{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,3]],"date-time":"2026-06-03T09:46:34Z","timestamp":1780479994778,"version":"3.54.1"},"reference-count":29,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2006,1,1]],"date-time":"2006-01-01T00:00:00Z","timestamp":1136073600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2006,1,1]]},"abstract":"Purpose<\/jats:title>This study proposes to put forward and test a theoretical model that demonstrates the influence of top management support on an organization's security culture and level of security policy enforcement.<\/jats:p><\/jats:sec>Design\/methodology\/approach<\/jats:title>The project used a combination of qualitative and quantitative techniques. The grounded theory approach was used to analyze responses to open\u2010ended questions answered by 220 certified information system security professionals. Using these responses, a survey instrument was developed. Survey results were analyzed using structural equation modeling.<\/jats:p><\/jats:sec>Findings<\/jats:title>Evidence suggests that top management support is a significant predictor of an organization's security culture and level of policy enforcement.<\/jats:p><\/jats:sec>Research limitations\/implications<\/jats:title>During instrument validation, a special effort removed survey items that appeared overly intrusive to the respondents. In this endeavor, an expert panel of security practitioners evaluated all candidate items on a willingness\u2010to\u2010answer scale. While especially helpful in security, this scale may be used in other research domains.<\/jats:p><\/jats:sec>Practical implications<\/jats:title>Practitioners should understand the impact of top management support on achieving security effectiveness. Based on the findings of this study, low levels of executive support will produce an organizational culture less tolerant of good security practices. Low levels of support will diminish the level of enforcement of existing security policies.<\/jats:p><\/jats:sec>Originality\/value<\/jats:title>Researchers developed original scales to measure levels of top management support, policy enforcement, and organizational culture. The scales demonstrated acceptable reliability and validity scores.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685220610648355","type":"journal-article","created":{"date-parts":[[2006,6,29]],"date-time":"2006-06-29T23:49:52Z","timestamp":1151624992000},"page":"24-36","source":"Crossref","is-referenced-by-count":149,"title":["Information security: management's effect on culture and policy"],"prefix":"10.1108","volume":"14","author":[{"given":"Kenneth J.","family":"Knapp","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Thomas E.","family":"Marshall","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"R.","family":"Kelly Rainer","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"F.","family":"Nelson Ford","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"140","reference":[{"key":"key2022012220103419600_b1","unstructured":"Allen, B. (1968), \u201cDanger ahead! Safeguard your computer\u201d, Harvard Business Review, pp. 97\u2010101, November\/December."},{"key":"key2022012220103419600_b2","doi-asserted-by":"crossref","unstructured":"Bagchi, K. and Udo, G. (2003), \u201cAn analysis of the growth of computer and internet security breaches\u201d, Communications of the Association for Information Systems, Vol. 12 No. 46, pp. 1\u201029.","DOI":"10.17705\/1CAIS.01246"},{"key":"key2022012220103419600_b3","doi-asserted-by":"crossref","unstructured":"Brancheau, J.C., Janz, B.D. and Wetherbe, J.C. (1996), \u201cKey issues in information systems management: 1994\u201095 SIM results\u201d, Management Information Systems Quarterly, Vol. 20 No. 2, pp. 225\u201042.","DOI":"10.2307\/249479"},{"key":"key2022012220103419600_b4","unstructured":"Byrne, B.M. (2001), Structural Equation Modeling with Amos, Erlbaum, Mahwah, NJ."},{"key":"key2022012220103419600_b5","unstructured":"Computer Emergency Response Team (CERT) (2004), \u201cCERT statistics\u201d, available at: www.cert.org\/stats\/cert_stats.html#incidents (accessed May 2004)."},{"key":"key2022012220103419600_b6","doi-asserted-by":"crossref","unstructured":"Detert, J.R., Schroeder, R.G. and Mauriel, J.J. (2000), \u201cA framework for linking culture and improvement in organizations\u201d, Academy of Management Review, Vol. 25 No. 4, pp. 850\u201063.","DOI":"10.5465\/amr.2000.3707740"},{"key":"key2022012220103419600_b7","unstructured":"DeVellis, R.F. (2003), Scale Development. Theory and Applications, 2nd ed.,Vol. 26, Sage, Thousand Oaks, CA."},{"key":"key2022012220103419600_b8","doi-asserted-by":"crossref","unstructured":"Dutta, A. and McCrohan, K. (2002), \u201cManagement's role in information security in a cyber economy\u201d, California Management Review, Vol. 45 No. 1, pp. 67\u201087.","DOI":"10.2307\/41166154"},{"key":"key2022012220103419600_b9","doi-asserted-by":"crossref","unstructured":"Garg, A., Curtis, J. and Halper, H. (2004), \u201cQuantifying the financial impact of IT security breaches\u201d, Information Management & Computer Security, Vol. 11 No. 2, pp. 74\u201083.","DOI":"10.1108\/09685220310468646"},{"key":"key2022012220103419600_b10","doi-asserted-by":"crossref","unstructured":"Glaser, B.G. and Strauss, A.L. (1967), The Discovery of Grounded Theory: Strategies for Qualitative Research, Aldine Publishing, New York, NY.","DOI":"10.1097\/00006199-196807000-00014"},{"key":"key2022012220103419600_b11","unstructured":"Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Richardson, R. (2004), 2004 CSI\/FBI Computer Crime and Security Survey, Computer Security Institute, San Francisco, CA."},{"key":"key2022012220103419600_b12","unstructured":"Hair, J.F., Anderson, R.E., Tatham, R.L. and Black, W.C. (1998), Multivariate Analysis, 5th ed., Pearson Education, Delhi."},{"key":"key2022012220103419600_b13","doi-asserted-by":"crossref","unstructured":"Hinkin, T.R. (1998), \u201cA brief tutorial on the development of measures for use in survey questionnaires\u201d, Organizational Research Methods, Vol. 1 No. 1, pp. 104\u201021.","DOI":"10.1177\/109442819800100106"},{"key":"key2022012220103419600_b14","unstructured":"Im, K.S. and Grover, V. (2004), \u201cThe use of structural equation modeling in IS research: review and recommendations\u201d, in Whitman, M.E. and Woszczynski, A.B. (Eds), The Handbook of Information Systems Research, Idea Group Publishing, Hershey, PA."},{"key":"key2022012220103419600_b15","doi-asserted-by":"crossref","unstructured":"Kankanhalli, A., Hock\u2010Hai, T., Bernard, C.Y.T. and Kwok\u2010Kee, W. (2003), \u201cAn integrative study of information systems security effectiveness\u201d, International Journal of Information Management, Vol. 23, pp. 139\u201054.","DOI":"10.1016\/S0268-4012(02)00105-6"},{"key":"key2022012220103419600_b16","doi-asserted-by":"crossref","unstructured":"Kaplan, B. and Duchon, D. (1988), \u201cCombining qualitative and quantitative methods in information systems research: a case study\u201d, Management Information Systems Quarterly, Vol. 12 No. 4, pp. 571\u201087.","DOI":"10.2307\/249133"},{"key":"key2022012220103419600_b17","doi-asserted-by":"crossref","unstructured":"Klein, A.S., Masi, R.J. and Weidner, C.K. (1995), \u201cOrganization culture, distribution, and amount of control and perceptions of quality\u201d, Group & Organization Management, Vol. 20 No. 2, pp. 122\u201048.","DOI":"10.1177\/1059601195202004"},{"key":"key2022012220103419600_b18","unstructured":"Knapp, K.J., Marshall, T.E., Rainer, R.K. and Morrow, D.W. (2004), Top Ranked Information Security Issues: The 2004 International Information Systems Security Certification Consortium (ISC)2 Survey Results, Auburn University, Auburn, AL."},{"key":"key2022012220103419600_b19","doi-asserted-by":"crossref","unstructured":"Kotulic, A.G. and Clark, J.G. (2004), \u201cWhy there aren't more information security research studies?\u201d, Information & Management, Vol. 41 No. 5, pp. 597\u2010607.","DOI":"10.1016\/j.im.2003.08.001"},{"key":"key2022012220103419600_b20","unstructured":"Miles, M.B. and Huberman, A.M. (1994), Qualitative Data Analysis, Sage, Thousand Oaks, CA."},{"key":"key2022012220103419600_b21","unstructured":"Nunnally, J. (1978), Psychometric Theory, McGraw\u2010Hill, New York, NY."},{"key":"key2022012220103419600_b22","unstructured":"Parker, D.B. (1981), Computer Security Management, Reston Publishing Company, Reston, VA."},{"key":"key2022012220103419600_b23","unstructured":"President (2003), \u201cNational strategy to secure cyberspace\u201d, available at: www.whitehouse.gov\/pcipb (accessed May 2004)."},{"key":"key2022012220103419600_b24","doi-asserted-by":"crossref","unstructured":"Segars, A.H. (1998), \u201cStrategic information systems planning success: an investigation of the construct and its measurement\u201d, Management Information Systems Quarterly, Vol. 22 No. 2, pp. 139\u201063.","DOI":"10.2307\/249393"},{"key":"key2022012220103419600_b25","doi-asserted-by":"crossref","unstructured":"Straub, D.W. (1990), \u201cEffective IS security: an empirical study\u201d, Information Systems Research, Vol. 1 No. 3, pp. 255\u201076.","DOI":"10.1287\/isre.1.3.255"},{"key":"key2022012220103419600_b26","doi-asserted-by":"crossref","unstructured":"Straub, D.W. and Welke, R.J. (1998), \u201cCoping with systems risk: security planning models for management decision making\u201d, Management Information Systems Quarterly, Vol. 22 No. 4, pp. 441\u201069.","DOI":"10.2307\/249551"},{"key":"key2022012220103419600_b27","unstructured":"Strauss, A. and Corbin, J. (1998), Basics of Qualitative Research. Techniques and Procedures for Developing Grounded Theory, 2nd ed., Sage, Thousand Oaks, CA."},{"key":"key2022012220103419600_b28","unstructured":"Van Tassel, D. (1972), Computer Security Management, Prentice\u2010Hall, Englewood Cliffs, NJ."},{"key":"key2022012220103419600_b29","doi-asserted-by":"crossref","unstructured":"Whitman, M.E. and Woszczynski, A.B. (2004), \u201cThe problem of common method variance in IS research\u201d, in Whitman, M.E. and Woszczynski, A.B. (Eds), The Handbook of Information Systems Research, Idea Group Publishing, Hershey, PA.","DOI":"10.4018\/978-1-59140-144-5"}],"container-title":["Information Management & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09685220610648355","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220610648355\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220610648355\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:08:56Z","timestamp":1753402136000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/14\/1\/24-36\/173170"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2006,1,1]]},"references-count":29,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2006,1,1]]}},"alternative-id":["10.1108\/09685220610648355"],"URL":"https:\/\/doi.org\/10.1108\/09685220610648355","relation":{},"ISSN":["0968-5227"],"issn-type":[{"value":"0968-5227","type":"print"}],"subject":[],"published":{"date-parts":[[2006,1,1]]}}}