Antecedents of information security activities: Drivers, enablers, and constraints

Information security-related activities, such as documenting policies, safeguarding assets, monitoring for breaches, and gaining user compliance, are important for organizations wishing to protect their information against adverse threats. However, fully instituting these activities seems to be challenged, given ongoing reports of organizations experiencing information security breaches. As explained in institutional theory, breaches can undermine the organization’s reputation and legitimacy in the eyes of many stakeholders. In this research, we examined institutional forces, along with organization-innovation related enablers and constraints, as predictors of higher levels of assimilation of information security-related activities. Consistent with prior research in the areas of institutional and innovation theory, the research examined mimetic, normative, and coercive forces, as well as the organization’s compatibility with, and the perceived complexity of, the security-related activities. We also control for both organization structure and size as control variables. We found two of the three institutional forces were significant, as were complexity, compatibility and the control variables. The practical implications of our research are that coercive forces, i.e. legal, governmental, and parent company requirements, provide the greatest positive influence on instituting these activities. Normative forces, based in interorganizational relationships with and industry and its organizations also contribute, but not to coercive forces. Perceived compatibility of activities enable, and complexity constrains higher levels of assimilation, thus the degree to which activities are adapted into existing practices could help in introducing and achieving greater levels of assimilation.