{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,26]],"date-time":"2026-02-26T19:34:52Z","timestamp":1772134492634,"version":"3.50.1"},"reference-count":47,"publisher":"Emerald","issue":"5","license":[{"start":{"date-parts":[[2008,11,21]],"date-time":"2008-11-21T00:00:00Z","timestamp":1227225600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2008,11,21]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>The purpose of this paper is to empirically validate the conjectural relationship between managerial information security awareness (MISA) and managerial actions toward information security (MATIS).<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>A model is developed and the relationship between MISA and MATIS is tested using a large set of empirical data collected across different types and sizes of enterprises. The hypotheses of the research model are tested with regression analysis.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>The results of the study provide empirical support that MATIS is directly and positively related to MISA.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Research limitations\/implications<\/jats:title><jats:p>The <jats:italic>R<\/jats:italic><jats:sup>2<\/jats:sup>, an estimate of the proportion of the total variation in the data set that is explained by the model, is relatively low. This fact implies that there are other constructs in addition to MISA that play a crucial role in determining MATIS. The paper suggests that intention to act and the risk\u2010cost tradeoff of the MATIS are other possible constructs that should be incorporated into future research. The conceptual model employed as a theoretical basis also suggests that other factors such as the environment in which an organization operates (e.g. industry) also plays a major role in determining information security decisions independently of MISA. Other possible limitations include the use of secondary data in the study.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Practical implications<\/jats:title><jats:p>The results indicate that developing strategies to raise an organization's MISA should impact MATIS and thus improve information security performance.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>The study provides empirical evidence supporting the unproven link between MISA and MATIS.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685220810920558","type":"journal-article","created":{"date-parts":[[2008,11,15]],"date-time":"2008-11-15T07:03:05Z","timestamp":1226732585000},"page":"484-501","source":"Crossref","is-referenced-by-count":36,"title":["Knowing is doing"],"prefix":"10.1108","volume":"16","author":[{"given":"Namjoo","family":"Choi","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dan","family":"Kim","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jahyun","family":"Goo","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Andrew","family":"Whitmore","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2022020820381943600_b1","unstructured":"Abu\u2010Musa, A.A. (2002), \u201cComputer crimes: how can you protect your computerized accounting information system?\u201d, Journal of American Academy of Business, Vol. 2 No. 1, pp. 91\u2010101."},{"key":"key2022020820381943600_b2","doi-asserted-by":"crossref","unstructured":"Bickford, D.M. and Reynolds, N. (2002), \u201cActivism and service\u2010learning: reframing volunteerism as acts of dissent\u201d, Pedagogy: Critical Approaches to Teaching Literature, Language, Composition and Culture, Vol. 8 No. 2, pp. 229\u201052.","DOI":"10.1215\/15314200-2-2-229"},{"key":"key2022020820381943600_b3","doi-asserted-by":"crossref","unstructured":"Biglan, A. and Taylor, T.K. (2000), \u201cWhy have we been more successful in reducing tobacco use than violent crime?\u201d, American Journal of Community Psychology, Vol. 28 No. 3, pp. 269\u2010302.","DOI":"10.1023\/A:1005155903801"},{"key":"key2022020820381943600_b4","unstructured":"Chen, C.C., Shaw, R.S. and Yang, S.C. (2006), \u201cMitigating information security risks by increasing user security awareness: a case study of an information security awareness system\u201d, Information Technology, Learning, and Performance Journal, Vol. 24 No. 1, pp. 1\u201014."},{"key":"key2022020820381943600_b5","doi-asserted-by":"crossref","unstructured":"Churchill, G.A. (1979), \u201cA paradigm for developing better measures of marketing constructs\u201d, Journal of Marketing Research, Vol. 16 No. 1, pp. 64\u201073.","DOI":"10.1177\/002224377901600110"},{"key":"key2022020820381943600_b6","unstructured":"Cline, M. and Jensen, B.K. (2004), \u201cInformation security: an organizational change perspective\u201d, paper presented at The Tenth Americas Conference on Information Systems."},{"key":"key2022020820381943600_b7","doi-asserted-by":"crossref","unstructured":"Farahmand, F., Navathe, S.B., Sharp, G.P. and Enslow, P.H. (2005), \u201cA management perspective on risk of security threats to information systems\u201d, Information Technology and Management, Vol. 6 Nos 2\/3, pp. 203\u201025.","DOI":"10.1007\/s10799-005-5880-5"},{"key":"key2022020820381943600_b8","doi-asserted-by":"crossref","unstructured":"Fitzgerald, K.J. (1995), \u201cInformation security baselines\u201d, Information Management & Computer Security, Vol. 3 No. 2, pp. 8\u201012.","DOI":"10.1108\/09685229510088575"},{"key":"key2022020820381943600_b9","unstructured":"Forcht, K.A. (1994), Computer Security Management, Boyd and Fraser, Danvers, MA."},{"key":"key2022020820381943600_b10","unstructured":"Fowler, J. (1996), \u201cDeveloping the security culture at the SEISMED reference centers\u201d, in Barber, B., Treacher, A. and Louwerse, K. (Eds), Towards Security in Medical Telematics: Legal and Technical Aspects, IOS Press, Amsterdam, pp. 156\u201061."},{"key":"key2022020820381943600_b12","unstructured":"Furnell, S.M. and Clarke, N.L. (2005), \u201cOrganisational security culture: embedding security awareness, education and training\u201d, Proceedings of the 4th World Conference on Information Security Education (WISE 2005), 18\u201020 May, Moscow, Russia."},{"key":"key2022020820381943600_b11","doi-asserted-by":"crossref","unstructured":"Furnell, S.M., Gennatou, M. and Dowland, P.S. (2002), \u201cA prototype tool for information security awareness and training\u201d, Logistics Information Management, Vol. 15 Nos 5\/6, pp. 352\u20107.","DOI":"10.1108\/09576050210447037"},{"key":"key2022020820381943600_b13","doi-asserted-by":"crossref","unstructured":"Goodhue, D.L. and Straub, D.W. (1991), \u201cSecurity concerns of system users: a study of perceptions of the adequacy of security\u201d, Information & Management, Vol. 20 No. 1, pp. 13\u201027.","DOI":"10.1016\/0378-7206(91)90024-V"},{"key":"key2022020820381943600_b14","doi-asserted-by":"crossref","unstructured":"Gopal, R.D. and Sanders, G.L. (1997), \u201cPreventive and deterrent controls for software piracy\u201d, Journal of Management Information Systems, Vol. 13 No. 4, pp. 29\u201047.","DOI":"10.1080\/07421222.1997.11518141"},{"key":"key2022020820381943600_b15","unstructured":"Green, S.P. and Kamimura, M. (2003), \u201cTies that bind: enhanced social awareness development through interactions with diverse peers\u201d, paper presented at Annual Meeting of the Association for the Study of Higher Education, Portland, OR."},{"key":"key2022020820381943600_b16","doi-asserted-by":"crossref","unstructured":"Hawkins, S., Yen, D.C. and Chou, D.C. (2000), \u201cAwareness and challenges of internet security\u201d, Information Management & Computer Security, Vol. 8 No. 3, pp. 131\u201043.","DOI":"10.1108\/09685220010372564"},{"key":"key2022020820381943600_b17","doi-asserted-by":"crossref","unstructured":"Hu, Q. and Dinev, T. (2005), \u201cIs spyware an internet nuisance or public menace?\u201d, Communications of the ACM, Vol. 48 No. 8, pp. 61\u20106.","DOI":"10.1145\/1076211.1076241"},{"key":"key2022020820381943600_b18","unstructured":"Icove, D., Seger, K. and Vonstorch, W. (1995), Computer Crime: A Crimefighter's Handbook, O'Reilly & Associates, Inc., Sebastopol, CA."},{"key":"key2022020820381943600_b19","unstructured":"InformationWeek (2003), \u201cWhat's to come\u201d, InformationWeek, 10 November, p. 116."},{"key":"key2022020820381943600_b21","unstructured":"KIMI (2003), The Annual Survey 2003: The Small and Medium\u2010sized Enterprises' Informationalization Level Evaluation, Korean Information Management Institute for Small and Medium Enterprises, Seoul."},{"key":"key2022020820381943600_b20","doi-asserted-by":"crossref","unstructured":"Kankanhalli, A., Teo, H.H., Tan, B.C.Y. and Wei, K.K. (2003), \u201cAn integrative study of information systems security effectiveness\u201d, International Journal of Information Management, Vol. 23 No. 2, pp. 139\u201054.","DOI":"10.1016\/S0268-4012(02)00105-6"},{"key":"key2022020820381943600_b22","doi-asserted-by":"crossref","unstructured":"Loch, K.D., Carr, H.H. and Warkentin, M.E. (1992), \u201cThreats to information systems: today' reality, yesterday's understanding\u201d, Management Information Systems Quarterly, Vol. 17 No. 2, pp. 173\u201086.","DOI":"10.2307\/249574"},{"key":"key2022020820381943600_b23","unstructured":"McLean, K. (1992), \u201cInformation security awareness \u2013 selling the cause\u201d, Proceedings of the IFIP TC11\/Sec'92, Singapore, Vol. 92."},{"key":"key2022020820381943600_b24","doi-asserted-by":"crossref","unstructured":"Morwood, G. (1998), \u201cBusiness continuity: awareness and training programmes\u201d, Information Management & Computer Security, Vol. 6 No. 1, pp. 28\u201032.","DOI":"10.1108\/09685229810207425"},{"key":"key2022020820381943600_b25","unstructured":"Nunnally, J.C. (1967), Psychometric Theory, McGraw\u2010Hill, New York, NY."},{"key":"key2022020820381943600_b26","unstructured":"Nunnally, J.C. (1978), Psychometric Theory, 2nd ed., McGraw\u2010Hill, New York, NY."},{"key":"key2022020820381943600_b27","unstructured":"Nunnally, J.C. and Bernstein, I.H. (1994), Psychometric Theory, 3rd ed., McGraw\u2010Hill, New York, NY."},{"key":"key2022020820381943600_b28","unstructured":"Parker, D.B. (1981), Computer Security Management, Prentice\u2010Hall, Reston, VA."},{"key":"key2022020820381943600_b29","unstructured":"Parker, D.B. (1998), Fighting Computer Crime: A New Framework for Protecting Information, Wiley, New York, NY."},{"key":"key2022020820381943600_b30","doi-asserted-by":"crossref","unstructured":"Peltier, T.R. (2003), \u201cImplementing an information security awareness program\u201d, EDPACS, Vol. 33 No. 1, pp. 1\u201018.","DOI":"10.1201\/1079.07366981\/45423.33.1.20050701\/89329.1"},{"key":"key2022020820381943600_b31","unstructured":"Perry, W.E. (1985), Management Strategies for Computer Security, Butterworth\u2010Heinemann, Newton, MA."},{"key":"key2022020820381943600_b32","unstructured":"Puhakainen, P. (2006), \u201cDesign theory for information security awareness\u201d, PhD thesis, University of Oulu, Oulu."},{"key":"key2022020820381943600_b33","doi-asserted-by":"crossref","unstructured":"Rajagopalan, N. and Spreitzer, G. (1997), \u201cToward a theory of strategic change: a multi\u2010lens perspective and integrative framework\u201d, The Academy of Management Review, Vol. 22 No. 1, pp. 48\u201079.","DOI":"10.5465\/amr.1997.9707180259"},{"key":"key2022020820381943600_b35","doi-asserted-by":"crossref","unstructured":"Siponen, M.T. (2000), \u201cA conceptual foundation for organizational information security awareness\u201d, Information Management & Computer Security, Vol. 8 No. 1, pp. 31\u201041.","DOI":"10.1108\/09685220010371394"},{"key":"key2022020820381943600_b36","doi-asserted-by":"crossref","unstructured":"Siponen, M.T. (2001), \u201cFive dimensions of information security awareness\u201d, Computers and Society, Vol. 31 No. 2, pp. 24\u20109.","DOI":"10.1145\/503345.503348"},{"key":"key2022020820381943600_b37","doi-asserted-by":"crossref","unstructured":"Siponen, M.T. and Iivari, J. (2006), \u201cIS security design theory framework and six approaches to the application of IS security policies and guidelines\u201d, Journal of the Association for Information Systems, Vol. 7 No. 7, pp. 445\u201072.","DOI":"10.17705\/1jais.00095"},{"key":"key2022020820381943600_b34","unstructured":"Siponen, M.T. and Kajava, J. (1998), Ontology of Organizational IT Security Awareness. From Theoretical Foundations to Practical Framework, IEEE Computer Society Press, Los Alamitos, CA."},{"key":"key2022020820381943600_b38","doi-asserted-by":"crossref","unstructured":"Snell, W.E.J. and Wooldridge, D.G. (1998), \u201cSexual awareness: contraception, sexual behaviors and sexual attitudes\u201d, Sexual and Marital Therapy, Vol. 13, pp. 191\u20109.","DOI":"10.1080\/02674659808406559"},{"key":"key2022020820381943600_b39","doi-asserted-by":"crossref","unstructured":"Spurling, P. (1995), \u201cPromoting security awareness and commitment\u201d, Information Management & Computer Security, Vol. 3 No. 2, pp. 20\u20106.","DOI":"10.1108\/09685229510792988"},{"key":"key2022020820381943600_b40","doi-asserted-by":"crossref","unstructured":"Stafford, T.F. and Urbaczewski, A. (2004), \u201cSpyware: the ghost in the machine\u201d, Communications of the Association for Information Systems, Vol. 14, pp. 291\u2010306.","DOI":"10.17705\/1CAIS.01415"},{"key":"key2022020820381943600_b41","doi-asserted-by":"crossref","unstructured":"Straub, D.W. (1990), \u201cEffective IS security: an empirical study\u201d, Information Systems Research, Vol. 1 No. 3, pp. 255\u201076.","DOI":"10.1287\/isre.1.3.255"},{"key":"key2022020820381943600_b42","doi-asserted-by":"crossref","unstructured":"Straub, D.W. and Nance, W.D. (1990), \u201cDiscovering and disciplining computer abuse in organization: a field study\u201d, Management Information Systems Quarterly, Vol. 14 No. 1, pp. 45\u201055.","DOI":"10.2307\/249307"},{"key":"key2022020820381943600_b43","doi-asserted-by":"crossref","unstructured":"Straub, D.W. and Welke, R.J. (1998), \u201cCoping with systems risks: security planning models for management decision making\u201d, Management Information Systems Quarterly, Vol. 22 No. 4, pp. 441\u201069.","DOI":"10.2307\/249551"},{"key":"key2022020820381943600_b44","doi-asserted-by":"crossref","unstructured":"Thomson, M.E. and Solms, R.V. (1998), \u201cInformation security awareness: educating our users effectively\u201d, Information Management & Computer Security, Vol. 6 No. 4, pp. 167\u201073.","DOI":"10.1108\/09685229810227649"},{"key":"key2022020820381943600_b45","unstructured":"Tillman, B. (2002), \u201cInternet privacy legislation emerges: new legislation could bring US privacy protection laws into step with those of the European Union (Legislative and Regulatory Update)\u201d, Information Management Journal, Vol. 36 No. 5, pp. 14\u201018."},{"key":"key2022020820381943600_b46","unstructured":"White, G.B., Fisch, E.A. and Pooch, U.W. (1996), Computer System and Network Security, CRC Press, Boca Raton, FL."},{"key":"key2022020820381943600_b47","doi-asserted-by":"crossref","unstructured":"Yeh, Q\u2010J. and Chang, A.J\u2010T. (2007), \u201cThreats and countermeasures for information system security: a cross\u2010industry study\u201d, Information & Management, Vol. 44 No. 5, pp. 480\u201091.","DOI":"10.1016\/j.im.2007.05.003"}],"container-title":["Information Management &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09685220810920558","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220810920558\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220810920558\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:09:07Z","timestamp":1753402147000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/16\/5\/484-501\/185653"}},"subtitle":["An empirical validation of the relationship between managerial information security awareness and action"],"short-title":[],"issued":{"date-parts":[[2008,11,21]]},"references-count":47,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2008,11,21]]}},"alternative-id":["10.1108\/09685220810920558"],"URL":"https:\/\/doi.org\/10.1108\/09685220810920558","relation":{},"ISSN":["0968-5227"],"issn-type":[{"value":"0968-5227","type":"print"}],"subject":[],"published":{"date-parts":[[2008,11,21]]}}}