Management of Technical Security Measures: An Empirical Examination of Personality Traits and Behavioral Intentions

Transcription

1 th Hawaii International Conference on System Sciences Management of Technical Security Measures: An Empirical Examination of Personality Traits and Behavioral Intentions Jörg Uffen Leibniz Universität Hannover Michael H. Breitner Leibniz Universität Hannover Abstract Organizations are investing substantial resources in technical security measures that aim at preventively protecting their information assets. The way management or information security executives deals with potential security measures varies individually and depends on personality traits and cognitive factors. Based on the Theory of Planned Behavior, we examine the relationship between the personality traits of conscientiousness, neuroticism and openness with attitudes and intentions towards managing technical security measures. The highly relevant moderating role of compliance factors is also investigated. The hypothesized relationships are analyzed and validated using empirical data from a survey of 174 information security executives. Findings suggest that conscientiousness is important in determining the attitude towards the management of technical security measures. In addition, the findings indicate that when executives are confronted with information security standards or guidelines, the personality traits of conscientiousness and openness will have a stronger effect on attitude towards managing security measures than without moderators. 1. Introduction The proliferation of interconnected networks results in a variety of complex, multinational information security risks. Research studies emphasize management s increasing concerns about the protection of organizational information assets [1]. Hence, it is important that today s organizations determine how to employ effective technical security measures to secure organizational networks against external threats [2]. The management of (technical) security measures is defined as a part of daily tasks of an information security executive, whose activities, such as administration or running Virtual Private Networks (VPN), or being suspicious of and reacting to current security breaches aim at hindering network attacks. But the way information security executives deal with potential information security measures varies individually and depends on personality and other cognitive factors [1],[3]. Individual management differences have become an important area of focus in information security research. For example, Sharma and Yetton [4] investigated the positive influence of management on an employee s cognitive beliefs, attitudes, and behavioral patterns when dealing with information security. Ashenden [5] emphasized the need for managing soft skills to effectively change organizational culture and to improve communication between end-users, information security executives, and senior managers. Little effort has yet been made to examine the influence of individual differences and attitudes or behavioral patterns among information security executives. In information systems (IS) research, a useful way to integrate individual differences into IS models and theories is the adoption of the Five Factor Model (FFM) [6],[7]. Drawing on the wellestablished and widely accepted Theory of Planned Behavior (TPB) [1] we demonstrate the potential influence of personality traits on an information security executive s attitude or beliefs towards managing technical security measures. In addition, standards and guidelines that support information security executives in their daily tasks are becoming more and more important [8]. In order to obtain a better understanding of the external factors that might affect an information security executive s attitude towards management of security measures, compliance, as a potential moderator between personality traits and attitudes was included. We explore the following research questions by testing an integrated model: 1. Which and how do personality traits of an information security executive affect their attitude towards managing technical security measures? 2. To what extent are compliance factors potential moderators between personality traits and attitude towards managing technical security measures? The roles and responsibilities of executives in information security have been shown to be the main predictors of success [1]. In this context, personality traits can illustrate how individual differences determine the strength of an individual s attitude in a specific context [7]. Incorporating personality traits /12 $ IEEE DOI /HICSS

2 with a focus on cognitive processes of information security executives has largely been ignored. 2. Theoretical Foundations 2.1 Information Security Researchers and practitioners have addressed information security from multiple perspectives, including the design and implementation of security measures and socio-organizational treatments [9],[10]. The aim of information security management is to maximize the number of prevented and deterred security breaches [10] by adopting an efficient set of technical security measures [2]. Organizations typically deploy technical security measures, also referred to as countermeasures or security mechanisms [9],[10], including firewalls, anti-virus protection, VPN and encryption tools, making it increasingly difficult to attack a network and gain access to sensitive organizational information. The activities of information security executives include for example administration, running, and monitoring of effective security devices that impede unauthorized access [11]. Because information security management must balance the needs of information access and information protection [2], continuously changing requirements in complex situations present challenges [13]. In addition, compliance components, such as legal requirements, international standards and internal security policies, must be taken into account [8]. By adopting information security management standards and guidelines, organizations can commit to securing their organizational networks against external threats [8]. For example, ISO/IEC presents a set of requirements for establishing, implementing, operating, reviewing, and improving the organization s information security management. In this paper information security practices such as standards and guidelines are refered to as compliance factors. They support executives in their decision making process while managing security measures. One important point is that the way an executive acts in different situations depends on individual differences and varies from person to person [3]. Individual differences play a ubiquitous role in the information security domain. Some researchers have started to investigate these issues at the management level. For example, an executive s perceptions of security risks have been shown to strongly influence the decision-making process [1]. Further, there is evidence that an information security executive s sensitivity towards security activities and advanced security software is associated with a higher perceived effectiveness of information security [1], [11]. Since information security standards guide information security executives in their activities, we expect that such compliance factors will influence their behavior. Compliance factors can be the basis for changes in attitudes and behavior. Therefore, there appears to be some sort of relationship between compliance factors and an executive s individual differences, cognitive processes, and behavioral factors towards the management of technical security measures. 2.2 Personality Traits and the Theory of Planned Behavior Researchers incorporated numerous cognitive and personality-related variables in a variety of IS models. Personality psychologists use classification systems that summarize individual differences in personality into fundamental facets of each human being. These traits determine cognitive and behavioral patterns that remain stable across situations [14]. The most frequently used taxonomy in personality research is the FFM [15]. The following general labels and contents have been established in personality research [14],[15]: (a) extraversion is the degree to which an individual is positively emotional, assertive, ambitious, and social; (b) agreeableness is the tendency to be trustful, straightforward, helpful, and willing to cooperate; (c) persistence, self-control, self-discipline, and dutifulness represent conscientiousness; (d) openness to experience indicates an appreciation for variety of creativity, flexibility, adventurousness, and imagination; and finally, (e) anxiety, pessimism, impulsiveness and personal insecurity are related to neuroticism. The FFM has been used with great predictive power in management, psychology, and IS research. Research studies that focus on the human factors of information security tend to emphasize user or employee behavior. For example, in their study, Shropshire et al. [16] showed that two selected FFM criteria impact information security compliance behaviors. Results establish that agreeableness and conscientiousness are strongly connected with an end-user s intention to comply with an organizational security policy. Junglas et al. [17] proposed a link between personality traits and privacy concerns in location-based services. Using Protection Motivation Theory, which explains the coping process with potential threats by predicting a variety of protective behaviors, the authors investigated how conscientiousness, agreeableness, and openness affect an individual s concern for privacy. Goswami et al. [18] examined the impact of conscientiousness and openness on decision-maker mindfulness in the

3 adoption of IT innovations. The results demonstrate that both personality traits are important in determining their mindfulness. Although the application of specific personality traits in relation to different behavioral information security factors has been similarly investigated in related literature, empirical studies that address an information security executive s personality when managing information security are still lacking. To understand the link between an information security executive s personality and his or her actual behavior while managing technical security measures, cognitive processes must be taken into account. As proposed by [7], the influence of personality traits on behavior is mediated by cognitions, as implied by the TPB. The TPB is the most widely applied model of goal-specific cognition and is widely supported by research studies for its predictive power [7],[9],[19]. According to Ajzen [19], the TPB, an extension of the Theory of Reasoned Action (TRA), implies that intentions are proximal cognitive antecedents of actions or behavior [20]. Intentions index the motivation to perform a specific action and are determined by three constructs: attitudes, subjective norm, and perceived behavioral control. In general, attitudes represent an individual s overall evaluation of a specific behavior. Because attitude constitutes an individual s behavioral beliefs towards a specific context, we focus on an attitude s impact on behavioral intention towards management of technical security measures. In our case, attitude describes an information security executive s belief that taking technical security measures is a desirable behavior that helps to enhance information security in an organization. In other words, if an executive perceives the result of a certain behavior as being positive, he or she will form positive attitudes towards the specific technical security measure. As mentioned above, organizations have different types of technical security measures in place. Therefore, we decided to determine attitude by regarding multiple security measure rather than a single one. Because there is little research in this field yet, we believe that a more global focus on technical security measures is beneficial for researchers and practitioners alike. In information security research, the adoption of TPB or core constructs of TPB such as attitude [7],[21] is well established (for a list see e.g. [9],[12]). But only few studies have investigated the relation between FFM or personality traits in general and core constructs of TPB. Fishbein and Ajzen [20] recognized the potential importance of external behavioral influence factors that are outside the TPB [20]. They explicitly stated that personality is a type of external variable that influences a specific behavior indirectly through the cognitive constructs contained within the TPB [19],[20]. Therefore, the relationship between personality traits and cognitive behavioral models have received more and more attention in IS research. For example, [7] and [22] used the Technology Acceptance Model (TAM), which is based on TRA. The authors found that the FFM constructs can be useful predictors of attitudes and beliefs. Wang incorporated FFM into the IS continuance model to examine the influence of personality traits on an individual s IS continuance intention [23]. However, this research suggests that FFM and cognitive influences on behavior, as determined by the TPB constructs of attitude and intention might be integrated into a single model. 3. Research Model and Hypotheses Our integrated model proposes an explanation of the relationship between personality and an executive s attitude and intention towards the management of security measures (Figure 1). Personality trait Conscientiousness Neuroticism Openness Compliance Figure 1. Integrated model Attitude towards technical security measures Intention towards technical security measures Prior meta-analytic studies demonstrated that some FFM traits are more relevant in explaining attitudes in specific job tasks than others [15]. These suggest that agreeableness and extraversion are positively related to jobs that involve considerable social and interpersonal interaction [15]. According to its facets, agreeableness which is characterized as being helpful and collaborating, and extraversion, characterized as being outgoing, social and talkative, are relevant in situations with interpersonal interaction such as security awareness training. Due to the technical perspective of our research paper, which focuses less on interpersonal interaction, we decided to exclude these two FFM constructs from our model and instead focused on conscientiousness, neuroticism, and openness. In prior research, these were theorized to be more appropriate with a technology focus [24]. Conscientiousness is associated with competence, persistence, self-control, and reasonable and

4 consensual acting in compliance with norms and rules [14]. Prior research suggests that conscientiousness is the most important trait in information security behavior [16]. Further, conscientiousness and general job performance have been shown to be positively related to each other [15]. Goswami et al. [18] demonstrated that conscientiousness has a strong influence on mindfulness in IT innovations. Bansal [6] emphasized a positive relationship between conscientiousness and security concerns. Information security management and, in particular, management of technical security measures, which present ever changing requirements and challenges, require a high level of attention and professionalism [13]. Conscientious information security executives tend toward purposeful planning, keep things well organized and prioritize tasks before prematurely employing inefficient security measures. In particular, conscientious information security executives are more likely to carefully consider situations in which employing of technical security measures could make their work more efficient. If this cognitive processing results in a positive attitude, then conscientiousness increases this, which in turn affects and magnifies the behavioral intentions. Hence, we hypothesize that the more conscientious an information security executive appears to be, the more likely he or she is to consider the outcomes of employing technical security measures. H1: Conscientiousness is positively related to the attitude towards management of security measures Openness is a personality trait that is associated with experience of new situations, flexibility, intelligence, propensity to try new ideas, and imaginativeness [14],[17]. Openness concerns the motivational tendency to reflect on ideas, critically examine information, and solve puzzles [18]. In contrast to the results from Barrick et al., which indicate that openness is not relevant to many work criteria [15], openness, with its facets of a broader life experience and broader and deeper scope of awareness [17] is expected to be important in managing technical security measures. For example, openness has been shown to be positively associated to mindfulness, and in the same context, the cognitively differentiated interpretation of information in multiple scenarios (e.g. [18]). As a result of such awareness, open information security executives are more sensitive to innovative technical security measures, for example. These facets and cognitive processes are expected to lead to positive attitudes towards managing them. Given the fact that highly open information security executives would most likely consider security measures to have positive value, we hypothesize that openness is positively related to attitude. H2: Openness is positively related to the attitude towards management of security measures. The counterpart of neuroticism, emotional stability, has been shown to be a valid predictor of job performance which has a positive effect on project outcomes [15]. Neurotic individuals tend to be hostile, pessimistic, and uncertain, which leads to feelings of stress. Empirical studies demonstrated that neurotic individuals tend to be more risk averse [25] and less suited to higher level jobs that are more complex and stressful [26]. When people manage technical security measures, risky situations require sophisticated reactions that are not premature [27]. Information security executives must understand priorities, opportunities, and needs while focusing on technical security measures and they must be able to critically examine the current implementation status. Research has shown that emotionally stable individuals are likely to view innovative technical advances in their job as helpful and important [7]. As a result, neurotic information security executives tend to view technical security measures as stressful and with pessimism. If a security breach is not detected early, neurotics will form negative attitudes about the adopted technical security measure. Therefore, if a highly neurotic information security executive tends to view the management of security measures as being stressful and worrisome, he or she will form negative attitudes, because it is believed that a potential action cannot make a difference in securing information assets. H3: Neuroticism is negatively related to the attitude towards management of security measures. The concept of personality traits and their influence on attitude does not occur in a vacuum. In line with recent trends towards increased compliance requirements, the influence of compliance on the relationship between an information security executive s personality and his or her attitudes is examined. In the context of this paper, executives beliefs may be influenced by external factors such as information security standards or guidelines if these beliefs match their attitude and behavioral intention. For example, guidelines and standards present useful recommendations that support an information security executive in managing technical security measures [28]. But guidelines and standards are generic in scope and do not focus on any specific security measure. Therefore, following these standards and guidelines, such as ISO 27002, cannot

5 be seen as a direct behavior indicator. First, we must determine whether their adoption provides positive value in enhancing the attitude towards managing technical security measures. Since personality traits are shown to influence attitude [7],[20], we hypothesize that compliance must be seen as an indicator that moderates the relationship between the examined personality traits and a person s attitude towards the management of security measures. The importance of moderating effects between personality traits and cognitive processes has been highlighted by several researchers [17],[29]. Personality traits are stable across time [14], thus other external factors are more likely to moderate the affect of these traits on attitudes towards management of security measures. This leads to the assumption that compliance factors are useful moderators in enhancing our model. H4: The influence of conscientiousness on attitude towards management of security measures is moderated by compliance factors. H5: The influence of openness on attitude towards management of security measures is moderated by compliance factors. H6: The influence of neuroticism on attitude towards management of security measures is moderated by compliance factors. This study s aim is to provide a general link between personality traits, attitude, and their respective behaviors. Therefore, behavioral intentions are incorporated into our integrated model. Assessing intentions rather than actual behavior is grounded theoretically and technically. Several authors have shown a strong and consistent relationship between both constructs [30],[31]. In addition, technical measurement is argued to be difficult due to the sensitive context of information security (e.g. [3],[9]) and the large and diverse sample sizes [32]. A relationship between attitude and behavioral intentions has been shown in various research studies [9],[22],[32]. Because information security executives seek cognitive consonance between feelings and actions [9], having a positive attitude towards technical security measures will form tendencies to perform related behaviors. Therefore the following is hypothesized: H7: Attitude towards management of security measures is positively related to behavioral intentions towards management of security measures. 4. Research Methodology 4.1 Explorative Data Collection We chose survey methodology to collect empirical data and to test the revised model statistically. Using online networking websites with an exclusively professional focus (Xing, CIO, ITHeads) we identified 889 possible participants. We chose this approach to elicit a wide representation by industry and company size. We contacted information security executives, for example Chief Information Security Officers, from Germanspeaking countries via private messaging or . We explicitly limited the survey to a national sample due to underlying cultural differences or different national regulatory requirements, which might cause different attitudes towards the relevance of technical security measures. Further, in order to increase attention to our study, we used closed groups in the above-mentioned professional networks and solicited participation. The survey was hosted in a secure environment and participation was anonymous and confidential. All questionnaires were completed with a web-based survey. Of the 889 preselected participants, 174 responses could be considered reliable. Due to several difficulties in collecting empirical data in this sensitive context [39], the response rate of more than 19% is reasonable. The demographics are presented in Table 1. Table 1. Demographic information Gender (N=174) and respondent's age (N=170) n % n % Male Less than Female > Less than 30 years > > years > > years > > years > > 60 years > Respondent's educational level (N=163) Company size - number of employees (N=146) Level of ivolvement in information security (N=169) PhD Directly involved Diploma/Master Indirectly involved Others Not involved at all Operationalization of Constructs All personality traits were measured using the NEO-FFI format by Costa and McCrae [14]. Prior research suggested that the NEO-FFI is a reliable and valid instrument for FFM measurement [14],[15]. The TPB constructs of attitude and intention towards technical security measures were operationalized based on prior research studies from [9] and [21]. These studies were primarily targeted to internet users behavior towards the adoption of technical

6 security measures and items have already been empirically validated. The compliance measure was developed in reference to prior literature from [28] and [33], who based their works on ISO 17799:2005 (which has been revised and renamed to ISO 27002). All constructs were measured reflectively with multiple items using a five-point Likert scale. To improve content validity, the questionnaire was discussed and verified with local IS managers and faculty members. Table 2 lists the measurement items used to measure these constructs. Item INT1 INT2 INT3 INT4 INT5 Table 2. Operationalization of constructs Dimension I intend to support technical issues of information security in my organization I intend to receive information about current global security issues within the next 30 days I plan to check for shortcommings within technical information security environment I intend to carry out my responsibilities in consideration of technical security issues I predict that I will check for lack of integrity, availability and confidentiality within the next 3 months ATT1 From my point of view, physical barriers are a useful tool to prevent unauthorized physical access and environmental contamination ATT2 Security measures such as implementing anti-virus software, firewalls, or backup systems are important in my organization ATT3 Working with backup and recovery systems is enjoyable ATT4 Technical security measures make work more interesting CP1 CP2 5. Results Information security standards for example ISO / IEC enhance my daily work process The use of formal mechanism such as policies, procedure and processes enforce information security compliance 5.1 Data Analysis Empirical data was analyzed via structural equation modeling (SEM) in order to reflect latent independent and dependent variables. We used the software packages of SmartPLS (version 2.0.M3) and SPSS (version ) for measurement validation and SEM testing. Partial least squares (PLS) is a component-based approach for predicting theoretical relationships and is well suited for explorative models [34]. Since we hypothesized moderation effects in our model, we followed guidelines from Chin et al. [35] to test our SEM. Table 3. Means, standard deviations, and AVE and correlations between items and constructs M SD AVE CO NE OP ATT INT CP CO CO CO NE NE NE OP OP OP ATT ATT ATT ATT INT INT INT INT INT CP CP Notes: M=Mean; SD=Standard Deviation; CO=Conscientiousness; NE=Neuroticism; OP=Openness; ATT=Attitude; INT=Intention; CP=Compliance First, to ensure measurement quality, convergent validity, discriminant validity, individual item reliability and composite reliability are examined. With regard to individual item reliability and convergent validity of constructs, we conducted a principal component analysis (PCA) with varimax rotation to examine how well the measurement items relate to their respective underlying construct. According to Chin [36] acceptable measurement item loadings are above 0.707, indicating that these items represent at least 50 percent of the construct variance. Some items did not load highly on their respective underlying construct. Items that had low factor loadings or cross loaded with other factors were removed from the analysis. Final factor analysis indicated that all factor loadings were related to their respective underlying construct, with factor loadings of at least In social science and IS studies, a minimum loading of 0.4 is commonly used and accepted [17],[22],[37]. Here, all measurements items show convergent validity and are higher than the 0.4 cutoff value. Also, they are near and above the level. All items were significantly related to their

7 respective underlying construct at p<0.001, except OP1, OP2, and OP3, which were statistically significant at p<0.05. In addition, the Average Variance Extracted (AVE) for each construct was assessed to be greater than the minimum recommended value of 0.50 [35],[37] (Table 3). To establish discriminant validity, the square root of AVE for each construct was compared with the inter-correlation values of the other constructs [35],[37]. Reflective measures are sufficiently valid when square roots of the AVE are higher than the correlation between the constructs, indicating that more variance is shared between the construct and its underlying items than with any other construct [36]. As illustrated in the diagonal of the correlation matrix in Table 4, all constructs in the model satisfy these criteria. Table 4. Means, standard deviations, scale reliabilities, and intercorrelations M SD α CR CO NE OP ATT INT CP Notes: Bolded diagonal elements are the square roots of AVE; α=cronbach s Alpha; CR=Composite Reliability The internal consistency and reliability of each construct was measured by calculating composite reliability (CR) [38] and Conbach s Alpha (α). As shown in Table 4, all constructs have a CR that is above the recommended minimum level of 0.70 [34]. Cronbach s Alpha values are above and very close to the minimum threshold of 0.70 [34] and therefore measurement items show adequate reliability assessment scores. The SEM is estimated with the 174 responses. Bootstrapping with re-samples is performed to investigate the statistical significance of path coefficients by applying a t-test. To test the moderating effect of compliance, three interaction terms were created by multiplying the indicators of the independent constructs with a hypothesized moderator [35]. The standardized path coefficients, significance, and the value of explained variance for the SEM are shown in Table 5. The SEM, which was calculated including the moderating effects, explains 20.0% (F=105.63, p<0.001) of the variance in attitude and 19.9% (F=42.73, p<0.001) of the variance in intention towards management of technical security measures; both values are significantly different from zero. By including the moderation effect of compliance on the relationship between personality traits and attitude, the model explains an additional 6% (ΔR²=0.058, F=16.90, p<0.001) of the variance in attitude. Therefore the discussion of results focuses on the SEM with moderating effects. Table 5. Summary of hypotheses tests Dependent Independent Path Hyp.No. variable variable R² coefficient T-value Sig. ATT 0.20 H1 (+) CO p<0.01 H2 (+) OP n.s. H3 (-) NE n.s. H4 (+) CP x CO p<0.05 H5 (+) CP x OP p<0.01 H6 (+) CP x NE n.s. INT 0.19 H7 (+) ATT p<0.001 Out of the seven hypotheses, four were supported. As predicted by TPB and consistent with our expectations and the results from prior studies in information security research (e.g. [9],[21],[32]) an information security executive s intention is strongly influenced by their attitude (β=0.450; p<0.001). An information security executive s attitude towards the management of technical security measures is positively influenced by conscientiousness (β=0.204; p<0.01), but contrary to our prediction the relationship between the other two personality traits and attitude is found to be insignificant (H2: β=-0.108, n.s.; H3: β=0.040, n.s.). As hypothesized, compliance has a moderating effect on the relationship between personality traits and attitude in two cases (H4: β=0.154, p<0.05; H6: β=0.241, p<0.01). No moderating effect on the relationship between neuroticism and attitude could be identified (β=0.066, n.s.) Discussion The results show that the integration of personality traits into behavioral theories (in our case TPB) can have varying results. On the one hand, the results of our study indicate that conscientiousness is significantly related to information security executives attitudes towards the management of technical security measures. This result is not surprising, because conscientiousness has been shown to be a valid predictor in, for example, job performance [15]. Information security executives who score high in conscientiousness believe that managing technical security measures provides a positive value in their job tasks. In addition, compliance was hypothesized to have a moderating effect on the relationship between conscientiousness

8 and attitudes towards managing security measures. The results indicate that when executives are confronted with standards or guidelines of information security, conscientiousness will have a stronger effect on attitude. Contrary to our expectations, neuroticism and openness do not have a statistically significant relationship to attitude towards management of security measures. Openness was hypothesized to have a positive relationship, neuroticism a negative relationship with attitude. In personality research, researchers often face identical problems with the non-significance of the neuroticism construct and information security is an organization-sensitive topic [39]. As Junglas et al. [17] explained in their research study, neuroticism shows its facets only in affective situations. This indicates that neuroticism is only significant in a trait-relevant situational cue [17]. Management of security measures does not initiate affective cues. Further, compliance factors are given less weight by neurotic information security executives when it comes to managing technical security measures. Open information security executives react flexibly and critically examine changes in existing requirements, norms, and rules. This justifies the strong moderating effect of the compliance factors in the hypothesized direction, since standards and guidelines assist an information security executive in, for example, critically examining the current implementation status of technical security measures. Even if these standards and guidelines are generic in scope, the relationship between openness and attitudes towards technical security measures becomes stronger under the influence of these factors. Contrary to our expectations, the relationship between openness and attitude towards the management of security measures does not have statistical support. According to Devaraj et al. [7] and despite Ajzen s [19] expectations that personality is presented as an external variable within TPB, one reason could be, that openness can have a direct impact on intentions towards the management of security measures. In consideration of potential external variables that might affect the relationship between openness and attitude, the moderating effect of compliance has shown that the relationship between both constructs might be more complex Implications This paper provides an insight into the influence of personality traits on the management of technical security measures. Knowing that personality traits are stable over time, short-term effects that mainly influence the cognitive processes of an information security executive in his or her decision have been shown to be a potential moderator between the relationship of a specific personality trait and attitude. Rather than focusing the management of security measures, this model might be applicable in another information security area. For example, the influence of agreeableness and extraversion on the human factor of information security for security awareness trainings can be examined. From a practical perspective, the findings indicate that guidelines and standards can support information security executives in their daily tasks. Further, if an organization understands the behavioral traits of its information security executives, it can improve the effectiveness of security measures. For example, this paper sheds light on the types of information security executives who have positive attitudes towards technical security measures. These attitudes can be enhanced in a case in which organizations use information security standards or guidelines. Thus, organizations should measure the personality traits of their information security executives. Depending on the results, stronger regulation, supervision, and control procedures can enhance the level of information security. These results might also help organizations in selecting new IT team members whose key focus should be the management of security measures. Analysis of personality traits together with other human resources (HR) tools can help HR and/or IS managers to find the right person for that position. 6. Limitations and Future Research The study is subject to following limitations. First, the explanatory power of our model (R² = 0.20) might seem low. But it has to be noted, that in social science research studies that incorporate personality traits into research models, an R² value in the range of 10-20% is quite acceptable [17]. In measuring personality traits, it is not always possible to get a higher R². In addition, the relationships between neuroticism and openness with attitude are not significant. These relationships must be focused on in more detail for additional external factors in future research. Opportunities in research include the incorporation of additional external factors such as moderators of the personality-attitude relationship. Institutional size, the number and complexity of concurrent security measures or cultural differences as group-level moderating factors, might explain a better relationship between personality traits and attitude. Further, the survey is based on self-reported information that measures behavioral intentions rather than actual behavior. Due to the sensitive context, it may be difficult to obtain data about actual

9 behavior in, for example, real situations that are relevant to information security. To focus more on the gap between behavioral intention and actual behavior, and to link that with personality traits, one option to alleviate this limitation is the use of scenario techniques [32]. Providing richer information about hypothetical information security situations and indirectly asking about attitudes towards technical security measures lead to a better impression of a person s true intention. Another limitation of this paper may be that the compliance construct is measured with abstraction. The pre- and post integration into the above-mentioned scenario might provide a detailed explanation about the relationship between personality traits and their influence on attitudes. A further limitation is that participants are from German-speaking countries. If we consider cultural and legal differences, it is likely that information security executives in other countries might have different attitudes about or reactions to the protection of information assets. Further empirical data was collected with no special focus on industry or organizational size. In order to increase generalizability, follow-up studies that expand to include an international context by integrating cultural differences and examine the effects of the size and type of organization are recommended. The use of single-session, self-reported data can be a potential weakness with regard to self-selection and common-method bias. We try to minimize these effects in the following way: in the online survey, respondents were not allowed to back-track. The pages of the survey items were presented in a random manner to discourage participants from figuring out the relationship between the dependent and independent constructs that we were trying to establish. Second, the anonymous nature of the survey would also mitigate the probability that respondents provided answers they believe we expected or self-serving answers. Future research can focus on this bias by using a larger and more international sample. In addition, this model might even serve as the basis for an agent-based dynamic simulation for greater insight into the variability of cognitive processes caused by personality traits. 7. Conclusion This paper served as an initial attempt to investigate the relationship between the personality traits of conscientiousness, neuroticism and openness to attitude towards management of technical security measures. Incorporating personality traits from executives perspective into TPB constructs of attitude and intention towards management of security measures has largely been ignored. In addition, compliance factors were incorporated as potential moderators of the relationship between the personality traits and attitude. Results indicate that conscientiousness positively influences an information security executive s attitude towards the management of security measures. This relationship is positively moderated by compliance. Neuroticism and openness are not found to be statistically influential on the attitude, but the relationship between openness and attitude can be positively moderated by compliance. 8. References [1] D.W. Straub, and R.J. Welke, Coping with system risk: Security planning models for management decision making, MIS Quarterly 22(4), 1998, pp [2] Hu. Cavusoglu, S. Raghunathan, and Ha. Cavusoglu, Configuration of an interaction of information security technologies: The case of firewalls and intrusion detection systems, Information Systems Research 20(2), 2009, pp [3] C. Vroom, and R. von Solms, Towards information security behavioural compliance, Computer & Security 23(3), 2004, pp [4] R. Sharma, and P. Yetton, The contingent effects of management support and task interdependence on successful information systems implementation, MIS Quarterly 27(4), 2003, pp [5] D. Ashenden, Information security management: A human challenge?, Information Security Technical Report 13(4), 2008, pp [6] G. Bansal, Security concerns in the nomological network of trust and Big5: First order vs. second order, Proc. of the 32 nd International Conference on Information Systems, Shanghai, 2011, paper 9. [7] S. Devaraj, R.F. Easley, and J.M. Crant, How does personality matter? Relating the Five-Factor Model to Technology Acceptance and Use, Information Systems Research 19(1), 2008, pp [8] M. Siponen, and R. Willison, Information security management standards: Problems and solutions, Information & Management 46(5), 2009, pp [9] C.L. Anderson, and R. Agarwal, Practicing Safe Computing: A multimethod empirical examination of home computer user behavioral intentions, MIS Quarterly 34(3), 2010, pp [10] J. D Arcy, A. Hovav, and D. Galletta, User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach, Information Systems Research 20(1), 2008, pp [11] A. Krankanhalli, A. Hock-Hai, C.Y.T. Bernard, and W. Kwok-Kee, An integrative study of information

10 systems security effectiveness, International Journal of Information Management 23(2), pp [12] S. Aurigemma, and R. Panko, A composite framework for behavioral compliance with information security policies, Proc. of the 45 th Hawaii International Conference on System Sciences, 2012, pp [13] J.M. Torres, J.M. Sarriegi, J. Santos, and N. Serrano, Managing information systems security: Critical success factors and indicators to measure effectiveness, Proc. of the 9 th International Conference on Information Security, Samos Island, 2006, pp [14] P.T.Jr. Costa, and R.R. McCrae, Revised NEO Personality Inventory (NEO-PI-R) and NEO Five Factor Inventory (NEO-FFI) professional manual, Psychological Assessment Resources, Odessa, [15] M.R. Barrick, M.K. Mount, and T.A. Judge, Personality and performance at the beginning of the new millennium: What do we know and where do we go next?, International Journal of Selection and Assessment, 9(1), 2001, pp [16] J. Shropshire, M. Warkentin, A.C. Johnston, and M.B. Schmidt, Personality and IT security: An application of the five-factor model, Proc. of the 12 th Americas Conference on Information Systems, Acapulco, 2006, pp [17] I.A. Junglas, N.A. Johnson, and C. Spitzmüller, Personality Traits and Concern of Privacy: An empirical Study in the Context of Location-Based Services, European Journal of Information Systems, 17(4), 2008, pp [18] S. Goswami, H.H. Teo, and H.C. Chan, Decisionmaker mindfulness in IT adoption: The role of informed culture and individual personality, Proc. of the 30 th International Conference on Information Systems, Phoenix, 2009, Paper 203. [19] I. Ajzen, Theory of Planned Behavior, Organizational Behavior and Human Decision Processes 50(2), 1991, pp [20] M. Fishbein, and I. Ajzen, Belief, attitude, intention and behavior, John Wiley, New York, [21] A.C. Johnston, and M. Warkentin, Fear appeals and information security behaviors: An empirical study, MIS Quarterly 34(3), 2010, pp [22] O. Nov, and C. Ye, Personality and technology acceptance: Personal innovativeness in IT, openness, and resistance to change, Proc. of the 41 st Hawaii International Conference on System Sciences, 2008, Paper 448. [23] W. Wang, How personality affects continuance intention: An empirical investigation of instant messaging, Proc. of the 14 th Pacific Asia Conference on Information Systems, Taipei, 2010, Paper 113. [24] I.A. Junglas, C. Spitzmüller, A research model for studying privacy concerns pertaining to location-based services, Proc. of the 38 th Hawaii International Conference on System Sciences, 2005, pp [25] M. Lauriola, and I.P. Levin, Personality traits and risky decision-making in a controlled experimental task: An exploratory study, Personality and Individual Differences 31, 2001, pp [26] P.E. Spector, S.M. Jex, and P.Y. Chen, Relations of incumbent affect-related personality traits with incumbent and objective measures of characteristics of jobs, Journal of Organizational Behavior 16(1), 1995, pp [27] E. Karahanna, and R.T. Watson, Information system leadership, IEEE Transactions on Engineering Management 53(2), 2006, pp [28] Q. Ma, and J.M. Pearson, ISO 17799: Best practices in information security?, Communications of the AIS, Vol. 15, 2005, pp [29] R.P. Tett, and D.D. Burnett, A personality trait-based interactionist model of job performance, Journal of Applied Psychology 88(3), 2003, pp [30] V. Venkatesh, M.G. Morris, G.B. Davis, and F.D. Davis, User acceptance of information technology: Toward a unified view, MIS Quarterly 27(3), 2003, pp [31] T.L. Webb, P. Sheeran, Does Changing Behavioral Intentions Engender Behavior Change? A Meta-Analysis of the Experimental Evidence, Psychological Bulletin 132(2), 2006, pp [32] B. Bulgurucu, H. Cavusoglu, and I. Benbasat, Information Security Compliance: An empirical study of rationality-based beliefs and information security awareness, MIS Quarterly 34(3), 2010, pp [33] M.S. Saleh, A. Alrabiah, and S.H. Bakry, Using ISO 17799:2005 information security management: A STOPE view with six sigma approach, International Journal of Network Management Vol. 17, 2007, pp [34] D. Gefen, D.W. Straub, and M.C. Boudreau, Structural equation modeling and regression: guidelines for research practice, Communications of the Association for Information Systems 4(7), 2000, pp [35] W.W. Chin, B.L. Marcolin, and P.R. Newsted, A partial least squares latent variable modeling approach for measuring interaction effects: Results from a Monte Carlo simulation study and an electronic-mail emotion/adoption study, Information Systems Research 14(2), 2003, pp [36] W.W. Chin, Issues and opinion on structural equation modeling, MIS Quarterly 29(3), 1998, pp. vii-xvi. [37].W. Straub, M.C. Boudreau, and D. Gefen, Validation guidelines for IS positivist research, Communications of the AIS 13, 2004, pp [38] C. Fornell, and D.F. Larcker, Evaluating structural equation models with unobservable variables and measurement error, Journal of Marketing Research 18, 1981, pp [39] A.G. Katoulic, and J.G. Clark, Why there aren t more information security research studies, Information & Management 41, 2004, pp