The IT professional and the financial sector or industry organization were defined previously in Chapter 1. The financial sector or industry organizations include those organizations that provide financial services. A characteristic of this type of organization includes one that must adhere to some or all of the financial sector 43

regulations set forth by the U.S. government, either directly or indirectly as a result of the services provided. This characteristic makes third-party vendors such as payroll and benefits services considered part of the U.S. Financial sector population. Including these third party vendors that are indirectly impacted by financial industry regulatory requirements was necessary because of the growing use of outsourced IT services in the financial sector (Gonzalez, Llopis, & Gasco, 2013). A technologically driven society, the regulations imposed, and the competitiveness of the industry has required the financial sector to commit to technologically driven processes carried out by IT professionals who specialize in the various technologically driven processes (Gonzalez et al., 2013) . This commitment indicates the importance of IT professionals in the financial sector and supports the choice of IT professionals working in the financial sector as the target population for this study on MM influence on ISPC behaviors. Sample While determining the sample for the study on MM influence on ISPC behaviors, it was necessary to consider certain biases. Selecting participants from a single organization could have introduced bias derived from the organizational culture and therefore, making the study less representative of the overall population. To avoid this organizational cultural driven bias it was necessary to put a limitation on the number of participants included from a single organization. It was then decided that no more than two participants from one organization would be part of the sample. Another bias to consider was based on the MM position within the hierarchy of an organization. It was necessary to consider that perhaps the experiences, observations, and 44

perceptions obtained from only MM-level participants could present more idealistic responses than a true representation of the experiences, observations, and perceptions. A triangulation approach was required, and based on traditional organizational hierarchies it was decided that the sample should include leadership and nonmanagement participants in addition to MM participants. Purposeful sampling was used, while avoiding the previously mentioned biases, to ensure the participants would be able to provide the data needed to answer the research question. At least 3 to 7 participants within each professional level were considered appropriate for data saturation. To ensure information-rich data were collected, additional criteria were applied to the sample. All participants had to have at least 10 years' experience as an IT professional working in the U.S. financial sector and be between 18 and 65 at the time of data collection. The sample utilized for this study included five IT professionals with a leadership role, five IT professionals with a middle management role, and five IT professionals with a nonmanagement role. Each of the IT professional level groupings contained three male and two female participants. The 15 participants represented 11 different organizations within the U.S. financial sector. Only two of the organizations represented did not have multiple locations across the U.S., and each of those two had only one participant.

Procedures

In this section, the procedures followed for participant selection are detailed. How the participants were protected during the study is also described. A description of the proceedings for data collection is provided in step-by-step format.

Details of the data analysis process are also provided. The procedures represented in this section were designed to provide full transparency into the way in which this research was conducted.

Participant Selection

A call-for-participants flyer was created and utilized to obtain volunteers for the study of how MMs influence ISPC behaviors. The purpose of the research was presented along with the specific qualifications required to be a participant. The flyers were posted to two professional organization websites whose target members and audiences were mainly IT professionals. The flyer was also distributed to several of the researcher's IT professional colleagues through email correspondence. These emails were responses to inquiries from colleagues who had seen the flyer posted on the professional organization websites; they were not unsolicited. When an e-mail was received in response to the flyer, the researcher replied to the possible volunteer asking for a contact number and two available dates and times for a screening call. This email also included the adult informed consent document as an attachment, with a note asking the volunteer to review it and raise any questions during the screening call. During the screening call, the researcher went through the requirements for participation and validated that the person met the qualifications. If the candidate did not meet the qualifications, they were thanked for their time, and no further communication was required. It is also important to note that a candidate's current employer was part of the requirements: no more than two participants from the same organization were accepted into the study. If the candidate was found to meet the requirements, the adult informed consent was reviewed with the candidate.

Each potential participant that qualified for the study was given the opportunity to ask questions during the examination of the adult informed consent document. Once the participant was satisfied with the informed consent, they were given the opportunity to either sign and return the document or withdraw, with no further communication required. Once a potential participant signed and returned the informed consent, they were assigned an alphanumeric code based on their professional level and participant order. For instance, an IT professional participant in an executive leadership role was designated EL, and if they were the first to agree to participate their code going forward was ELP1; the corresponding codes were MMP1 for an IT middle manager and NMP1 for a nonmanager (NM) IT professional. The codes applied to the participants served several purposes. First, it was important to be able to recognize the number of participants for each professional level, so that each had equal representation. Next, it was necessary to be able to associate the organizational level with the responses to allow for a compare-and-contrast analysis of the data based on organizational level. Last but not least, the codes were necessary for the anonymity of the participants. Anonymity was important for data analysis because the researcher was from the same population; it allowed the researcher to avoid any bias based on the possibility of past associations with any participants. The codes applied to the participants were also part of the protections provided for the participants.

Protection of Participants

The protection of the participants began with the way initial contact was made: by presenting a call for participants, it was the potential participant that made the first contact with the researcher, so no unsolicited communications were sent. The protection of the participants continued with the adult informed consent document. The review of this document with every potential participant allowed the potential

candidate to understand it before deciding whether to participate. Once the candidate signed and returned the informed consent, they became an official participant in the study and anonymity became a top priority. It was necessary to first explain to the participant that they would not be required to give names or organizational affiliations in their responses. The participants were notified at the beginning of the interview to use pseudonyms and that if any names or organizations were mentioned they would be stricken from the transcripts. Each participant was provided an alphanumeric code, and all recorded interviews and transcriptions were labeled with the code instead of the person's name. Additional measures were taken to protect the well-being of the participants. For instance, the interview questions were field tested by several colleagues who met the inclusion criteria. Two experts from each IT professional organizational level (EL, MM, NM) were asked to field test the interview questions. The field testers were tasked with reviewing the questions while considering two specific issues. First, they were invited to identify whether any of the interview questions were inappropriate for the intended population. Second, they were asked to provide feedback on any of the interview questions that they felt would cause distress or discomfort to the participant answering them. The field test returned only minor semantic recommendations for the interview questions, and no inappropriate questions were identified. Furthermore, the expert reviewers identified no questions that would cause distress or discomfort. The field test was considered a success, and the study moved forward to the data collection stage.


Data Collection

Data collection was performed through semi-structured interviews. The participants were recruited and, once five participants from each IT professional level were validated and had signed informed consent documents, the interview process began. The first three volunteers for each IT professional level were scheduled, and interviews were held. Once the first three participants for each level were interviewed, the researcher determined that data saturation had not yet been achieved. The remaining two volunteers for each IT professional level were scheduled, and interviews were conducted. The semi-structured interviews in this exploratory qualitative study were designed to allow data analysis to be performed in combination with data collection. Analyzing the data as it was collected is recommended by qualitative researchers and identified as useful for early identification of emerging themes (Merriam & Tisdell, 2015; O'Reilly, Paper, & Marx, 2012; Yin, 2010). Analyzing data while collecting it also allowed for early recognition of data saturation. The way in which the researcher collected the data and analyzed it during the process completes this overview of how data were collected. The interview procedure for data collection is outlined in Table 1.

Table 1. Interview Procedure

Interview Procedure for Data Collection

Step 1. Introductions and icebreakers
  > Put participant at ease with a short chat
      + Used this opportunity to give more information about the research and researcher
  > Explained interview process and recording
      + Used this opportunity to explain recording and expectations
  > Started audio recording
      + Asked participant to acknowledge and confirm approval of interview recording
  > Asked participant to confirm their level within the organization they are representing
      + Leadership, Middle Manager, or Non-Management role
  > Asked introduction questions and gave anonymity guidelines prior to role-based questioning
      + See Introduction section of Interview Questions document, Appendix A

Step 2. Began role-based questions
  > Selected question set based on the level clarified previously during the introduction step
  > Question set completed
      + Took notes during the interview, analyzing as we progressed
      + Analyzed responses during the interview and noted keywords or themes
  > Answered any questions or concerns
      + Gave participant opportunity to ask any questions or voice concerns
  > Explained next steps
      + Opportunity for review of the transcript was explained
      + Explained that all future correspondence would be conducted through e-mail

Step 3. E-mailed participant the interview transcript for their review and opportunity to revise
  > Set time frame for return; allowed 2 weeks for review
      + E-mail included the date on which the transcription would be assumed acceptable if no response was received
  > Made final version of all transcripts
      + Transcripts that received no response by the two-week deadline were deemed ready for analysis
      + Transcripts that were returned with revisions were reviewed and deemed ready for analysis

Data Analysis

Data analysis began during data collection. The interviews consisted of six questions for each participant. The questions were designed appropriately for each organizational level: nonmanagement (NM), IT middle management (MM), and executive leadership (EL). Each interview question represented a different category of data to be collected. The notes taken by the researcher included keywords identified in the participants' answers to the questions. Table 2 is a sample representation of the key topics covered in the interview questions as well as the format in which the keywords were tracked. The format was designed

to allow a comparison of like keywords across the role-based groups and early recognition of emergent themes.

Table 2. Data Analysis – Keywords

Key Categories                 NM Participants              MM Participants              EL Participants
                               NMP1 NMP2 NMP3 NMP4 NMP5     MMP1 MMP2 MMP3 MMP4 MMP5     ELP1 ELP2 ELP3 ELP4 ELP5
Perceived Responsibility
MM Influence Experience
MM Influence Observed
Perceived Barriers
Perceived Importance
Recommendations for Improving

Each interview recording was transcribed into Microsoft Word document format. The transcription was performed by an online transcription service. The remainder of the data analysis was conducted utilizing the transcriptions of the interviews. As noted in the data collection procedure in Table 1, step three allowed for participant review of the transcripts. Both the original transcript and, where applicable, the revised copy were kept. These are noted as original and final in the file names. The transcript versions marked as final were used for further data analysis.

Manual coding and analysis were performed on the transcripts by reading and highlighting or circling relevant words and phrases. Coding was conducted by identifying keywords found for each question per participant. Thematic analysis was manually performed during the second and third reading of each transcript. Themes were identified by highlighting sentences that stood out as germane. These sentences were compared individually and by the professional role group of each participant. The comparison assisted in determining true emergent themes across the sample. The comparison by role allowed for the identification of possible contrasting perceptions based upon role grouping. Validation of the manual coding and thematic analysis was conducted using NVivo 11 Pro Edition for Windows. Each transcript was copied and formatted for NVivo consumption. The formatting required cleanup of interviewer affirmations and comments. Formatting for NVivo also included applying the Heading 1 style to the questions and the Heading 2 style to the interviewee indicator. Utilizing the heading styles allowed for coding by question and by participant. The transcripts included the word "interviewee" as an indicator of when the participant was speaking. The interviewee indicator was changed to the participant code, such as ELP1 or NMP2, and then formatted in the Heading 2 style in the Word documents. The formatted versions of the interview transcripts were then loaded into the data analysis tool. Analysis continued with keyword identification for the six categories shown in Table 2. Each category represented an interview question topic and was entered as a node in the data analysis software NVivo. Each participant code was entered as a node and specified as a case. A further grouping of the cases was performed to group all executive leadership participants in a thematic cluster ELP, the MM participants into an MMP cluster,

and the non-management participants into an NMP thematic cluster. The thematic clustering made a comparison of themes between the three organizational levels possible. Once the configuration of the nodes, cases, and thematic clustering was completed, the data were ready to analyze utilizing the built-in functionality of the analysis tool.

Instruments

Several tools were used during this study of MM influence on ISPC behaviors. Microsoft Excel (2016) software was utilized to log participant information such as contact details, interview times, and demographic details. The TapeACall (Pro) mobile application for iOS was the instrument used to record the interview sessions. Microsoft Office 365 (v. 1706) software was utilized extensively by the researcher throughout the duration of this study. The researcher also made extensive use of electronic Sticky Notes, a native application of the Microsoft Windows (10) operating system. The researcher was the interview instrument of this study.

The Role of the Researcher

The role of the researcher in the study of MM influence on ISPC-compliant behaviors was crucial. The researcher as the instrument was the facilitator of the semi-structured interviews. The researcher's role, however, was not limited to the interviews. The researcher was the recruiter, the scheduler, and the data analyzer. It was important that the researcher could build a relationship with the interview participant early in the vetting process and maintain a healthy, relaxed relationship throughout the interview stage. The researcher was familiar with the population and sample from a criteria perspective and could herself have qualified for the study based on those criteria. This similarity between the researcher and the participants proved to be beneficial from a communication and understanding

perspective. This similarity also had a possible negative impact and had to be managed accordingly. The researcher had to separate her own experiences and perceptions from those of the study participants so that related bias could be avoided. Tufford and Newman explained, "Bracketing has the potential to greatly enrich data collection, research findings and interpretation – to the extent the researcher as an instrument, maintains self-awareness as a part of an ongoing process" (2012, p. 85). It was Tufford and Newman's (2012) explanation that led the researcher to utilize bracketing in such a way that the researcher's own experiences would be assessed first and often during the interview stages of the study. The researcher personally answered each of the research questions so that any presuppositions or preconceptions could be identified. This identification was necessary to allow the researcher to be self-aware during the participant interviews and avoid influencing the participants as they were given the same guiding interview questions.

Guiding Interview Questions

The interview questions were developed to ask the same six questions of each participant. Since the participants were providing their perceptions, observations, and experiences from the perspective of one of the three IT professional organizational levels, the questions were structured accordingly. The same set of initial questions was asked of all participants prior to moving into the role-based questions. These initial questions, as well as each role-based set of questions, are included in Appendix A.

Ethical Considerations

The most important ethical considerations for this study of MM influence on ISPC behaviors were the privacy and well-being of the participants. This study was conducted in line

with the three core principles from the Belmont Report: respect for persons, beneficence, and justice (Gabriele, 2003; Miracle, 2016). This study was conducted with respect for the participants, allowing them to choose whether to participate; care was taken to do no harm, and every participant was treated equally. With the focus on the financial sector and IT professionals, it was apparent that it would be imperative for participants to feel that their privacy and anonymity would be protected. It was also important to ensure that the experiences and observations the participants would be sharing would not in some way jeopardize any nondisclosure agreements the participants were bound to. The only risk determined to be possible was psychological and directly related to the privacy of the participant. The nonexperimental nature of this study posed no physical risk to the participants. However, there was a risk associated with the dissemination of sensitive information. It was important to identify and mitigate the risks immediately, and it was important to be cognizant of the possibility of the risks throughout the participant engagement. Mitigation began with the way in which the call for participants was done. It was noted in the recruitment flyer that no names or organizational affiliations would be used in this study. Next, the assurance of anonymity was restated and further explained in the adult informed consent that was reviewed and signed by each participant. Finally, during the interview sessions, part of the introduction question script included instructions that the participant should avoid the use of names of people or organizations and that these would be stricken from the transcripts if they were used.

Summary

Chapter 3 included a detailed description of the methodology employed for this exploratory qualitative study. The exploratory nature of the research conducted allowed a more

in-depth inquiry into the perceptions, experiences, and observations of the IT professional participants. The purpose of the research and the core assumptions made led the researcher to a design that would help answer the research question. The semi-structured design of the interviews allowed the researcher some flexibility to use a conversational format that put the participant at ease and allowed for the use of additional probing questions, comments, and affirmations. The target population and sample were described in more detail than in the initial description found in Chapter 1. The data collection procedures and how manual coding was performed were also provided. Data analysis and coding began manually and were validated with electronic coding and analysis software. An overview of the manual analysis and the software-driven analysis was included in Chapter 3; however, Chapter 4 provides more detailed coverage of the data analysis and presents the data collected.


CHAPTER 4. PRESENTATION OF THE DATA

The purpose of Chapter 4 is to present the data collected and the results of the data analysis. The researcher's relationship to the subject matter and topic, however, is key to understanding what motivated the researcher to investigate the topic of MM influence on ISPC behaviors. The researcher's experience, interest, and stake in the study, as well as the overall contributions of the researcher, open Chapter 4. A detailed description of the sample used for data collection follows. Next, the methodology applied to data analysis is explained. The chapter continues with the presentation of the data collected and the results of the data analysis, and concludes with a summary.

Introduction: The Study and the Researcher

With over 20 years of practical experience as an IT professional, over half of it working in the U.S. financial sector, the researcher qualifies as part of the target population for this study. A career that moved from a purely IT technical path to an IT security path, after completion of a Master of Science degree program specializing in security and assurance at Capella University, led to the understanding that policy compliance was vital. During the technical career path, the researcher was on the front line when information security, privacy, and regulatory sanctions made technical services delivery more complex. The introduction of policy, processes, and controls into business as usual added to that complexity. Valuable experiences, observations, and perceptions were gained from a technical career path, some of which came into question when looked at through an IT security lens. This conflict was the motivation to investigate the topic of ISPC. The experiences with policy compliance from the action side did not provide indications of what variables impacted ISPC. The literature review conducted allowed matching of variables to what had previously been

observed, experienced, or perceived, even if they did not positively match what was known to the researcher. After a career expansion into management, the upward path led to the need to gain a better understanding of how to have more influence on ISPC behaviors. This curiosity, and the lack of a direct correlation in existing literature between MMs and how they influence ISPC, motivated the development of this study. An answer to the question of how middle managers in the U.S. financial industry influence IT professionals' ISPC-compliant behaviors was identified as a gap in the existing literature. The researcher's own experiences, observations, and perceptions needed to be acknowledged and set aside as part of the data to be analyzed. The researcher as the instrument requires objectivity; therefore, bracketing provided a reasonable solution. While studying bracketing methods it became clear that setting aside the experiences and preconceptions was necessary, but a decision had to be made as to whether to abandon them or consider them as part of the data collected. Tufford and Newman (2010) provided a historical account of this very topic. The researcher decided to abandon Husserl's approach of setting aside the researcher's own experiences and preconceptions in favor of Heidegger and Derrida's belief that this is not possible (Carr, 2014). Instead, the researcher's experiences, observations, perceptions, and recommendations would be used as part of the data collected if found to vary from the sample's responses. By answering the interview questions first, any existing preconceptions were identified. Early acknowledgment allowed the researcher to stay cognizant of any preconceptions and allow for an unbiased conversation with the sample participants.


Description of the Sample

IT professionals working in the U.S. financial sector were the population for the study. A call-for-participants flyer was utilized to acquire volunteers to participate in the study. A total of 27 responses were received. A prequalification call with each potential volunteer was carried out to determine whether the criteria for the study were met. Twenty-four of the volunteers met the criteria, and the informed consent was reviewed with them. Subsequently, only 15 agreed to participate in the study; two indicated that they were too busy at that time to commit to the study and asked to be contacted again if participants were still needed later. The 15 participants who agreed to participate acknowledged understanding and signed an informed consent to participate.

Participant Demographics

The fifteen sample participants fell into three categories representative of the current role held in their organization. These categories were executive leadership (EL), IT middle management (MM), and non-management (NM). The participants spanned eight U.S. states and twelve different financial sector organizations. There were nine male IT professionals and six female IT professionals who participated in the study. The participants' role category, job title, gender, and years of experience are outlined in Table 3. Table 4 displays the geographic locale and the type of business within the financial sector in which the participant worked at the time of the study.


Table 3. Study Participants

ID     Role Category         Job Title                            Gender   Years of Experience
ELP1   Executive Leadership  Chief Technology Officer             M        15
ELP2   Executive Leadership  IT Director                          M        10
ELP3   Executive Leadership  Chief Compliance Officer             F        17
ELP4   Executive Leadership  Head of Access Control               F        10
ELP5   Executive Leadership  Chief Security Architect             M        15
MMP2   Middle Manager        Information Security Manager         M        10
MMP1   Middle Manager        PCI Program Manager                  M        12
MMP3   Middle Manager        Vulnerability Assessment Manager     M        11
MMP4   Middle Manager        Information Security Manager         F        10
MMP5   Middle Manager        Risk Manager                         F        20
NMP1   Non-Management        PCI Security Engineering Consultant  M        16
NMP2   Non-Management        IT Incident Coordinator              M        10
NMP3   Non-Management        IT and Accounting Auditor            F        10
NMP4   Non-Management        Regulatory Compliance Coordinator    F        22
NMP5   Non-Management        Disaster Recovery Coordinator        M        24

Table 4. Participant Demographics

ID     State           Financial Sector Business Type
ELP1   Michigan        Banking
ELP2   New York        Investments/Stock Market
ELP3   Indiana         Payroll/Benefits Services
ELP4   North Carolina  Banking
ELP5   Michigan        Banking
MMP2   Michigan        Banking
MMP1   Michigan        Banking
MMP3   Connecticut     Banking
MMP4   New York        Banking
MMP5   Florida         Banking
NMP1   Michigan        Banking
NMP2   Florida         Payroll/Benefits Services
NMP3   Florida         Banking
NMP4   California      Banking
NMP5   Georgia         Insurance/Investments/Benefits

Method of Contact

Potential participants emailed the researcher in response to the call-for-participants flyer. Initial contact with each respondent was conducted through email. The purpose of the email was to set up a call to determine whether the respondent met the criteria for the study. During the qualification call, if the respondent met the criteria, the informed consent was sent by email to the respondent. The informed consent was reviewed with the respondent, and upon completion of the informed consent discussion, the respondent was asked if they were willing to participate. Those who chose not to participate were thanked for their time and not contacted again. Those who agreed to participate were asked to sign the informed consent and return it via email. Interview appointments were arranged through email, giving each participant an opportunity to identify the best time frame for the interview; they were then given three times to choose from that fell within the time frame they indicated. All interviews were arranged in this manner. The interviews were conducted over the phone using a call recording application on the researcher's mobile phone. Each recording was then transferred to a transcription service via an encrypted secure upload method for transcription into MS Word document format. The participant was then emailed a copy of the transcription to review and make additional comments or revisions if needed. Once returned, the transcript was saved and identified as being ready for data analysis.

Research Methodology Applied to the Data Analysis

During the design phase of this study, interview questions were developed to collect data from a purposeful sample. The questions also served as the first division for future analysis of the data. Five IT professionals from each organizational level (EL, MM, and NM) were asked

six questions. The questions were designed to explore the perceptions, experiences, observations, and recommendations of how MMs influence ISPC. The semi-structured interviews produced data that were analyzed utilizing both manual and software-driven thematic analysis.

Manual Analysis

Manual analysis began during the interviews. Keywords or phrases were jotted down into a spreadsheet, previously presented in Table 2. The keywords rendered multiple comparison points between the different organizational levels. Manual analysis and coding continued with reading and highlighting keywords and phrases, taking notes, and repeating until nothing new emerged. The manual data analysis method used closely models thematic analysis. However, the actual process of thematic analysis can be performed in several ways. Gale, Heath, Cameron, Rashid, and Redwood's (2013) paper on the framework method was a guide for the organization of the data analysis. Although the framework method is best suited for team research (Gale et al., 2013), it provided a systematic approach for both analysis of the data and documenting the data analysis process. Morgan explained that in a qualitative inquiry research study, the repetitive review of the data is an approach called the "hermeneutic circle" (2011, p. 69) and is how the researcher can ascertain meaning from the data collected. Manual analysis alone was not enough to fully analyze and compare the data. Therefore, when saturation was reached, the interview texts were uploaded into NVivo for validation and additional software-assisted analysis.


Software Assisted Analysis

The use of NVivo provided an opportunity for a deeper dive into the thematic analysis as well as improving the ability to make comparisons of the data. Executive leader (EL) interviews were queried using the interview question topics as identifiers. The same was done for MM interviews and then NM interviews. The queries included frequency of words from the coded themes previously identified in the manual analysis and duplicated in NVivo. The observations and experiences were grouped together because these responses represent the empirical, unlike the other topics, which draw purely upon perceptions. This deeper review also allowed for the identification of assumptions based on the participants' experience in the industry. The queries and groupings within each organizational level, the participants, and the topics set the frame for the software-assisted analysis. The software-assisted analysis was used to determine the differences and similarities of responses between the participants. Word frequencies along with quotes taken from the participant transcripts were compared to those of others responding to the same question from a different organizational level perspective. NVivo queries provided an easy graphical visualization of the comparisons. Table 5 outlines the topics, organizational levels, and case classifications within each topic and shows how the data were organized for the software-assisted analysis. NVivo also allowed for the compilation and organization of the data during the review of the interview transcripts. Each participant's perceptions, experiences, observations, and recommendations produced multiple coded references, also identified in Table 5. After the


coding, queries, and comparisons were completed, the data compiled from both the manual and software-assisted analysis were ready for presentation.

Table 5. NVivo Queries Based on Participant Organizational Level
Data Organization - Thematic Topics - Classifications

Name                                                            Sources  References  Case Classification
Perceived Responsibility of MM to influence ISPC behaviors        15        42       Perceptions
    EL Responsibility                                              5        14
    MM Responsibility                                              5        10
    NM Responsibility                                              5        18
MM Influence on ISPC behaviors Experienced and Observed           15       102       Empirical data
    NM Observed                                                    5        25
    NM Experienced                                                 5        23
    MM Observed                                                    5        13
    MM Experienced                                                 5         9
    EL Observed                                                    5        19
    EL Experienced                                                 5        13
Perceived Importance to improve MM Influence on ISPC behaviors    13        17       Perceptions
    NM Importance                                                  4         4
    MM Importance                                                  5         6
    EL Importance                                                  4         7
Perceived Barriers to MM influence on ISPC behaviors              15        33       Perceptions
    MM Barriers                                                    5         8
    NM Barriers                                                    5        16
    EL Barriers                                                    5         9
Recommendations for improving MM Influence on ISPC behaviors      15        47       Recommendations
    NM Improve                                                     5        23
    MM Improve                                                     5        12
    EL Improve                                                     5        12

Presentation of Data and Results of the Analysis

The research question for this study is: How do middle managers in the U.S. financial industry influence IT professionals’ ISPC behaviors? The purpose of the study was to gain a deeper understanding of how MMs influence ISPC behaviors and to add to the growing ISPC body of knowledge. Presentation of the data begins with the participants’ perceptions of the MM’s responsibility to influence ISPC behaviors, the importance of improving MM influence on ISPC behaviors, and the barriers to MM influence on ISPC behaviors. Next, the experiences and observations are presented as empirical data on how MMs influence the ISPC behaviors of IT professionals working in the U.S. financial industry. Finally, the recommendations the experienced IT professionals had for improving MM influence on ISPC behaviors are presented. Throughout the presentation of data and analysis results, extracts from two main tables will be utilized. In Appendix B, a table of the top five most frequently used words is organized by case topic. Appendix C includes a table of the representative quotations making up the empirical data. The representative quotations representing the empirical data for this study are split by participants’ organizational level group: EL, MM, and NM. The empirical data representative quotations were very lengthy; therefore, they have been provided as an appendix. Additional focused excerpts from the representative quotations of the perceptions and recommendations of the participants are provided as visual aids throughout the data presentation sections.

Perceptions

For purposes of presenting the data collected relating to the perceptions IT professionals expressed about MM influence on ISPC behaviors, this section will be split into three categorical sections. The first section will present data related to perceptions of responsibility. The second section will present perceptions of the importance of improving MM influence, and the third section presents the perceived barriers to MM influence. In each section, the three organizational levels will be represented by both word frequencies and supporting quotations from the participants. Word frequencies in the data provided the first structured glance at the perceptions the IT professionals described with regard to MM influence on ISPC behaviors. Table 6 shows an extract of the top five most frequently used words by participants when responding to interview questions about their perceptions of MM influence on ISPC behaviors. Each organizational level set is represented, and the complete interview questions are provided in Appendix A. The colored text shows shared frequently used words. For instance, any frequently used words that appeared the same in the top 5 of the MM and EL participant sets are indicated with red colored text. The frequently used words shared between MM and NM are indicated with blue colored text. In Table 6, these were the only two similarity scenarios present. A complete legend note is provided with the full table in Appendix B.


Table 6. Perceptions - Top 5 Words Used
Top 5 Word Frequency

Key Topics: Perceived Responsibility of MM to Influence ISPC Behaviors
EL-Frequency: Directly 5, Accountable 5, Understand 3, Advising 2, Enforce 2
MM-Frequency: Cheerleader 8, Ensuring 5, Enforce 4, Understand 4, Processes 4
NM-Frequency: Changes 16, Communicate 15, Handle 13, Assist 12, Deliver 9

Key Topics: Perceived Importance to improve MM Influence on ISPC behaviors
EL-Frequency: Extremely 2, Control 2, Developing 2, Informing 2, Remind 2
MM-Frequency: Changing 9, Influencing 8, Leader 7, Lasting 6, Protection 6
NM-Frequency: Measurement 6, Communicate 5, Constant 5, Factors 3, Validate 2

Key Topics: Perceived Barriers to MM Influence on ISPC behaviors
EL-Frequency: Knowledge 8, Particular 2, Continue 2, Feedback 2, Negative 2
MM-Frequency: Organization 5, Objectives 4, Enforce 3, Report 3, Operational 3
NM-Frequency: Communications 12, Operational 10, Production 9, Effective 7, Balance 7

Shared words (shown in color in the original table): EL and MM share Understand and Enforce; MM and NM share Operational.

The perceived responsibility of MM to influence ISPC behaviors. The top five frequently used words that executives used to describe MMs’ responsibility for influencing ISPC show that they perceive MMs to be directly responsible and accountable. Executives also frequently indicated that MMs must understand, advise, and enforce ISPC behaviors. Table 7 is an extract of the representative quotes taken from the EL interviews. ELP1, ELP2, ELP3, and ELP4 expressed that MMs are responsible for observing compliance behaviors, ensuring that policies and procedures are being followed, enforcement, and holding their direct reports accountable. ELP1 and ELP5 both expressed that MMs should also be involved in the development or improvement of the policies and processes. ELP5 further indicated that the MM should understand how the policies impact his or her direct reports.


Table 7. Representative Quotes – EL Perceived MM Responsibility
Representative Quotations: Executive Leaders - EL, Perceived Responsibility of MM to Influence ISPC Behaviors
"I think that’s two-fold. First of all, through observation, middle managers may observe people within their department or outside their departments who are following – or more importantly not following policies or procedures and addressed as such, either directly with the person or through management channels. The second thing they do is through their observations of how things are working, make suggestions on how to improve them." (ELP1)
"…But overall, they should be responsible for ensuring that their teams and their organizations don’t fall underneath that, are responsible for forcing and adhere to the policy." (ELP2)
"…Every single employee is responsible for complying with the policy but then the middle manager has sort of a heightened responsibility for holding his or her employees accountable." (ELP3)
"I would say that the middle managers are directly responsible for ensuring that their employees understand the policies and procedures and that they also enforce them with their employees. I think the middle manager plays a very critical role and any security policy success or failure." (ELP4)
"The middle managers I feel one, should be part of the team in which develops those policies, at least has a say in their writing as far as in getting their factor being updated. It should actually involve all levels of management. And the role of the middle manager is to understand how that directly impacts those within the more lower levels of his team in her team." (ELP5)

The MMs’ responses to the question of their responsibility to influence ISPC, shown in Table 8, indicated a varying degree of responsibility. MMP1 stated, “my job is to ensure that as we implement controls and processes and projects that we actually have solutions that meet our policies and standards.” MMP2 proclaimed himself a cheerleader while describing his responsibility to influence ISPC behaviors. MMP2 also indicated, “I don’t have any authority per se as a middle manager to enforce policies….” MMP3 described the MM responsibility to influence ISPC behaviors as “moderate,” justifying this with “...Primarily because we have a top-down culture, so I would say moderate influence”. MMP4 described the MM responsibility as very influential. She then explained that it is important that “…Management itself pays attention to how things are prescribed to the organization.” MMP4 further explained, “If you don’t follow it how do you expect others to do the same?” MMP5’s reply included a more detailed description of the MM’s responsibility to influence ISPC behaviors. She indicated that MMs should “lead by example,” be “ensuring that policies are followed,” and be “administering disciplinary actions” for noncompliance, and described it as a direct role in relation to influencing ISPC behaviors.

Table 8. Representative Quotes – MM Perceived MM Responsibility
Representative Quotations: Middle Managers - MM, Perceived Responsibility of MM to Influence ISPC Behaviors
"... My job is to ensure that as we implement controls and processes and projects that we actually have solutions that meet our policies and standards." (MMP1)
"I've become kind of a cheerleader for policy. I don't have any authority per se as a middle manager to enforce policies, so, with that in mind I can…I write them, I get them approved from our chief information security officer, but then when it comes to the enforcement, that's left typically to the direct reports or those individuals. So, now all I can do for influence is kind of become a cheerleader." (MMP2)
"Moderate, primarily because we have a top-down culture and so I would say moderate influence." (MMP3)
"I think I would describe it as very influential." (MMP4)
"So it’s the core team that sets the policy or the standards. If you don’t follow it how do you expect others to do the same? I think this is where it is important than not just a team but management itself pays attention to how things are prescribed to the organization." (MMP4)
"In a management role first and foremost influencing by leading by example certainly, also ensuring that the policies are followed on a day to day basis…" (MMP5)
"Administering disciplinary action if policies are not followed. I have a direct role, ensuring that procedures are in place these are employee based in ensuring that the policies are followed." (MMP5)


The NM participants had much more task-oriented responses. In Table 6, the top word frequencies show that the NM participants utilized words such as changes, communicate, handle, assist, and deliver. Their statements were much more comprehensive than those of the other groups when it came to describing their perceptions of the responsibilities MMs have in influencing ISPC behaviors. Their comprehensive representative responses are displayed in Table 9. NMP1 called the MM the “first line of defense,” and NMP2 similarly said, “It’s a huge part of responsibility they’re the frontline.” NMP2 also indicated that they have an impact “up and down the chain.” Participant NMP3’s perceptions included “since they have direct input with us, their role is pretty large in making sure that the policies are being followed….” She further explained that “they are also responsible for making sure that when there’s any type of training or information during different policy changes that get passed down the pipeline.” NMP3 also indicated that MMs are “held accountable” and discussed a scenario where MMs have conflicting accountabilities, such as production and compliance, and this “ends up putting a lot of stress on them.” NMP4 also described a similar scenario in which the MM must decide whether to get the job done within budget and time constraints or to follow policy to the letter. NMP4 also indicated that these types of decisions are in addition to the MM’s responsibility to communicate. Finally, NMP5 stated, “I think the middle manager has a big influence in challenging and getting their staff to think from a security perspective….” He further explained that employees get into a rut at times with, “we’ve done that way forever, and the world is changing, and there are practices that teams have that they do without really thinking about things and so the middle managers role is to or can be to get their team to think outside the normal way of doing things and are now no longer compliant with security…” NMP5 said the MM must “challenge them to think of new ways and different ways to accomplish what needs to be accomplished.”


Table 9. Representative Quotes – NM Perceived MM Responsibility
Representative Quotations: Non-Manager - NM, Perceived Responsibility of MM to Influence ISPC Behaviors
"I will consider that this group is the first line of defense. Meaning they’re directly responsible for or have direct contact with individuals who must adherence to the policy." (NMP1)
"It's a huge part of responsibility they're the frontline." (NMP2)
"You know, your biggest risk is your weakest link, and that is usually going to be a permanent employee, your entry-level employee" (NMP2)
"It’s really important role in one end even if it starts at the top, the executive level and stops or gets stagnated by the middle manager, that’s a huge level of exposure for everyone below that, if they’re not making that compliance and that strategic choice by the leadership to push and have that compliance are the center of focus of the day to day operation..." (NMP2)
"I think that's something that needs worked on together up and down the chain" (NMP2)
"I think since they have direct input with us, their role is pretty large in making sure that the policies are being followed…" (NMP3)
"They are also responsible in making sure that when there’s any type of training or information during different policy changes that that gets passed down the pipeline." (NMP3)
"They are also the go-between between us and different IT gurus if there is any issue..." (NMP3)
"I think at the end of the day managers know that they are held accountable for it, so they try to play both sides, and it ends up putting a lot of stress on them and what I’ve seen constantly is that they are trying to be both sides, and I think they end up taking a lot of the brunt and a lot of the responsibilities." (NMP3)
"I would say the middle managers responsibility in not only communication but then hard examples, this job takes 15 hours, we don’t take the data until this time, that individual, the people we have seated in those seats works eight hours and it will cost an additional three and a half to seven hours overtime for us to get this thing that’s time-constrained if we stay on sight but if we can sneak this in to their house they’ll do it for free." (NMP4)
"I think the middle manager has a big influence in challenging and getting their staff to think from a security perspective, there are so many things that we do that are kind of the tell path that we’ve done that way forever and the world is changing and there’s practices that teams have that they do without really thinking about things and so the middle managers role is to, or can be to get their team to think outside the normal way of doing things that are now no longer compliant with security and to challenge them to think of new ways and different ways to accomplish what needs to be accomplished." (NMP5)


Perceived importance to improve MM influence on ISPC behaviors. The three organizational level sets of participants did not align at all, as shown in Table 6, in the top 5 word frequencies related to the perceived importance of improving MM influence on ISPC behaviors. Unlike the perceived responsibilities, which somewhat aligned between EL and MM with words such as enforce and understand, none of the participant sets used similar words to describe the importance of improving MM influence. Even though the perceptions were described differently, most participants seemed to agree that it is very important. The EL participant responses are shown in Table 10 and range from “critical” (ELP1) and “extremely important” (ELP4) to “Yes, yes, I just don’t know how you improve their influence” (ELP3) when describing the importance of improving MM influence on ISPC behaviors. Most of the EL participants went on to reiterate the responsibilities that were important to improve. ELP1 expressed it as “… critical because they’ve sent an example in their own behavior and are in a position where they see a great deal”. ELP1 also indicated that the MM has “…the opportunity to remind people and make sure everyone is developing good habits.” ELP2 described the improvement of MM influence on ISPC behaviors as “very high in my list of things to do,” and further explained that MMs must be “on board and understanding IT control, policies, and standards to a high-level degree” to limit issues. ELP3 indicated that she thinks “all companies try to do that,” but she didn’t know how to improve the MM’s influence on ISPC. ELP4 proclaimed it was “extremely important” and added that “your middle managers are key to implementing those goals, policies, and those practices and ensuring that they become best practices….” It was noted that two of the five EL participants had identified development and implementation of policies, standards, and processes in their perception responses. ELP5 did not provide an answer regarding the importance of improving the MMs’ influence, but he stated, "I believe they do have a role in at least informing or advising their senior management to be making them aware of the implications, potential risks." ELP5 also added a comment regarding noncompliance with policy and indicated that if “the manager is doing everything within his power to promote compliance to policy then that’s an HR issue and should be taken up accordingly.”


Table 10. Representative Quotations – EL Perceived Importance to Improve MM Influence
Representative Quotations: Executive Leaders - EL, Perceived Importance to improve MM Influence on ISPC behaviors
"I think it’s critical because they’ve sent an example in their own behavior and are in a position where they see a great deal and have the opportunity to remind people and make sure that everyone is developing good habits." (ELP1)
"So, I would describe that as one as, if it’s very high in my list of things to do, because in order to truly merge IT with business, you have to have those mid managers really on board and understanding IT control policies and standards to a high-level degree. If you do not have that level of participation, you do see a lot of fall back, when it comes to meeting the regulator requirements, meeting standards and controls, understanding how they should design things, forecasting problems before they go in contractual situation, such that." (ELP2)
"Yes, yes. I just don't know how you improve their influence." (ELP3)
"I think that's all companies try to do that." (ELP3)
"…Your middle managers are key to implementing those goals, policies and those practices and ensuring that they become best practices and that they're adhered to throughout the company." (ELP4)
"…Extremely important." (ELP4)
"I believe they do have a role in at least informing or advising their senior management to be making them aware of the implications, potential risks." (ELP5)
"I mean if you've got a subordinate that is not willing to adhere to policy, and then the manager is doing everything within his power to promote compliance to policy then that’s a HR issue, and that should be taken up accordingly." (ELP5)


Middle manager perceptions on the importance of improving their influence on ISPC behaviors (representative quotes are shown in Table 11) were not all positive. For instance, MMP1 felt that it was more important to provide the MM with “proper tools and technology to easily collect and protect that data,” explaining that this would help mitigate the risk of having to weigh meeting targets against compliance. MMP2 expressed that “influence is everything” but then described it as necessary to be “respected or liked” to get buy-in. MMP3 indicated it was important due to the changing regulatory environment, and MMP5 didn’t indicate the importance but did indicate that “leading by example” would be a “positive impact.” MMP4, however, chose to explain that not all MMs were leaders and may not put in the effort to influence their teams. MMP4 further explained the influence in that position: “You are also influencing the top to make sure your employees get what they want, and you are also influencing your employees to make sure they understand what the top wants.” She completed her answer with, “I think as a middle manager you are doing more of a job than most of the other folks are, so I think it would depend on the personality and on that person, themselves" (MMP4).


Table 11. Representative Quotations – MM Perceived Importance to Improve MM Influence
Representative Quotations: Middle Managers - MM, Perceived Importance to improve MM Influence on ISPC behaviors
"I think that the challenge is giving them proper tools and technology to easily collect and protect that data so that they don’t have to get in that circumstance where they are having to weigh meeting a monthly sales goal and efficiently collect data from people and get the job done. I think technology enablers are huge. Anytime you don’t have an enabler for a middle manager then you always put them in a position of- sometimes you even look in the other way." (MMP1)
"Well, influence is everything…" (MMP2)
"when working, if I'm not respected or liked by that middle manager or that other person they can decrease their likelihood of them wanting to help enforce something that I'm trying to spearhead." (MMP2)
"It is very important to improve it primarily because rules and regulations they are a changing…" (MMP3)
"I think they should but let me say one thing; I think it also depends on the individual. So, just because you are in a middle management role doesn’t mean you are a leader. So, it depends on that person too and how much effort they are putting into influencing their team or not influencing. I also think that when you are in that position your job is also to esteem. You are also influencing the top to make sure your employees get what they want, and you are also influencing your employees to make sure they understand what the top wants. So, I think as a middle manager you are doing more of a job than most of the other folks are so I think it would depend on the personality and on that person themselves." (MMP4)
"I don’t know if it’s important to improve it, I think it’s important to make sure they have that influence." (MMP5)


NM participants also indicated that this is important and gave some insight into areas where they felt improvement was needed. The representative quotations for the NM participants are shown in Table 12. For instance, NMP1 said, “I believe there’s a weakness in this area and I believe there is also a solution.” Interestingly, NMP1, much like MMP1, mentioned tools and technology as “important elements in improving the influence of middle managers.” NMP2 agreed that it is important to improve because MMs are “the line in between the executive manager making the large strategic decisions and the majority of the employees that are acting upon stuff every day.”

Table 12. Representative Quotations – NM Perceived Importance to Improve MM Influence
Representative Quotations: Non-Manager - NM, Perceived Importance to improve MM Influence on ISPC behaviors
"I believe there's a weakness in this area and I believe there is also a solution. The use of available tools that are out there to validate if policies are being violated, frequent reviews, constant updates to upper management, key success factors, and establish accountability measurement are all important elements in improving the influence of middle managers." (NMP1)
"Yes, I do think it’s important, and so I think I said it I think it’s pretty credible and because I said they are the line in between the executive manager making the large strategic decisions and the majority of the employees that are acting upon the stuff every day." (NMP2)
"From my perspective, I think middle managers need to communicate more to the top of the situations that are truly going lower down in the chain." (NMP3)
"I would say it is important and I would also say that there needs to be, and one of the most important factors is their willingness to communicate, you will sacrifice this for that, it will cost additional cost in production or production time which is still a hard cost and then allowing management to understand that." (NMP4)
"They’re just being close to the process and the whole leading by example can really…, can really have a very positive impact on getting people to accept to change and accept being compliant with ISP." (NMP5)


NM participants 3 and 4 both indicated that it is important to improve the MM’s willingness to communicate both upward and downward. NMP4 further explained that MMs need to explain to top management the impact on production and costs, so that executives would better understand how compliance and policies can increase costs and production time. NMP5’s statement gave some indication that MM influence may not always be present. NMP5 said, "They’re just being close to the process and the whole leading by example can really…, can really have a very positive impact on getting people to accept to change and accept being compliant with ISP."

Perceived barriers to MM influence on ISPC behaviors. The last perception-related question asked the participants to describe any barriers to MM influence on ISPC behaviors. Looking back to Table 6, the top 5 word frequencies, the number one word used by ELs to describe barriers is knowledge. EL participants provided a limited amount of feedback to this question; Table 13 shows an extract of the representative quotations for EL participants and what they perceive these barriers to be.


Table 13. Representative Quotations – EL Perceived Barriers to MM Influence
Representative Quotations: Executive Leaders - EL, Perceived Barriers to MM Influence on ISPC behaviors
"There are times a more senior manager will dismiss someone’s concerns and perhaps marginalize on that and that becomes a matter of opinion at times. And often times, someone’s position and leverage can override a middle manager." (ELP1)
"Well, lack of knowledge, lack of understanding of the policies, lack of clarity, switching policies." (ELP2)
"I think that the main barrier, it’s just having them aware and educated in it." (ELP3)
"Not all executive managers are open to feedback, not all of executive leadership is open to feedback…" (ELP4)
"The only thing I can think of that comes to mind would be some kind of I guess political motivation that could influence or cause a manager to not adhere to a particular policy or to negatively...negative or noncompliance to a particular policy." (ELP5)

ELP1 indicated that one barrier to MM influence on ISPC could be that “…someone’s position and leverage can override a middle manager." ELP1 spoke of policies as if they were interpreted differently, and the interpretation could be a matter of opinion and therefore could be overridden by someone more senior. ELP2 was direct and to the point, stating that the barriers were, “Well, lack of knowledge, lack of understanding of the policies, lack of clarity, switching policies." ELP3 also agreed that a barrier could be “…having them aware and educated in it” when referring to policies and influencing compliance. ELP4 and ELP5 aligned with ELP1’s perception that a senior leader could be a barrier. ELP4 mentioned a barrier that “Not all executive managers are open to feedback, not all of the executive leadership is open to feedback…” and ELP5 spoke of “political motivations” as a barrier.


MM participants did not show alignment with EL participants when it came to the top 5 frequently used words to describe barriers to their influence on ISPC behaviors, as illustrated in Table 6. MM participants spoke more about organizational culture, production goals, and resistance to change. Table 14 provides the representative quotations from the data on MM perceived barriers to influencing ISPC behaviors. MMP1 spoke of the challenge related to the ways in which MMs are compensated. MMP1 stated, "I think the challenge there is sometimes even the middle managers are incentivized to meet deadlines or sales goals or things like that and if they don’t have the technology to allow them to easily and 100% securely handle certain types of data, they may choose to take some risk." MMP2 identified his lack of authority “…to enforce anything outside of my own direct reports." MMP3 spoke of tenure and of credence being given to one person over another with regard to influence level. The conversation was very much like ELP1’s statement that interpretation of policy can produce a difference of opinions and an MM can be overridden by a superior. MMP4’s and MMP5’s responses were more geared toward culture and human nature. MMP4 indicated that “…sometimes it’s the culture or the subcultures within an organization or the way a manager perceives certain things…” and further explained that there are many variables that could be a barrier. MMP5’s description was all about “human nature” and being “resistant to change.” MMP5 concluded by stating the barrier could be that people “…get set in their ways they like doing things a certain way.”


Table 14. Representative Quotations – MM Perceived Barriers to MM Influence
Representative Quotations: Middle Managers - MM, Perceived Barriers to MM Influence on ISPC behaviors
"I think the challenge there is sometimes even the middle managers are incentivized to meet deadlines or sales goals or things like that and if they don’t have the technology to allow them to easily handle certain types of data 100% securely, they may choose to take some risk." (MMP1)
"The barrier for me that I face is I just don't have any authority as a middle manager to enforce anything outside of my own direct reports." (MMP2)
"So, my only way to enforce anything is through cheerleading and through reaching out to the manager of the direct report in question, and then I hope they enforce it. And then it really depends on whether or not they feel it's important or not." (MMP2)
"So just because of that tenure, they are given more credence than the person who is asking that report." (MMP3)
"Yes, there absolutely is. I think that the workload, sometimes it’s the culture or the subcultures within an organization or the way a manager perceives certain things or doesn’t perceive certain things and their working styles. I think there are a lot of things that can come into play when you talk about how middle managers would not be able to influence certain department or sub-department and things like that." (MMP4)
"...Its human nature I think to be resistant to change unless you’re very change-oriented person. And in the general population probably I think most people are resisting to change not necessarily unprocessed, they get set in their ways they like doing things a certain way." (MMP5)

NM participants provided multiple insights when describing their perceptions of the barriers to MM influence on ISPC behaviors. The set produced a frequently used word match with MMs but not with EL participants. This does not, however, mean that they didn’t point out similar barriers. See Table 15 for the representative quotations of the NM participants asked to describe the barriers to MM influence on ISPC behaviors. NMs spoke of operational goals, inadequate training, and communication challenges. NMP1 stated, “middle managers require certain knowledge, skills, and characteristics to address these challenges." NMP2 called out two different barriers, both of which were identified in previous sections on perceived responsibilities of MM influence. NMP2 brought up the need for having the right resources and “capabilities there” so operations are not impacted. He also indicated that a barrier is that MMs “should have more say in that policy and how it’s developed.” NMP3 simply stated that a barrier lies with the MMs themselves, indicating that “I’ve seen middle management who don’t have respect to compliance to try to work around it.” NMP4 indicated that executive managers could be part of this problem, in that they need an understanding “…of a balance between security and production.” Finally, NMP5 introduced a variable not yet identified by other participants at any organizational level. NMP5 talked about "physical proximity, our company is comprised of teams that are global, and often the manager does not sit with their staff, they’re across the world…". This participant seemed very certain, stating that this barrier can make it hard for the manager to “actively coach their staff.” NMP5 summed up the question and all the things discussed by stating, “I guess the whole area of security is a challenge that’s changing; standards are becoming more stringent so for the manager to stay aware of it and keep their staff thinking about it, it becomes a way of doing your job, and it’s just something that has to be done."


Table 15. Representative Quotations – NM Perceived Barriers to MM Influence
Representative Quotations, Non-Manager - NM Perceived Barriers to MM Influence on ISPC behaviors

"I have seen some challenges – maybe we can call it a barrier - absolutely. They include inadequate trainings, and insufficient awareness and onboarding programs, and ineffective communications attempts. In addition, middle managers require certain knowledge, skills, and characteristics in order to address these challenges." (NMP1)

"The barrier would be I guess the resources or having the capabilities there and not slow down the operational work too much." (NMP2)

"They should have more say in that policy and how it’s developed. I would say from my experience that’s something that’s undervalued to the day to day operational input in security procedures and when they’re designed and developed." (NMP2)

"I’ve seen middle management who don’t have respect to compliance to trying to work around it. My middle managers now, the ones that I work directly for, they are exactly the opposite, but that does cause us to have holdups. They won’t react because we do that, the person that’s next to me won’t get a late fee for submitting a report because they found a workaround and just went with it." (NMP3)

"I think that there has to be a balance and understanding of executive managers of a balance between security and production…" (NMP4)

"Physical proximity, our company is comprised of teams that are global and often times the manager does not sit with their staff, they’re across the world so consequently the practices that might creep in terms of badge use or other things." (NMP5)

"That nature could creep in, and that’s a barrier in the sense that the manager can actively coach their staff." (NMP5)

"I guess the whole area of security is a challenge that’s changing; standards are becoming more stringent so for the manager to stay aware of it and keep their staff thinking about it, it becomes a way of doing your job, and it’s just something that has to be done." (NMP5)

84

Empirical Data

The experiences and observations provided by the participants were handled as the empirical data for this study. These data, drawn from the responses describing what the participants have observed and experienced regarding MM influence on ISPC behaviors, directly answer the research question for this study. The remainder of this section is organized by participant sets, where the sets are the organizational levels the participants represent. Table 16 shows the top 5 words frequently used when describing the experiences and observations of MM influence on ISPC behaviors. The word frequently used by both EL and MM participants (controls) and the words frequently used by both MM and NM participants (changes, directly) are marked in the table. Note, no shared words were seen between EL and NM.

Table 16. Empirical Data – Top 5 Words Used
Key Topics: MM Influence on ISPC behaviors - Experienced and Observed

Top 5 Word Frequency
EL-Frequency: Actively 14; Controls 11 (shared with MM); Requirements 11; Developing 10; Attitude 9
MM-Frequency: Drive #; Changes # (shared with NM); Organization #; Directly # (shared with NM); Controls # (shared with EL)
NM-Frequency: Communicate 29; Changes 25 (shared with MM); Coaching 24; Directly 21 (shared with MM); Leading 19

Executive leaders. The EL participants frequently described MMs as active when recounting their experiences and observations of how MMs influence ISPC behaviors. EL participants also frequently talked about controls and requirements in their descriptions. The MMs’ attitude and their role in developing policy and processes were also frequently mentioned. Each EL participant, however, had varied levels of experience and observation of MM influence on ISPC behaviors. Appendix C includes the representative quotations for the five EL participants. Each EL participant was asked to describe their experiences and observations of MM influence on ISPC behaviors. Participant ELP1 described experiences and observations of MMs contributing to the development of the processes that enforce policies. ELP1 also indicated that the MM observes “existing practices, policies, and procedures” and often will “make suggestions to strengthen that policy or procedure.” In one example provided by ELP1, he indicated it was the responsibility of the MM to be the point of contact and investigator of possible noncompliance events if these pointed to his business unit. In the example, ELP1 explained, “I’ve seen instances for example where a network team monitoring sees a heavy outflow of information to what appears to be a destination, personal email accounts; raising that as a question through the IT risk group, so the business unit can investigate and make sure that it’s a true business use and not anything that’s outside of policy." ELP2 explained, “I do see them reaching out when they do have to meet these regulatory requirements, and say hey, I read it this way, but how is that interpreted and how is that align with our current risk framework.” However, ELP2 explained further that, until the requirements that must be followed are called out to the MM, “…they are a bit more worried about making the business go and making the business successful and achieving the goals of the business." ELP2 continued by pointing out that MMs are not measured on compliance but on business goals and performance: “So, at the end of the day, regulatory requirements and adherence to those standards and controls are last on the list, until you have to meet them for project-related need or related regulatory needs."


ELP3 explained that she has seen how “attitude and culture” play a role in how MMs influence ISPC behaviors. She explained that some MMs carry on as if compliance is not a “high priority,” and others “…that may harp on it or talk about it a lot and wave it all the time.” ELP3 concluded that example by stating, “So I wouldn't say it's anything direct, it's more about just attitude, demeanor, culture and the way they behave in terms of have I been influenced by people that I report to." Finally, ELP3 explained,

I think people in my team or other teams, I've seen people call out or call to the attention of other people, higher people or people that could help them they say, "Hey. Look, this happened today. What should I do?" or "I don't think this is right, I saw this happening. What should I do now?" or something like that. (ELP3)

ELP4 explained that,

I have a very strong team of middle managers, and they give regular, we have bi-weekly meetings, and they give regular feedback on ways we could improve, things we can do differently, things we should tighten up, so they definitely have an impact on me and the policies that we write and design. (ELP4)

She further indicated that her MMs are often proactive, coming to her about observations that could be the beginning of compliance issues to “sort of nip things in the bud, I guess you would say before they might get out of hand" (ELP4). This EL participant also indicated instances where one MM does not take compliance as seriously as another, and that can be seen as a negative influence on their direct reports. The final EL participant, ELP5, described a scenario similar to the one ELP1 described in regard to responding to noncompliance. ELP5 explained,

For instance, monitoring if detection or if anything was detected or if an employee decided to do something outside of policy or not in compliance with a policy that the manager would then kind of want to bring that to the attention of the employee, working with senior management to determine the necessary course of action. (ELP5)

ELP5 concluded by saying,

So, there is also an upside to where a manager can hear or at least enforce or significantly influence adherence to a particular policy where they're either doing it in the form of guidance, in the form of oversight, I guess direct involvement. (ELP5)

It was clear that the EL participants had seen and experienced MM influence on ISPC behaviors in both a positive and a negative manner.

Middle managers. The MM participants also provided several examples of MM influence on ISPC behaviors from their experiences and observations. Table 16 shows the top 5 words MM participants most frequently used to describe these experiences and observations. The word controls was seen in the top 5 most frequently used words for both MM and EL participants. The words changes and directly were seen in the top 5 most frequently used words for both MM and NM participants. There were no top 5 frequently used words matching between NM and EL participants. MMs’ descriptions of the MM influence on ISPC behaviors they experienced and observed also frequently included words such as drive and organization. All five MM participants provided examples of experiences and observations of MMs influencing ISPC behaviors. Not all five of the MM participants provided examples of what they personally do to influence ISPC behaviors. MMs provided the largest amount of data on this topic. It was interesting to note that MM participants provided the least data on this topic. For instance, Table 5, found earlier in this chapter, shows the number of references per topic retrieved from the raw interview data. The term references is synonymous with the pertinent quotations collected from the interviews for each participant and organized in the data analysis framework by topic and organizational level. The MM participants provided 22 references while EL participants provided 32 references. The NM participants exceeded both with 48 applicable references. An overview of the applicable references the participants provided is explored further in Chapter 5.

Appendix C details the representative quotations from the MM participants when asked to describe their observations and experiences of MM influence on ISPC behaviors. MMP1 provided examples of actual tasks of validating compliance by explaining, “there’s a lot of focus on checking that we had lock desk, clean desk policies and things like that and managers did check on it, and they took action with their employees when they didn’t lock up.” MMP1 added, “Sometimes we did walkthroughs and looked for passwords written underneath things and stuff like that.” MMP1 expressed further, “from my experience here I think the managers are taught pretty well to establish a consistent guideline through the yearly training and security awareness” (MMP1). He also indicated that security IT professionals did not need as much oversight as IT professionals in other areas because “security people are a little bit more aware and self-aware of the requirements” (MMP1). MMP2’s responses gave the impression that his role in influencing ISPC behaviors was quite limited. MMP2 stated, “The only thing I've observed is kind of same thing that I'm able to do. It's just the reminders, it's our weekly one on ones with those individuals, trying to drive home cheerleading for those policies and procedures.” He further explained that there are small things he can do, such as sending an email on the person’s computer if they forgot to lock it, and then for worse violations perhaps putting the individual on a performance improvement plan (PIP). MMP2 further explained,

If they're on a PIP come bonus time, they don't get their bonus… I would hate to see an individual go on a PIP because they can't keep their desk clean or they have sensitive information out on their desk, and then we do have a clean desk policy and data classification, and that kind of falls into our yearly system's standards of conduct that every employee has to sign. (MMP2)


MMP3’s descriptions were also very minimal in the content of what he experienced and observed. Other than annually reviewing policies, MMP3 indicated that they just “remind each other.” MMP4 had a bit more to describe and provided an example:

if it’s a clean desk policy and the person is not doing or following the policy, then my job is to make sure that they do and have a conversation with them and try to understand from their perspective why it wasn’t done, and I just make sure they understand why it is important to the organization and why it needs to be done. (MMP4)

MMP4 further explained that there had been multiple occasions, not just related to the clean desk policy but to other policies as well, where, as she stated, “So as a manager you just need to make sure they understand and again why it is important to the organization and why it needs to be done. There have been several instances like that.” MMP4 expressed the importance of understanding the policies and why we adhere to them, explaining, “You know everybody has a different level of understanding. If you are trying to talk to somebody in technical terminologies that are not in IT, they may not necessarily understand what is being said and why it’s important.” MMP5 provided multiple examples of MM influence both experienced and observed. One of the examples she provided was related to an observation of another manager. MMP5 explained,

I worked with a manager who she had a lot of employees who were overweight, and again this is back in the day but would bring in fans, and somebody brought in a coffee pot, a lot of electronic equipment that could cause fires, cause issues to implement to the policy. She identified the need that that was going to be an issue and implemented a policy whereby it said we are not allowed to bring in anything unapproved that was electronic to be used at the desks. (MMP5)

It was clear that this participant had experienced and observed MM influence through involvement with developing processes to meet policy. Another example provided by MMP5 was an example of her own actions taken.


I initiated, and it sounds really simple but at the time it wasn’t and the big change, I implemented a process where everyone has a shred box at their desk, and at the end of every day they would empty the shred box, and we arranged at the time for the first time to have locked shred bins within each team, within each floor because we were running multiple floors at that particular site. We were able to ensure that PII and the like was not left under for years on end. (MMP5)

However, MMP5 concluded her description with an explanation that MMs will often seek out help from policy owners or risk teams to gain a better understanding of the policies and how they relate to the work they are doing. This aligns with MMP4’s indication that understanding is important.

Non-managers. As previously shown in Table 16, NM participants used two of the same top 5 frequently used words as the MM participants did. Directly and changes were used to describe both experiences and observations of MM influence on ISPC behaviors. Other words within the top 5 frequently used words list used by NMs when describing MM influence included communicate, coaching, and leading. The NM participants provided many insightful examples of what they experienced and what they observed. The representative quotations taken from the NM participant interviews are outlined in Appendix C.

Recommendations

The last question asked of each participant was designed to gather their recommendations for how to improve MM influence on ISPC behaviors. Each participant had at least one or two key recommendations for improving MM influence on ISPC behaviors. Table 17 is an extract of the top 5 frequently used words identified in the participants’ recommendations during data analysis. Only one word was shared between the participant sets: communicate was frequently used by both EL participants and NM participants. In this section, the recommendations described by the participants are organized by organizational level in the same manner as the previous data presentation sections, beginning with the EL participants’ recommendations, followed by the MM participants’ recommendations, and concluding with the NM participants’ recommendations for improving MM influence on ISPC behaviors.

Table 17. Recommendations – Top 5 Words Used
Top 5 Word Frequency
Key Topics: Recommendations for Improving MM Influence on ISPC behaviors

EL-Frequency: Actively 11; Communicate 10; Knowledge 8; Talking 6; Processes 5
MM-Frequency: Changes 16; Organization 10; Directly 8; Report 7; Understand 7
NM-Frequency: Measurement 6; Constant 5; Communicate 5; Factors 3; Validate 2

Executive leaders. Table 17 reflects the top five words most frequently used by the EL participants as they described their recommendations for improving MM influence on ISPC behaviors. EL participants expressed that MMs should be actively involved in ISPC; they frequently talked of the MM’s role to communicate and frequently mentioned talking, knowledge, and processes. For instance, ELP1 summed it up with the following statement:

I think just being active – I think they need to stay educated about what's happening and what these practices are and why. And actively be looking at that, talking to other employees, to peers – even to more senior managers and trying to help them understand the value of any security protocols in place and being vocal and heard. (ELP1)

This was the only recommendation provided by ELP1; however, the majority of the remaining EL participants also indicated that education and awareness would help MMs improve their influence. Table 18 is an extract of the EL participants’ recommendations for improving MM influence on ISPC.


Table 18. Representative Quotations – EL Recommendations for Improving MM Influence
EL - Representative Quotations, Recommendations for Improving MM Influence on ISPC behaviors

"I think just being active – I think they need to stay educated about what's happening and what these practices are and why. And actively be looking at that, talking to other employees, to peers – even to more senior managers and trying to help them understand the value of any security protocols in place and being vocal and heard." (ELP1)

"A couple of recommendations, first of all they recommend and they partner with strategically with an IT technical resource from either IT risk, IT compliance or IT audit, truly make sure they are adhering to all the governance risk and compliances, so you have a good understanding of foundational concepts of information security policy..." (ELP2)

"And I think lastly, having that open level of communications with those managers and being willing to truly communicate what they don’t know, I mean in a day, they no questions or dump questions really getting those managers to really step out of their shells on their business environment to reach out across the organization and to the technology partners and really ask those questions that they may be circle to ask in either a group setting or a setting where they may have influenced by their manager." (ELP2)

"Yeah. I think structuring the training in a tiered way I think would help. Maybe if you're trying to improve the influence or improve the influence that the middle manager has, maybe you need to set up your training in that sort of a tiered way." (ELP3)

"I think it would motivate them if you incentivize them to get the knowledge themselves, so they can impart it and also to be held accountable to imparting it. I don't necessarily love that but personally, but I think that would have the effect of increasing their influence." (ELP3)

"I think that you have to get their buy-in, in order for them to…they have to believe it and they have to have the support of executive leadership because if they do not have support from executive leadership, if their executive leadership does not consider it a priority, then other things are going to take priority over security and compliance." (ELP4)

"So, I think that it's very important that they have the support of their executive leadership and that it’s kind of reviewed on a regular basis, to ensure that we're following the correct practices going forward and that it's important to the company. It has to be important at the very top level for it to succeed all the way down through the ranks." (ELP4)

"I think would improve I believe the only thing I could say is awareness and practicing what you preach and making it a part of the daily activities as opposed to something that they have to do. It needs to be the way they do things integrated into their processes. Yes, they need to set an example." (ELP5)


ELP2 recommended that the MM strategically partner with an

IT technical resource from either IT risk, IT compliance, or IT audit, truly make sure they are adhering to all the governance risk and compliances, so you have a good understanding of foundational concepts of information security policy.... (ELP2)

ELP2 also indicated that the MM must communicate better if they do not understand and must ask more questions. ELP3 simply indicated that better training for the MM would be helpful and said, “I think it would motivate them if you incentivize them to get the knowledge themselves, so they can impart it and also to be held accountable to imparting it.” ELP4 indicated that MMs must believe in ISPC and must have support from leadership if they want to improve, stating,

If their executive leadership does not consider it a priority, then other things are going to take priority over security and compliance. It has to be important at the very top level in order for it to succeed all the way down through the ranks. (ELP4)

ELP5 gave one response, stating,

I think would improve, I believe the only thing I could say is awareness and practicing what you preach and making it a part of the daily activities as opposed to something that they must [sic] do. It needs to be the way they do things integrated into their processes. Yes, they need to set an example. (ELP5)

Middle managers. As shown in Table 17, MM participants frequently used the words changes, organization, directly, report, and understand when describing ways to improve MM influence on ISPC behaviors. Most of the MM responses mentioned elements of organizational culture. Specifically, human nature was identified as needing change or improvement. For instance, MMP1 talked about providing a manager’s course and acquiring technology to collect compliance-related data. He indicated that the course should,

Educate [sic] them on the capabilities of some of the technology that would enable them to efficiently collect and protect data; some of the secure email channels and some of the other channels that data can be collected in. (MMP1)

Table 19 shows an extract of the representative quotations from the MM participants’ interviews. MMP2 made some interesting points in relation to the organizational hierarchy when responding to the recommendations question:

Well, I think it's based on the position of that person on the organizational chart. And I feel it depends on that middle manager who they report to. So, I'm fortunate I report to the chief information officer, so I directly report to a C level. But I know some middle managers report to maybe a VP, a few more tiers. We're little bit flatter for organizational chart. (MMP2)

So, I have that benefit so it's easy for me too because if well, someone doesn’t like something I can go to the CSO, and very easily get some backing behind from a high level. But I know not everyone has that convenience that I have. (MMP2)

When asked how that is a recommendation for improvement, he indicated that the MM needs to have that backing. MMP3 described a scenario where the culture of the organization could be a problem, for instance in a “geographically dispersed” organization that was built from mergers or acquisitions. He further elaborated the following:

We are geographically dispersed. So, we are not in the same city or state and so if Leader 1 brought in most of his friends, half of his direct reports and half of them, I wouldn’t say half. I would a large number of 250 personnel organization at least 50 of them came from Company B. So, it is very hard to break that culture. Very hard to break that culture. That’s the one that comes to my just attention daily. (MMP3)

MMP3, however, did not make a recommendation as to how to fix the issues he faced; he only indicated that the organizational culture type was a challenge. Both MMP4 and MMP5 expressed that the MM’s awareness, understanding, and demeanor towards the policies were where attention should be given. Both similarly indicated that the MM himself must not be “resistant to change” (MMP5) and must “understand it” (MMP4) well enough to have an influence on their employees. Overall, the MMs provided insight into organizational culture, education, and leadership support as subjects of their recommendations for improving MM influence.

Table 19. Representative Quotations – MM Recommendations for Improving MM Influence
MM - Representative Quotations, Recommendations for Improving MM Influence on ISPC behaviors

"I think targeting a manager’s course and with those behaviors can or should be, providing certain types of testing opportunities and then providing results back like phishing exercises and things like that, see that people’s email selection behavior is understood and when people don’t get it that they get an opportunity to help them understand instead of where the real phishing attack with some of the different trusting type tools that they have." (MMP1)

"And educating them on the capabilities of some of the technology that would enable them to efficiently collect and protect data; some of the secure email channels and some of the other channels that data can be collected in." (MMP1)

"Well, I think it's based on the position of that person on the organizational chart. And I feel it depends on that middle manager who they report to. So, I'm fortunate I report to the chief information officer, so I directly report to a C level. But I know some middle managers report to maybe a VP, a few more tiers. We're little bit flatter for an organizational chart." (MMP2)

"So, I have that benefit so it's easy for me too because if well, someone doesn’t like something I can go to the CSO, and very easily get some backing behind from a high level. But I know not everyone has that convenience that I have." (MMP2)

"Yeah we can improve their visibility, and that’s a tough one because unless the culture changes and everyone has as much of a say in protecting those innovations, it’s equal and it is unequal." (MMP3)

"In my company, we have people primarily from the same external company, here is the example, if Leader came from, he didn’t come from Company A [sic], as example. If he came from Company B [sic], half of his direct reports he brought in with him from Company B [sic]. They, in turn, brought in people from Company B [sic]. So, unless hired by that club you don’t carry as much influence or weight. If they are hard to bring it as well." (MMP3)

"We are geographically dispersed. So, we are not in the same city or state, and so if Leader 1 [sic] brought in most of his friends, half of his direct reports and half of the, I wouldn’t say half. I would a large number of 250 personnel organization at least 50 of them came from Company B [sic]. So, it is very hard to break that culture. Very hard to break that culture. That’s the one that comes to my attention daily." (MMP3)


Table 19. Representative Quotations – MM Recommendations (Continued)
MM - Representative Quotations, Recommendations for Improving MM Influence on ISPC behaviors

"When it comes to compliance for a middle manager I think it is important for them to one, understand how the compliance affects them and their team and two, how can they make it so – yes, it is a compliance, but it doesn’t have to be another task that you have to do. And I am going to speak only from the perspective of an Information Security person. I think that we have tons of policies that we need to comply with, but that does not mean that every time there is compliance it becomes another task to add on to. The influence that a middle manager can have on an employee is for them to at least understand it and make sure they can have the same impact on their employee. So, the employee or the direct reports understand that yes, it is compliance but it’s not -- I think it really depends. I think it depends on the person too and the manager himself." (MMP4)

"Making sure that they themselves are not resisting to change, are not portraying being resisting to change. They for example when a change in policy comes down or say a change in procedure comes down, you’re having to do information security, you’re having to do with anything for that matter, not the role of the FTEs which sighting people do, not the role that oh my gosh [sic], another change, another thing from management and all that. Definitely, leading through that kind of example being positive about change and also whining why the change is important. I think communication is absolutely key to leading change and ensuring compliance." (MMP5)

Non-managers. Continuing with the trend, NM participants provided more descriptive recommendations for improving MM influence on ISPC behaviors. The NM and EL participants both frequently used the word communication. Other frequently used words among the top 5 words used by NMs were measurement, constant, factors, and validate. Table 20 illustrates the representative quotations within NM participant responses to the request for recommendations to improve MM influence on ISPC.


Table 20. Representative Quotations – NM Recommendations for Improving MM Influence
NM - Representative Quotations, Recommendations for Improving MM Influence on ISPC behaviors

"Definitely the review of tools available that will validate the compliance, so the process can be automated as much." (NMP1)

"I will definitely stress the need for training of middle managers to better understand capabilities of these automated tools, and how to communicate and report results to upper management and employees. In addition to automated tools, middle managers should have adequate sponsors, budget, and resources in order to effectively influence policy compliance efforts." (NMP1)

"I will say training is needed for everyone, but the training for middle managers has to be specialized rather than generic. Generic training does not address specifically enough how to address these policy issues. Generic is simply too generic." (NMP1)

"My recommendation to what I see is… I say like training is a thing you just have to have as consistent on and off for middle managers, it may have it even have to think of the middle management little more, you know, you got to yell it across the board to some extent..." (NMP2)

"I also would see things like is compliances as important as we talk about it is and that important to the overall business as we relate to the plan or role either appliances or major breaches or things along that line there needs to be something I think is under the evaluated most companies is the monetary value would do that and then having a way to gauge compliance at even middle manager, not just the executive level, but even the middle manager level will have kind of financial impendence to take them to vast topic upon. I think especially the business world in general money is usually the biggest single motivator; I think it’s kind of like putting your money where your mouth is kind of scenario when it comes to security." (NMP2)

"The part of your bonus potential came from level of compliance like usually, bonus potential is usually on how the business does purely financially and because of the compliance is sometimes very hard to establish the exact monetary value… but you know, there are certain things you can know, like if you’re not compliant, first of all, you can lose customers, right, which can be a much bigger value than that small amount of bonuses which make people taking clients." (NMP2)


Table 20. Representative Quotations – NM Recommendations (Continued)
NM - Representative Quotations, Recommendations for Improving MM Influence on ISPC behaviors

"I think communication. I think communication across the board. I think compliance and security has been so drilled down, the policy has also been drilled down, but I think the communication on how to get it done would be my recommendation. Don’t just hand someone a policy and go, “Here’s the policy, go follow it.” Explain what you should do if you can’t follow the policy if you get held up, you know what I mean?" (NMP3)

"Educating about the policy is assuming that everything is in the policy; it is more of educating on what you do on a scenario that’s not in the policy." (NMP3)

"I think policy needs to be updated pretty much every time you have a system change or a system update. Multiple companies that I’ve worked at that’s never happened and the when something goes wrong because it hasn’t been updated, it’s all to the middle managers to figure out, “Okay, what do we do now?” I think sometimes communicating to us, the lower people and up to the top, like for example if someone fails to follow a policy and it’s not updated, that should be instantly communicated to the people who are responsible for that system." (NMP3)

"The highest it can be that the overriding goal is to get what I need now I have to get what I need in a reasonable manner of time-related to the constraints, labor, get security and then once you create that environment a middle manager can communicate that, until executives access that and don’t make production the number one priority." (NMP4)

"I think most importantly is communicate, we don’t get the data here and making senior management aware of what it really takes to accomplish certain goals, if we’re going to eradicate all printed material what is the negative output of that, not just well rounded discussions that educate all parties, that’s what’s good with everyone listening, that’s what changes the world certainly. Sometimes those two goals can come in conflict, production, and protection." (NMP4)

"I think making it a regular or a periodic topic at team meetings is always helpful, to talk to the team about what challenges they have, what suggestions they have, what issues they might be running in to, particularly if that team may be involved with other people they work with to ensure that standards and practices and policies are being followed." (NMP5)

"Let’s talk about the earlier suggestion other than to keep it in front of their staff to remind them certainly the middle manager is present then they should act upon issues they see in terms of coaching or taking whatever action is needed but it’s difficult in personal case because my manager is 5,000 miles away." (NMP5)


NMP1 recommended improving the training for MMs by making it “specialized rather than generic” and further explained, “Generic training does not address specifically enough how to address these policy issues. Generic is simply too generic.” NMP1 also indicated that perhaps automation of the tasks used to validate compliance would help, recommended training, and explained that expressing the importance of compliance in a monetary way may also improve the MM’s influence.

The part of your bonus potential came from level of compliance like. Usually, bonus potential is usually on how the business does purely financially and because of the compliance is sometimes very hard to establish the exact monetary value… but you know, there are certain things you can know, like if you’re not compliant, first of all, you can lose customers, right, which can be a much bigger value than that small amount, of bonuses which make people taking clients. (NMP2)

NMP2 interestingly described this as a “putting money where your mouth is kind of scenario” when wrapping up his response. NM participants P3, P4, and P5 each recommended that the MMs’ communications should be improved. They indicated that the MM is key to communicating the policies and changes in those policies both upward and downward. NMP3 shared:

I think sometimes communicating to us, the lower people and up to the top, like for example if someone fails to follow a policy and it’s not updated, that should be instantly communicated to the people who are responsible for that system. (NMP3)

NMP4 explained:

I think most importantly is communicate, we don’t get the data here and making senior management aware of what it really takes to accomplish certain goals if we’re going to eradicate all printed material what is the negative output of that. Not just well-rounded discussions that educate all parties, that’s what’s good with everyone listening, that’s what changes the world certainly. Sometimes those two goals can come in conflict, production, and protection. (NMP4)

Finally, NMP5 recommended:

I think making it a regular or a periodic topic at team meetings is always helpful, to talk to the team about what challenges they have, what suggestions they have, what issues they might be running in to, particularly if that team may be involved with other people they work with to ensure that standards and practices and policies are being followed. (NMP5)

Summary

In Chapter 4, a presentation of the data collected for the study on MM influence on ISPC behaviors of IT professionals working in the U.S. financial industry was provided. Tables 6, 16, and 17 displayed extracts of the participants’ top five most frequently used words when responding to the interview questions, organized by topic and participant organizational level. The complete table is provided in Appendix B. It was noted that there were some shared frequently used words between NM and MM, MM and EL, and NM and EL. However, not one word was frequently used across all three participant groups. The representative quotations were not all of the data collected but key descriptions and examples that were pertinent to the study and directly reflected the way in which the participants described their perceptions, observations, experiences, and recommendations. The research question was answered directly by the empirical data collected from the sample participants. The core assumption of the study, that MMs influence ISPC behaviors, was found to be appropriate based on the results. The answer to how MMs influence ISPC behaviors of IT professionals in the U.S. financial industry was identified as actively observing, reminding, communicating, and some involvement in suggesting improvements and developing processes that meet the requirements of the policy. Overall, the tasks reported were very similar across the sample; however, there were some variances in the participants’ perceptions of the responsibility of the MM to influence ISPC. The biggest variance existed between the MM participants’ responses and those of the EL and NM participants.

The researcher found the difference in the amount of data referenced within each organizational level set of participants interesting. It was noted that more usable data were obtained from the NM participants and the least usable data were obtained from the MM participants. Another notable statement, “…two goals can come in conflict, production, and protection…”, came from a recommendation from NMP4 and warrants further consideration. The presentation of the data and analysis produced multiple examples of MM influence on ISPC behaviors as well as descriptions of the perceptions of the participants. Upon completion of the analysis and presentation, the data have been determined to be ready for comparison, summarization, and interpretation.


CHAPTER 5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS

This chapter begins with a summary of the results, starting with the empirical data collected that directly answered the research question. The summary of results continues with the perceptions of the participants, followed by the recommendations for improving MM influence on ISPC behaviors. The following sections include a discussion of the results and the conclusions made based on the results. A comparison of the findings with the theoretical framework and the previous literature follows, covering the theories and variables identified as applicable in the literature review. The remainder of the chapter includes a discussion of the limitations, the implications of the study, and the recommendations for further research. Chapter 5 concludes with a summary of this dissertation and the conclusions made.

Summary of the Results

In Chapter 4 the data and the results of the data analysis were presented. In this chapter, a summary of the results is presented. It is important to understand that the purpose of this study was to develop a better understanding of how MMs influence ISPC behaviors of IT professionals working in the U.S. financial sector. A gap was found in existing literature linking MMs to influencing ISPC behaviors, even though they were known to have a strong influence on the success or failure of strategic initiatives (Barton & Ambrosini, 2013; Jansen et al., 2014). In today’s financial sector multiple regulatory guidelines are imposed, and many risks are present. The opportunity for malicious intent is both profitable and common according to recent breach statistics (IBM, 2016; Verizon, 2016). Researchers and practitioners both indicate that employees pose one of the biggest risks to an organization (Bulgurcu et al., 2010; Chen et al., 2012; Guo et al., 2011; Myyry et al., 2009). Information security policies, procedures, and processes are implemented to protect an organization’s assets, and the employees are responsible for following these. These factors make ISPC research significant to both scholars and practitioners. Existing literature indicated that variables such as organizational culture, security awareness, and leadership support and involvement were crucial to ISPC (Chen et al., 2012; Filatotchev & Nakajima, 2014; Hu et al., 2012). Newer research by Han, Kim, and Kim (2017), which similarly looked at the topic of ISPC behaviors by exploring the constructs of psychological contract theory on ISPC, also produced results showing security awareness and organizational culture as important variables. Similarly, a study by Yazdanmehr and Wang (2016) links social norms to ISPC behaviors and subsequently to organizational culture variables such as ethical climate. The results of this study, the existing literature, and the still growing body of knowledge indicate that ISPC is still a current problem.

Discussion of the Results

The discussion of the results of this study of how MMs influence ISPC behaviors of IT professionals working in the U.S. financial sector is split into three sections. It begins with the empirical data collected. The empirical data directly answer the research question by providing real experiences and observations of the IT professionals from the U.S. financial industry. Next, the perceptions described by the participants as they relate to the perceived responsibility of MMs to influence ISPC, the perceived importance of improving this influence, and the perceived barriers to this influence are discussed. Finally, the section ends with a discussion of the recommendations provided by the participants for improving MM influence on ISPC behaviors.


Empirical Data

Upon review of the empirical data collected from the 15 participants, it was determined that the core assumption of this study was correct. The core assumption, that MMs also influence ISPC behaviors since they were known to influence strategic initiative acceptance, was supported by multiple examples from the observations and experiences of the participants. Each participant group (EL, MM, and NM) provided examples of actions that MMs take, such as advising, reminding, and communicating. The examples given by the participants can be divided into three categories: actions, behaviors, and communication. Table 21 lists the ABCs of how MMs influence the ISPC behaviors of IT professionals working in the U.S. financial industry. Next to each entry, the organizational level group that identified the item is listed. The first category, actions (A), describes tasks the participants described the MMs doing to influence ISPC. The second category, behaviors (B), covers behavioral examples from the participants’ experiences and observations of MM influence on ISPC. The third category, communication (C), was split out from the actions category because it was common to all levels and was determined to be a key category. The EL participants described more actions experienced and observed of MM influence on ISPC than either the MM or NM participants did. EL participants also indicated that the MMs were involved in policy development. MMs did not indicate any involvement in development other than making suggestions for improvement. The link that MMs and NMs described to the policy was helping to ensure the processes and procedures they were responsible for were meeting the policy requirements and making recommendations to improve or align.

Table 21. The ABC(s) of MM Influence on ISPC Behaviors

Actions | Identified by
investigate anomalies in compliance | EL
assist in the development of policy | EL
assist in the development of processes to support policy | EL
guidance, oversight of employees | EL
monitoring - walkthroughs, checks, police | MM
complete annual training - validation direct report completion | MM
discipline, PIP, discuss performance | MM
train direct reports on policy, importance, and its relationship to the role | NM
develop ways for the department to be compliant, processes, procedures | NM

Behaviors | Identified by
stress about protection vs production | NM
understand the policy and why it is important | MM
follow tone from the top | MM
depend on audits to validate compliance | NM
set an example, attitude, and practice | EL

Communications | Identified by
discuss policy, up and down | EL
suggest improvements upward | EL, MM
ask questions to understand policy and impact | EL
reminders, meetings, one2one, team | EL, MM
cheerleading for policies | MM
communicate policy, changes, and gaps | MM
communicate, talk about policy often | NM
general coaching | NM

NM participants identified multiple stressors for the MM in relation to compliance. However, EL participants did not express anything other than that MMs lead by example through their attitude and practice. NMs indicated that MMs regularly struggle with a dilemma described as production versus protection. NM participants have experienced this struggle first hand and explained that MMs are incentivized for meeting operational goals, not compliance. NM participants explained that there are sometimes gaps in the processes and procedures developed to comply with policy, and these gaps can slow down operational tasks. This puts added stress upon the MM by putting them in a position to decide whether to bypass the policy to get the job done and correct it later, or to fail to meet deadlines and immediately address the issue. MM participants described minimal actions involved in influencing ISPC. They do not feel empowered to enforce policy for anyone other than their own direct reports and describe their role as cheerleading or policing. This conflicts directly with the EL participants’ experiences and somewhat aligns with the NM participants; however, the NM participants look to MMs to be the subject matter experts and have experienced MMs who have been active in developing procedures to meet policy requirements. Overall, the experiences of the different levels were quite different. The MMs clearly did not themselves have the same experiences or observe the full engagement that the EL and NM participants described. Overall, the research question was answered clearly by the ABCs listed in Table 21. The assumption that MMs do influence ISPC behaviors is valid. The clear differences in the descriptions of how MMs influence ISPC between the MM group and the other two groups, EL and NM, were somewhat surprising. This indicates that somewhere there is a disconnect, and perhaps exploring the perceptions from these groups would help to better identify why there is such a discrepancy in these experiences and observations.

Perceptions

EL participants expressed their perceptions of MM influence to be multi-faceted. They believe the role of MMs is not only to observe and correct but to provide feedback to EL and make suggestions for improvements. The EL participants all indicated that the MM is responsible for the compliance of their employees. The EL participants who did not indicate seeing first hand that MMs are involved in the development of policy did indicate that this is how they perceived the MMs to be involved. The EL participants’ perceptions of the responsibility of MMs to influence ISPC behaviors had a direct correlation with the descriptions of the experiences and observations that the EL participants had given. It is important to note in this case that they were asked first to describe their perceptions prior to being asked to describe their experiences and observations. Even if they had not experienced or observed MMs involved in the development of policy, they still perceived them as having that responsibility. All EL participants perceived improving the MM influence on ISPC behaviors as tremendously important; however, one expressed frustration with determining how to improve the MM influence. The barriers the EL participants perceived were directly related to organizational culture characteristics and insufficient knowledge and awareness. Organizational factors were also a barrier identified by MM participants. Insufficient knowledge and awareness were included in the NM participants’ descriptions of barriers to MM influence on ISPC behaviors. MM participants’ perceptions of their responsibilities were somewhat different from those described by the EL participants. The only real alignment with the EL participants’ perceived responsibilities of MMs was in the area of observation and correction. MMs indicated that it was their role to monitor compliance among their direct reports; however, they did not perceive that they had any authority to influence anyone outside their team. MMs did agree that it was important to improve but spoke more of the barriers; however, one MM explained that not every MM has leadership qualities. MMs perceived several barriers to their influence on ISPC behaviors. They spoke of the need for tools to make monitoring compliance more efficient. They also spoke of factors that indicated organizational culture as a barrier. One MM described an organizational culture built upon multiple businesses merging or acquiring other businesses. He indicated that this type of business could introduce bias, making the outsider less likely to get the attention or support needed in regards to influencing ISPC. Another IT middle manager spoke of human nature and resistance to change. MMs vaguely touched on the conflicts of operational goals versus compliance requirements, unlike the NM participants, who mentioned it frequently. The NM participant group gave a large amount of information regarding their perceptions of the responsibility of MMs in influencing ISPC behaviors. NM participants perceived the MM to be on the frontline of the compliance battle. NM participants even acknowledged themselves as the weak point in security. NMs indicated that, other than observing and correcting compliance issues, the MM was the communication link between them and other areas. The NMs also indicated that it was important to improve the influence on ISPC behaviors that the MM has. The NMs had some interesting perceived barriers they shared during the interviews. Some aligned with both the MM and EL perceptions of the barriers to MM influence on ISPC behaviors. NMs’ and ELs’ perceptions aligned around training. They agreed that the barriers included insufficient awareness. NMs also talked about the need for appropriate tools for monitoring compliance, which aligned with the MMs’ perceptions. At the top of the list for NMs, however, was the conflict between operational goals and compliance requirements. The NMs recommended that balance was needed and that the gaps in policies needed to be addressed as well.

Recommendations

Recommendations aligned very well with the perceptions of responsibilities of and barriers to MM influence on ISPC behaviors. This held true through all three organizational level groups of participants. ELs recommended that the MM be better educated, create strategic partnerships with the security and compliance teams, and keep communications open and flowing across, up, and down the organization. MMs, however, spoke more about the tools needed to allow them to monitor better and about getting leadership support, in addition to training and communication. The organizational culture was mentioned in the leadership support improvements, such as equalization of perceived input and removing favoritism or bias. NM participants recommended better training and explained that specific training was needed to help the MM better understand the association between the policies and their goals. MMs also mentioned this understanding of policy and how policy impacts the day-to-day operations to reduce the impact of meeting goals. One NM participant took that a bit further by recommending that compliance be treated as an incentivized goal just as operational goals are. The NMs also expressed the training and awareness needs of the MM to help them understand and identify gaps that could impact operations and resolve them proactively instead of reacting after they become an issue.


Conclusions Based on the Results

The first conclusion based on the results of this study was the successful identification of how MMs influence ISPC behaviors of the IT professionals working in the U.S. financial industry. This conclusion is based on the empirical data collected from 15 IT professionals working in the U.S. financial industry. The actions, behaviors, and communications were identified in Table 21, The ABCs of MM Influence on ISPC Behaviors. Although the list is minimal, it is definitive that MMs influence ISPC behaviors. The next conclusion is based on the minimal list of actions, behaviors, and communications that were identified by the participants. The conclusion is that the MMs’ influence on ISPC behaviors is not fully developed. The core assumption that because MMs play a vital role in strategic initiatives (Jansen et al., 2014), they also influence ISPC behaviors, is a valid assumption. However, the results of this study do not indicate that the MM influence on ISPC behaviors is as fully developed as their influence on strategy. The last conclusion made based on the results came from the differences in perceptions and experiences of the MM participants and the other participant groups, EL and NM. It appears that the MM does not have a clear picture of the expectations of leadership and does not feel empowered to influence ISPC behaviors as much as NM employees perceive them to.

Comparison with Theoretical Framework and Previous Literature

Previous literature has identified four theories that were frequently applied to ISPC behavioral research. A review of the four theories and how they fit with the results of this study is presented. Multiple variables were also identified in the previous literature. These variables were found to be either ISPC predictors or factors that influence ISPC behaviors. A review of the variables identified in previous literature is also presented in this section.

Applicable theory alignment. Protection motivation theory (PMT) was the first of the four theories reviewed in existing literature. This theory’s elements of threat appraisal and coping appraisal (Ifinedo, 2012) were not immediately apparent in the experiences, observations, and perceptions collected from the study participants. However, a deeper evaluation of the behavior identified as a struggle between production and protection could very well be associated with PMT. It was pointed out that there are no incentives for protection, only for production, which limits the threat appraisal to the threat of not meeting production goals and receiving the incentive. Clearly, this is an imbalance that, if PMT were the only theory applied, would always weigh heavily on production over protection. The next theory reviewed was psychological contract theory (PCT). This theory has recently been directly linked to ISPC by researchers (Han et al., 2017). PCT concerns relationships and the obligations that develop because of those relationships. In the instance of MMs and their direct reports, each would have developed expectations of the other based on the type of relationship and even the social norms, or in this case the organizational culture, that exist. Han et al.’s (2017) study successfully linked ISPC influence to psychological contracts within an organization. The participants in this study described their observations and experiences with MM influence on ISPC behaviors. The perceptions of responsibility, importance to improve, and barriers the participants provided included items that the participants had not observed or experienced first hand. For instance, an EL perceived that a middle manager should be involved in the development of policy but did not report that role when describing what he or she had observed or experienced. This could be considered one of the expectations the EL developed because of the relationship with the MM. PCT can be used to understand the differences between the perceptions and empirical data for this study. The next applicable theory reviewed in existing literature was the theory of planned behavior (TPB). This theory, described simply, is concerned with intent. Sommestad et al. (2015) did not accept that understanding intent alone could predict ISPC. MM influence on ISPC behaviors could be impacting intent to comply; however, this study on MM influence did not explore intent. The NM participants, however, all expressed concern for ISPC, leading the researcher to perceive that it was their intent to comply. Therefore, TPB could have been considered in the analysis of data for this study if the purpose had been to study intent to comply, but it was determined to be out of scope for this study. Finally, the fourth theory explored in the literature review was general deterrence theory (GDT). This theory has deep roots in research; however, recent studies typically combine GDT with other theory constructs when exploring influence and motivations (Chen et al., 2012; Johnston et al., 2015; Lebek et al., 2014). The only alignment discovered within the results of this study was identified by the MMs’ responsibility to deal with noncompliance. An example given by one of the MMs was that they would use a performance improvement plan (PIP) on repeat offenders; this process includes making the employee ineligible for any possible raise or bonus incentives until the PIP has been resolved. The four theories reviewed were identified in existing literature as those used most frequently in ISPC research (Hu et al., 2012; Lebek et al., 2014). For this study on MM influence on ISPC behaviors, PCT and GDT were the only theories that could be directly used to explain some of the findings identified. The other known variables found in existing literature, however, were predominantly seen throughout the data collected.

Alignment with variables in existing literature. Three key ISPC influencing variables were identified during the literature review in preparation for this research study. First, organizational culture was identified in existing literature as a key influencer of ISPC behaviors, with multiple studies supporting its importance. Next was security awareness; this variable is, of course, a logical one. Many researchers and experts indicated that security awareness could influence ISPC behaviors (Bulgurcu et al., 2010; Knapp & Ferrante, 2012; Tsohou et al., 2015). The final key influencing variable reviewed in existing literature was top management influence. In this study of MM influence on ISPC behaviors, top management is synonymous with executive leaders and coded as EL. Organizational culture was brought up by several participants in an indirect way. When asked about the barriers to MM influence on ISPC behaviors, all three participant groups included responses that were linked to elements of their organization’s culture. Previously, in the literature review for this study, multiple elements of an organizational culture, such as values, assumptions, norms, and others, were listed. Some barriers mentioned by the participants directly relate to the elements of organizational culture. For example, an EL participant pointed out that some leaders are not open to feedback, and an MM participant mentioned the unspoken bias between groups that merged or joined an acquiring organization together. An NM participant indicated that the global status of her organization was a barrier due to the distance of the MM’s location from their direct reports. Each example given touched on elements of the organizational culture such as assumptions, values, and norms. Therefore, this study supports the existing literature that indicates organizational culture has an influence on ISPC behaviors. Existing literature identifies security awareness activities as a way in which the elements of organizational culture can be influenced to improve ISPC behaviors (Paulsen & Coulson, 2011). The security awareness body of knowledge is vast. There are frameworks and choices of delivery method, as well as supervisory authority regulations requiring annual compliance training at the minimum. Existing literature, however, does show a positive correlation between security awareness and improved compliance (Bauer, Bernroider, & Chudzikowski, 2017). The results of this study showed that both the EL participants and the NM participants recommended better security awareness training for MMs. EL participants explained the importance of MMs understanding the policies and the impact they have on business. NM participants expressed that perhaps MMs should have more specialized security awareness training. One MM participant indicated, during his descriptions of his observations and experiences, that he was trained well by his company through the annual required training. Later this same participant recommended that better training should be provided to MMs. One other MM also included training in her recommendations. The other MM participants presented more concern for organizational culture elements and leadership backing and support. The final key variable explored in existing literature was that of top management influence. Existing literature links leadership commitment and participation to successful ISPC (Andreisova, 2016; Barton et al., 2016; Hu et al., 2012). EL participants in this study provided very little information regarding their role in MM influence on ISPC behaviors, except for the MM role to communicate upward. MM participants and NM participants, however, did indicate the importance of the tone from the top. MM participants provided descriptions of taking issues to leadership to acquire support when needing extra backing to drive compliance. Therefore, the interpretation of the results of this study supported the existing research indications of the importance of leadership commitment and participation.

Interpretation of the Findings

Previously, three conclusions were made based on the results. The first conclusion was based on the interpretations of the empirical data. The research question of how MMs influence ISPC behaviors of IT professionals working in the U.S. financial industry was directly answered by the empirical data collected from the participants. Hierarchical differences were seen in the empirical data, in other words, in the experiences and observations of the participants. It was useful to collect the perceptions of the participants to get a better view of these differences. The same hierarchical differences were seen within the responses on perceptions of responsibility, importance, and barriers. The researcher sought to rationalize these differences by going back to existing literature and exploring the applicability of existing theory. The MM participants aligned with some of the perceptions of responsibility of the EL participants, mostly in the area of observing, ensuring, and enforcing ISPC behaviors. Their experiences and observations similarly align. But EL participants perceived the MM to have an active role in the development of policies and those processes designed to align with policy. The EL participants even stated that they had experienced and observed this first hand. The fact that MM participants neither perceived, observed, nor experienced this role in development led to the search in existing literature.

A recent study by Han et al. (2017) described the link between PCT and ISPC influence, which was helpful in developing an interpretation for this discrepancy. PCT is based on the psychological perceptions and expectations formed in a relationship. This would explain the discrepancies in perceptions of responsibility between the EL and MM participants. An earlier study by Taylor and Brice (2012) pointed out a common assumption of executives: that once policies are in place and available to the organization, they are being followed. This finding from the Taylor and Brice (2012) study could also explain the differences in perceptions of the EL compared to the MM and NM participants. The MM participants provided the lowest volume of usable data in their responses for all question topics: perceptions, empirical data, and recommendations. Figure 2 reveals the percentage of usable data provided by each participant level set. The NM (IT professional) participants provided the greatest percentage of the usable data for this study. Usable data are the data that were coded and analyzed as pertinent to the question the participant was asked, minus any nonrelevant comments. The EL participants' pertinent data came in just slightly above the volume of data provided by the MM participants. The NM participants were very eager to talk about the shortcomings, their observations, and their perceptions of MM influence on ISPC behaviors. This difference in the volume of feedback provided, together with the researcher's perception that the MMs and ELs struggled more with the questions and required more explanation and probing questions, led to the interpretation that perhaps the MMs' influence on ISPC was underdeveloped.

Figure 2. Percentage of Usable Data Provided by Participant Group

This underdevelopment interpretation was also supported by the multiple recommendations from the participants at all levels that MMs needed more specialized training on ISPC. A conflicting condition was also brought forward in the data: MMs often dealt with a dilemma of production versus protection. This indicates that the underdeveloped role of MMs in influencing ISPC rests not only on the MMs' shortcomings but also on the executives. Clear identification of expectations of the MM in relation to ISPC, and appropriate training on ISPC for the MMs, are needed to better prepare the MM to influence ISPC behaviors.

Limitations

The limitations previously identified in Chapter 1 of this study were directly related to the limitations of the sample and the method of purposeful sampling used. For this dissertation study, it was necessary to use a purposeful sample with specific criteria to ensure that the participants would be able to provide experienced responses to the interview questions designed to answer the research question. This limitation was mitigated by the specific criteria developed for the study, such as years of experience working in the U.S. financial industry. The study could have benefited from a larger set of participants in the EL and NM categories in order to increase the volume of usable data retrieved from those two participant sets. This study, although well suited to an exploratory qualitative design, could also be done using a case study approach or even a Delphi methodology. This would allow for a discussion and a deeper dive into those differences in perceptions and experiences. One of the things that could be done differently is to make sure that each organizational level had a participant from one organization. This study was limited to only two participants from one organization, to avoid introducing bias based on organizational culture. However, after analysis, it was clear that the study could have been improved by having three participants from the same organization, one at each level and even within the same reporting line, to identify whether the discrepancies between the experiences and perceptions presented in the results would persist.

Implications for Practice

There are three specific areas for which implications for practice were recognized. First, MMs and NMs indicated that the MM would benefit from tools to automate monitoring and analytics. Next, ELs and NMs indicated communications as important to MM influence on ISPC. There was a clear gap between what was perceived and what was experienced across all hierarchical levels of participants. Communications, especially around expectations, could improve this issue. Finally, based on the results, there should be more specialized training for MMs to better prepare them for influencing ISPC behaviors.

Tools to Aid MMs

Results of this study indicated that the MM participants expressed the need for better tools to perform their responsibility of ensuring policies are being followed. All three participant groups identified, in their perceptions and first-hand experiences, that MMs ensure that policy is being followed by observing and monitoring. MMs indicated that tools to help with this would be beneficial to them. The MMs also mentioned that understanding those tools that already exist is important. Since this was also presented as a recommendation for improvement, it would be a valid implication for practice. EL participants expected the MMs to be involved in the development of policy and process design. But MMs did not describe that task as part of their perceived or experienced MM influence on ISPC behaviors. The MMs did, however, overflow with descriptions of policing, observing, monitoring, and correcting. Perhaps this indicates that the MMs are so busy with monitoring that they do not have the capacity to participate in the development tasks. Providing automation or tools to allow the MM to monitor compliance more effectively and efficiently could free up more time for the MM to get more involved in those development activities. This involvement could also improve communications regarding business requirements and policy constraints.

Improving Communications of the MM

Communication of perceptions of MM responsibilities in relation to ISPC should be explored. Communication was clearly an expectation of all participants, regardless of which level set they were in. It was clear the NM participants depend upon MMs to provide information about changes in policy. It was also clear that ELs depend upon MMs to provide feedback on those policies and processes designed to bring business processes into compliance. However, MM communication requirements were not identified by the MM participants. The lack of alignment around the communication responsibilities of the MM should be addressed. Each level did indicate that there were some topics that were important for the MM when considering their influence on ISPC behaviors: NMs need to know about changes; ELs need to know about any issues or shortcomings of the controls and processes; and NMs need more clearly defined expectations from leadership in regard to influencing ISPC. Perhaps training could improve the MMs' effectiveness in this area. It is much easier to communicate something if you have an understanding of it. Otherwise, there could be an opportunity to negatively influence ISPC.

Training

Both existing literature and the results of this study support the importance of security awareness training in ISPC (Bauer et al., 2017; Brown, 2013; Tsohou et al., 2015). NM and EL participants of this study recommended it to improve MMs' influence on ISPC behaviors. The implication for practice would be to provide specialized security awareness training for MMs. Determining what training is needed would need to be explored. According to the results of this study, training should include the organization's policies. This could help the MM understand the policies and give them the knowledge needed to apply the policies to the business processes. It is, of course, unreasonable to consider a training program that reviews the entire information security policy library of an organization. But teaching the MM how to understand the policy, how to identify the key deliverables that relate to his or her business processes, and whom to go to for support on policy alignment would indeed help the MM to meet some of the EL and NM expectations. Training could also help to identify the EL's position on production versus protection and lessen this burden of decision identified by participants.

Recommendations for Further Research

Two areas of recommendations are discussed in this section. First, the recommendations developed directly from the data are presented. Second, the recommendations to investigate issues that were brought to light by the study are presented. The first area of recommendations, developed directly from the data, is related to the commonly identified need for specialized training for MMs, and to a deeper exploration of the tools that MMs claimed were needed to meet the expectations that ELs identified as part of MMs' responsibility. The next topic recommended for further research is to explore the differences in perceptions seen between the different organizational levels of the participants, as well as the production versus protection issue that was identified.

Recommendations Developed Directly from the Data

Further research on how to provide appropriate training to MMs that will improve their influence on ISPC behaviors is recommended. Existing literature such as that by Humaidi and Balakrishnan (2015), Olusegun and Ithnin (2013), and Bauer et al. (2017) indicates the importance of security awareness as well as specialization of the security awareness program to the varied levels of users. However, the research is limited and does not clearly identify how, and what specifically, should be included that would indeed help prepare the MM to influence ISPC. It was identified in the results of this study that MMs felt they needed tools to help them with tasks such as monitoring, observing, and ensuring their direct reports are complying with the security policies. Further research is recommended in this area to identify what tools are available and how they would help the MM become more effective in this area. There are multiple monitoring tools that organizations implement, but typically these are utilized by security or governance teams. Exploration of the feasibility of MMs utilizing the existing tools, or of the costs of providing MMs these types of tools, could also be an area where further research could be done to build a case for additional tools to be provided.

Recommendations Developed from Issues Identified

Two main issues arose during the analysis of the data from the participants. The first, which became immediately apparent when reviewing and comparing the data from the different hierarchical levels of participants, was that there were clearly discrepancies in experiences, observations, and perceptions between the ranks. Further research to understand these differences and how to align these groups better would be beneficial to organizations. For that matter, further research could be done to identify whether the alignment is indeed needed to improve ISPC. Finally, the issue that was brought to light during this study was identified as a dilemma of production versus protection that impacts MMs' influence on ISPC behaviors. The data indicated that MMs are measured on their performance in meeting operational or production goals. Often this measurement leads to incentives such as an annual bonus or raises. Further research should be done to determine whether adding compliance to the measurement and performance rating would help better balance this production versus protection issue. Further research should be done to identify the impact this dilemma really has on ISPC and whether it is an issue that, if addressed, could be beneficial to improving ISPC.

Conclusion

The purpose of this study was to gain a better understanding of how MMs influence ISPC behaviors of IT professionals working in the U.S. financial industry. The core assumption was that MMs do influence ISPC behaviors because they are already known to influence strategic initiatives. The study provided empirical data that described the way in which MMs influence ISPC behaviors. This was presented as a list of the actions, behaviors, and communications that the participants described from their first-hand experiences and observations. Additional questions were asked of the participants to describe their perceptions and their recommendations for improving that influence. These additional questions were important to the researcher in particular, as the researcher's own career is in the U.S. financial industry and a recent career pathway has presented the need to improve the researcher's own influence on ISPC behaviors. The exploratory qualitative methodology allowed the researcher to utilize semi-structured interviews to explore the participants' experiences, observations, perceptions, and professional recommendations for improving MMs' influence on ISPC behaviors. The data analysis was thematic, and findings were determined through inductive reasoning. Besides directly answering the research question by positively identifying how MMs are influencing ISPC behaviors, several other issues arose that implicate the need for further research. Those areas included the hierarchical differences in the results as well as the identified dilemma MMs face in weighing production versus protection goals. The researcher identified several implications for practice, including developing an activity to identify the expected differences between hierarchical organizational levels. The researcher will explore this further in the researcher's own organization. Another implication for practice identified the need for specialized security awareness training for MMs to better prepare them for influencing ISPC. Existing literature provided multiple theories that were applicable to ISPC, as well as the importance of leadership participation, organizational cultural factors, and security awareness. The literature review allowed the researcher to identify a gap related to MM influence on ISPC. Even though existing literature indicated that MMs play a vital role in strategic initiatives in an organization (Barton & Ambrosini, 2013; Döös et al., 2015), the researcher did not find in existing literature a direct link between MMs and influencing ISPC. This study was designed to add to the existing body of knowledge on ISPC and address this gap. The study results have provided empirical data that describe how MMs are influencing ISPC behaviors of IT professionals in the U.S. financial industry and can be considered a contribution to filling the gap identified in existing literature.


References

Agostino, D., Arena, M., & Arnaboldi, M. (2013). Leading change in public organisations: The role of mediators. Leadership & Organization Development Journal, 34(7), 596-615. Retrieved from http://dx.doi.org/10.1108/LODJ-12-2011-0123
Ajzen, I. (2012). The theory of planned behavior. In P. A. Van Lange, A. W. Kruglanski, & E. T. Higgins (Eds.), Handbook of theories of social psychology: Volume 1 (Vol. 1, pp. 438-459). London: SAGE Publications Ltd. doi:10.4135/9781446249215.n22
Ajzen, I., Joyce, N., Sheikh, S., & Cote, N. G. (2011). Knowledge and the prediction of behavior: The role of information accuracy in the theory of planned behavior. Basic & Applied Social Psychology, 33(2), 101-117. doi:10.1080/01973533.2011.568834
Alfawaz, S., Nelson, K., & Mohannak, K. (2010). Information security culture: A behavior compliance conceptual framework. AISC '10 Proceedings of the Eighth Australasian Conference on Information Security, Brisbane, Australia, 105, 47-55. Retrieved from http://dl.acm.org/citation.cfm?id=1862275
Alhogail, A., & Mirza, A. (2014). A framework of information security culture change. Journal of Theoretical & Applied Information Technology, 64(2), 540-549. Retrieved from http://www.jatit.org/volumes/Vol64No2/30Vol64No2.pdf
Alt, R., & Puschmann, T. (2012). The rise of customer-oriented banking - electronic markets are paving the way for change in the financial industry. Electronic Markets, 22(4), 203-215. doi:10.1007/s12525-012-0106-2
Andreisova, L. (2016). Building and maintaining an effective compliance program. International Journal of Organizational Leadership, 5(1), 24-39. doi:10.19236/IJOL.2016.01.03
Anti-Phishing Working Group (APWG). (2013). Phishing activity trends report: 4th quarter 2012. Retrieved from http://docs.apwg.org/reports/apwg_trends_report_Q4_2012.pdf
Aronson, D. H. (2013). SEC rule changes signal new regulatory environment for private securities offerings. Corporate Finance Review, 18(2), 13-22. Retrieved from http://www.bergersingerman.com/media-room/october-2013-corporate-finance-reviewsec-rule-changes-signal-new-regulatory-environment
Barton, K. A., Tejay, G., Lane, M., & Terrell, S. (2016). Information system security commitment: A study of external influences on senior management. Computers & Security, 59, 9-25. Retrieved from http://dx.doi.org/10.1016/j.cose.2016.02.007
Barton, L. C., & Ambrosini, V. (2013). The moderating effect of organizational change cynicism on middle manager strategy commitment. International Journal of Human Resource Management, 24(4), 721-746. doi:10.1080/09585192.2012.697481

Barton, T. L., Shenkir, W. G., & Walker, P. L. (2009). ERM: The evolution of a balancing act. Financial Executive, 25(10), 10-14. Retrieved from http://www.financialexecutives.org/KenticoCMS/Financial-ExecutiveMagazine/2009_06/[email protected]#axzz424UMaXEX
Bateh, J., Thornton, B., Arbogast, G. W., & Farah, J. E. (2015). Social awareness and global concern for sustainability initiatives in the financial sector. Journal of Business Studies Quarterly, 7(1), 71-76. Retrieved from http://jbsq.org/wpcontent/uploads/2015/09/September_2015_7.pdf
Bauer, S., Bernroider, E. W. N., & Chudzikowski, K. (2017). Prevention is better than cure! Designing information security awareness programs to overcome users' noncompliance with information security policies in banks. Computers & Security, 68(Supplement C), 145-159. Retrieved from https://doi.org/10.1016/j.cose.2017.04.009
Bennett, M. (2013). The financial industry business ontology: Best practice for big data. Journal of Banking Regulation, 14(3-4), 255-268. doi:10.1057/jbr.2013.13
Brown, J. (2013). Creating an ERM culture requires people. Financial Executive, 29(3), 61-63. Retrieved from http://www.financialexecutives.org
Brown, T. (2015). A primer on data security. The CPA Journal, 85(5), 58-62. Retrieved from https://www.nysscpa.org/news/publications/the-cpa-journal/issue
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523-A527. Retrieved from http://dx.doi.org/10.2753/MIS07421222290305
Cannoy, S. D., & Salam, A. F. (2010). A framework for health care information assurance policy and compliance. Communications of the ACM, 53(3), 126-131. doi:10.1145/1666420.1666453
Carr, D. (2014). The paradox of subjectivity: The self in the transcendental tradition. New York: Oxford University Press Inc.
Chanda, R., & Zaorski, S. (2013). Social media usage in the financial services industry: Toward a business-driven compliance approach. Journal of Taxation & Regulation of Financial Institutions, 26(5), 5-20. Retrieved from https://www.ici.org/pdf/13_seclaw_03.pdf
Chaudhry, P. E., Chaudhry, S., & Reese, R. (2012). Developing a model for enterprise information systems security. Economics, Management & Financial Markets, 7(4), 587-599. Retrieved from https://www.addletonacademicpublishers.com/contents-emfm


Chen, Y., Ramamurthy, K., & Wen, K. (2012). Organizations' information security policy compliance: Stick or carrot approach? Journal of Management Information Systems, 29(3), 157-188. doi:10.2753/MIS0742-1222290305
Chen, Y., Ramamurthy, K., & Wen, K. (2015). Impacts of comprehensive information security programs on information security culture. The Journal of Computer Information Systems, 55(3), 11-19. Retrieved from http://www.tandfonline.com/loi/ucis20#.Vq53uVnZz5f
Christian, J. S., & Ellis, A. P. J. (2014). The crucial role of turnover intentions in transforming moral disengagement into deviant behavior at work. Journal of Business Ethics, 119(2), 193-208. doi:10.1007/s10551-013-1631-4
Chu, A. M. Y., Chau, P. Y. K., & So, M. K. P. (2015). Explaining the misuse of information systems resources in the workplace: A dual-process approach. Journal of Business Ethics, 131(1), 209-225. doi:10.1007/s10551-014-2250-4
Conyon, M., Judge, W. Q., & Useem, M. (2011, September). Corporate governance and the 2008-09 financial crisis. Corporate Governance: An International Review, 19(5), 399-404. doi:10.1111/j.1467-8683.2011.00879.x
Cook, M. (2015, October 26). Big data means big business for banks. Arkansas Business, 32(43), p. 12. Retrieved from http://www.arkansasbusiness.com/
Cook, S. S., Probert, D., & Martin, S. (2009). The lived experience of information technology workers with Sarbanes Oxley compliance responsibilities. Journal of Global Business Issues, 3(1), 23-31. Retrieved from http://www.jgbi.org
Corley, K. G., & Gioia, D. A. (2011). Building theory about theory building: What constitutes a theoretical contribution? Academy of Management Review, 36(1), 12-32. doi:10.5465/AMR.2011.55662499
Crossler, R. E., Long, J. H., Loraas, T. M., & Trinkle, B. S. (2014). Understanding compliance with bring your own device policies utilizing protection motivation theory: Bridging the intention-behavior gap. Journal of Information Systems, 28(1), 209-226. doi:10.2308/isys-50704
Culhane, D. (2014). Regulations impacting corporate actions and best practices for implementation. Journal of Securities Operations & Custody, 7(1), 36-41. Retrieved from https://www.henrystewartpublications.com/jsoc/v7
D'Arcy, J., & Greene, G. (2014). Security culture and the employment relationship as drivers of employees' security compliance. Information Management & Computer Security, 22(5), 474. Retrieved from http://dx.doi.org/10.1108/IMCS-08-2013-0057


D'Arcy, J., & Herath, T. (2011). A review and analysis of deterrence theory in the IS security literature: Making sense of the disparate findings. European Journal of Information Systems, 20(6), 643-658. doi:10.1057/ejis.2011.23
D'Arcy, J., Herath, T., & Shoss, M. K. (2014). Understanding employee responses to stressful information security requirements: A coping perspective. Journal of Management Information Systems, 31(2), 285-318. doi:10.2753/MIS0742-1222310210
Darwin, C. (1872). The expression of the emotions in man and animals. Retrieved from http://darwin-online.org.uk/content/frameset?pageseq=3&itemID=F1142&viewtype=text
Döös, M., Johansson, P., & Wilhelmson, L. (2015). Beyond being present: Learning-oriented leadership in the daily work of middle managers. Journal of Workplace Learning, 27(6), 408-425. Retrieved from https://doi.org/10.1108/jwl-10-2014-0077
Etzioni, A. (2013). Compliance theory. In E. H. Kessler (Ed.), Encyclopedia of management theory (Vol. 2, pp. 133-134). Thousand Oaks, CA: SAGE Publications Ltd. doi:10.4135/9781452276090.n41
Fakhri, B., Fahimah, N., & Ibrahim, J. (2015). Information security aligned to enterprise management. Middle East Journal of Business, 10(1), 62-66. Retrieved from http://dx.doi.org/10.5742/MEJB.2015.92601
Filatotchev, I., & Nakajima, C. (2014). Corporate governance, responsible managerial behavior and corporate social responsibility: Organizational efficiency versus organizational legitimacy? Academy of Management Perspectives, 28(3), 289-306. Retrieved from https://doi.org/10.5465/amp.2014.0014
Filbeck, G., Gorman, R., & Zhao, X. (2011). SOX and the regulated firm. Journal of Accounting and Public Policy, 30(6), 526-550. Retrieved from http://dx.doi.org/10.1016/j.jaccpubpol.2011.03.002
Flores, W. R., Sommestad, T., Holm, H., & Ekstedt, M. (2011). Assessing future value of investments in security-related IT governance control objectives -- Surveying IT professionals. Electronic Journal of Information Systems Evaluation, 14(2), 216-227. Retrieved from www.ejise.com/issue/download.html?idArticle=773
Gabriele, E. F. (2003). The Belmont ethos: The meaning of the Belmont principles for human subject protections. Journal of Research Administration, 34(2), 19-24. Retrieved from https://srainternational.org/journal-research-administration-archives
Gale, N. K., Heath, G., Cameron, E., Rashid, S., & Redwood, S. (2013). Using the framework method for the analysis of qualitative data in multi-disciplinary health research. BMC Medical Research Methodology, 13(1), 1-8. doi:10.1186/1471-2288-13-117


Gebrasilase, T., & Lessa, L. F. (2011). Information security culture in public hospitals: The case of Hawassa Referral Hospital. African Journal of Information Systems, 3(3), 72-86. Retrieved from http://digitalcommons.kennesaw.edu/ajis/vol3/iss3/1
Godlove, T. (2012). Examination of the factors that influence teleworkers' willingness to comply with information security guidelines. Information Security Journal: A Global Perspective, 21(4), 216-229. doi:10.1080/19393555.2012.668747
Goel, L., Hart, D., Junglas, I., & Ives, B. (2016). Acceptable IS use: Conceptualization and measurement. Computers in Human Behavior, 55, Part A, 322-328. Retrieved from http://dx.doi.org/10.1016/j.chb.2015.09.029
Gonzalez, R., Llopis, J., & Gasco, J. (2013). Information technology outsourcing in financial services. Service Industries Journal, 33(9/10), 909-924. doi:10.1080/02642069.2013.719888
Goodyear, L., Barela, E., & Jewiss, J. (Eds.). (2014). Research methods for the social sciences: Qualitative inquiry in evaluation: From theory to practice. Somerset, NJ: Wiley.
Guo, K. H., Yuan, Y., Archer, N. P., & Connelly, C. E. (2011). Understanding nonmalicious security violations in the workplace: A composite behavior model. Journal of Management Information Systems, 28(2), 203-236. Retrieved from http://dx.doi.org/10.2753/MIS0742-1222280208
Haggard, D. L., & Turban, D. B. (2012). The mentoring relationship as a context for psychological contract development. Journal of Applied Social Psychology, 42(8), 1904-1931. doi:10.1111/j.1559-1816.2012.00924.x
Han, J., Kim, Y. J., & Kim, H. (2017). An integrative model of information security policy compliance with psychological contract: Examining a bilateral perspective. Computers & Security, 66, 52-65. doi:10.1016/j.cose.2016.12.016
Harding, N., Lee, H., & Ford, J. (2014). Who is "the middle manager"? Human Relations, 67(10), 1213-1237. doi:10.1177/0018726713516654
Herath, T., & Rao, H. R. (2009a). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2), 154-165. Retrieved from http://dx.doi.org/10.1016/j.dss.2009.02.005
Herath, T., & Rao, H. R. (2009b). Protection motivation and deterrence: A framework for security policy compliance in organizations. European Journal of Information Systems, 18(2), 106-125. doi:10.1057/ejis.2009.6
Hovav, A., & D'Arcy, J. (2012). Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the U.S. and South Korea. Information & Management, 49(2), 99-110. Retrieved from http://dx.doi.org/10.1016/j.im.2011.12.005

Hu, Q., Dinev, T., Hart, P., & Cooke, D. (2012). Managing employee compliance with information security policies: The critical role of top management and organizational culture. Decision Sciences, 43(4), 615-660. doi:10.1111/j.1540-5915.2012.00361.x
Humaidi, N., & Balakrishnan, V. (2015). Leadership styles and information security compliance behavior: The mediator effect of information security awareness. International Journal of Information and Education Technology, 5(4), 311-318. Retrieved from http://dx.doi.org/10.7763/IJIET.2015.V5.522
IBM. (2013). IBM security services cyber security intelligence index: Analysis of cyber attack and incident data from IBM's worldwide security operations (SEW03031-USEN-02). Somers, NY: IBM Corporation. Retrieved from http://www.viftech.com.pk/wpcontent/uploads/2015/05/SEW03031USEN.PDF.pdf
IBM. (2014). IBM security services 2014 cyber security intelligence index: Analysis of cyber attack and incident data from IBM's worldwide security operations (SEW03039-USEN02). Somers, NY: IBM Corporation. Retrieved from http://media.scmagazine.com/documents/82/ibm_cyber_security_intelligenc_20450.pdf
IBM. (2015). IBM security services 2015 cyber security intelligence index: Analysis of cyber attack and incident data from IBM's worldwide security operations (SEW03073-USEN00). Somers, NY: IBM Corporation. Retrieved from http://www3.ibm.com/security/data-breach/2015-cyber-security-index.html
IBM. (2016). IBM X-Force threat intelligence index 2017 (WGL03140-USEN-02). Somers, NY: IBM Corporation. Retrieved from https://www-01.ibm.com/common/ssi/cgibin/ssialias?htmlfid=WGL03140USEN&
Identity Theft Resource Center. (2016). Data breach report: 2016 end of year report. Retrieved from ww.idtheftcenter.org/images/breach/2016/DataBreachReport_2016.pdf
Idtheftcenter.org. (2014). Updated ITRC breach report 2013. Retrieved from http://www.idtheftcenter.org/images/breach/2013/UpdatedITRCBreachReport2013.pdf
Ifinedo, P. (2012). Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security, 31(1), 83-95. Retrieved from http://dx.doi.org/10.1016/j.cose.2011.10.007
Ifinedo, P. (2014). Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), 69-79. Retrieved from http://dx.doi.org/10.1016/j.im.2013.10.001
Interligi, L. (2010). Compliance culture: A conceptual framework. Journal of Management and Organization, 16(2), 235-249. Retrieved from https://doi.org/10.1017/S1833367200002157

Jansen, V. R., Davis, A., & Venter, P. (2014). Making strategy work: The role of the middle manager. Journal of Management and Organization, 20(2), 165-186. doi:10.1017/jmo.2014.33
Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information security behaviors: An empirical study. MIS Quarterly, 34(3), 549-A544. Retrieved from http://www.misq.org/contents-34-3/
Johnston, A. C., Warkentin, M., & Siponen, M. (2015). An enhanced fear appeal rhetorical framework: Leveraging threats to the human asset through sanctioning rhetoric. MIS Quarterly, 39(1), 113-134. Retrieved from http://www.misq.org/contents-39-1
Kaal, W. A. (2016). The effect of Dodd-Frank act compliance cost on the private fund industry. Banking & Financial Services Policy Report, 35(2), 5-9. Retrieved from https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2629386
Kappelman, L., McLean, E., Luftman, J., & Johnson, V. (2013). Key issues of IT organizations and their leadership: The 2013 SIM IT trends study. MIS Quarterly Executive, 12(4), 227-240. Retrieved from https://www.researchgate.net/publication/263618863
Karlsson, F., Åström, J., & Karlsson, M. (2015). Information security culture - state-of-the-art review between 2000 and 2013. Information and Computer Security, 23(3), 246-285. Retrieved from https://doi.org/10.1108/ics-05-2014-0033
Kim, L. (2017). Cybersecurity awareness: Protecting data and patients. Nursing, 47(6), 65. Retrieved from https://doi.org/10.1097/01.nurse.0000516242.05454.b4
Kim, S. H., Yang, K. H., & Park, S. (2014). An integrative behavioral model of information security policy compliance [Special issue]. The Scientific World Journal, 2014, 1-12. Retrieved from http://dx.doi.org/10.1155/2014/463870
Knapp, K. J., & Ferrante, C. J. (2012). Policy awareness, enforcement and maintenance: Critical to information security effectiveness in organizations. Journal of Management Policy and Practice, 13(5), 66-80. Retrieved from http://www.nabusinesspress.com/JMPP/jmppgateway.html
Kulkarni, B. (2009). Banking industry regulatory challenges: Moving from regulation-based to process-based compliance. COBIT Focus, 2009(2), 4-8. Retrieved from https://www.isaca.org/Knowledge-Center/cobit/Documents/COBIT-Focus-Vol-22009.pdf
Lambert, L. S. (2011). Promised and delivered inducements and contributions: An integrated view of psychological contract appraisal. Journal of Applied Psychology, 96(4), 695-712. doi:10.1037/a0021692


Lebek, B., Uffen, J., Neumann, M., Hohler, B., & Breitner, M. H. (2014). Information security awareness and behavior: A theory-based literature review. Management Research Review, 37(12), 1049. Retrieved from http://dx.doi.org/10.1108/MRR-04-2013-0085
Lee, C., Lee, C. C., & Kim, S. (2016). Understanding information security stress: Focusing on the type of information security compliance activity. Computers & Security, 59, 60-70. Retrieved from http://dx.doi.org/10.1016/j.cose.2016.02.004
Lempka, R., & Stallard, P. D. (2013). Next generation finance: Adapting the financial services industry to changes in technology, regulation and consumer behaviour. Petersfield, Hampshire: Harriman House Ltd.
Liu, C. (2015). Types of employee perceptions of information security using Q methodology: An empirical study. International Journal of Business and Information, 10(4), 557-575. Retrieved from http://ijbi.org/index.php/ijbi/article/view/131
Logan, S. A. (2015). The semantics of social constructivism. Synthese, 192(8), 2577-2598. doi:10.1007/s11229-015-0674-8
Low, C. H., Bordia, P., & Bordia, S. (2016). What do employees want and why? An exploration of employees' preferred psychological contract elements across career stages. Human Relations, 69(7), 1457-1481. doi:10.1177/0018726715616468
Lowry, P. B., & Moody, G. D. (2015). Proposing the control-reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies. Information Systems Journal, 25(5), 433-463. doi:10.1111/isj.12043
Lowry, P. B., Posey, C., Bennett, R. J., & Roberts, T. L. (2015). Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: An empirical study of the influence of counterfactual reasoning and organisational trust. Information Systems Journal, 25(3), 193-273. doi:10.1111/isj.12063
Lukianenko, D., Mozhovyi, O., & Burmaka, M. (2015). Top management motivation in global corporations. International Economic Policy, 23(2), 5-27. Retrieved from iepjournal.com/journals_eng/23/2015_1_Lukianenko_Mozgovii_Burmaka.pdf
Mamonov, S., & Benbunan-Fich, R. (2015). An empirical investigation of privacy breach perceptions among smartphone application users. Computers in Human Behavior, 49, 427-436. Retrieved from http://dx.doi.org/10.1016/j.chb.2015.03.019
Merriam, S. B., & Tisdell, E. J. (2015). Qualitative research: A guide to design and implementation (4th ed.). Somerset, NJ: Wiley.

133

Miracle, V. A. E. R. N. C. (2016). The Belmont report: The triple crown of research ethics. Dimensions of Critical Care Nursing July/August, 35(4), 223-228. doi: 10.1097/DCC.0000000000000186 Mohammed, D. (2015). Cybersecurity compliance in the financial sector. Journal of Internet Banking and Commerce, 20(1), 1-11. Retrieved from http://www.icommercecentral.com/open-access/cybersecurity-compliance-in-thefinancial-sector-.php?aid=50498 Moquin, R. & Wakefield, R. L. (2016). The roles of awareness, sanctions, and ethics in software compliance. The Journal of Computer Information Systems, 56(3), 261-270. Retrieved from https://doi.org/10.1080/08874417.2016.1153922financial-sector.php?aid=50498 Morgan, A. L. (2011). Investigating our experience in the world: A primer on qualitative inquiry. Knoxville: The University of Tennessee Press. Myyry, L., Siponen, M., Pahnila, S., Vartiainen, T., & Vance, A. (2009). What levels of moral reasoning and values explain adherence to information security rules? An empirical study. European Journal of Information Systems, 18(2), 126-139. Retrieved from http://dx.doi.org/10.1057/ejis.2009.10 O’Reilly, K., Paper, D., & Marx, S. (2012). Demystifying grounded theory for business research. Organizational Research Methods, 15(2), 247-262. doi: 10.1177/1094428111434559 Oh, J., Park, J., & Rutherford, B. N. (2014). Management of frontline financial sales personnel. Journal of Financial Services Marketing, 19(3), 208-220. Retrieved from https://doi.org/10.1057/fsm.2014.19 Olusegun, O. J. & Ithnin, N. B. (2013). "People are the answer to security": Establishing a sustainable information security awareness training (ISAT) program in organization. International Journal of Computer Science and Information Security, 11(8), 57-64. Retrieved from http://www.ijcit.com/archives/volume4/issue1/Paper040107.pdf Parera, L. B. & Fernández-Vallejo, A. M. (2013). Changes in the role of middle manager: A historical point of view. 
International Journal of Information and Education Technology, 3(3), 362-365. Retrieved from http://dx.doi.org/10.7763/IJIET.2013.V3.298 Paulsen, C. & Coulson, T. (2011). Beyond awareness: Using business intelligence to create a culture of information security. Communications of the IIMA, 11(3), 35-54. doi:10.1098/rsta.2009.0027 Ponelis, S. R., & Britz, J. J. (2012). The elephant in the server room: Confronting the need for an ethics officer in the IT function. Journal of Information Ethics, 21(1), 27-39. doi:10.3172/JIE.21.1.27 134

Posey, C., Roberts, T. L., & Lowry, P. B. (2015). The impact of organizational commitment on insiders’ motivation to protect organizational information assets. Journal of Management Information Systems, 32(4), 179-214. doi:10.1080/07421222.2015.1138374 Posey, C., Roberts, T. L., Lowry, P. B., & Hightower, R. T. (2014). Bridging the divide: A qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders. Information & Management, 51(5), 551-567. Retrieved from http://dx.doi.org/10.1016/j.im.2014.03.009 Posey, C., Roberts, T. L., Lowry, P. B., Bennett, R. J., & Courtney, J. F. (2013). Insiders’ protection of organizational information assets: Development of a systematic-based taxonomy and theory of diversity for protection-motivated behaviors. MIS Quarterly, 37(4), 1189-A1189. Retrieved from http://misq.org/ Puhakainen, P. & Siponen, M. (2010). Improving employees’ compliance through information systems security training: An action research study. MIS Quarterly, 34(4), 767-A764. Retrieved from http://misq.org/ Raes, A. L., Heijltjes, M. G., Glunk, U., & Roe, R. A. (2011). The interface of the top management team and middle managers: A process model. Academy of Management Review, 36(1), 102-126. doi:10.5465/AMR.2011.55662566 Raman, S. R. (2009). Middle managers' involvement in strategic planning: an examination of roles and influencing factors. Journal of General Management, 34(3), 57-74. Retrieved from http://www.braybrooke.co.uk/ Ransbotham, S. & Mitra, S. (2009). Choice and chance: A conceptual model of paths to information security compromise. Information Systems Research, 20(1), 121-139. Retrieved from https://doi.org/10.1287/isre.1080.0174 Rogers, R. W. (1975). A protection motivation theory of fear appeals and attitude change. Journal of Psychology, 91(1), 93-114. Retrieved from http://dx.doi.org/10.1080/00223980.1975.9915803 Ryan, S. & Harden, G. (2014). 
Job embeddedness of information technology professionals: The effects of gender. The Journal of Computer Information Systems, 54(4), 52-59. doi:10.1145/982372.982400 Safa, N. S., von Solms, R. v., & Futcher, L. (2016). Human aspects of information security in organisations. Computer Fraud & Security, 2016(2), 15-18. Retrieved from http://dx.doi.org/10.1016/S1361-3723(16)30017-3 Salmons, J. (2010). Online interviews in real time. Thousand Oaks, Calif.: SAGE Publications, Inc.

135

Schein, E. H. (1990) Organizational culture, American Psychologist, 45(2):109-19. Retrieved from https://doi.org/10.1037//0003-066x.45.2.109 Schein, E. H. (2010). The jossey-bass business & management series: Organizational culture and leadership (4). Hoboken, NJ: Jossey-Bass. Silic, M. & Back, A. (2014). Information security. Information Management & Computer Security, 22(3), 279-308. Retrieved from http://dx.doi.org/10.1108/IMCS-05-2013-0041 Siponen, M. & Vance, A. (2010). Neutralization: New insights into the problem of employee information security policy violations. MIS Quarterly, 34(3), 487-502. Retrieved from http://misq.org/contents-34-3/ Smircich, L. (1983). Concepts of Culture and Organizational Analysis. Administrative Science Quarterly, 28(3), 339-358. Retrieved from https://doi.org/10.2307/2392246 Sohrabi Safa, N., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82. doi:10.1016/j.cose.2015.10.006 Sommestad, T., Hallberg, J., Lundholm, K., & Bengtsson, J. (2014). Variables influencing information security policy compliance: A systematic review of quantitative studies. Information Management & Computer Security, 22(1), 42-75. doi:10.1108/IMCS-082012-0045 Sommestad, T., Karlzén, H., & Hallberg, J. (2015). The sufficiency of the theory of planned behavior for explaining information security policy compliance. Information and Computer Security, 23(2), 200-217. doi:10.1108/ics-04-2014-0025 Son, J.-Y. (2011). Out of fear or desire? Toward a better understanding of employees’ motivation to follow IS security policies. Information & Management, 48(7), 296-302. Retrieved from http://dx.doi.org/10.1016/j.im.2011.07.002 Spears, J. L. & Barki, H. (2010). User participation in information systems security risk management. MIS Quarterly, 34(3), 503-A505. Retrieved from http://misq.org/ Stebbins, R. (2008). Exploratory research. In L. M. 
Given (Ed.), The Sage Encyclopedia of Qualitative Research Methods (pp. 327-331). Thousand Oaks, CA: Sage. Retrieved from http://dx.doi.org/10.4135/9781412963909.n166 Stewart, G. & Lacey, D. (2012). Death by a thousand facts. Information Management & Computer Security, 20(1), 29-38. doi:10.1108/09685221211219182 Sulkowski, L. (2012). Elements of organizational culture - Theoretical and methodological problems. Management, 16(2), 63. doi:10.2478/v10286-012-0056-y 136

Taylor, R. G. & Brice, J. Jr. (2012). Fact or fiction? A study of managerial perceptions applied to an analysis of organizational security risk. Journal of Organizational Culture, Communication and Conflict, 16(1), 1-23. Retrieved from http://www.alliedacademies.org/journal-of-organizational-culture-communications-andconflict/ Thomson, M. E. & von Solms, R. (1998). Information security awareness: Educating your users effectively. Information Management & Computer Security, 6(4), 167-173. Retrieved from https://doi.org/10.1108/09685229810227649 Tirgari, V. (2012). Information technology policies and procedures against unstructured data: A phenomenological study of information technology professionals. Academy of Information and Management Sciences Journal, 15(2), 87-106. Retrieved from http://www.alliedacademies.org/aimsj_public.php Tsohou, A., Karyda, M., Kokolakis, S., & Kiountouzis, E. (2012). Analyzing trajectories of information security awareness. Information Technology & People, 25(3), 327-352. doi:10.1108/09593841211254358 Tsohou, A., Karyda, M., Kokolakis, S., & Kiountouzis, E. (2015). Managing the introduction of information security awareness programmes in organisations. European Journal of Information Systems, 24(1), 38-58. doi:10.1057/ejis.2013.27 Tsohou, A., Kokolakis, S., Lambrinoudakis, C., & Gritzalis, S. (2010). A security standards' framework to facilitate best practices' awareness and conformity. Information Management & Computer Security, 18(5), 350-365. Retrieved from http://dx.doi.org/10.1108/09685221011095263 Tufford, L., & Newman, P. (2012). Bracketing in qualitative research. Qualitative Social Work, 11(1), 80-96. doi:10.1177/1473325010368316 Vance, A., Lowry, P. B., & Eggett, D. (2013). Using accountability to reduce access policy violations in information systems. Journal of Management Information Systems, 29(4), 263-290. doi:10.2753/MIS0742-1222290410 Vance, A., Siponen, M., & Pahnila, S. (2012). 
Motivating IS security compliance: Insights from habit and protection motivation theory. Information & Management, 49(4), 190-198. doi:10.1016/j.im.2012.04.002 Verizon. (2014). 2014 Data Breach Investigations Report. Retrieved from http://www.verizonenterprise.com/DBIR/2014/?_ga=1.248333767.134453306.14524558 82 Verizon. (2015). 2015 Data Breach Investigations Report. Retrieved from http://www.verizonenterprise.com/DBIR/2015/ 137

Verizon. (2016). 2016 Data Breach Investigations Report. Retrieved from http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/ Walker, C. A. (2015). Social constructionism and qualitative research. Journal of Theory Construction & Testing, 19(2), 37-38. Retrieved from https://www.highbeam.com/doc/1P3-4107909561.html Wallace, L., Hui, L., & Cefaratti, M. A. (2011). Information security and Sarbanes-Oxley compliance: An exploratory study. Journal of Information Systems, 25(1), 185-211. doi:10.2308/jis.2011.25.1.185 Williams, S. P., Hardy, C. A., & Holgate, J. A. (2013). Information security governance practices in critical infrastructure organizations: A socio-technical and institutional logic perspective. Electronic Markets, 23(4), 341-354. doi:10.1007/s12525-013-0137-3 Willison, R. & Warkentin, M. (2013). Beyond deterrence: An expanded view of employee computer abuse. MIS Quarterly, 37(1), 1-20. Retrieved from http://misq.org/ Wooldridge, B., Schmid, T., & Floyd, S. W. (2008). The middle management perspective on strategy process: Contributions, synthesis, and future research. Journal of Management, 34(6), 1190-1221. doi:10.1177/0149206308324326 Workman, M. (2008). Wisecrackers: A theory-grounded investigation of phishing and pretext social engineering threats to information security. Journal of the American Society for Information Science & Technology, 59(4), 662-674. Retrieved from https://doi.org/10.1002/asi.20779 Yazdanmehr, A. & Wang, J. (2016). Employees' information security policy compliance: A norm activation perspective. Decision Support Systems, 92(Supplement C), 36-46. Retrieved from https://doi.org/10.1016/j.dss.2016.09.009 Yin, R. K. (2010). Qualitative research from start to finish. New York, NY: Guilford Press. Young, K. (2013). Financial industry groups' adaptation to the post-crisis regulatory environment: Changing approaches to the policy cycle. Regulation & Governance, 7(4), 460-480. doi: 10.1111/rego.12025

138

STATEMENT OF ORIGINAL WORK

Academic Honesty Policy

Capella University’s Academic Honesty Policy (3.01.01) holds learners accountable for the integrity of work they submit, which includes but is not limited to discussion postings, assignments, comprehensive exams, and the dissertation or capstone project. Established in the Policy are the expectations for original work, rationale for the policy, definition of terms that pertain to academic honesty and original work, and disciplinary consequences of academic dishonesty. Also stated in the Policy is the expectation that learners will follow APA rules for citing another person’s ideas or works. The following standards for original work and definition of plagiarism are discussed in the Policy:

Learners are expected to be the sole authors of their work and to acknowledge the authorship of others’ work through proper citation and reference. Use of another person’s ideas, including another learner’s, without proper reference or citation constitutes plagiarism and academic dishonesty and is prohibited conduct. (p. 1)

Plagiarism is one example of academic dishonesty. Plagiarism is presenting someone else’s ideas or work as your own. Plagiarism also includes copying verbatim or rephrasing ideas without properly acknowledging the source by author, date, and publication medium. (p. 2)

Capella University’s Research Misconduct Policy (3.03.06) holds learners accountable for research integrity. What constitutes research misconduct is discussed in the Policy:

Research misconduct includes but is not limited to falsification, fabrication, plagiarism, misappropriation, or other practices that seriously deviate from those that are commonly accepted within the academic community for proposing, conducting, or reviewing research, or in reporting research results. (p. 1)

Learners failing to abide by these policies are subject to consequences, including but not limited to dismissal or revocation of the degree.

Statement of Original Work and Signature

I have read, understood, and abided by Capella University’s Academic Honesty Policy (3.01.01) and Research Misconduct Policy (3.03.06), including Policy Statements, Rationale, and Definitions. I attest that this dissertation or capstone project is my own work. Where I have used the ideas or words of others, I have paraphrased, summarized, or used direct quotes following the guidelines set forth in the APA Publication Manual.

Learner name and date

Wendy Emanuelson


December 9, 2017

APPENDIX A. INTERVIEW QUESTIONS

Introduction Questions

- What role do you have within your organization?
  o Provide examples if needed for clarity.
- What relationship does your role have to the middle manager role being explored in this study?
  o Provide examples if needed for clarity.
- What type of information security policies are you familiar with within your organization?
  o Provide examples if needed for clarity.
- Provide the following instructions prior to questioning:
  o It is not necessary to utilize company names or identify people by names. It is preferred that names are not utilized, and if given they will be stricken from the transcription of the interview.
  o If referencing multiple companies, they can utilize words like company 1 or 2, or manager or executive 1 or 2, and so on.
  o If you do not understand any of the questions, please let the researcher know so clarification can be provided.

Role Based Questions

Role based on participant's current organizational level.

Nonmanagement role.
  o How would you describe the middle managers’ responsibility as it relates to influencing ISPC compliant behaviors?
  o How would you describe an experience where a middle manager has influenced your ISPC compliant behavior?
  o How would you describe an experience where you have observed a middle manager influencing someone else’s ISPC compliant behavior?
  o What barriers have you seen that could prevent a middle manager from influencing your or others' ISPC compliant behaviors?
  o How would you describe the importance of improving the influence middle managers have on ISPC behaviors?
  o What recommendations do you have that could improve the middle manager’s influence on ISPC behaviors?

Middle management role.
  o How would you as a middle manager describe your responsibilities as they relate to influencing ISPC compliant behaviors?
  o How would you describe an experience where you have influenced your direct reports' ISPC compliant behaviors?
  o How would you describe an experience where you have observed another middle manager influencing their direct reports’ ISPC compliant behaviors?
  o What barriers have you seen that could prevent a middle manager from influencing your or others' ISPC compliant behaviors?
  o How would you describe the importance of improving the influence middle managers have on ISPC behaviors?
  o What recommendations do you have that could improve the middle manager’s influence on ISPC behaviors?

Executive leadership role.
  o How would you describe the middle manager’s responsibilities as they relate to influencing ISPC compliant behaviors?
  o How would you describe an experience where you have observed a middle manager influencing ISPC compliant behavior?
  o If a middle manager has ever influenced your ISPC behavior, how would you describe that experience?
  o What barriers have you seen that could prevent a middle manager from influencing your or others' ISPC compliant behaviors?
  o How would you describe the importance of improving the influence middle managers have on ISPC behaviors?
  o What recommendations do you have that could improve the middle manager’s influence on ISPC behaviors?

142

APPENDIX B. TOP 5 WORD FREQUENCY

Top 5 Word Frequency by Key Topic and Organizational Level (EL = executive leaders, MM = middle managers, NM = nonmanagers; each entry is word followed by frequency)

Key Topic: Perceived Responsibility of MM to Influence ISPC Behaviors
  EL: Directly 5; Accountable 5; Understand 3; Advising 2; Enforce 2
  MM: Cheerleader 8; Ensuring 5; Enforce 4; Understand 4; Processes 4
  NM: Changes 16; Communicate 15; Handle 13; Assist 12; Deliver 9

Key Topic: MM Influence on ISPC behaviors, Experienced and Observed
  EL: Actively 14; Controls 11; Requirements 11; Developing 10; Attitude 9
  MM: Drive 34; Changes 34; Organization 25; Directly 25; Controls 20
  NM: Communicate 29; Changes 25; Coaching 24; Directly 21; Leading 19

Key Topic: Perceived Importance to Improve MM Influence on ISPC behaviors
  EL: Extremely 2; Control 2; Developing 2; Informing 2; Remind 2
  MM: Changing 9; Influencing 8; Leader 7; Lasting 6; Protection 6
  NM: Measurement 6; Communicate 5; Constant 5; Factors 3; Validate 2

Key Topic: Perceived Barriers to MM Influence on ISPC behaviors
  EL: Knowledge 8; Particular 2; Continue 2; Feedback 2; Negative 2
  MM: Organization 5; Objectives 4; Enforce 3; Report 3; Operational 3
  NM: Communications 12; Operational 10; Production 9; Effective 7; Balance 7

Key Topic: Recommendations for Improving MM Influence on ISPC behaviors
  EL: Actively 11; Communicate 10; Knowledge 8; Talking 6; Processess 5
  MM: Changes 16; Organization 10; Directly 8; Report 7; Understand 7
  NM: Measurement 6; Constant 5; Communicate 5; Factors 3; Validate 2

Note, the colored text represents words shared between organizational level. Red represents duplication between EL and NM, Blue represents duplication between MM and NM, and Green indicates duplication between EL and NM frequently used words within a topic category.


APPENDIX C. REPRESENTATIVE QUOTATIONS - EMPIRICAL DATA

MM Influence on ISPC behaviors - Experienced and Observed

Executive Leaders - EL

"...We’ve had discussions about a policy or a practice and I’ve had middle managers make suggestions to strengthen that policy or procedure, either as a direct result of activities or just something that they observed and thought, and those ideas have been incorporated into existing practices, policies, and procedures." (ELP1)

"I definitely have – I’ve seen instances for example where a network team monitoring sees a heavy outflow of information to what appears to be a destination, personal email accounts; raising that as a question through the IT risk group, so the business unit can investigate and make sure that it’s a true business use and not anything that’s outside of policy." (ELP1)

"I have seen them actively contribute to developing the templates for the tools that enforce the policy. For example, to your point of having to have a pin – the policy of software that protects the corporate data makes that a requirement. And there are many more – but middle managers have been active in developing the templates that are used. Those are reviewed and approved by typically the risk group. But they are often brought forward and suggested by middle managers in the technology piece." (ELP1)

"I do see them reaching out when they do have to meet these regulatory requirements, and say hey, I read it this way, but how is that interpreted and how does that align with our current risk framework." (ELP2)

"from all the organizations that I’ve seen, until you walk through, and I review a lot of organizations, until you tell them, Hey! You have to have a data classification policy, and you must continue these provision, and until you tell them that, hey you must adhere to these they are a bit more worried about making the business go and making the business successful, and achieving the goals of the business." (ELP2)

"Most of them in their performance management matrix, they don’t be graded on how compliant they are to regulatory requirements, for example, most organizations, they don’t grade the business on the regularity requirements, they grade the business on how successful you are adhering to business schools, right. So, at the end of the day, regulatory requirements and adherence to those standards and controls are last on the list, until you have to meet them for project-related need or regulatory related needs." (ELP2)

"For me, I think I had a lot of different managers myself and to me, it goes back to the attitude and culture. So yes, I've had some that are more relaxed, more that's not a high priority to them, you can tell just because of their demeanor, their behavior or the things they don't say. And it's more about getting the job done and you kind of feel like, "I'm still going to do the right things because I'm a good person or a good employee." And you've got other managers that may harp on it or talk about it a lot and waive it all the time. And that makes you feel like, "Oh, I better be extra special careful." (ELP3)

"So I wouldn't say it's anything direct, it's more about just attitude, demeanor, culture and the way they behave in terms of have I been influenced by people that I report to." (ELP3)

"I think people in my team or other teams, I've seen people call out or call to the attention of other people, higher people or people that could help them they say, "Hey. Look, this happened today. What should I do?" or "I don't think this is right, I saw this happening. What should I do now?" or something like that." (ELP3)

"Certainly, we have like my team, I have a very strong team of middle managers, and they give regular, we have bi-weekly meetings, and they give regular feedback on ways we could improve, things we can do differently, things we should tighten up, so they definitely have an impact on me and the policies that we write and design." (ELP4)

"They also will come to me with any concerns that they're seeing within their team on areas where we should try to sort of nip things in the bud, I guess you would say before they might get out of hand" (ELP4)

"So, the clean desk policy, for example, I have known middle managers who at the end of the day, 15 minutes before employee’s shift will end, they will walk around reminding people to clean off their desk before they leave for the end of the day." (ELP4)

"In the past, I have seen that multiple times when I was on the operational side of the business. In the IT side of the business, it’s not as popular." (ELP4)

"Okay, so, like for instance, if I’ve seen middle managers who don't take security and policies seriously and therefore that filters down throughout their team." (ELP4)

"I think that a lot of times especially with the developers, they tend to put the delivery of the work first. They tend to put the cart before the horse so to speak. We have to get this developed, and we'll worry about the security and build around that later." (ELP4)

"I have to say that one of the companies that I have worked with, they were very firm as far as when it came to handling data and how processes were adhered to. So, for instance, monitoring if detection or if anything was detected or if an employee decided to do something outside of policy or not in compliance with policy that the manager would then kind of want to bring that to the attention of the employee, working with senior management to determine the necessary course of action." (ELP5)

"So, there is also an upside to where a manager can hear or at least enforce or significantly influence adherence to a particular policy where they're either doing it in the form of guidance, in a form of oversight, I guess direct involvement. I've had we’re many…in my role being where I was, a manager influencing my subordinates or as a subordinate to another manager. So, I’ve had both sides." (ELP5)

MM Influence on ISPC behaviors - Experienced and Observed

Middle Managers - MM

"...There’s a lot of focus on checking that we had lock desk, clean desk policies and things like that and managers did check on it, and they took action with their employees when they didn’t lock up. I had managers [chuckle] lock your screen up, had managers sending emails to the team from their screen; there was all that complaint either but it made the point that you walked away from your desk, and somebody could have done something. If I got an email today, next time I walk away from my desk I will lock my screen. So I’ve seen managers do that, so I get the point. Usually it could be their team or an individual to be aware of a behavior and correct it." (MMP1)

"Sometimes we did walkthroughs and looked for passwords written underneath things and stuff like that." (MMP1)

"From my experience here I think the managers are taught pretty well to establish a consistent guideline through the yearly training and security awareness. I hadn’t seen a lot of flexibility as managers would have to get involved too much at least in the areas that I’m involved in; of course, being involved in security people are a little bit more aware and self-aware of the requirements." (MMP1)

"The only thing I've observed is kind of same thing that I'm able to do. It's just the reminders, it's our weekly one-on-ones with those individuals, trying to drive home cheerleading for those policies and procedures." (MMP2)

"Yeah, so, to a point it's just like reminders directly to an individual. “Hey, you left your computer unlocked or hey…” whatever that might be. Emails kind of… and leaving your computer unlocked it’s kind of a funny thing and is quickly how quick you can change someone's behavior when they leave their computer unlocked by sending an email on their behalf. And that changes that behavior relatively quickly." (MMP2)

"So, that one, once that fear kind of runs out like hey they’ll send an email, it kind of strikes a lot of that down. But for my direct reports, all I can do up until the point where maybe put them on a performance improvement plan, a PIP, in that it directly affects their yearly bonus. If they're on a PIP come bonus time, they don't get their bonus. I mean for some people that's a pretty big loss. I would hate to see an individual go on a PIP because they can't keep their desk clean or they have sensitive information out on their desk, and then we do have a clean desk policy and data classification, and that kind of falls into our yearly system's standards of conduct that every employee has to sign." (MMP2)

"Yes, so we have different security policies, and we have to adhere some ourselves, such as how we build our servers, how we build the tools, that allow us to perform any of those three functions. So certain standards of hardening, we have to harden our own asset. We can’t have the form password that we get something from Semantics; we can’t allow other people to manage the keys if we encrypt. So, that is what the things that we do." (MMP3)

"We have recurrent notifications that we have there on annual basis that we manage credit cards with bank. That we have to review the policies, and then, of course, people are people, so we remind each other. We actually, there might be something that someone overlooked, and we remind each other, but on an annual basis, we are required to meet the standards in the policy if that we are a bank." (MMP3)

"Somewhere else then some of the same reminding each other, there may be something that we don’t normally do, and because this a first time someone else may remind us..." (MMP3)

"For example, like you said if it’s a Clean Desk Policy and the person is not doing or following the policy, then my job is to make sure that they do and have a conversation with them and try to understand from their perspective why it wasn’t done, and I just make sure they understand why it is important to the organization and why it needs to be done." (MMP4)

"I think in terms of the scope of the question, for example, let’s talk about- even if it’s not about Clean Desk Policy, if it’s just following a standard in security and a person really doesn’t understand why certain things are done in certain ways than as a manager I think it is important that when you understand why the employee is not following maybe it is as simple as “I don’t really understand what it means.” So as a manager you just need to make sure they understand and again why it is important to the organization and why it needs to be done. There have been several instances like that." (MMP4)

"I think from my career and the organizations that I have worked for, and most of them have been bigger organizations, the tone has always come from the top, but sometimes you have to make an extra effort to get in compliance because of the organization and the individuals. You know everybody has a different level of understanding. If you are trying to talk to somebody in technical terminologies that are not in IT, they may not necessarily understand what is being said and why it’s important." (MMP4)

"I worked with a manager who she had a lot of employees who weighed, and again this is back in the day but would bring in fans, and somebody brought in a coffee pot, a lot of electronic equipment’s that could cause fires, cause issues to implement to the policy. She identified the need that that was going to be an issue and implemented a policy whereby it said we are not allowed to bring in anything unapproved to that was electronic to be used at the desks." (MMP5)

"Emailing, I’ve observed managers, and I’ve done it myself, emailing without proper protection." (MMP5)

"Well, yeah based on their business needs or contractual things are being enforced on them, then that’s where we see a lot of their influence, where they say, hey I have some requirements or I have specific requirements in data management or data classification, and the thing imposed on me, I don’t understand if this aligns with our policy, and so what they’ll do is, they will reach out to a lot of the information risk and security teams and ensure that does this align with our policy and do we need to put more in the policy or to revise policy to meet this contractual requirement and or updated regulatory requirements." (MMP5)

"I initiated - and it sounds really simple but at the time it wasn’t and the big change - I implemented a process where everyone has shred box at their desk, and at the end of every day they would empty the shred box, and we arranged at the time for the first time to have locked shred bends within each team, within each floor because we were running multiple floors at that particular site. We were able to ensure that PII and the like was not left under for years on end." (MMP5)

MM Influence on ISPC Behaviors - Experienced and Observed: Non-Manager (NM)

"For example, a middle manager will have a direct relationship with the policy to ensure regulatory statements are included in a policy and effectively communicated to all employees. This communication should be done through the training and awareness, and the onboarding process." (NMP1)

"Middle managers are responsible because they are typically considered to be subject matter experts and the details of applicable laws, for example, have to be specific; could be a state law and or a federal law, and it should be referenced or even included directly in the policy." (NMP1)

"Depending on size and complexity of the environment, middle managers heavily rely on internal and external audits to validate effectiveness of the policy enforcement and communication efforts. If there's a new, let's say a revised policy that incorporates newest technology, newest concepts, then there is an immediate need to set up a baseline for measuring its effectiveness." (NMP1)

"In the past, a manager designed the onboarding process for a newly hired employee. The process consisted of reviewing when all contents of the policy, its importance, and how a particular policy is related to a specific job role." (NMP1)

"I got managers that have shown good examples going through in day to day conversations just pointing out a thing even though it’s not necessarily maybe an issue at that moment, but as you go through you mention it as we talk at it, and it becomes a conversation. I have seen my peers do them. I do them with my… you know I am technically not a manager, I work with a lot of middle managers, so I see this in my organization; the people that I work with on a regular basis do this regularly." (NMP2)

"There’s one that seems to come up most often, the clean desk policy, and that’s like you know at the end of the day if you leave something out you are going to get an email and you are going to get a lecture from it." (NMP3)

"If it comes to like system access, a lot of people might agree for Company 1 that I’m working with now, middle management is very much big on, at least in where I’m at now, “Let them know, let them know, they’ll get it handled, they’ll put it forward,” that kind of type thing. At the same time, it’s also, if there is a way you could do it yourself and not involve the whole entire world, they’ll be happy to, and they’ll let you know that “Thanks for handling that. Thanks for letting me know. Thanks for getting contact with the right people.” That kind of type." (NMP3)

"The company I’m working for now, Company 1, my managers try very, very, very hard to stay compliant with all the policies in place and there’s a ton of them. The managers do try very hard, and if something is going on they need to be aware of it, so they can communicate it, and if they are not they get quite upset and quite annoyed." (NMP3)

"Especially password sharing, access to different things, when you are in a small company you don’t have as many people to be your backup, so you’ll have one person who is technically a backup for three or four people and those roles aren’t necessarily separated. So, you are trying to figure out, “Okay, well how am I going to be able to do a check run this week while technically my access doesn’t let me do it?” Well, you log into somebody else’s thing and stuff like that. I’ve seen that a lot in smaller companies, they are still corporations that are still public companies, but they are just smaller offices. What I see now is very different in the sense that we try desperately to find a way not to do that. Are there instances where it does happen? Yeah." (NMP3)

"And I think, at least for the company I’m working at now, my middle managers know that the responsibility falls on them, and they know that if they did something and if they, for example, told somebody to share a password and they got caught, or something like that and they weren’t upfront, and they were like this is something we’ve done and make sure this never happens again, it’s their butts. Executives aren’t going to be like, “Oh well, I just wanted you to get that report out, so it doesn’t matter.” It doesn’t work like that." (NMP3)

"Managers facilitated lockers and found other ways for people to store personal items and when you would store hard data in these lockers and then again that would be an influence that you would come in the morning and if someone noticed you had left something out they would mention something to you and you would go and a few left in the evening and there was someone there to notice that there was something in your desk, would mention it to you." (NMP4)

"Again I would say that the middle management facilitation locker was done predominantly in the negative way, I will give you a very specific, in the negative way if work wasn’t able to be accomplished while at the desk you could take it home, so you have that hard data going out because they needed to meet timelines, so what was the point of the clean desk policy?" (NMP4)

"Specifically, in terms of just making awareness of clean desk policy, providing reminders when the policies first came out, ensuring that we comply with training requirements, the company I work with has a stringent security education program and so the middle manager is very directly involved in ensuring that you’re trained to know what those policies are and trained to follow those policies." (NMP5)

"Another example might be if they become aware or had become aware of a security breach to report those to appropriate channels." (NMP4)

"I’ve seen middle managers, not my immediate middle managers but other middle managers, provide some general coaching in reminders to staff, for example clean desk policy or to lock their devices, and in case of password changes that’s something really the middle manager doesn’t get involved in because the system automates that." (NMP5)

"I have seen where accounts are shared of course if I work and I’ve also seen middle managers exchange information in a non-secure manner, I actually had to do a security incident based on that because it was something I was directly involved with." (NMP5)
