Information Security Leadership Related
7/24/2019 Information Security Leadership Related
LEADERSHIP STYLES AND INFORMATION SECURITY IN SMALL
BUSINESSES: AN EMPIRICAL INVESTIGATION
by
Debasis Bhattacharya
A Dissertation Presented in Partial Fulfillment
of the Requirements for the Degree
Doctor of Business Administration
UNIVERSITY OF PHOENIX
April 2008
3324059
Copyright 2008 by Bhattacharya, Debasis
All rights reserved
Copyright 2008 by DEBASIS BHATTACHARYA. ALL RIGHTS RESERVED.
ABSTRACT
Small businesses often display a lack of concern towards cybercrime and information
security problems. A lack of concern usually results in delayed or incorrectly
implemented security measures, which increases vulnerability to cybercrime. The first
purpose of this quantitative, descriptive, correlational research study was to empirically
investigate leadership styles and assess the level of concern regarding information
security problems within small businesses that belong to particular chambers of
commerce or trade associations within the state of Hawaii. The second purpose of this
study was to determine the degree of a possible relationship between leadership styles
and the level of concern towards information security problems within these small
businesses. The 122 small business participants in the study completed the Multifactor
Leadership Questionnaire and the Small Business Security Questionnaire to test whether
a statistically significant correlation exists between particular leadership styles and the
level of concern regarding information security problems. The results of this study
showed a significant correlation between transactional and transformational leadership
styles and the level of concern towards information security problems within small
businesses. This research suggests that small business leaders need to demonstrate
more than one leadership style to broaden their preparation against a range of information
security issues and problems. The findings may be applicable to small business leaders
who proactively search for a cost-effective and optimal combination of leadership styles,
technologies, and policies that will mitigate the evolving threats of cybercrime and
information security problems.
DEDICATION
TABLE OF CONTENTS
LIST OF TABLES.............................................................................................xvi
LIST OF FIGURES .........................................................................................xviii
CHAPTER 1: INTRODUCTION.........................................................................1
Background of the Problem.................................................................................. 2
Statement of the Problem......................................................................................5
Purpose of the Study............................................................................................. 6
Dependent and Independent Variables .................................................................7
Intervening Variables............................................................................................ 8
Significance of the Study......................................................................................9
Significance of the Study to Leadership.............................................................10
Nature of the Study............................................................................................. 10
Research Questions............................................................................................. 16
Research Question 1 ....................................................................................17
Research Question 2 ....................................................................................17
Research Question 3 ....................................................................................17
Hypotheses.......................................................................................................... 18
Hypothesis 1 ................................................................................................ 19
Hypothesis 2 ................................................................................................ 19
Hypothesis 3 ................................................................................................ 19
Theoretical Framework.......................................................................................20
Leadership Theories..................................................................................... 21
Information Security Management Theories...............................................23
Definition of Terms............................................................................................. 24
Assumptions........................................................................................................ 26
Scope and Limitations.........................................................................................27
Delimitations....................................................................................................... 28
Summary.............................................................................................................28
CHAPTER 2: LITERATURE REVIEW............................................................ 30
Literature Review Search.................................................................................... 31
Historical Overview............................................................................................ 33
Evolution of Leadership Theories and Models...................................................34
Trait Theories............................................................................................... 35
Behavioral Theories.....................................................................................35
Servant Leadership Theory..........................................................................36
Situational Leadership Theory.....................................................................37
Contingency Theory .................................................................................... 37
Path-Goal Theory.........................................................................................38
Theory of Transformational Leadership.............................................................38
Transformational Leadership (Independent Variable).................................39
Transactional Leadership (Independent Variable).......................................40
Passive-Avoidant Leadership (Independent Variable)................................41
Evolution of Cybercrime and Information Security ........................................... 42
Comparison with Traditional Crime............................................................42
Evolving Legislation against Cybercrime ...................................................44
Efforts of Law Enforcement against Cybercrime........................................45
Role of E-Commerce................................................................................... 45
Information Security Theories and Related Research ........................................ 46
Cultural Theory and Risk Management....................................................... 47
Economic Model of Information Security...................................................48
Integrated System Theory of Information Security.....................................49
Current Findings and Alternative Viewpoints ....................................................50
Leadership Theories in the 21st Century ............................................. 50
Kouzes and Posner's Model ........................................................51
Pseudo Transformational Leadership .......................................................... 51
Innovation and Performance........................................................................52
Leadership Styles within Small Businesses.................................................53
Information Security Management in the 21st Century....................................... 54
Security Assessments................................................................................... 54
Preventative Security................................................................................... 55
Intrusion Detection ......................................................................................58
Incident Response........................................................................................59
Physical Security ......................................................................................... 60
Insider Access Abuse................................................................................... 61
Outsourcing Cyber Security ........................................................................63
Information Security Within Small Businesses ..................................................63
Significance of Small Businesses to the US Economy................................65
Categories of Small Businesses and Information Security..........................66
Information Security Problems (Dependent Variables) ..............................67
Pearson's Correlation and Multiple Regression Analysis ...........................95
Validity and Reliability....................................................................................... 96
Internal Validity........................................................................................... 97
External Validity.......................................................................................... 98
Reliability Analysis ..................................................................................... 99
Summary.............................................................................................................99
CHAPTER 4: RESULTS.................................................................................. 101
Study Process....................................................................................................102
Sample Participants ...................................................................................102
Survey Development ................................................................................. 103
Pilot Testing...............................................................................................104
Data Collection..........................................................................................105
Post-survey Interviews............................................................................... 106
Reliability Analysis ...................................................................................107
Post-hoc Confirmatory Factor Analysis ....................................................107
Non-Response Bias Analysis..................................................................... 108
Descriptive Statistical Analysis ........................................................................108
Independent Variables ............................................................................... 109
Dependent Variables.................................................................................. 113
Intervening Variables................................................................................. 114
Other Security Variables............................................................................119
Results of Research Questions and Hypothesis................................................122
Research Question 1 and Hypothesis 1 .....................................................122
Research Question 2 and Hypothesis 2 .....................................................128
Research Question 3 and Hypothesis 3 .....................................................133
Multiple Regression Analysis...........................................................................136
Predictors of Insider Access Abuse ...........................................................136
Predictors of Power Failure .......................................................................137
Predictors of Data Integrity .......................................................................138
Predictors of Data Availability .................................................................. 139
Predictors of Data Theft.............................................................................140
Predictors of Data Sabotage.......................................................................141
Summary of Predictors for Seven Security Concerns ...............................141
Predictors across Leadership Styles, Technology and Procedures............143
Qualitative Data for Triangulation.................................................................... 144
Summary of Findings........................................................................................146
Conclusions.......................................................................................................150
CHAPTER 5: CONCLUSIONS AND RECOMMENDATIONS....................151
Conclusions.......................................................................................................152
Literature Review ......................................................................................152
Assumptions .............................................................................................. 155
Limitations.................................................................................................156
Delimitations.............................................................................................. 157
Reliability ..................................................................................................157
Intervening Variables................................................................................. 158
Other Security Variables............................................................................158
Research Question 1 and Hypothesis 1 .....................................................160
Research Question 2 and Hypothesis 2 .....................................................163
Research Question 3 and Hypothesis 3 .....................................................166
Implications.......................................................................................................168
Implications for Global Leadership...........................................................168
Implications for Small Business Leaders ..................................................170
Recommendations............................................................................................. 172
Recommendation 1: Leadership Styles Assessment..................................172
Recommendation 2: Information Security Assessment.............................174
Recommendation 3: Application of Cybercrime Leadership ....................176
Recommendations for Future Research..................................................... 179
Summary........................................................................................................... 181
Conclusions.......................................................................................................181
REFERENCES .................................................................................................182
APPENDIX A: INFORMED CONSENT FORM............................................ 197
APPENDIX B: COPY OF SURVEY INSTRUMENTS ..................................199
APPENDIX C: PERMISSION TO USE MLQ ................................................202
APPENDIX D: PERMISSION TO USE SECURITY SURVEY.....................204
APPENDIX E: HUMAN RESEARCH SUBJECTS CERTIFICATION.........206
APPENDIX F: RELIABILITY ANALYSIS....................................................209
APPENDIX G: FREQUENCY TABLES......................................................... 211
APPENDIX H: CHI-SQUARE TESTS............................................................214
APPENDIX I: PEARSON'S CORRELATIONS............................................. 217
APPENDIX J: MULTIPLE REGRESSION ANALYSIS................................ 221
APPENDIX K: SMALL BUSINESS SECURITY CHECKLIST.................... 225
APPENDIX L: POST-HOC CONFIRMATORY FACTOR ANALYSIS....... 229
APPENDIX M: NON-RESPONSE BIAS ANALYSIS...................................232
APPENDIX N: RESOURCES FOR CYBERCRIME VICTIMS .................... 234
LIST OF TABLES
Table 1 14 Dependent Variables...........................................................................7
Table 2 Three Independent Variables................................................................... 8
Table 3 Five Intervening Variables ...................................................................... 8
Table 4 Full Range Leadership Model with Nine Factors .................................14
Table 5 Literature Surveyed in Support of the Research Questions ...................32
Table 6 Variables, Research Questions, and Survey Items ................................91
Table 7 Structure of Online Survey..................................................................104
Table 8 Post-Survey Interview Questions ........................................................ 106
Table 9 Independent Variables: Three Leadership Styles ...............................109
Table 10 Descriptive Statistics of Independent Variables...............................110
Table 11 Descriptive Statistics of Factors within each Leadership Style........ 113
Table 12 Descriptive Statistics of 14 Dependent Variables.............................114
Table 13 Intervening Variables .......................................................................115
Table 14 Intervening Variable: Connectivity Options ......................................118
Table 15 Access to Computers and Networks..................................................119
Table 16 Information Security Policies and Procedures.................................120
Table 17 Information Security Technologies...................................................120
Table 18 Data Importance............................................................................... 121
Table 19 Information Security Experiences within Past 12 Months................122
Table 20 Pearson's Correlations - Transformational Leadership Style ..........123
Table 21 Pearson's Correlations - Transformational Leadership Factors ..... 125
Table 22 Multiple Regression Analysis - Predictors of Data Secrecy.............126
Table 23 Multiple Regression Analysis - Predictions of Data Availability ..... 127
Table 24 Pearson's Correlations - Transactional Leadership Style ................130
Table 25 Pearson's Correlations - Transactional Leadership Factors ...........132
Table 26 Pearson's Correlations - Passive-Avoidance Leadership Style........ 134
Table 27 Pearson's Correlations - Passive-Avoidance Leadership Factors ..135
Table 28 Multiple Regression Analysis - Predictors of Insider Access Abuse 136
Table 29 Multiple Regression Analysis - Predictors of Power Failure...........137
Table 30 Multiple Regression Analysis - Predictors of Data Integrity ...........138
Table 31 Multiple Regression Analysis - Predictors of Data Availability....... 139
Table 32 Multiple Regression Analysis - Predictors of Data Theft.................140
Table 33 Multiple Regression Analysis - Predictors of Data Sabotage ..........141
Table 34 Summary of Predictors for Seven Security Problems .......................142
Table 35 Summary of Post-Survey Interview Responses .................................144
Table 36 Summary of Findings for Research Questions .................................147
Table 37 Summary of Findings for Research Hypothesis................................148
Table 38 Summary of Significant and Noteworthy Findings ...........................149
Table 39 Cybercrime Leadership using Leadership Style Score .....................176
Table 40 Example of Cybercrime Leadership .................................................177
Table 41 Cybercrime Leadership, Technology and Policy..............................178
LIST OF FIGURES
Figure 1. Torbjorn's (2004) Four Worldviews and Grid/Group Typology........ 48
Figure 2. Computer Security Incidents in the US (CSI/FBI, 2006). ..................65
Figure 3. Technologies Used by Businesses in the US (CSI/FBI, 2006). ..........72
Figure 4. Map of Research Methodology and Design........................................ 85
Figure 5. Histogram of Transformational Leadership Styles ...........................111
Figure 6. Histogram of Transactional Leadership Styles .................................111
Figure 7. Histogram of Passive-Avoidance Leadership Styles ........................112
Figure 8. Business Area.................................................................................... 115
Figure 9. Number of Employees ...................................................................... 116
Figure 10. Annual Revenues ............................................................................116
Figure 11. Number of Computers..................................................................... 117
Figure 12. Leadership Augmentation Model for Cybercrime..........................169
Figure 13. Cybercrime Leadership Framework Overview for Small Business170
Figure 14. Cybercrime Leadership Framework Details for Small Business .... 171
Figure 15. Assessment of Key Leadership Factors .......................................... 173
Figure 16. Computation of Leadership Style Scores........................................174
Figure 17. Basic Information Security Assessment (Easttom, 2006)............... 175
Small business owners are often entrepreneurs who set the company vision,
demonstrate problem-solving and decision-making capabilities, take risks, and launch
strategic initiatives (Fernald, Solomon, & Tarabishy, 2005). According to one study of
194 small businesses (O'Regan, Ghobadian, & Sims, 2005), effective leadership styles are
likely to lead to better business performance. O'Regan et al. claimed that small
businesses that emphasize any specific leadership style show better performance than
businesses with weak or uncertain leadership styles.
According to the available literature on small businesses, leadership, and
information security, no previous research focuses on the possible relationship between
leadership styles and information security problems. This study intended to fill this void.
This study assessed the leadership styles of small business leaders and the influence
leadership styles exerted upon information security experiences and problems. This
research study offers three potential benefits: (a) an assessment of the prevalent small
business leadership styles in the state of Hawaii; (b) a more precise identification of the
specific leadership styles that best mitigate information security threats and problems;
and (c) guidance for small business owners on the most effective leadership styles against
information security threats.
Using the Multifactor Leadership Questionnaire (MLQ) survey from Bass and
Avolio (2004) and the Small Business Security Survey (Ryan, 2000), this study examined
the leadership styles within a sample of small businesses that belong to various chambers
of commerce (CoCHawaii, 2007) or trade associations (SBH, 2007) within the state of
Hawaii. Chapter 2 discusses the theoretical aspect of leadership styles and information
security problems in more detail.
Purpose of the Study
The first purpose of this quantitative, descriptive, correlational research study was
to investigate leadership styles and assess the level of concern towards information
security problems within small businesses that belong to various chambers of commerce
(CoCHawaii, 2007) or trade associations (SBH, 2007) within the state of Hawaii. The
second purpose of this study was to determine the degree of a possible relationship
between leadership styles and the level of concern towards information security problems
within small businesses.
The research design of the study involved a pilot study, online survey, and phone
interviews to triangulate data from survey respondents. The online survey used two peer-
reviewed, valid, and reliable surveys. The two surveys included the Multifactor
Leadership Questionnaire (Bass & Avolio, 2004) and the Small Business Security Survey
(Ryan, 2000). The specific study population included 2825 small businesses located in
the state of Hawaii, with 500 or fewer employees (SBA, 2007), that belonged to various
chambers of commerce (CoCHawaii, 2007) or trade associations (SBH, 2007) within the
state of Hawaii.
Leedy and Ormrod (2001) claimed that quantitative descriptive design involves
"exploring possible correlations among two or more phenomena" (p. 191). Data was
analyzed using descriptive statistics, correlational analysis, and multiple regression
methods. The research design accomplished the goals of the study by providing empirical
evidence regarding the potential relationship between three independent variables
(transformational, transactional, passive-avoidant leadership styles) and 14 dependent
variables (information security problems).
Dependent and Independent Variables
There are 14 dependent variables. As shown in Table 1, each represented a
specific information security problem that a small business may face (Ryan, 2000).
Using a Likert scale, the study examined the level of concern for each security problem.
Table 1
14 Dependent Variables

Information security problem   Examples of problem in small businesses
----------------------------   -------------------------------------------------
Insider access abuse           Unauthorized login by employees
Viruses                        Programs that enter through attachments in email
Power failure                  Loss of data due to abrupt shutdown of computers
Software problems              Vulnerable software due to absence of patches
Data integrity                 Corruption of customer list or sales data
Transaction integrity          Corruption of financial transaction with bank
Outsider access abuse          Unauthorized entry by former employees
Data secrecy                   Confidentiality of payroll information
Data availability              Availability of access to time sheet data
Data theft                     Theft of confidential employee information
Data sabotage                  Intentional destruction of financial data
User errors                    Accidental erasure of data by untrained user
Natural disaster               Damage to computer systems from floods
Fraud                          Impersonation and deceit used to elicit information
The three independent variables, as shown in Table 2, were the transformational,
transactional, and passive-avoidant leadership styles as defined by Bass and Avolio
face, as shown in Table 1. This study examined five intervening variables, shown in
Table 3, to determine if intervening variables influenced the level of concern regarding
information security problems.
A multidisciplinary array of applications supports the validity and reliability of
the two study instruments (Bass & Avolio, 2004), as does pre-testing and application in a
dissertation project (Ryan, 2000) and a subsequent study reported in a peer-reviewed
journal (Gupta & Hammond, 2005). Bass and Avolio noted that internal consistency
ratings, using Cronbach's coefficient alpha, were above .70 for all scales except active
management-by-exception. Gupta and Hammond (2005) reported that their reliability
tests on the Small Business Security Questionnaire resulted in Cronbach coefficient alpha
values ranging from 0.64 to 0.785. In other words, both instruments met or approached the
conventional .70 threshold for acceptable reliability, with only the weakest Small
Business Security Questionnaire scale (0.64) falling somewhat below it.
The Power Analysis and Sample Size (PASS) 2005 software was used for statistical
power analysis to determine the probability of avoiding Type II errors (Rubin & Babbie,
2005). According to Rubin and Babbie (2005), a Type II error occurs if we "fail to reject
a false null hypothesis" (p. 604). Assuming a significance level of .05 and a medium
effect size with r² = 0.09 (that is, r = 0.30), the power of the test of significance of
correlation for a sample size of 200 is .99. Using the same medium effect size, the power
of the test of significance of correlation for a sample size of 100 is .86. The result
indicated that the probability of committing a Type II error is 0.01 (1 - .99) for samples
of 200 or more and 0.14 (1 - .86) for a sample size of 100, assuming a medium effect size
with r² = 0.09 at the .05 significance level.
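As an added worked example (not part of the dissertation, and not the PASS 2005 procedure itself), the following Python re-computes the power figures quoted above for the two-sided test of H0: ρ = 0. It uses the Fisher z approximation, under which the transformed sample correlation is approximately normal with standard error 1/√(n − 3); PASS may use a different exact method, so agreement is expected to two decimal places. The medium effect r² = 0.09 is converted to r = 0.30, and the function names, the bisection-based normal quantile, the minimum-sample-size helper, and the extra line for n = 122 (the number of respondents the study actually obtained) are this example's own assumptions.

```python
"""Power of a Pearson correlation test via the Fisher z approximation.

Added example: reproduces the quoted PASS figures (power .86 at n = 100 and
.99 at n = 200 for r^2 = 0.09, alpha = .05) without any third-party library.
"""
import math


def normal_cdf(x: float) -> float:
    """Standard normal CDF from the error function (no SciPy needed)."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def normal_quantile(p: float) -> float:
    """Inverse of normal_cdf by bisection on [-10, 10]; ample precision here."""
    lo, hi = -10.0, 10.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if normal_cdf(mid) < p:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def fisher_z(r: float) -> float:
    """Fisher's variance-stabilising transform z = atanh(r)."""
    return math.atanh(r)


def correlation_power(n: int, r: float, alpha: float = 0.05) -> float:
    """Power of the two-sided test H0: rho = 0 when the true correlation is r.

    Under H1 the observed Fisher z has mean atanh(r) and standard error
    1/sqrt(n - 3); power is the probability it lands outside +/- z_crit.
    """
    if n < 4:
        raise ValueError("Fisher z approximation needs n >= 4")
    z_crit = normal_quantile(1.0 - alpha / 2.0)
    shift = fisher_z(r) * math.sqrt(n - 3)
    return normal_cdf(shift - z_crit) + normal_cdf(-shift - z_crit)


def type_ii_error(n: int, r: float, alpha: float = 0.05) -> float:
    """beta = 1 - power: probability of failing to reject a false H0."""
    return 1.0 - correlation_power(n, r, alpha)


def minimum_sample_size(r: float, power: float = 0.80, alpha: float = 0.05) -> int:
    """Smallest n reaching the target power.

    Closed form n = ((z_{1-alpha/2} + z_{power}) / atanh(r))^2 + 3, rounded up,
    then checked against correlation_power in case rounding falls one short.
    """
    z_a = normal_quantile(1.0 - alpha / 2.0)
    z_b = normal_quantile(power)
    n = math.ceil(((z_a + z_b) / fisher_z(r)) ** 2 + 3)
    while correlation_power(n, r, alpha) < power:
        n += 1
    return n


if __name__ == "__main__":
    r_medium = math.sqrt(0.09)  # r^2 = 0.09 -> r = 0.30 (Cohen's medium effect)
    for n in (100, 122, 200):   # 122 = respondents actually obtained (assumption: from the abstract)
        print(f"n={n:3d}  power={correlation_power(n, r_medium):.3f}"
              f"  beta={type_ii_error(n, r_medium):.3f}")
    print("smallest n for 80% power at r = 0.30:", minimum_sample_size(r_medium))
```

Running the block prints power .862 (beta .138) at n = 100 and .991 (beta .009) at n = 200, matching the .86 and .99 quoted from PASS; the n = 122 line shows where the study's own sample falls, and the closed-form helper gives 85 as the smallest sample for the conventional 80% power target at r = 0.30.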
The generalization of this study's results will be enhanced if the selected research
design, methodology, and systematic sampling approach fit well with the purpose of the
study (Creswell, 2003). According to Triola (2004), the more closely the survey respondents
resemble the general population, the higher the confidence in the accuracy and
validity of the data will be. The focus on a state like Hawaii allowed the researcher to
select small businesses with diverse business profiles (CoCHawaii, 2007).
The survey was conducted online using Zoomerang (2007), an established,
commercial online survey provider. The estimated time to complete the online survey
was 10 minutes. The estimated 30-minute in-depth interviews with the 10 randomly
selected small business owners were conducted over the telephone. The data was
exported to SPSS version 16.0 for Windows software to perform descriptive statistical
analysis, correlation analysis, and multiple regression analysis. Correlation analysis and
multiple regression analysis provided information to answer the research questions and
related hypotheses.
Research Questions
Creswell (2003) stated that research questions are "interrogative statements or
questions that the investigator seeks to answer" (p. 108). According to Rubin and Babbie
(2005), research questions need to be "posed in a way that can be answered by observable
evidence" (p. 117). Research questions should be feasible, but not so narrow that they are
no longer worth investigating (Rubin & Babbie). This study included 14 dependent
variables and three independent variables as shown above in Tables 1 and 2 respectively.
The following research questions guided this study and established the hypotheses
through quantitative data collection and analysis.
Hypothesis 1
H1₀: There is no relationship between the transformational leadership style score
and the level of concern for information security problems within small
businesses.
H1ₐ: There is a relationship between the transformational leadership style score
and the level of concern for information security problems within small
businesses.
Hypothesis 2
H2₀: There is no relationship between the transactional leadership style score and
the level of concern for information security problems within small businesses.
H2ₐ: There is a relationship between the transactional leadership style score and
the level of concern for information security problems within small businesses.
Hypothesis 3
H3₀: There is no relationship between the passive-avoidant leadership style score
and the level of concern for information security problems within small
businesses.
H3ₐ: There is a relationship between the passive-avoidant leadership style score
and the level of concern for information security problems within small
businesses.
H1ₐ was tested to determine if there was a statistically significant relationship
between the transformational leadership style score of small businesses and the level of
concern for information security problems. H2ₐ was tested to determine if a statistically
significant relationship existed between the transactional leadership style score of small
For many decades, research on leadership has centered on such questions as
autocratic versus democratic leadership, directive versus participative decision-making,
task versus relationship focus, and initiation versus consideration behavior (Bass, 1990).
Bass also noted that increased globalization, business re-engineering, and organizational
transformations create a greater need for research on leadership development in
individuals, groups, and large organizations. As observed, little research exists on the
impact of leadership styles on information security within small businesses, despite the
increase in cybercrime targeting small businesses.
This study complements and extends the previous literature on small business
leadership styles and information security problems. The subsequent discussion gives an
overview of the leadership theories and ideas about effective information security
management that contribute to this study's theoretical framework. Chapter 2 elaborates
further on these theories and ideas.
Leadership Theories
This study focused on the relationship between leaders and followers within small
businesses. In small businesses, defined as organizations with 500 or fewer employees
(SBA, 2007), the leadership styles of business owners and key employees influence the
performance of the entire organization more directly than in larger companies. Burns
(1979) proposed a theory that leadership comprises transactional and transforming
components. Burns defined transactional leadership as a form of leadership that involves
a system of exchange between leaders and followers. Contingent reward and management
by exception are elements of this exchange system (Burns).
Information Security Management Theories
The management of information security concerns within small businesses draws
upon theories of employee motivation, expectancy of outcomes, culture, economics, and
integrative theories of information security management. Herzberg, Mausner, and
Snyderman (1959) constructed a two-dimensional paradigm of factors to reflect employees'
perceptions of job satisfaction. According to Herzberg et al., hygiene factors include
company policies, supervision of employees, interpersonal relationships, working
conditions, salaries, benefits, and job security. The absence of hygiene factors can cause
job dissatisfaction, but the presence of hygiene factors does not necessarily motivate
employees or create job satisfaction. Motivation factors, by contrast, include
achievement, recognition, responsibility, and the possibility of growth (Herzberg et al.).
Vroom's (1964) expectancy theory extended Herzberg's theory of motivation by
claiming that a factor's degree of influence depends on the importance an individual
places on that factor. According to Vroom, if an individual believes that a certain
outcome is attainable, his or her expectancy of that outcome is high, and motivation is
higher when the individual sees that a given level of performance leads to a desired
outcome (Vroom). Vroom's theory is relevant to the prevention of information security
threats and the detection of existing vulnerabilities within small businesses: if small
business owners visibly value prevention and vigilance, employees can expect their safe
computing practices to lead to fewer attacks and incidents of cybercrime.
Because small businesses are constantly changing in the 21st century, the
motivation of employees to remain vigilant against cybercrime is important (Baker &
Wallace, 2007). According to Baker and Wallace, the management of information
security is an ongoing process that requires the continuous motivation and vigilance of
employees. Related theories about cultural factors describe the impact of social
assumptions and constraints on the worldviews of the individual (Torbjorn, Oltedal,
Moen, & Hroar, 2004). According to Torbjorn et al., worldviews can influence the
approach to risk evaluation and information security management.
Gordon and Loeb (2002) modeled the incremental benefits of information security
investment and proposed that the optimal level of investment is the point at which the
expected reduction in loss from a further dollar of security spending no longer exceeds
that dollar. Hong, Yen-Pin, Loui, and Tang (2003) proposed an integrated system theory
of information security management based on core underlying information policy, risk
management, management system, and contingency theories. Chapter 2 gives additional
details concerning information security theories.
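The cost-benefit reasoning of Gordon and Loeb is easier to see with numbers. The Python example below is added here and is not part of the dissertation or of Gordon and Loeb's paper; it implements the class I security breach probability function from their 2002 model, S(z, v) = v / (αz + 1)^β, together with the closed-form optimum that follows from it. The scenario values (potential loss, initial vulnerability, α and β) are constructed for illustration only.

```python
import math

# Added example: the Gordon-Loeb (2002) cost-benefit model of security investment.
# Class I security breach probability function: S(z, v) = v / (alpha*z + 1)**beta,
# where v is the probability of a breach with no investment (the vulnerability),
# z is the amount spent on security, and alpha, beta > 0 describe how quickly
# spending reduces that probability. All parameter values below are constructed.


def breach_probability(z: float, v: float, alpha: float, beta: float) -> float:
    """Probability of a breach after investing z, under the class I function."""
    if not (0.0 <= v <= 1.0) or z < 0 or alpha <= 0 or beta <= 0:
        raise ValueError("invalid Gordon-Loeb parameters")
    return v / (alpha * z + 1.0) ** beta


def expected_net_benefit(z: float, v: float, loss: float, alpha: float, beta: float) -> float:
    """ENBIS(z) = [v - S(z, v)] * L - z: expected loss avoided minus the spend."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def optimal_investment(v: float, loss: float, alpha: float, beta: float) -> float:
    """Closed-form maximiser of ENBIS for the class I function.

    d/dz ENBIS = v*alpha*beta*L / (alpha*z + 1)**(beta + 1) - 1 = 0 gives
    alpha*z + 1 = (v*alpha*beta*L)**(1 / (beta + 1)). If that root is not
    positive, the first dollar of spending buys less than a dollar of expected
    loss reduction, so the optimum is to invest nothing.
    """
    k = v * alpha * beta * loss
    z_star = (k ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(z_star, 0.0)


def investment_fraction_of_expected_loss(v: float, loss: float,
                                         alpha: float, beta: float) -> float:
    """z* as a share of the expected loss v*L. Gordon and Loeb show this share
    never exceeds 1/e (about 37%) for the breach functions they consider."""
    expected_loss = v * loss
    if expected_loss <= 0.0:
        return 0.0
    return optimal_investment(v, loss, alpha, beta) / expected_loss


def investment_schedule(v: float, loss: float, alpha: float, beta: float,
                        step: float, count: int) -> list:
    """(z, ENBIS) pairs at z = 0, step, 2*step, ... to show diminishing returns."""
    return [(i * step, expected_net_benefit(i * step, v, loss, alpha, beta))
            for i in range(count)]


if __name__ == "__main__":
    # Constructed scenario: a small business facing a $1,000,000 loss from a
    # breach that is 50% likely with no security spending; alpha = 1e-4, beta = 1.
    v, loss, alpha, beta = 0.5, 1_000_000.0, 1e-4, 1.0
    z_star = optimal_investment(v, loss, alpha, beta)
    print(f"optimal investment z* = ${z_star:,.0f}")
    share = investment_fraction_of_expected_loss(v, loss, alpha, beta)
    print(f"share of expected loss = {share:.1%} (bound 1/e = {1 / math.e:.1%})")
    for z, net in investment_schedule(v, loss, alpha, beta, 25_000.0, 7):
        print(f"z = ${z:>9,.0f}   ENBIS = ${net:>11,.0f}")
```

The schedule makes the page's point concrete: expected net benefit rises steeply for the first tens of thousands of dollars and then flattens, so spending past z* reduces the net benefit even though it keeps reducing the breach probability. The 1/e bound is the result practitioners usually quote from the model.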
Definition of Terms
The following operational terms and definitions provide a clear understanding of
their uses within the context of this study:
1. Bot-network: Computers hijacked by cybercriminals, without the knowledge of their
owners, to forward spam and viruses to other computers over the internet (Easttom, 2006).
2. Cybercrime: According to the US Department of Justice (CC&IPS, 2006), cybercrime
is any violation of criminal law that involves a knowledge of computer technology
for its perpetration, investigation, or prosecution. This broad definition of
cybercrime includes computer crimes committed solely through the internet, such as
dissemination of viruses and worms. However, according to the US Department of
Justice, this legal definition also includes traditional crimes like child pornography,
hate crimes, fraud, and identity theft that are committed via the internet (CC&IPS).
3. Denial of service attack: A cybercrime that makes information systems unavailable to
users. It often results in lost revenue and productivity (Easttom, 2006).
4. Information Security: According to Ryan (2000), information security is that set of
technologies, policies, procedures, and engineering principles that contribute to
protecting the confidentiality, integrity, and availability of information systems and
assets. Information security also detects attempts to compromise the confidentiality,
integrity, or availability of information systems or assets, and recovers from
problems with or attacks upon information systems or assets (pp. xix-xx).
5. Leadership Styles: A general term used in this study to categorize the various
dimensions of leadership articulated in the full range leadership model of Bass and
Avolio (2004). As mentioned previously, leadership styles include transformational,
transactional, and passive-avoidant styles (the study's proposed independent
variables).
6. Multifactor Leadership Questionnaire (MLQ): The latest version of the survey
instrument from Bass and Avolio (2004), which examines various leadership styles within
organizations. The MLQ measured the study's proposed independent variables.
7. Phishing: Unauthorized attempts to gain personal information for criminal gain
(Easttom, 2006).
8. Small Business: According to the United States Small Business Administration (SBA,
2007), and for the purposes of this study, an organization located within the
United States with 500 or fewer employees.
9. Small Business Security Questionnaire: Initially developed by Ryan (2000) as part of
a doctoral dissertation on information security issues within small businesses in the
USA. This survey, subsequently administered in other studies and reported in peer-
reviewed journals, measured the study's proposed dependent variables.
10. Spam: Unsolicited electronic messages sent to online recipients (Easttom, 2006).
11. Security Breach: A violation of security policy or defenses (Easttom, 2006).
12. Virus: Malicious software that invades a system without authorization (Easttom, 2006).
Assumptions
This quantitative, descriptive, correlational research study drew upon four
assumptions. The first assumption was that owners and leaders of small businesses would
take the appropriate amount of time to participate in the online survey, and that they
would give honest answers. The two sections of the survey included questions on
leadership styles, and information security experiences and problems. The estimated time
to complete the entire online survey was 10 minutes or less.
The second assumption was that the systematic sampling of 800 small businesses
from the study population of 2,825 members of various chambers of commerce or trade
associations would yield an adequate number of respondents for gathering
comprehensible, honest, and reliable data. Online surveys are generally thought to have
higher response rates than paper-based ones, as online users are more receptive to filling
out an online survey than to completing a paper form and returning it via postal mail
(Rubin & Babbie, 2005).
The third assumption involved retaining the confidentiality and privacy of the
selected survey participants. Since the survey asked for disclosure of security issues
and concerns within small businesses, protecting the confidentiality and privacy of the
small business participants was important. Study participants did not want their identities
disclosed to potential competitors or cybercriminals. Thus, study response data were not
linked to any identifying information about the study participants and their businesses.
The fourth assumption was that adherence to social science research guidelines
would avert any threats to the physical, emotional, or economic wellbeing of the study
participants. Since the survey examined leadership styles of small business leaders, the
study assumed that the participants would not incur emotional harm in responding to the
questions about their leadership styles. Since the survey involved disclosing information
security concerns within the small business, the study assumed that no economic harm
would occur to the small business because of their responses to the survey questions.
Scope and Limitations
The study's scope was limited to the potential relationship between leadership
styles and information security concerns within small businesses that are members of
the various chambers of commerce and trade associations within Hawaii. Consequently,
the results cannot be generalized to mid-sized and larger organizations with more than
500 employees. The geographic location of the study participants in the state of Hawaii
also limits the generalization of the results to small businesses located elsewhere in the
United States and overseas.
The online survey involved self-reporting and self-evaluation. Therefore, there
was no mechanism to control the validity of the responses; the study assumed the honesty
and reliability of the participants. The reliability and validity of the survey were limited
by the nine leadership factors contained in the full range leadership model and the
Records of past hearings in the US House of Representatives (State of small
business security, 2006) represented important sources of evidence-based information on
the state of US cybercrime, as did recent reviews of websites that vendors like Symantec
(2007), McAfee (2007) and Microsoft (2007) use to provide small businesses with data,
security software, and services. United States federal statutes on cybercrime constituted a
key source of scholarly data. The websites of government organizations like the United
States Small Business Administration (SBA, 2007) and the US Federal Bureau of
Investigation (FBI, 2005) published critical information on the current state of small
businesses in the United States.
This literature review encompassed 182 peer-reviewed articles, all published after
2003. The majority of articles covered topics on leadership and information security. This
literature review also covered 32 relevant dissertations and 38 popular books published
after 2003. Finally, the websites of four US government organizations, one global
standards organization, nine technology vendors, one Congressional hearing on small
businesses, and surveys from three companies were examined.
Historical Overview
This study builds on the full range leadership model of Bass and Avolio (2004).
According to Bass and Avolio, leaders displayed more than one style in a particular
situation. Because this study focused on leadership styles and their impact on
information security concerns within small businesses, it also builds upon the cost-benefit
model proposed by Gordon and Loeb (2006a). The historical overview that follows
traces the evolution of pertinent leadership theories and models, offers a detailed
explanation of the transformational and transactional leadership style, and charts the
relationship with followers and helps to move them towards a common goal. A business
leader needs to demonstrate superior managerial qualities as well as leadership qualities.
A leader cannot lead by example unless he or she is also a good manager. Employees
follow an effective leader not because they have to but because they want to do so. A
manager who is not also an effective leader must rely upon formal authority alone to
ensure that employees accomplish their tasks (Kotter).
Trait Theories
As mentioned previously, trait theories of leadership focused on the inner traits or
qualities of leaders that distinguished them from the rest of the population. Leadership
characteristics such as influence, intelligence, power, and energy were assumed to be
inborn. Trait theories stress the qualities of the leader without considering the traits of
followers (Northouse, 2004). Research has failed to identify a consistent set of traits that
works for all leaders and all situations faced by leaders (Hersey & Blanchard, 1996).
Trait theory lends credence to the assumption that business organizations work better if
the managers in authority have designated leadership profiles and roles (Northouse).
Hersey and Blanchard claimed that while personalities and profiles are important
elements of leadership style, trait theory seems to be a model of the past.
Behavioral Theories
After trait theories became popular in the early 20th century, the pendulum swung
to behavioral theories. Behavioral theories attempted to identify the behaviors that create
effective leadership (Wren, 1995). The leadership literature identified two types of
behavioral style: (a) task behaviors and (b) relationship behaviors (Bass, 1990). Task
behaviors focus on the tasks and actions needed to be effective, while relationship
behaviors focus on the working relationship between leader and followers (Bass).
Theory X, an early behavioral leadership model from the American social
psychologist McGregor (1960), centered on command and control over a group of
subordinates. According to McGregor, Theory X assumes that employees generally dislike
work and wish to avoid it as much as possible, so managers should tightly control
subordinates through clear, unambiguous commands and expectations. Theory X is
applicable to a command and control environment in which leaders direct and expect
conformity. This model is relevant only to organizations with a hierarchy of management
and employees, in which control of employees is critical to company success (McGregor).
McGregor's Theory Y (1960) focused on soft-management principles. Theory Y
proposed that most employees find work as natural as play or rest; that motivated
employees can direct themselves without managerial control and punishment; and that
job satisfaction matters to employees and their performance. In sharp contrast to
Theory X, Theory Y proposed that flexibility and self-control, not authoritarian
management, are critical for good employee performance (McGregor).
Servant Leadership Theory
Almost a decade after McGregors Theory X and Y, Greenleaf (2002) developed
the controversial servant leadership model. The fundamental premise of the servant
leadership model is that the leader serves the employees who he or she leads and that this
service to the employees is the basic purpose of leadership (Spears & Lawrence, 2002).
An exemplary leader is primarily a servant, an individual whose goal is to serve others
(Greenleaf).
In defining the leader's purpose, the servant leader model sharply and radically
departed from Theories X and Y and other leadership models of the day (Spears &
Lawrence, 2002). Greenleaf (2002) proposed this theory against the backdrop of the
Vietnam War and its effects on American society. Greenleaf concluded that because large
institutions were misleading their employees, institutional leaders would do well to serve
their employees and thereby become more effective.
Situational Leadership Theory
Developed after the servant leader model, the situational theory of Hersey and
Blanchard (1996), highlighted the business situation and environment faced by the leader.
According to Hersey and Blanchard, leadership style should be matched to the
psychological or job maturity of the subordinates, which can vary from one employee to
the next. Psychological maturity involves self-confidence, and job maturity refers to the
attainment of relevant job skills. As subordinates mature, the leader should delegate more
tasks and responsibilities (Hersey & Blanchard).
According to the situational theory of leadership, a leader operated differently
based on the underlying situation or context (Hersey & Blanchard, 1996). For example,
situations such as economic downturn or threatened hostile takeover prompt the leader to
change tactics and behavior in the interest of the employees, shareholders, and customers.
The situational leadership model differed from behavioral and servant leadership theories
in its emphasis on context, situation, and employee maturity (Hersey & Blanchard).
Contingency Theory
Contingency theory matched leadership style to an underlying situation (Bass,
1990). Fiedler (1967) articulated the original contingency theory, which proposed no
2. Idealized Behaviors (IB): The transformational leader communicates a sense of
power and confidence and builds respect among followers.
3. Inspirational Motivation (IM): The transformational leader motivates
followers by providing meaning and inspiration; is articulate and enthusiastic
about their future; and expresses a compelling vision that persuades followers
to work for success.
4. Intellectual Stimulation (IS): The transformational leader emphasizes
innovation and creativity by questioning assumptions, reframing problems,
and approaching old problems with new solutions. He or she stimulates
followers' intellects by encouraging the use of creativity and problem-solving
capabilities.
5. Individual Consideration (IC): The transformational leader considers each
follower an individual with potential, as opposed to just another member of
the group. By acting as coach and mentor, the leader helps each individual
follower grow to full potential.
Transactional Leadership (Independent Variable)
According to Bass (1990), transactional leadership involves an exchange between
the leader and followers in which the leader rewards or disciplines followers in
exchange for their actions. Bass and Avolio (2004) described transactional leadership as
behaviors associated with constructive and corrective transactions (p. 97).
Transactional leaders define clear performance expectations for their followers and
expect achievement of specific goals in exchange for rewards. Bass and Avolio
defined transactional leadership as having the following two factors.
or difficulty; and prefers to remain on the sidelines when important issues or
concerns arise.
Evolution of Cybercrime and Information Security
With the proliferation of the internet, the rate of cybercrime has increased (Gupta
& Hammond, 2005). The impact of cybercrime has also expanded in scope and
complexity to include all types of businesses, including small businesses (Adamkiewicz,
2005). As the technology needed to commit cybercrimes becomes more common, the
perpetrators drop in average age and grow more sophisticated (Kshetri, 2006). The
distributed and open nature of the internet is both a benefit for consumers and a hindrance
to tracking down cybercriminals (Wall, 2004).
Since computers are connected to each other in an open and distributed fashion, it
has become easier for criminals to hide behind the computers of authorized and
legitimate users (Kreuter, 2003). According to Kreuter, impersonating the identity of a
real user allowed cybercriminals to use a legitimate identity to commit a crime against an
unsuspecting small business owner. In unraveling cybercrime, law enforcement agencies
have to uncover the identity of the perpetrator (Kreuter). This study examines the various
impacts of cybercrime on small businesses in the United States.
Comparison with Traditional Crime
Key similarities and differences exist between cybercrime and crime carried out
by traditional means without the use of computer technology (Kshetri, 2006). The online
nature of cybercrime allows criminals to survey potential victims from afar and attack
them when they least suspect an intrusion (Wall, 2004). Wall noted that viruses,
spyware, and other malware can embed themselves in the computer systems of small
businesses and track their activities and transactions. Covert surveillance of a small
business can lead to theft of information without the awareness of the small business
owner (Wall). By the time the crime is detected, the cybercriminals may already have
obtained damaging and confidential information about the business (Kshetri).
The nature of cybercrime allows a cybercriminal to damage thousands of small
businesses in a short period, across many legal jurisdictions (Kreuter, 2003). The actual
damage to each individual business may be small, but the collective damage across all
businesses is often large (Kshetri, 2006). Kshetri claimed that cybercrime is frequently
asymmetric, perpetrated against many businesses by a few cybercriminals. Thus law
enforcement agencies are challenged to find a cost-effective response that benefits all the
victims and prosecutes the criminal (Wall, 2005).
Cybercrime differs from the traditional model of crime in which a few criminals
target a few victims in one jurisdiction, thereby allowing law enforcement to respond
with an effective investigation and prosecution of the offenders (Kshetri, 2006).
Traditionally, criminals have acted in their own geographical location and were
eventually prosecuted by their own local law enforcement agencies in the local jurisdiction
(Kshetri). Another key difference between cybercrime and traditional crime, according to
the US FBI, is the reluctance of the victim to report the offense to authorities (CSI/FBI,
2006). One likely explanation is that public disclosure of cybercrime is often
embarrassing to small or large businesses (Wall, 2005). According to Wall, disclosure
could lead to a downturn in consumer confidence and trust.
In contrast to traditional criminal activities, cybercrime allows young and
inexperienced criminals with no more than basic software tools and computer technology
skills to create havoc among all types of business (Wall, 2005). Inexperienced criminals,
often juveniles, create viruses that damage the computer systems of corporations and
governments (Radnofsky, 2006). Smith (2004) claimed that coordinated, sophisticated
attacks by organized cybercriminal gangs often targeted financial information of online
and traditional businesses. According to Smith, modern types of cybercrime caused
different forms of damage, but they are equally harmful to all types of business.
Evolving Legislation against Cybercrime
Legislation against cybercrime has been evolving since 1996, when the internet
became a commercial tool for small and large businesses (CC&IPS, 2006). Various
federal laws in the US protect citizens and businesses against cybercrime (Swartz, 2006).
The USA PATRIOT Act of 2001 amended the original National Information Infrastructure
Protection Act of 1996. Additional amendments are contained in the Cyber Security
Enhancement Act of 2002, signed on November 25, 2002 as part of the Homeland Security
Act of 2002, and in the Computer Software Privacy and Control Act, signed on April 30,
2004. The United States joined the Council of Europe Convention on Cybercrime on
September 29, 2006, and the convention entered into force for the United States on
January 1, 2007 (CC&IPS).
Statutes and their enforcement against global cybercriminals by the US
Department of Justice (CC&IPS, 2006) are key benefits to US businesses. For example,
18 U.S.C. §§ 1029 and 1030 provide protection against the fraudulent use of access
devices and computers (CC&IPS, 2006). However, as cybercrime becomes more frequent
and complex, legislation often lags behind the exploits of cybercriminals. For example,
the state of Indiana passed its data breach law in 2006 (Swartz, 2006) after an increase
in the incidence of business and home computer data breaches.
Efforts of Law Enforcement against Cybercrime
As the incidence of cybercrime increases, so do the efforts of US law enforcement
agencies against its perpetrators (Wall, 2005). Wall claimed that US agencies such as the
FBI and the US Secret Service are vigilant against cybercrime and have the authority
to prosecute criminals who perpetrate it. A website to report internet crime, the Internet
Crime Complaint Center (IC3, 2006), is a collaboration between the FBI and the
National White Collar Crime Center (NW3C, 2006). Various websites and collaborations
between federal agencies and civilian organizations provide small businesses with
avenues to report cybercrime and pursue prosecution of its perpetrators (Wall).
Role of E-Commerce
The proliferation of the internet since 1996 has allowed small businesses to
market their products and services to a wider range of customers (Desai, Richards, &
Desai, 2003). E-commerce transactions have built new trust and relationships with
customers through tools such as privacy seals and privacy statements (Moores, 2005).
Online practices have led to new business models that use the internet for marketing,
sales, support, and service.
A global customer is one who purchases goods or services outside the immediate
geographical location of a small business (Hassan, Alexander, & Daniel, 2003). Global
customers and transactions often face export and import regulations, language and
currency differences, and other cultural and linguistic barriers (Hassan et al.). According
to Hassan et al., as e-commerce proliferates, issues concerning the receipt of foreign
payments increase in importance and complexity.
Quality customer service is important for all customers, regardless of whether
they make purchases online or from a local store (Desai et al., 2003). According to Desai
et al., as e-commerce and global trade increase, small businesses need to include
information on global business practices, rules, and regulations in their knowledge
management infrastructure. An increase in global business knowledge allows small
businesses to effectively sell to and service global customers (Hassan et al., 2003).
As small businesses expand their customer base beyond their countries, they are
exposed to cybercriminals from all over the world (Warren & Hutchinson, 2003).
According to Warren and Hutchinson, e-commerce involves working with partners and
suppliers from all over the world, and creates a greater need for authentication and
reliability in communications and transactions. Globalization increases the potential for
cybercrime from all over the world, and small businesses are as vulnerable as any other
businesses (Desai et al., 2003).
Information Security Theories and Related Research
Information security has become a leading issue of concern to many large and
small organizations over the past decade (Albrechtsen, 2007). Several research studies
focused on the application of technology solutions to managing information security
(Albrechtsen, 2007; Baker & Wallace, 2007; Chang & Lin, 2007). According to Baker
and Wallace, organizations often focus more on technological approaches to managing
information security, as opposed to a holistic approach to securing technology,
processes, people, and other organizational factors (p. 37). A holistic approach is
appropriate for small businesses as well as large organizations (Baker & Wallace).
According to a qualitative study by Albrechtsen (2007), users reported that they
are motivated by information security concerns but do not consistently and reliably
perform many preventative security actions. Albrechtsen also claimed that the
documented requirements of information security policies and procedures, along with
general awareness campaigns, have little effect on actual user actions and awareness. The
implication is that organizations need to do more to change user behavior rather than
merely instituting company policies and procedures to manage information security.
Chang and Lin (2007) examined the impact of company culture on information security
management within businesses in Taiwan. According to Chang and Lin, in addition to
technology, policies, and procedures, human and cultural factors are also important to
information security management.
Cultural Theory and Risk Management
Cultural theory proposes that people interact socially based on their social
constraints and understandings of the world (Douglas & Wildavsky, 1982). Douglas and
Wildavsky claimed that individuals form worldviews and opinions based on their social
and cultural contexts and assumptions. Worldviews could include their assumptions and
opinions on risk management and information security concerns (Tsohou, Karyda, &
Kokolakis, 2006). The grid/group typology proposed by Douglas and Wildavsky (1982)
displays a combination of social relations and cultural biases (see Figure 1). The
horizontal group axis refers to the extent to which an individual is incorporated into pre-
defined and bounded units of society, while the vertical grid axis denotes the degree to
which an individual is constrained by external prescriptions and social restraints
(Torbjorn et al., 2004).
Figure 1. Torbjorn's (2004) Four Worldviews and Grid/Group Typology.
Worldviews with high group and high grid values are associated with hierarchical
cultures, which emphasize the importance of preserving social order and status (Torbjorn
et al., 2004). According to Torbjorn et al., worldviews with high grid but low group
values are associated with egalitarian cultures, which emphasize charismatic leadership,
suspicion of authority, preference for role changes, and a sense of equality. Worldviews
with low grid and low group values originate in individualistic cultures, which emphasize
personal freedoms, role choices, short-term thinking and decision-making, and a high
tolerance for risk. Worldviews with low group and high grid values tend to come from
fatalistic cultures, which emphasize minimal personal autonomy, low tolerance for risk,
and a low degree of social control (Torbjorn et al.).
Economic Model of Information Security
Gordon and Loeb (2002) indicated that the full implementation of every possible
information security control is not an optimal and efficient use of an organization's
resources. According to Gordon and Loeb, organizations should invest in security only
when the marginal benefit of the implementation equals the incremental cost. Gordon and
Loeb (2002, 2006b) provided a cost-benefit model to determine an optimal budget for
information security within an organization. Initially Gordon and Loeb (2006a) focused
on three questions.
1. How much should an organization spend on information security?
2. How should an organization allocate its information security budget to specific
problems?
3. What is the economic cost of information security breaches?
Hausken (2006) extended the work of Gordon and Loeb by proposing that the
best way to model the probability of an information security breach is by using a logistic
function that first exhibits increasing, then decreasing, returns and benefits (Gordon &
Loeb, 2006a). Gordon and Loeb remarked on the paucity of available research and data
on the benefits of information security investment. This study addressed the economic
model for small businesses that are financially constrained in their ability to combat
cybercrime, but cannot remain ambivalent and unresponsive.
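Gordon and Loeb's rule that spending should stop where the marginal benefit of a control equals its incremental cost can be made concrete for a budget owner. The Python example below is added here; it is not code from the dissertation or from Gordon and Loeb. It assumes the class II breach-probability function S(z, v) = v^(alpha z + 1) from Gordon and Loeb (2002), which the dissertation does not spell out, and all parameter values (a 60% breach probability with no investment, a potential loss of $100,000, and a productivity parameter alpha = 0.0005 per dollar) are constructed. It goes one step beyond the text by also checking Gordon and Loeb's bound that the optimal spend never exceeds 1/e of the potential loss, and by showing the two cases in which the model says not to invest at all.

```python
"""
Gordon-Loeb style optimal security investment.

Added worked example; this is not code from the dissertation or from
Gordon and Loeb. It assumes the class II breach-probability function
S(z, v) = v ** (alpha * z + 1) from Gordon and Loeb (2002), which the
dissertation does not spell out. All parameter values are constructed.
"""
import math


def breach_probability(z, v, alpha):
    """Probability of a breach after investing z (in dollars) in security.

    v is the vulnerability, i.e. the breach probability with zero investment
    (0 < v < 1); alpha > 0 measures how productive each dollar is.
    """
    return v ** (alpha * z + 1)


def expected_benefit(z, v, alpha, loss):
    """EBIS(z): expected loss avoided by investing z, given potential loss L."""
    return (v - breach_probability(z, v, alpha)) * loss


def expected_net_benefit(z, v, alpha, loss):
    """ENBIS(z) = EBIS(z) - z, the quantity a budget owner maximises."""
    return expected_benefit(z, v, alpha, loss) - z


def marginal_benefit(z, v, alpha, loss):
    """d EBIS/dz = -L * alpha * ln(v) * v^(alpha z + 1).

    ln(v) < 0 for 0 < v < 1, so this is positive and falls as z grows:
    the first dollars buy the most risk reduction.
    """
    return -loss * alpha * math.log(v) * breach_probability(z, v, alpha)


def optimal_investment(v, alpha, loss):
    """Closed-form z* where marginal benefit equals the marginal cost of one dollar.

    Solving -L*alpha*ln(v)*v^(alpha z + 1) = 1 for z gives
    z* = (ln(-1 / (alpha * L * ln v)) / ln v - 1) / alpha.
    If even the first dollar fails to pay for itself the result is negative,
    which is clipped to zero: the model then says "do not invest".
    """
    ln_v = math.log(v)
    z_star = (math.log(-1.0 / (alpha * loss * ln_v)) / ln_v - 1.0) / alpha
    return max(0.0, z_star)


def optimal_investment_by_search(v, alpha, loss, step=10.0):
    """Brute-force cross-check: scan budgets from 0 to L and keep the best ENBIS."""
    best_z = 0.0
    best_net = expected_net_benefit(0.0, v, alpha, loss)
    z = step
    while z <= loss:
        net = expected_net_benefit(z, v, alpha, loss)
        if net > best_net:
            best_z, best_net = z, net
        z += step
    return best_z


def within_one_over_e_bound(v, alpha, loss):
    """Gordon and Loeb's bound: the optimal spend never exceeds L / e."""
    return optimal_investment(v, alpha, loss) <= loss / math.e


if __name__ == "__main__":
    # Constructed scenario: a small business with a 60% chance of a breach if
    # it does nothing, a potential loss of $100,000 and alpha = 0.0005 per dollar.
    V, ALPHA, LOSS = 0.6, 0.0005, 100_000.0
    z_star = optimal_investment(V, ALPHA, LOSS)
    print(f"optimal investment: ${z_star:,.0f}")
    print(f"breach probability falls from {V:.2f} to "
          f"{breach_probability(z_star, V, ALPHA):.3f}")
    print(f"expected net benefit: ${expected_net_benefit(z_star, V, ALPHA, LOSS):,.0f}")
    print(f"marginal benefit at z*: {marginal_benefit(z_star, V, ALPHA, LOSS):.3f} per dollar")
    print(f"grid-search optimum:  ${optimal_investment_by_search(V, ALPHA, LOSS):,.0f}")
    # Two cases where the model says do not invest: a system that is almost
    # never breached anyway, and one so exposed that class II spending barely helps.
    for v in (0.001, 0.999):
        print(f"v={v}: optimal investment ${optimal_investment(v, ALPHA, LOSS):,.0f}")
```

For the constructed scenario the closed form lands near $10,700, roughly a tenth of the potential loss and well under the L/e ceiling, and the grid search agrees to within its step size. The two extra cases illustrate why a "full implementation of every possible control" is not optimal: a system that is rarely breached, and one that remains highly vulnerable whatever is spent, both yield a marginal benefit below one dollar per dollar from the outset.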
Integrated System Theory of Information Security
Despite the prevalence of information security technologies, few information
security studies exist in the scholarly literature (Hong et al., 2003). According to Hong et
al., the lack of information security theory implied few empirical studies that examined
the effectiveness of information security technologies, policies, and procedures. Hong et
al. proposed an integrated theory that combined existing security policy, risk
management, control and auditing, management system, and contingency theories.
Hong's integrated theory covered several management activities that included the
establishment of security policies and procedures, risk assessment, information security
presence of the whole flock of geese increases the flying range of the birds beyond what
is possible for each bird flying alone. If a goose falls out of formation, it suddenly feels
the pressure and risk of flying alone and quickly gets back into formation. When the lead
goose gets tired, it rotates back and another goose takes its place. Leadership is common
to all the geese in the formation (Belasco & Stayer).
Kouzes and Posner's Model
Kouzes and Posner (2003) named five key practices for achieving exemplary
leadership.
1. Challenge the existing process and status quo, but explore new ways.
2. Create a shared vision by looking ahead to the future and sharing the goals.
3. Encourage action within the organization by listening and motivating others.
4. Lead by example by knowing the goals and plan of the organization.
5. Encourage others to grow and prosper by rewarding their accomplishments.
Kouzes and Posner (2003) claimed that leadership is an observable, learnable set
of practices. According to the authors, teaching leadership to employees within an
organization is possible, and credibility is the foundation of leadership. Employees at all
levels of an organization, even within small businesses, can achieve exemplary leadership
capabilities. Kouzes and Posner stressed that leadership is a relationship between those
who choose to lead and those who choose to follow. Followership is important to the
leader and the organization (Kouzes & Posner).
Pseudo Transformational Leadership
Pseudo transformational leadership is behavior that is often self-centered and
unethical (Kouzes, 2003). In the 21st century, many examples exist of leaders who appear
transformational, but are in reality pseudo transformational leaders focused on their
own success (Harland & Harrison, 2005). Numerous examples of pseudo
transformational leadership have appeared in the media during the scandals that have
erupted in companies like Enron, Arthur Anderson and WorldCom (Harland & Harrison,
2005; Lussier & Achua, 2004).
Bass and Avolio (2004) contended that despite the examples of pseudo
transformational leaders in the media, most knowledge workers in the 21st century
organization are unwilling to work with such leaders. Knowledge workers are willing to
follow the path and examples set by true transformational leaders and not those pseudo
transformational leaders consumed by greed (Bass & Avolio). Current reality suggests
that transformational leadership is the roadmap for aspiring leaders in the 21st century,
and that followers should look to genuinely transformational leaders for their future.
Innovation and Performance
Innovation is the creative ability to create new products, processes, organizations,
thinking, and vision and to assimilate new concepts into an existing organization
(Christensen, 1997). According to Drucker (2004), innovation is the core competency of
the modern century, and many sources of innovation are available to a business
enterprise. Drucker claimed that innovation originated from the core vision of the
company. If the entire company believed in change, innovation naturally resulted from its
vision. In addition to vision, core values and competencies are equally important for
success (Drucker).
Christensen (1997) described disruptive technologies and proposed that the
dilemma for innovators is to distance themselves from loyal customers so that they could
think and act out of the box. Christensen believed that traditional innovation involved
the exploitation of change or crises, and that the successful business of today incorporates
innovation even when the business is already successful and performing well. The core
vision of the company can embody innovation by perpetuating revolutionary ideas and
processes (Drucker, 2004).
Leadership Styles within Small Businesses
Organizations in the 21st century differ very much from those in the time of Plato
and even those of a hundred years ago in industrialized nations. Drucker (2004)
highlighted five qualities of the modern global business organization.
1. Lean. The number of employees is not as important as their productivity.
2. Flat. The hierarchy of managers extends to a few levels below the CEO.
3. Global. Vast geographical distances and differences in cultures and business
practices separate employees.
4. Adaptive. Company goals, processes, and objectives change every few years.
5. Competition. Fierce competition surfaces from unexpected sources.
Given emerging trends in the nature of business organizations, Drucker (2004)
proposed that contemporary leaders needed to stress the following actions.
Set the focus on common vision, goals, and objectives.
Coach employees and foster a team environment.
Set an example to fellow employees.
Take calculated risks that benefit the company.
Have the guts and resolve to survive a company crisis.
Efficiently execute tasks needed to achieve a goal.
Information Security Management in the 21st Century
Although cybercrime has proliferated over the past decade, so have the
mechanisms to combat its effects (Day, 2003). Although many mechanisms involve
technology and tools, manual policies and procedures are also an integral part of efforts
against cybercrime (Easttom, 2006). Businesses of all sizes, including small businesses,
implement various mechanisms to protect their information security from cybercriminals
(Wall, 2005). This section provides details on seven security mechanisms commonly
found in small businesses.
Security Assessments
Security assessments size up the security risks and threats faced by a small
business (Easttom, 2006). An information security risk is a potential negative impact that
can occur to an information system; an information security threat is the actual damage
that can occur due to a risk (Day, 2003). According to Day, vulnerabilities within a
computer system in a small business could allow cybercriminals to exploit the risk and
carry out the threat. As such, security assessments attempt to discover vulnerabilities
within computer systems in order to reduce the risks (Day). A vulnerability assessment is
systematic identification and validation of the possible vulnerabilities that may exist
within a business organization (Blyth & Thomas, 2005).
The overall goal of security assessments and audits is to ensure that small
businesses are trained, knowledgeable, and aware of the threats (Blyth & Thomas, 2005).
According to Blyth and Thomas, increased awareness ensures that the information
systems of small businesses meet three basic requirements. Basic requirements include
availability, integrity, and confidentiality (DeZulueta, 2004). Availability ensures that a
system is accessible and usable upon demand by an authorized user or entity.
Integrity ensures completeness, wholeness, and readability of information,
meaning that data remains unchanged by an unauthorized user in ways that are not
detectable by authorized users (DeZulueta, 2004). Finally, confidentiality ensures that a
system is not accessed by unauthorized users (Ma, 2004). Numerous examples in the
security literature discuss assessments for records protection (William, 2005), audits and
security in the e-commerce era (Anderson, Hansen, Lowry, & Summers, 2006; Zhao,
Yen, & Chang, 2004), and the importance of security assessments in specific industries
like banking (Abu-Musa, 2004).
The literature on security assessments targeted specifically at small businesses is
sparse (Gupta & Hammond, 2005). However, the mainstream literature provides ample
guidance for small businesses that are limited by costs, security skills, and time
constraints. Various checklists (Day, 2003; Easttom, 2006; Szor, 2005) provide simple
and practical guides to implement security assessments, even within small businesses.
This study examined the problem that small businesses are often unaware of security
threats and risks, until the occurrence of an actual security breach.
Preventative Security
Business organizations prefer to prevent security breaches because security
breaches disrupt business performance and dampen consumer confidence (Greg Hanna,
2005a). The literature provides ample examples of software solutions to prevent security
breaches, including practical uses of anti-virus software (Campbell, 2004; Szor, 2005) as
well as a case study (Sherif & Gilliam, 2003) of virus prevention. Other technologies like
firewalls (Day, 2003), anti-spam products, and anti-spyware technology (Gibson, 2005;
Stafford, 2005; Thompson, 2005; Zhang, 2005) can be used by small businesses as well
as personal home users (Hazari, 2005).
Major vendors like Symantec (2007) recommend application of software patches,
but patches themselves are at risk from hackers and cybercriminals (Marshall & Heffes,
2005). Basic email safety is important and removing suspicious attachments is critical to
any business (Day, 2003; Easttom, 2006). Precautions against modular malicious codes,
especially those distributed through the internet, are becoming increasingly important
(Easttom). According to the Symantec Threat Report (Symantec, 2007), modular
malicious code accounted for 88% of the top 50 malicious code reported in the second
half of 2005. Securing wireless networks, which are common to small businesses, is
important in order to ensure that identity thieves and competitors do not pilfer data
(Gregory Hanna, 2005b; Kruh, 2003; Pietro & Mancini, 2003).
The literature also points out that preventative measures cannot mitigate all types
of security risks. In 2003, the Bugbear.B worm infected thousands of computers despite
anti-virus and personal firewall technology (Maroncelli & Karpin, 2003). Custom Trojan
programs that elude anti-virus programs (M. Blake, 2003) can penetrate the defenses of
small businesses. In addition to technology and tools, the literature emphasizes the use of
security policies, procedures, training and rules to prevent security breaches (Gellis,
2004) and future threats and disasters (Trim, 2005) in enterprises. For example,
improperly disposing of old computers and hard drives allows cybercriminals instant
access to sensitive company information (Lunsford, Robbins, & Bizarro, 2004). Day
(2003) provided a checklist, one that is also appropriate for small businesses, regarding
awareness of current security issues and threats and performance of regular tests on all
computers and security devices.
The literature also provides techniques for small businesses to backup and
safeguard their business data on external hard disks (McCarthy, 2006). It describes the
dangers of online storage (Mulligan, Schwartz, & Mondal, 2006), and the need to use
strong passwords and frequently change them on the basis of security policies (Harrison,
2006; Wakefield, 2004b). The literature recommends avoiding the reuse of passwords
(Blake, Kenneth, & Helmut, 2004) and controlling the use of the internet (Taillon, 2004).
A formal and established security policy that is appropriate for small businesses helps
them to enforce their preventative actions and measures (Rees, Bandyopadhyay, &
Spafford, 2003).
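The password guidance above (strong passwords, change on a policy schedule, no reuse) is the kind of preventative measure a small business can enforce mechanically at password-change time rather than leave to awareness alone. The Python example below is added here and is not code from the dissertation or from any of the cited sources. Its thresholds (a 12-character minimum, at least three character classes, no reuse of the last five passwords, a 90-day maximum age) are constructed assumptions standing in for whatever the business's written policy specifies, and previous passwords are retained only as salted PBKDF2 hashes so that the history check does not itself become a stored list of plaintext secrets.

```python
"""
Password-policy check: strength, reuse against a salted-hash history, and
maximum age. Added worked example, not code from the dissertation or the
cited sources. The thresholds below are constructed assumptions.
"""
import hashlib
import hmac
import os
from datetime import date

MIN_LENGTH = 12          # constructed policy value
MIN_CLASSES = 3          # lower, upper, digit, symbol
HISTORY_DEPTH = 5        # how many previous passwords may not be reused
MAX_AGE_DAYS = 90        # the page's "frequently change" rule, as a policy value
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; a fresh random salt per entry."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def matches(password, salt, digest):
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def strength_violations(password):
    """Return a list of policy problems with the candidate password (empty if none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < MIN_CLASSES:
        problems.append("uses fewer than three character classes")
    return problems


def check_new_password(new_password, history):
    """history: list of (salt, digest) tuples, most recent first.

    Returns every violation found, so the user can be told all of them at once.
    """
    problems = strength_violations(new_password)
    for salt, digest in history[:HISTORY_DEPTH]:
        if matches(new_password, salt, digest):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def password_expired(last_changed, today):
    """Both arguments are ISO dates (YYYY-MM-DD); True once MAX_AGE_DAYS have passed."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed history of two earlier passwords, stored only as salted hashes.
    history = [hash_password("Winter2007!pass"), hash_password("Autumn2007!pass")]
    for candidate in ("Winter2007!pass", "short", "Tr0ub4dor&3-lanai"):
        result = check_new_password(candidate, history) or ["accepted"]
        print(f"{candidate!r}: {', '.join(result)}")
    print("expired:", password_expired("2008-01-01", "2008-04-15"))
```

The reuse check has to re-derive the candidate under each stored salt, which is deliberately slow (PBKDF2 with a high iteration count); that cost is paid only at password-change time and is what makes a leaked history file of little use. Reporting all violations together, rather than stopping at the first, keeps the change dialogue short for staff who are not security specialists.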
The ISO/IEC 17799:2005 set of standards (ISO/IEC, 2005) covers security
policy, the organization of information security, asset management, human resources
security, physical and environmental security, communications and operations
management, information systems acquisition, development and maintenance, incident
management, business continuity management and compliance (p. 1). The
comprehensive guide from ISO/IEC is applicable to small businesses as they assess their
internal networks and policies. The latest version of ISO/IEC 17799:2005 is specifically
tuned to the needs of e-commerce and global trade, and small businesses can use best
practices (Saint-Germain, 2005) to prepare for the deployment of ISO/IEC 17799:2005
(Peltier, 2003).
Overall, the literature recommended a combination of technology, processes, and
policies to prevent the incidence of cybercrime. The literature review helped to address
the core problem assessed by this study, namely, that many small businesses display a
lack of concern towards information security and unrealistically expect that performing
basic preventative measures alone protects against all forms of threats. This study
examined the relationship between leadership styles within small businesses and the
level of concern towards information security problems.
Intrusion Detection
While preventative measures are useful and necessary to preempt a security
breach, they cannot cover all types of security threats. Ongoing intrusion detection
systems find patterns in misuse and attempted intrusions and warn network
administrators of an impending attack (Day, 2003). Intrusion detection technology needs
to be complemented with human policies and procedures, and physical security that
responds to notifications of an impending attack (Sherif & Ayers, 2003; Sher