Information security in SMEs: determinants of CEOs’ protective and supportive behaviors
Résumé
This research addresses the determinants of CEOs’ actions regarding the information
security (ISS) of small and medium enterprises (SMEs). This article aims to (a) identify factors
influencing CEOs’ ISS actions, (b) examine the relevance of protection motivation theory
(PMT) in explaining top management support (TMS, i.e., supportive actions), and (c) find
potential differentiated effects on protective vs. supportive actions.
The results of a questionnaire-based survey (N=200) show that the PMT and social influence
constructs, while explaining a significant amount of variance, exert differentiated
effects: in contrast with protective actions, which are influenced mainly by self-efficacy, SME
CEOs’ supportive actions are strongly affected by the social influence of peers (partners and
competitors) and customers.
At a theoretical level, this research validates the relevance of the PMT framework for
the study of TMS determinants in the context of ISS. This study is also the first to distinguish
between these two types of actions and offers new insights on CEOs’ ISS-related behavior
literature. For practitioners, the results imply that even when CEOs do not exert protective
actions, it is important to build on their professional relations to trigger and enhance their
supportive actions.