{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T19:50:19Z","timestamp":1773431419575,"version":"3.50.1"},"reference-count":66,"publisher":"Emerald","issue":"5","license":[{"start":{"date-parts":[[2019,10,7]],"date-time":"2019-10-07T00:00:00Z","timestamp":1570406400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ITP"],"published-print":{"date-parts":[[2019,10,7]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title><jats:p>The purpose of this paper is to expand current knowledge about the security organizational practices and analyze its effects on the information security management performance.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title><jats:p>Based on the literature review, the authors propose a research model together with hypotheses. The survey questionnaires were developed to collect data, which then validated the measurement model. The authors collected 111 responses from CEOs at manufacturing small- and medium-sized enterprises (SMEs) that had already implemented security policies. The hypothesized relationships were tested using the structural equation model approach with EQS 6.1 software.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Findings<\/jats:title><jats:p>Results validate that information security knowledge sharing, information security education and information security visibility, as well as security organizational practices, have a positive effect on the information security management performance.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title><jats:p>The consideration of organizational aspects of information security should be taken into account by academics, practitioners and policymakers in SMEs. Besides, the work helps validate novel constructs used in recent research (information security knowledge sharing and information security visibility).<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title><jats:p>The authors extend previous works by analyzing how security organizational practices affect the performance of information security. The results suggest that an improved performance of information security in the industrial SMEs requires innovative practices to foster knowledge sharing among employees.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title><jats:p>The literature recognizes the need to develop empirical research on information security focused on SMEs. Besides the need to identify organizational practices that improve information security, this paper empirically investigates SMEs\u2019 organizational practices in the security of information and analyzes its effects on the performance of information security.<\/jats:p><\/jats:sec>","DOI":"10.1108\/itp-06-2018-0261","type":"journal-article","created":{"date-parts":[[2019,6,12]],"date-time":"2019-06-12T11:20:35Z","timestamp":1560338435000},"page":"1262-1275","source":"Crossref","is-referenced-by-count":26,"title":["Organizational practices as antecedents of the information security management performance"],"prefix":"10.1108","volume":"32","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1469-220X","authenticated-orcid":false,"given":"Daniel","family":"P\u00e9rez-Gonz\u00e1lez","sequence":"first","affiliation":[]},{"given":"Sara Trigueros","family":"Preciado","sequence":"additional","affiliation":[]},{"given":"Pedro","family":"Solana-Gonzalez","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"issue":"4","key":"key2019092316142108800_ref001","doi-asserted-by":"crossref","first-page":"432","DOI":"10.1016\/j.cose.2009.12.005","article-title":"Improving information security awareness and behaviour through dialogue, participation and collective reflection: an intervention study","volume":"29","year":"2010","journal-title":"Computers & Security"},{"key":"key2019092316142108800_ref002","doi-asserted-by":"crossref","first-page":"567","DOI":"10.1016\/j.chb.2015.03.054","article-title":"Design and validation of information security culture framework","volume":"49","year":"2015","journal-title":"Computers in Human Behavior"},{"issue":"1","key":"key2019092316142108800_ref003","first-page":"74","article-title":"On the evaluation of structure equation models","volume":"16","year":"1998","journal-title":"Journal of the Academy of Marketing Science"},{"issue":"1","key":"key2019092316142108800_ref004","doi-asserted-by":"crossref","first-page":"138","DOI":"10.1016\/j.im.2013.11.004","article-title":"Incident-centered information security: managing a strategic balance between prevention and response","volume":"51","year":"2014","journal-title":"Information & Management"},{"issue":"3","key":"key2019092316142108800_ref005","doi-asserted-by":"crossref","first-page":"189","DOI":"10.1108\/09685220510602013","article-title":"Information systems security from a knowledge management perspective","volume":"13","year":"2005","journal-title":"Information Management & Computer Security"},{"issue":"1","key":"key2019092316142108800_ref006","doi-asserted-by":"crossref","first-page":"25","DOI":"10.25300\/MISQ\/2018\/13245","article-title":"Impact of information technology infrastructure flexibility on mergers and acquisitions","volume":"42","year":"2018","journal-title":"MIS Quarterly"},{"key":"key2019092316142108800_ref007","unstructured":"Cantabria Institute of Statistics (ICANE) (2016), \u201cDirectory of companies and establishments of Cantabria\u201d, available at: www.icane.es (accessed April 26, 2019)."},{"issue":"2","key":"key2019092316142108800_ref008","doi-asserted-by":"crossref","first-page":"198","DOI":"10.1287\/isre.1080.0180","article-title":"Configuration of and interaction between information security technologies: the case of firewalls and intrusion detection systems","volume":"20","year":"2009","journal-title":"Information System Research"},{"issue":"3","key":"key2019092316142108800_ref009","doi-asserted-by":"crossref","first-page":"345","DOI":"10.1108\/02635570610653498","article-title":"Organizational factors to the effectiveness of implementing information security management","volume":"106","year":"2006","journal-title":"Industrial Management & Data Systems"},{"issue":"5","key":"key2019092316142108800_ref010","doi-asserted-by":"crossref","first-page":"366","DOI":"10.1016\/j.ijinfomgt.2008.01.015","article-title":"Aligning information technology and business strategy with a dynamic capabilities perspective: a longitudinal study of a Taiwanese semiconductor company","volume":"28","year":"2008","journal-title":"International Journal of Information Management"},{"issue":"6","key":"key2019092316142108800_ref011","doi-asserted-by":"crossref","first-page":"752","DOI":"10.1177\/0165551517748288","article-title":"Information security: listening to the perspective of organisational insiders","volume":"44","year":"2018","journal-title":"Journal of Information Science"},{"issue":"6","key":"key2019092316142108800_ref012","doi-asserted-by":"crossref","first-page":"605","DOI":"10.1057\/s41303-017-0059-9","article-title":"Organizational information security policies: a review and research framework","volume":"26","year":"2017","journal-title":"European Journal of Information Systems"},{"issue":"1","key":"key2019092316142108800_ref013","doi-asserted-by":"crossref","first-page":"79","DOI":"10.1287\/isre.1070.0160","article-title":"User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach","volume":"20","year":"2009","journal-title":"Information Systems Research"},{"issue":"2","key":"key2019092316142108800_ref014","doi-asserted-by":"crossref","first-page":"127","DOI":"10.1046\/j.1365-2575.2001.00099.x","article-title":"Current directions in IS security research: towards socio-organizational perspectives","volume":"11","year":"2001","journal-title":"Information Systems Journal"},{"issue":"1","key":"key2019092316142108800_ref015","first-page":"55","article-title":"Aligning the information security policy with the strategic information systems plan","volume":"25","year":"2005","journal-title":"Computers & Security"},{"issue":"2","key":"key2019092316142108800_ref016","doi-asserted-by":"crossref","first-page":"348","DOI":"10.1108\/ITP-08-2016-0194","article-title":"Towards a user-centric theory of value-driven information security compliance","volume":"31","year":"2018","journal-title":"Information Technology & People"},{"key":"key2019092316142108800_ref017","volume-title":"Managing in the Next Society","year":"2002"},{"issue":"5","key":"key2019092316142108800_ref018","doi-asserted-by":"crossref","first-page":"672","DOI":"10.1016\/j.ijinfomgt.2014.06.006","article-title":"Information management for the internationalization of SMEs: an exploratory study based on a strategic alignment perspective","volume":"34","year":"2014","journal-title":"International Journal of Information Management"},{"key":"key2019092316142108800_ref019","unstructured":"European Commission (2018), \u201cScience, research and innovation performance of the EU 2018: strengthening the Foundations for \u2019Europe\u2019s future\u201d, European Commission, Luxembourg, available at: https:\/\/bit.ly\/2EV6QU3 (accessed May 9, 2019)."},{"issue":"5","key":"key2019092316142108800_ref020","doi-asserted-by":"crossref","first-page":"339","DOI":"10.1108\/09685221011095254","article-title":"Designing and aligning e-Science security culture with design","volume":"18","year":"2010","journal-title":"Information Management & Computer Security"},{"issue":"4","key":"key2019092316142108800_ref021","doi-asserted-by":"crossref","first-page":"199","DOI":"10.1016\/j.istr.2013.03.004","article-title":"Toward web-based information security knowledge sharing","volume":"17","year":"2013","journal-title":"Information Security Technical Report"},{"key":"key2019092316142108800_ref022","doi-asserted-by":"crossref","first-page":"90","DOI":"10.1016\/j.cose.2014.03.004","article-title":"Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture","volume":"43","year":"2014","journal-title":"Computers & Security"},{"issue":"3","key":"key2019092316142108800_ref023","doi-asserted-by":"crossref","first-page":"382","DOI":"10.1177\/002224378101800313","article-title":"Structural equation models with unobservable variables and measurement error: algebra and statistics","volume":"18","year":"1981","journal-title":"Journal of Marketing Research"},{"issue":"2","key":"key2019092316142108800_ref024","doi-asserted-by":"crossref","first-page":"337","DOI":"10.1007\/s11187-018-0016-6","article-title":"Regional knowledge, entrepreneurial culture, and innovative start-ups over time and space \u2013 an empirical investigation","volume":"51","year":"2018","journal-title":"Small Business Economics"},{"key":"key2019092316142108800_ref025","unstructured":"Gartner (2017), \u201cForecast: Information Security, Worldwide, 2015-2021, 3Q17 Update\u201d, Gartner Research, available at: www.gartner.com\/en\/documents\/3825766 (accessed May 5, 2019)."},{"issue":"5","key":"key2019092316142108800_ref026","first-page":"335","article-title":"Economic aspects of information security: an emerging field of research","volume":"8","year":"2006","journal-title":"Information Systems Frontiers"},{"issue":"4","key":"key2019092316142108800_ref027","doi-asserted-by":"crossref","first-page":"377","DOI":"10.1108\/09685220810908796","article-title":"Implementation and effectiveness of organizational information security measures","volume":"16","year":"2008","journal-title":"Information Management & Computer Security"},{"key":"key2019092316142108800_ref028","volume-title":"An\u00e1lisis Multivariante","year":"1999"},{"issue":"1","key":"key2019092316142108800_ref029","doi-asserted-by":"crossref","first-page":"2","DOI":"10.1108\/OIR-11-2015-0358","article-title":"Why not comply with information security? An empirical approach for the causes of non-compliance","volume":"41","year":"2017","journal-title":"Online Information Review"},{"key":"key2019092316142108800_ref030","volume-title":"Information Technology \u2013 Security Techniques \u2013 Information Security Management Systems \u2013 Requirements","author":"ISO\/IEC 27001","year":"2005"},{"issue":"3","key":"key2019092316142108800_ref031","doi-asserted-by":"crossref","first-page":"305","DOI":"10.1016\/j.comcom.2010.02.011","article-title":"Cryptanalysis and security enhancement of a \u2018more efficient & secure dynamic ID-based remote user authentication scheme\u2019","volume":"34","year":"2011","journal-title":"Computer Communications"},{"issue":"4","key":"key2019092316142108800_ref032","first-page":"303","article-title":"An evaluation methodology of enterprise security management systems","volume":"11","year":"2005","journal-title":"International Journal of Operations and Quantitative Management"},{"issue":"2","key":"key2019092316142108800_ref033","doi-asserted-by":"crossref","first-page":"37","DOI":"10.4018\/jisp.2007040103","article-title":"Information security effectiveness: conceptualization and validation of a theory","volume":"1","year":"2007","journal-title":"International Journal of Information Security and Privacy"},{"issue":"10","key":"key2019092316142108800_ref034","doi-asserted-by":"crossref","first-page":"1631","DOI":"10.1016\/j.jss.2007.01.015","article-title":"Common defects in information security management system of Korean companies","volume":"80","year":"2007","journal-title":"Journal of Systems and Software"},{"issue":"1","key":"key2019092316142108800_ref035","doi-asserted-by":"crossref","first-page":"4","DOI":"10.1108\/09685221011035223","article-title":"Understanding and transforming organizational security culture","volume":"18","year":"2010","journal-title":"Information Management & Computer Security"},{"issue":"6","key":"key2019092316142108800_ref036","doi-asserted-by":"crossref","first-page":"707","DOI":"10.1016\/j.im.2003.08.008","article-title":"An integrative model of computer abuse based on social control and general deterrence theories","volume":"41","year":"2004","journal-title":"Information & Management"},{"issue":"1","key":"key2019092316142108800_ref037","first-page":"58","article-title":"An integrated framework for information security management","volume":"30","year":"2009","journal-title":"Review of Business"},{"key":"key2019092316142108800_ref038","article-title":"A holistic approach for enriching information security analysis and security policy formation","year":"2010"},{"issue":"1","key":"key2019092316142108800_ref039","doi-asserted-by":"crossref","first-page":"285","DOI":"10.25300\/MISQ\/2018\/13853","article-title":"Toward a unified model of information security policy compliance","volume":"42","year":"2018","journal-title":"MIS Quarterly"},{"key":"key2019092316142108800_ref040","volume-title":"The Impact of the Global Crisis on SME and Entrepreneurship Financing and Policy Responses","author":"OECD","year":"2009"},{"key":"key2019092316142108800_ref041","doi-asserted-by":"crossref","DOI":"10.1787\/fin_sme_ent-2016-en","volume-title":"Financing SMEs and Entrepreneurs 2016: An OECD Scoreboard","author":"OECD","year":"2016"},{"key":"key2019092316142108800_ref042","volume-title":"OECD Economic Surveys: Spain","author":"OECD","year":"2017"},{"key":"key2019092316142108800_ref043","doi-asserted-by":"crossref","first-page":"165","DOI":"10.1016\/j.cose.2013.12.003","article-title":"Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q)","volume":"42","year":"2014","journal-title":"Computers & Security"},{"issue":"2","key":"key2019092316142108800_ref044","doi-asserted-by":"crossref","first-page":"159","DOI":"10.1287\/isre.1070.0159","article-title":"Antecedents of IS strategic alignment: a nomological network","volume":"20","year":"2009","journal-title":"Information Systems Research"},{"issue":"4","key":"key2019092316142108800_ref045","doi-asserted-by":"crossref","first-page":"757","DOI":"10.2307\/25750704","article-title":"Improving employees\u2019 compliance through information systems security training: an action research study","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"issue":"8","key":"key2019092316142108800_ref046","doi-asserted-by":"crossref","first-page":"816","DOI":"10.1016\/j.cose.2009.05.008","article-title":"Self-efficacy in information security: its influence on end users\u2019 information security practice behaviour","volume":"28","year":"2009","journal-title":"Computers & Security"},{"issue":"1","key":"key2019092316142108800_ref047","doi-asserted-by":"crossref","first-page":"4","DOI":"10.1111\/grow.12280","article-title":"Innovating in less developed regions: what drives patenting in the lagging regions of Europe and North America","volume":"50","year":"2019","journal-title":"Growth and Change"},{"key":"key2019092316142108800_ref048","doi-asserted-by":"crossref","first-page":"442","DOI":"10.1016\/j.chb.2015.12.037","article-title":"An information security knowledge sharing model in organizations","volume":"57","year":"2016","journal-title":"Computers in Human Behavior"},{"issue":"5","key":"key2019092316142108800_ref049","doi-asserted-by":"crossref","first-page":"644","DOI":"10.1108\/JEIM-07-2013-0052","article-title":"Identifying factors of \u2018organizational information security management\u2019","volume":"27","year":"2014","journal-title":"Journal of Enterprise Information Management"},{"issue":"1","key":"key2019092316142108800_ref050","doi-asserted-by":"crossref","first-page":"31","DOI":"10.1108\/09685220010371394","article-title":"A conceptual foundation for organizational information security awareness","volume":"8","year":"2000","journal-title":"Information Management & Computer Security"},{"issue":"5","key":"key2019092316142108800_ref051","doi-asserted-by":"crossref","first-page":"267","DOI":"10.1016\/j.im.2008.12.007","article-title":"Information security management standards: problems and solutions","volume":"46","year":"2009","journal-title":"Information & Management"},{"issue":"2","key":"key2019092316142108800_ref052","doi-asserted-by":"crossref","first-page":"217","DOI":"10.1016\/j.im.2013.08.006","article-title":"Employees\u2019 adherence to information security policies: an exploratory field study","volume":"51","year":"2014","journal-title":"Information & Management"},{"issue":"2","key":"key2019092316142108800_ref053","doi-asserted-by":"crossref","first-page":"64","DOI":"10.1109\/MC.2010.35","article-title":"Compliance with information security policies: an empirical investigation","volume":"43","year":"2010","journal-title":"Computer"},{"issue":"2","key":"key2019092316142108800_ref054","doi-asserted-by":"crossref","first-page":"215","DOI":"10.1016\/j.ijinfomgt.2015.11.009","article-title":"Information security management needs more holistic approach: a literature review","volume":"36","year":"2016","journal-title":"International Journal of Information Management"},{"issue":"3","key":"key2019092316142108800_ref055","doi-asserted-by":"crossref","first-page":"255","DOI":"10.1287\/isre.1.3.255","article-title":"Effective IS security: an empirical study","volume":"1","year":"1990","journal-title":"Information Systems Research"},{"key":"key2019092316142108800_ref056","first-page":"3736","article-title":"Lessons learned from an information security incident: a practical recommendation to involve employees in information security","year":"2018"},{"issue":"2","key":"key2019092316142108800_ref057","doi-asserted-by":"crossref","first-page":"105","DOI":"10.1007\/s12525-012-0120-4","article-title":"Cloud computing in industrial SMEs: identification of the barriers to its adoption and effects of its application","volume":"23","year":"2013","journal-title":"Electronic Markets"},{"issue":"4","key":"key2019092316142108800_ref058","doi-asserted-by":"crossref","first-page":"299","DOI":"10.1016\/S0167-4048(03)00406-1","article-title":"A taxonomy for information security technologies","volume":"22","year":"2003","journal-title":"Computers & Security"},{"issue":"1","key":"key2019092316142108800_ref059","doi-asserted-by":"crossref","first-page":"4","DOI":"10.1108\/09685220910944722","article-title":"An integrated view of human, organizational, and technological challenges of IT security management","volume":"17","year":"2009","journal-title":"Information Management & Computer Security"},{"issue":"1","key":"key2019092316142108800_ref060","doi-asserted-by":"crossref","first-page":"43","DOI":"10.1016\/j.ijinfomgt.2003.12.003","article-title":"In defense of the realm: understanding the threats to information security","volume":"24","year":"2004","journal-title":"International Journal of Information Management"},{"key":"key2019092316142108800_ref061","doi-asserted-by":"crossref","unstructured":"Zakaria, O. (2006), \u201cInternalisation of information security culture amongst employees through basic security knowledge\u201d, in Fischer-H\u00fcbner, S., Rannenberg, K., Yngstr\u00f6m, L. and Lindskog, S. (Eds), Security and Privacy in Dynamic Environments, Kluwer Academic Publishers, Boston, MA, pp. 437-441.","DOI":"10.1007\/0-387-33406-8_38"},{"issue":"4","key":"key2019092316142108800_ref062","doi-asserted-by":"crossref","first-page":"422","DOI":"10.1002\/sec.331","article-title":"A survey of cybercrimes","volume":"5","year":"2012","journal-title":"Security and Communication Networks"},{"key":"key2019092316142108800_ref063","doi-asserted-by":"crossref","first-page":"27","DOI":"10.1016\/j.cose.2014.01.001","article-title":"Protecting organizational competitive advantage: a knowledge leakage perspective","volume":"42","year":"2014","journal-title":"Computers & Security"},{"issue":"3","key":"key2019092316142108800_ref064","doi-asserted-by":"crossref","first-page":"509","DOI":"10.1007\/s10796-015-9608-8","article-title":"Organizational information security as a complex adaptive system: insights from three agent-based models","volume":"19","year":"2017","journal-title":"Information Systems Frontiers"},{"key":"key2019092316142108800_ref065","volume-title":"Information Technology \u2013 Security Techniques \u2013 Guidelines for Cybersecurity","author":"ISO\/IEC 27032","year":"2012"},{"key":"key2019092316142108800_ref066","doi-asserted-by":"crossref","unstructured":"Park, S. and Ruighaver, T. (2008), \u201cStrategic approach to information security in organizations\u201d, Proceedings of the 2008 International Conference on Information Science and Security (ICISS 2008) in Seoul, IEEE Computer Society, Washington, DC, January 10\u201312, pp. 26-31.","DOI":"10.1109\/ICISS.2008.44"}],"container-title":["Information Technology &amp; People"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ITP-06-2018-0261\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ITP-06-2018-0261\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,24]],"date-time":"2025-07-24T21:54:59Z","timestamp":1753394099000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/itp\/article\/32\/5\/1262-1275\/185005"}},"subtitle":["An empirical investigation"],"short-title":[],"issued":{"date-parts":[[2019,10,7]]},"references-count":66,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2019,10,7]]}},"alternative-id":["10.1108\/ITP-06-2018-0261"],"URL":"https:\/\/doi.org\/10.1108\/itp-06-2018-0261","relation":{},"ISSN":["0959-3845"],"issn-type":[{"value":"0959-3845","type":"print"}],"subject":[],"published":{"date-parts":[[2019,10,7]]}}}