Toward a Better Understanding of SMB CEOs' Information Security Behavior: Insights from Threat or Coping Appraisal

This study presents an empirical investigation of the factors affecting SMB CEOs' decision whether or not to improve their company's information security (ISS). We developed a research model based on protection motivation theory (PMT) to investigate the effect of threat and coping appraisal on protective actions, and conducted a questionnaire-based survey of SMB CEOs. Prior studies using PMT have never focused on SMB CEOs' behavior; we postulate that in SMBs, where there is no CIO or even IT staff, the CEO's actions are of utmost importance for achieving satisfactory ISS.


Introduction
Many threats to information security (ISS) come from employees' behaviors that do not comply with information security policies (Chu & Chau, 2014; Siponen et al., 2014), ISS organizational rules, or even guidelines or requirements (Ifinedo, 2012; Workman et al., 2008). However, numerous surveys and studies have confirmed that managerial support is essential in obtaining employees' adherence to ISS (Avolio, 2000; Johnston & Hale, 2009). In addition, employees' involvement and propensity to act depend directly on managers' concrete actions (Dong et al., 2009; Forcht & Ayers, 2000).
To date, little attention has been given to top management's role, even though many scholars have advocated that ISS should be addressed at the top management level (Markus, 1983; Longeon & Archimbaud, 1999; Friend & Pagliari, 2000; Knapp et al., 2006).
The MIS literature repeatedly shows that managers must not only be aware but also be personally involved. Managers' involvement is essential to the implementation, maintenance and success of ISS-related actions (Johnston & Hale, 2009). Rockart & Crescenzi (1984) declared that managers must recognize that information is a strategic resource and that "senior executives are increasingly feeling the need to become informed, energized, and engaged in information systems" (p. 3). Top managers must be considered the starting point for satisfactory ISS (Robinson & Volonino, 2004). According to Longeon & Archimbaud (1999): "determining and supervising the security policy are top management concerns. Nothing valuable can be done without the manager, provided that he knows all the challenges involved." (p. 19). However, some managers are poorly involved in, or act poorly on, their company's ISS, with potentially disastrous consequences.
Few studies have aimed at understanding CEOs' participation and actions in ISS (Dong, 2008; Zwikael, 2008; Barlette, 2012). Moreover, studies of the factors influencing action, their incidence on ISS, and the major actions incumbent on managers usually focus on executives of medium or large businesses (Lee and Larsen, 2009; Vance et al., 2012).
This study investigates ISS in French SMBs. In 2013, SMBs (fewer than 250 employees) accounted for 99.8% of all enterprises active in the EU28 non-financial business sector, representing 66.8% of total employment, including a large share of small (fewer than 50 employees) and micro-enterprises (fewer than 10) (European Commission, 2014). ISS surveys have revealed that SMBs are far behind larger companies in implementing protection because they lack technical (Labodi & Michelberger, 2010) and financial resources (Lee & Larsen, 2009). SMBs face important issues: (1) it is more difficult for SMBs to recruit and keep ICT or ISS specialists (Monnoyer, 2003; Pritchard, 2010), (2) ongoing risk assessment is often lacking (Gupta & Hammond, 2005), and (3) many SMB managers are not sufficiently aware of ISS issues (Mitchell et al., 1999) and consider information security to be a 'large business' concern (Rees, 2010). The unfortunate truth is that SMBs are as much, and in some cases more, at risk from security breaches that could threaten their organization (Rees, 2010). Therefore, SMBs and their managers constitute a specific case for ISS research. In this study we test protection motivation theory (PMT) on SMB CEOs and observe which factors explain their intention to engage in protective actions for their firm. This paper is structured as follows: in section two, the literature review leads to our model and hypotheses. The third section introduces our methodology. We present our results in the fourth section and discuss them in section five. In the last section, we sum up our main results and introduce our next study.

Research background
In this section, we introduce protection motivation theory, then our model and hypotheses.

Protection motivation theory (PMT)
PMT (Rogers, 1983) is one of the most powerful explanatory theories for predicting an individual's intention to engage in protective actions (Anderson & Agarwal, 2010). PMT can be divided into two major components: threat appraisal and coping appraisal.

Threat appraisal
The perception of threat is defined as the anticipation of a psychological, sociological or physical violation or harm to oneself or others (Lazarus, 1991; Workman et al., 2008). People perceiving this threat adjust their behavior according to the amount of risk they are willing to accept. This adjustment is based on the perceived severity of the cost and damage associated with the threat and on their perceived vulnerability to the threat.
Perceived vulnerability is the conditional probability that the threatening event will occur if no adaptive behavior is performed and no existing behavior is adapted (Lee & Larsen, 2009). The greater the perceived vulnerability to a security breach, the more ISS behaviors people will exert (Ryan, 2004); the opposite also holds, as perceived invulnerability can lead to fewer ISS behaviors (Bulgurcu et al., 2010; Ryan, 2004).
Perceived severity corresponds to the perception of the severity of the consequences of an ISS problem arising because ISS measures were insufficient or ineffective (Ifinedo, 2012; Liang & Xue, 2010). It includes, for example, the perceived level of the company's loss of activity, loss of data, financial losses and possible side effects (e.g. loss of image). People behave more cautiously as this perceived severity increases, but the reverse effect also exists: people will be less cautious if the perceived severity diminishes (Bulgurcu et al., 2010; Herath & Rao, 2009).

Coping appraisal
Coping behavior depends on the control people perceive over the behavior, their perceived capabilities, and the effort they will expend to accomplish it (Bandura, 1977). Three components influence coping appraisal: response efficacy, self-efficacy and response cost.
Response efficacy corresponds to beliefs about the perceived benefits of the behavior exerted by the individual (Rogers, 1983). If people perceive the available coping mechanisms as adequate, for example because available security measures are improving (Kankanhalli et al., 2003), they are less likely to omit an ISS-related behavior. Conversely, if people have a negative perception of the efficacy of the necessary behavior, because no matter what they do security breaches will keep increasing, they are more likely to omit this behavior (Workman et al., 2008).
Self-efficacy is defined as "people's beliefs about their capabilities to produce designated levels of performance that exercise influence over events that affect their lives" (Bandura, 1994, p. 81). Prior research has demonstrated that people are more motivated to cope with or perform IT security behaviors as their level of self-efficacy increases (Workman et al., 2008).
Response cost refers to the physical and cognitive effort necessary for the adaptive response (Liang & Xue, 2010). It can correspond to the money or time to invest in the behavior or the security measure, or to the inconvenience or difficulty of the behavior itself. This perceived effort is weighed against the perceived value of the ISS-related behavior (Workman et al., 2008).

Figure 1. The theoretical model
Threat appraisal: an increase in perceived severity and vulnerability leads to a greater intention to behave in a more protective manner. Therefore we postulated (see Fig. 1):
H1: Perceived severity of potential information security threats positively and significantly influences SMB CEOs' intention to perform information security-related actions.
H2: Perceived vulnerability to potential information security threats positively and significantly influences SMB CEOs' intention to perform information security-related actions.
Coping appraisal: according to PMT, it consists of self-efficacy, response efficacy and response cost.
Response efficacy, in the context of our research, refers to CEOs' belief as to whether performing information security-related actions can enhance their company's security and reduce security flaws.
We postulated:
H3: Response efficacy against potential information security threats positively and significantly influences SMB CEOs' intention to perform information security-related actions.
Self-efficacy refers here to CEOs' belief in their ability to perform information security-related actions. We believe that self-efficacy regarding potential information security threats has a positive and significant impact on CEOs' intention to perform information security-related actions.
We therefore postulated:
H4: Self-efficacy regarding potential information security threats positively and significantly influences SMB CEOs' intention to perform information security-related actions.
Response cost represents any costs (e.g. time, money, difficulty, complexity, effort) associated with taking the adaptive coping response. Hence, we postulated:
H5: Response cost negatively influences SMB CEOs' intention to perform information security-related actions.
Gender has been found to be important in IT contexts (Venkatesh et al., 2003). Therefore we postulated:
H6: Male SMB CEOs have a greater intention to perform information security-related actions than female CEOs.
Age has shown significant differences in the involvement of managers and in their perception of troubles affecting their company's IS (Stevens et al., 1978; Venkatesh et al., 2003). Thus, we posited:
H7: … intention to perform information security-related actions.
Lee and Larsen (2009) did not find that size had any significant influence on behavioral intention. Nevertheless, we posit that the smaller the company, the more important the CEO's role in the management of information security. Thus, we postulate that a larger firm size is negatively related to the CEO's behavioral intention to take or implement IS security measures.
H8: Company size negatively influences SMB CEOs' intention to perform information security-related actions.

Research design
The research model was tested using a field survey. We administered the questionnaire to SMB CEOs. Each participant received an email explaining the purpose of our study, including a link to our web-based questionnaire. A total of 258 responses were returned between December 2014 and January 2015.
After removing incomplete and invalid responses, we obtained 177 usable responses. Response rates for information security-related surveys are usually low (Kotulic & Clark, 2004). In addition, SMB CEOs are very difficult to reach by email, and time is a scarce resource for them (Wolcott et al., 2008).
All items, except nominal variables, were measured on 7-point Likert scales anchored at 1 = "Strongly disagree" and 7 = "Strongly agree". The questions in our instrument were first pre-tested through face-to-face interviews with SMB CEOs (N = 14). Based on the CEOs' feedback, the readability of the questions was improved.
The questionnaire itself was created with the Qualtrics tool. At the beginning of the questionnaire, an introductory text defined information security and specified that only CEOs of businesses with fewer than 250 employees were authorized to respond. Participation in the study was voluntary, and respondents were assured that individual responses would be treated anonymously and confidentially.

Measures
Our purpose was to determine the influence of the antecedents on behavioral intention. All the items of the questionnaire are described in Appendix A.

Dependent variable
The dependent variable, Behavioral Intention (Int.), was computed as a factorized construct (Cronbach's alpha = 0.904) composed of two items, Int1 and Int2.

Independent variables
The independent variables were divided into two groups. To measure threat appraisal, we observed perceived vulnerability (Vuln.) and perceived severity (Sev.). To measure coping appraisal, we used three variables: response efficacy (Eff.R.), self-efficacy (Eff.S.) and response cost (Cost.). All constructs exhibited a reliability score above 0.7, which is considered satisfactory.

Control variables
As control variables, we included Gender, Size and Age. Gender was coded as a dummy variable (male = 0; female = 1). Size was measured on a scale following the European classification of firms: fewer than ten employees (micro-enterprises = 1), 10 to 49 employees (small enterprises = 2) and 50 to 249 employees (medium enterprises = 3). Age is the respondent's age.

Data analysis
To test the hypotheses, a multiple regression analysis was performed with the statistical software SPSS (version 21). We regressed CEOs' behavioral intention, our model's dependent variable, on the control variables (size, age and gender) and on the independent variables. Common method bias was checked with Harman's single-factor test (Podsakoff et al., 2003). The largest share of covariance explained by a single factor in our data is 17.6 percent, far below the conventional 50 percent threshold; hence common method variance (CMV) was not a problem in our data.
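As an added illustration of the checks described in this section (not code from the study, whose analysis was run in SPSS), the following pure-Python block computes Cronbach's alpha for a multi-item construct, fits an OLS regression by the normal equations, derives the standardized β coefficients that regression tables report, and computes each predictor's variance inflation factor (VIF) for the multicollinearity check. The scores and predictors embedded in it are constructed, not the study's 177 responses; the function names are the example's own.

```python
"""Reliability and collinearity checks of the kind described above:
Cronbach's alpha, OLS with standardized betas, and the VIF of each
predictor, in pure Python. Added example; all data below is constructed."""


def _mean(xs):
    return sum(xs) / len(xs)


def _var(xs):
    """Sample variance (n - 1 denominator)."""
    m = _mean(xs)
    return sum((x - m) ** 2 for x in xs) / (len(xs) - 1)


def cronbach_alpha(items):
    """items: k equal-length lists of scores, one per questionnaire item.
    alpha = k/(k-1) * (1 - sum(item variances) / variance(total score))."""
    k = len(items)
    totals = [sum(row) for row in zip(*items)]
    return k / (k - 1) * (1 - sum(_var(it) for it in items) / _var(totals))


def _solve(a, b):
    """Solve a @ x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(a)
    m = [list(row) + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("singular design matrix: perfectly collinear predictors")
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def ols(y, xs):
    """Ordinary least squares with an intercept; xs is a list of predictor
    columns. Returns ([intercept, b_1, ..., b_p], R squared)."""
    n = len(y)
    cols = [[1.0] * n] + [[float(v) for v in x] for x in xs]
    p = len(cols)
    xtx = [[sum(cols[i][t] * cols[j][t] for t in range(n)) for j in range(p)]
           for i in range(p)]
    xty = [sum(cols[i][t] * y[t] for t in range(n)) for i in range(p)]
    beta = _solve(xtx, xty)
    fitted = [sum(beta[i] * cols[i][t] for i in range(p)) for t in range(n)]
    ybar = _mean(y)
    ss_res = sum((y[t] - fitted[t]) ** 2 for t in range(n))
    ss_tot = sum((y[t] - ybar) ** 2 for t in range(n))
    if ss_tot == 0:
        raise ValueError("outcome has no variance")
    return beta, 1.0 - ss_res / ss_tot


def standardized_betas(y, xs):
    """The beta values regression tables report: b_j * sd(x_j) / sd(y)."""
    beta, _ = ols(y, xs)
    sd_y = _var(y) ** 0.5
    return [b * (_var(x) ** 0.5) / sd_y for b, x in zip(beta[1:], xs)]


def vif(xs):
    """VIF_j = 1 / (1 - R²_j), where R²_j comes from regressing predictor j
    on all the other predictors. Values above 10 (or 5) flag collinearity."""
    out = []
    for j, target in enumerate(xs):
        others = [x for i, x in enumerate(xs) if i != j]
        _, r2 = ols(target, others)
        out.append(float("inf") if r2 >= 1.0 else 1.0 / (1.0 - r2))
    return out


# Constructed data (not the study's responses): two 7-point intention items,
# two orthogonal predictors, and a third that is nearly their sum.
INT1 = [7, 6, 5, 4, 3, 2, 1]
INT2 = [6, 6, 5, 4, 3, 2, 2]
X1 = [1, 2, 3, 4, 5, 6]
X2 = [-1, 1, 0, 0, 1, -1]
X3 = [0, 3, 4, 4, 6, 5]          # X1 + X2 plus one unit of noise
Y = [5, 8, 11, 14, 17, 20]       # 2 + 3 * X1, a noise-free outcome

if __name__ == "__main__":
    print("Cronbach's alpha (Int1, Int2):", round(cronbach_alpha([INT1, INT2]), 3))
    print("VIF, orthogonal predictors:", [round(v, 3) for v in vif([X1, X2])])
    print("VIF, with near-collinear X3:", [round(v, 2) for v in vif([X1, X2, X3])])
    print("standardized betas of Y on X1, X2:",
          [round(b, 3) for b in standardized_betas(Y, [X1, X2])])
```

Run directly, the script gives alpha ≈ 0.978 for the two constructed intention items, VIF = 1 for the two orthogonal predictors, and a VIF of about 26 for the near-collinear third predictor, well past the usual cut-off of 10. The VIFs below 2 reported in the Results are the absence of such a flag: the standardized β values can then be read without collinearity inflating their standard errors.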

Results
As shown in Table 2, most respondents were male (about three quarters). Our proportion of 25 percent female CEOs is close to the 29 percent European figure (European Union, 2014).
Company sizes were distributed as follows: 58.8 percent micro-enterprises with fewer than ten employees, 29.4 percent businesses with 10 to 49 employees, and 11.9 percent medium-sized businesses. Our sample slightly under-represents the smallest businesses compared with European figures (OECD, 2013), but remains closer to them than previous studies dedicated to information security in SMBs (Gupta and Hammond, 2004; Lee and Larsen, 2009).
The average age was around 40 years (see Table 3). Table 4 presents the regression results. We entered the control variables in Model 1 to determine their effects. Model 1 reports no significant effects: neither firm size, gender nor the CEO's age significantly affects behavioral intention. In Model 2, to test all hypotheses, we added the independent variables to examine to what degree they determine behavioral intention.

The F-test is significant (F = 8.26; p < .001). Hence, we can reject the null hypothesis that all regression coefficients are zero: the predictors jointly explain a significant share of the variance in behavioral intention.
We also checked for multicollinearity among the predictors by computing their variance inflation factors (VIF). All VIFs were below 2, far under the commonly used cut-off of 10, so multicollinearity does not threaten the estimates. As shown in Table 4 and illustrated in Figure 2, the total explained variance is 18.5 percent. Perceived vulnerability (β = 0.232; p < .001), response efficacy (β = 0.292; p < .001) and self-efficacy (β = 0.189; p < .01) are significant determinants of the behavioral intention to implement security measures. These findings support hypotheses H2, H3 and H4.

Response cost (β = 0.187; p < .01) had a positive influence, the opposite of what was expected; thus H5 is not supported.
The influence of perceived severity was non-significant; thus H1 is not supported.
None of our control variables (Gender, Age and Size) showed a significant effect; therefore H6, H7 and H8 are not supported.

Discussion
Table 5 lists the previous studies we identified that use protection motivation theory. Comparing our respondents with those of all the previous studies in Table 5, only Lee and Larsen's study was dedicated to executives (though nearly 60 percent of their respondents were IS experts) and to SMBs (though defined as fewer than 500 employees).

We posited that in the smallest businesses, where no CIO exists, the CEO's importance in the management of information security is reinforced.
Our study clearly differs from the previous ones because:
- the SMBs in our sample follow the European definition ("fewer than 250 employees"), with an average size of 27 employees (vs. 192 employees in Lee and Larsen's study);
- we focused exclusively on CEOs;
- deterrence theory was not used, because we contend that it is more relevant for explaining employees' behavior than CEOs';
- as 'behavioral intention', we used the implementation of IS security measures, since CEOs take part in and/or support the creation and implementation of security policies, whereas compliance can be seen as more passive and as something required mainly of employees.
Perceived vulnerability had a strong and significant positive influence on ISS behavioral intention. This confirms, for CEOs, the results of Ryan (2004) and Bulgurcu et al. (2010): the more vulnerable CEOs perceive their company's IS to be, the more they tend to develop or apply ISS policies and procedures in their companies.
Response efficacy and self-efficacy had a positive influence on SMB CEOs' ISS behavioral intention. Our study extends the results of Kankanhalli et al. (2003), showing that when CEOs have a positive perception of the efficacy of their behavior, they are more inclined to implement ISS measures. Our results are also in line with those of Ifinedo (2012) and Lee and Larsen (2009), as we confirmed that behavioral intention is mainly influenced by coping appraisal.
Another interesting point is that although IS experts accounted for nearly 60 percent of Lee and Larsen's (2009) respondents, 40 percent were non-IS experts (CEOs, CFOs and COOs), which allowed them to assess strong differences between IS experts and non-IS experts.
As CEOs are very often far from being IS experts, our results are also consistent with the finding that the behavioral intention of non-IS experts is more influenced by coping appraisal, while that of IS experts is more influenced by threat appraisal (Lee and Larsen, 2009, p. 184). Therefore, the weak and non-significant influence of perceived severity in our study is also in line with Lee & Larsen's findings.
Company size was not relevant to explaining the CEO's behavioral intention to take or implement security measures: whether the CEO is alone or a dedicated function exists (a CIO or another employee in charge of information security), the CEO's level of intention to act does not vary significantly. Therefore, our study confirms the importance of CEOs' role in SMBs' ISS.
Surprisingly, response cost positively influenced the CEO's behavioral intention, which is counterintuitive and contradicts previous results. This means that the more costly CEOs perceive the behavior to be, in terms of effort or inconvenience, the stronger their behavioral intention. We can suppose that CEOs feel that information security is not only important, but also implies vital and compulsory changes in their SMBs. Response cost could, in this case, be linked to the perception of ISS as a strategic issue and to the level of CEOs' commitment to their businesses. Studying the link between response cost, CEOs' commitment and the related stakes would be an interesting avenue for future research.
To conclude this discussion: in our study the strongest effect was exerted by response efficacy, which has the largest standardized coefficient (β = 0.292). Self-efficacy and response cost also proved to have a significant, although smaller, effect.

Limitations
Although this study's findings provide meaningful implications, our study has some limitations.
First, our research used a web-based questionnaire, which may have introduced response bias: people outside the target population may have filled out the questionnaire, or people in the target population could have submitted more than one response. Even though we partially addressed this by checking respondents' IP addresses and by eliminating companies with more than 250 employees, some non-CEOs could have filled out our questionnaire.
Second, this study only examined positive (adaptive) actions rather than maladaptive actions, which may require further investigation.
Third, we could not assess the effects of certain variables such as industry type or whether a company is IT-intensive (Lee and Larsen, 2009).
Finally, this study did not examine actual ISS-related behavior. It would be interesting to compare the behaviors of taking or implementing security measures in large companies (Workman et al., 2008) with actual behaviors in SMBs.

Implications for researchers and practitioners
This study confirmed the importance of CEOs' role in SMBs' ISS. SMB CEOs must realize that they sometimes just have to communicate the importance of information security or set an example (such as shredding confidential documents), and that security measures are not always expensive or cumbersome. As numerous meetings and seminars are organized for entrepreneurs, training or communications during those events could include advice on, and insist on, good ISS practices.
For researchers, we showed that even if it is relevant to study employees' behaviors (to decrease negative behaviors and improve positive ones), it is of utmost importance to dedicate more research to SMB CEOs, as they constitute a specific and important population and as their actions have been shown to influence employees' behavior and to have a strong impact on SMBs' overall security (Barlette, 2012).

Conclusion
The involvement of CEOs in implementing security measures is important for improving the level of information security in SMBs. We tested a model based on protection motivation theory (PMT) using data collected from 177 French SMB CEOs.
The results showed that response efficacy had the strongest effect (β = 0.292). Perceived vulnerability, self-efficacy and response cost also had a positive and significant impact on CEOs' intention to implement information security measures. By contrast, perceived severity did not significantly affect the behavioral intention to implement these measures.
We highlighted some of the reasons why CEOs' ISS behavior is so important in SMBs in general, and more particularly in the smallest ones, where the CEO cannot rely on an internal IT expert.
It would also be interesting to identify actual actions, especially who takes charge of ISS in SMBs, and for which sizes of SMB. For example, we could identify thresholds where IT staff or a CIO exist, or, in the smallest SMBs, employees who assume this charge informally. This could be a trigger for CEO-specific behavior, or at least provide insight into their ISS-related behavior.
The next step of this study will consist in working with a larger dataset, including social influence and other variables, and the notion of direct behavior (doing) and indirect behavior (supporting the person who does, when the CEO does not act).

Table 1 :
Constructs and reliability of measurement items

Table 2 :
Demographic characteristics of the sample (N=177)

Table 3 :
Descriptive statistics and correlations

Table 4 :
Multiple regression analysis: Dependent Variable = Behavioral Intention. CEOs' behavioral intention is significantly influenced by perceived vulnerability and by coping appraisal (response efficacy, self-efficacy and response cost).

Table 5 :
Previous studies and characteristics