Effects of Information Security Management Systems On Firm Performance
Effects of Information Security Management Systems On Firm Performance
Effects of Information Security Management Systems On Firm Performance
net/publication/341625936
CITATIONS READS
2 1,762
5 authors, including:
Nicolas Nkondock
University of Yaounde I
4 PUBLICATIONS 2 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
Can Big Data and Predictive Analytics Improve Social and Environmental Sustainability? View project
All content following this page was uploaded by Georges Bell on 25 May 2020.
Email address:
*
Corresponding author
Received: August 10, 2019; Accepted: September 18, 2019; Published: September 29, 2019
Abstract: The purpose of this paper is to determine the aspects of the information security management system (ISMS)
on which decision-makers must act to achieve the performance targets. Information assets as core of any Information
systems (IS) should be taken seriously by a custom security. In this research, we conduct a case study specially using the
Delone and McLean’s IS success model. The hypotheses were tested by PLS-SEM of theSmartPLS software using survey
data collected among 136 IS and IT professionals. We found that the ISMS (system, service and information qualities,
maturity level of information security risk management process) and performance are directly related on one hand, and
indirectly by the IT capabilities of the company in the other hand. This shows that mastering security information
management risks process is crucial for an enterprise because it greatly contributes to organizational performance, improve
the IS’ support such as IT management, IT personal skills and IT infrastructure. This work has explored the feasibility of
using the IS success model on ISMS, a key world know element, where Africa is both the target of the informational
mobility, hackers and especially in the global economy. We consider the IS success model with 4 dependent variables
including maturity level of process.
Keywords: IS Success Model, ISMS, Maturity Level, IT Capability, Firm Performance
implemented and to potential threats. to provide a general definition and a measurement model of
The protection of the informational resources is a successful IS. After various criticisms of several researchers
fundamental responsibility of the corporate governance [3]. like Pitt et al. in [5] who recommend that service quality
The ISMS is so far important. It protects the information should be added as a dependent variable, Delone and
assets against threats that may affect its operation. It must be McLeandecide to revise their model ten years after. So, they
reactive and be able to adapt rapidly, in this changing proposed an improved model with six (06) variables which is
environment. a framework for measuring dependent variables that get
However, the adoption of the informational mobility and results about the success and quality of an IS. These variables
the rise of cybercrime expose companies to the greater are the following: system quality, Information quality,
informational risk whose non-inclusion in daily activities Service quality, Use of the system / intention to use, User
may result in serious consequences to a corporate crisis. satisfaction and Net benefits. In this new model, they
These consequences are likely to reduce the image and consider “net benefits” like the combination of “individual
operational performance of the company. impact” and “organizational impact”.
In the availability care of their services, telecom company The IS success model sustained that a system can be
for example get a second connection for emergency. This assessed based on the quality of the information provided and
connection called backup. It generally not as robust as the the delivered services, and the characteristics of the system
principal connection. It permits to guarantee interconnection itself. These factors affect users (satisfaction and intention to
between infrastructure in case of weakness of the principal use). After using the system, it will derive benefits for the
connection in order to permit availability 24/24 and 7/7 of user and therefore for the organization. These benefits in
their network. Therefore, maintaining customer satisfaction return motivate more users.
at the high level further. After adoption of a backup, it will be The service quality variable is a model himself; the
make choice on the quality of backup in order to maintain SERVQUAL. It is an instrument used to measure the service
key performance indicators at the satisfaction threshold fixed quality of acompany. According to the authors, quality of
by organization. This choice depends on the quality of the service is measured by observing the difference between the
personnel skills. perceived service quality and the expected by the customer
An observation made on the procurement department of a [6]. If this difference is positive, then its follow that the
great public works company allowed us to note a significant quality of service is good and service does not need instant
number of incidents due to improper prescription of products improvement. If the difference is negative, then its follow
to supply. Products ordered did not meet the technical that the quality of service is not good and the service need
requirements mentioned on the order form or required by the improvement.
technician. This situation may result in an increase of SERVQUAL has five (05) measurement indicators:
delivery costs for the supplier or a delay of delivery and Tangibles, Reliability, Responsiveness, Assurance and
execution of works for the enterprise. If the security Empathy. As far as it is a framework for any enterprise, there
guarantees the information integrity, then it should be able to is a possibility to make a self-evaluation of the service. This
solve this problem on this company. also allows internal continuous improvement of service
We can therefore ask how the improvement of the ISMS quality.
provides the improvement of the performance in a company? Resource-based theory was developed to sustain that a
The aim of our research is to demonstrate that the company that has resources is able to have a competitive
information security management is a source of performance advantage that can be maintained for a long term in order to
within a company. This will allow the adoption of a serious be performant. This advantage can be maintained because
and rigorous IS management system by any enterprise in our any company is able to protect itself against skills and
environment. The information systems security (ISS) doesn’t technology transfer or imitation [7]. Authors sustain that IT
appear as a center costs. Companies can now invest in the resources are necessary but not sufficient for good firm
security of their IS so as to create more value. performance. Similarly, only acquire IT resources does not
To answer our research question, we developed a research ensure good corporate performance. They define resources as
model and tested our hypotheses and the different mediation any skills and abilities, strategic property, assets or
effects. We first of all explored previous studies and then capabilities used to meet the market’s opportunities and
analyzed related theories in order to propose our research threats. Assets are tangibles (network infrastructure,
model. Thereafter, we presented our methodology and results, workstation, etc.) and intangibles (software, relationship with
and finally we discussed the results and presented the various stakeholders, etc.) [8]. The capability is the means which
implications of our work. allows to use these assets to achieve goals; such as technical
and managerial skills [9]. The resource-based theory allows
2. Theoretical Background us to easily specify the resources of a company, to easily
establish the link between resources and competitive
2.1. Theoretic Models advantage, so to measure resource benefits. This enable a
comparison between company.
The first Delone and McLean [4] IS success model aimed Regarding the resource-based theory, it appears that
American Journal of Operations Management and Information Systems 2019; 4(3): 99-108 101
resources are static while our environment is dynamic. quality and information quality) on administrative and
Taking into consideration that a company must always fit marketing performance. This interests us because the
one’s surroundings, raised the theory of dynamic management through business process is important [21]. The
capability. This theory sustain that resources should be relationship with suppliers is not always taken into account
developed and integrated within a company. In [10], one whereas they participate in achieving business goals. In
of the pioneer of this theory, define the dynamic capacity addition, the customer should always be satisfied and
as the ability to integrate, build and reconfigure internal because one of the strengths of a company is its image [22].
and external skills to adapt to rapid environment Gorla et al. conclude that IS have a positive effect on a firm
changings. As such, the dynamic capacity theory fills the performance. We can think one or all parts of IS have a
gap dynamically with a process orientation between positive effect on a firm performance.
resources and the environment [11]. We can say that the Given that risk management is a major and inevitable
resource-based theory facilitates the choice of resources activity of all ISMS [23], we propose to assessthe maturity of
while the dynamic capability enables the development and risk management process (RM-CMM) according to ISO
renewal of these resources. 27005, each in its entirety.
Regarding this observations, we can formulate the first
2.2. Research Model hypothesis H1: ISMS has a positive effect on a firm
A successful company is both effective and efficient. The performance.
firm performance can be measured at several levels: financial, The information security risk management process permit
social, administrative, marketing, etc. company to improve efficacy and efficiency of there is,
In our environment, at this numeric era where information therefore to improve their IT. The risk management tools like
security is indispensable like entire activity, many company MEHARI, EBIOS, propose recommendations on the
don’t take aware of their information values when this improvement of IT capabilities (infrastructure, application,
information are a company assets and permit all days to management, personnel skills, etc.). As the risk management
accomplish their purposes and be performant. In addition, is an important activity of ISMS, we can formulate de second
some authors say that Delone and McLean IS success model hypothesis H2: ISMS has a positive effect on the IT
may be apply to many sub-system types of an IS in [12, 13] capabilities.
by Gorla et al. Thus, we propose to use Delone and McLean Bharadwaj et al state that IT capabilities have a positive
IS success model to verify if ISMS in a company permit to be effect on the firm performance; on the firm organizational
performant. performance [24]; on the firm marketing performance [25].
The IS success model was subject of several scientific Bharadwaj et al distinguish IT tangible resources
articles. Some authors used the original model [14-17]. (infrastructure, human resources) and IT intangible resources
Others determined the factors of satisfaction and usage [18, (knowledge). Our research paper turn attention to tangibles
19].While others used it without consideration of some resources to avoid abstract elements like personnel skills,
variables such as user satisfaction, use and individual impact knowledge capability which are intangibles. Then, we can
in [20] and by Gorla et al. formulate third hypothesis H3: IT capabilities have a positive
We focused on the model used by Gorla et al. Their goal effect on firm performance.
was to measure the direct effect of IS (system quality, service Thus, our research model (Figure 1) is presented below.
The use of these cited different theories and concepts offer service and information quality. Thus, we obtain the specific
us opportunities for accurate and detailed verification of our research model below. This specific research model adds 11
research model with some dependent relations. Gorla et al research hypotheses to our paper.
say it is possible to explore the effects between system,
102 Harold Nguegang Tewamba et al.: Effects of Information Security Management Systems on Firm Performance
Constructs Number of indicators Average Ecart types Cronbach's alpha Composite reliability (CR) (AVE)
ISMS 20 4,452 1,573 0,962 0,966 0,586
IT Capacity 10 5,375 1,570 0,932 0,943 0,625
Performance 11 4,810 1,583 0,960 0,965 0,715
According to the different authors mentioned in respective Global analysis of the research model regarding the quality
references, the values of Cronbach's alpha and composite of our model is tested using the HTMT criterion. It measures
reliability (CR) are above 0.7. The values of AVE are above the discriminant validity of the constructs. This criterion is
0.5. Therefore, our constructs are reliable and have a good more appropriate than the Fornell-Larcker’s criterion and
internal consistency and convergent validity. cross-loadings analysis.
American Journal of Operations Management and Information Systems 2019; 4(3): 99-108 103
Table 2. Indicators of HTMT criterion. independent variables. We had 0.391 for the IT
HTMT CAPABILITY for 0.702 for PERFORMANCE. We conclude
Performance- IT Capacity 0,697 that this model has a good discriminant validity and is
ISMS 0,633 generally interesting.
ISMS 0,825 Concerning internal model analysis, the table 3 shows the
value of the Student statistic (t) are greater than 1.96;
Table 2 shows the values of HTMT below 0.85. This result
explaining the existence of a strong link between our
signifies that a construct is not explained by on or others. To
constructs. Moreover, the error probability of the links
have more insight of the predicative power of the model, we
between our constructs is very low. Therefore, all our
also analyzed the value of R². It is the proportion of the
hypotheses are accepted.
variability of the dependent variable explained by its
Table 3. Test results of our hypotheses.
According to the mediation effect analysis process for each link is greater than 1.96 by Hair et al., This means
proposed by Nitzl et al., we note that the direct and indirect that the IT CAPABILITY has a partial significant mediation
effect between the ISMS and PERFORMANCE are effect between ISMS and PERFORMANCE. This result was
significant (see Table 4) because the value of the t-statistic also confirmed with the testsof Baron and Kenny and Sobel.
Table 4. Test results of the mediation effects.
Table 5 shows averages and standard deviations of items for each sub-construct. The average of an item represents the main
response given by observations. The standard deviation is the distribution of observations following an item in [34].
Results of the internal model give in table 6 presents the hypothesis test. We note that only 02 out of 11 hypotheses have a t-
Student below 1.96 by Hair et al. Hypotheses H7 and H9 are rejected while the others are accepted.
The research model gives us the opportunity to test two Following the Baron and Kenny and Sobel test (see Table
mediation effects: System quality between RM-CMM and 7), it appears that System quality has a complete and
Administrative performance, and Service quality between significant mediation effect between RM-CMM and
RM-CMM and Administrative performance. Administrative performance.
Table 7. Test results of System quality mediation effect.
Similarly, Service quality has not a mediation effect between RM-CMM and Administrative performance (see Table 8).
confirm moreover the significant positive effect of IT some quality indicators of any system such as reliability,
capability on firm performance [35-37]. flexibility, ease of use and functionality. This result is
Several authors have come to the conclusion that somehow surprising because supplier management is one of
improving the security means taking into account the human the elements of the administrative performance. Information
factor and behavior, and improve the human resources security risk management calls us to emphasize on supplier
qualities [38, 39]. This is confirmed with that the management regarding contracts and services (content and
improvement of information security facilitates improving form, on-time, name and reference products). It increases the
the quality of information security personnel, thus IT firm’s performance. In this sense, we have think improving
capability. maturity level of information security risk management
50% of respondents are from the banking and directly improve administrative performance.
telecommunications sectors, and are IS, IT and security Information delivered by ISMS are assets in a company.
consultants. In our environment, IS are already highly As such, it is important that their quality is very good. This
developed in the Banking and telecommunications sectors. quality is guaranteed by the quality of the ISMS and the
Their vision of the ISMS importance in a company appears quality of services delivered by the ISMS. Indeed, a good
clearly in our findings. This means that any company should ISMS guarantees compliance; which allows the goodness of
therefore invest on information security because it the information’s presentation. Good ISMS services quality
contributes to their performance. helps employees to feel at ease and to be update.
When ISMS delivers good services, these are reliable and
5.1. Results’ Contribution they meet the customers’ needs and stakeholders’ satisfaction.
Improving the maturity of information security risk The direct net profit is the improvement of customer’s
management system implies continuously improvement of satisfaction. Indeed, ISMS designs its services taking into
the risk management process as those of ISO 27005. This consideration stakeholders’ requirements. For example,
improvement suggests the mastery of risk management tools customers want their data secured and the ISMS’s services
such as MEHARI. In an information security risk will encrypt them at any transaction. They will also
management process, once risks are identified, it needed to recommend periodic passwords changing. All this contributes
be treated. What makes reliable ISMS and increases its to customer satisfaction.
quality and its services. 5.2. Limits and Generalizations
Improving the maturity level of information security risk
management system improves the IT capability of a company. The first limitation of our study is at the level of
This result is not surprising because the change or performance measurement. We restricted our study on
improvement of IT capability is most noticeable in an administrative and marketing performance because they are
enterprise during the information security risk management aspects with less interest in companies of our environment.
process. For example, in the risk management, ISMS will This is not the case of financial performance which is the
concentrate on the security services audit in order to main indicator to measure performance in our environment.
determine the vulnerabilities of IS and at last make decision Then one might wonder if security allows a company to be
for delete this vulnerability. As part of an information financially efficient.
security audit that we conducted in a company, we Secondly, our study was limited to the Cameroonian
recommended training courses (ISO 27001 Lead environment and especially to IS, IT and security
Implementer certification) for the chief security officer as professionals. Yet all employees are concerned by
one of the objective of this company was to achieve an ISO information security as far as they participate at different
27001 certification as to reassure its customers in terms of level in securing information assets.
their information security. The third limitation is the small size of our study sample
It is clear that improving the ISMS quality has a positive although it was sufficient enough to produce acceptable
effect on improving the administrative performance. Indeed, results. The small size does not allow us to categorize
the fact that the ISMS is reliable and delivers its activities on analysis. It would have been interesting to know whether our
time is an advantage for the company’s core business, in hypotheses have the same significance in the bank or
which it should therefore be executed on time. Likewise, telecommunications sector, between operational employees
more flexible is the ISMS, more the global management and managers, people trained in information security or not,
system is. small or large company. This would have allowed us to make
Improving the maturity level of information security risk specific recommendations following each group.
management system helps but not directly improving Another limitation is the lack of precise detail on the
administrative performance. In fact, we noticed that the significance of the relationship that may exist between IT
System quality had a complete mediation effect between capability and performance sub-constructs. Indeed, it would
RM-CMM and Administrative performance. This means that have been interesting to analyze the relationship between IT
concentrating on information security risk management management, IT staff and administrative and marketing
without focusing on ISMS quality will not facilitate performance. Moreover, accurate analysis of the relationship
administrative performance. It will be important to focus on between the maturity level of information security risks and
106 Harold Nguegang Tewamba et al.: Effects of Information Security Management Systems on Firm Performance
suppliers’ management would be much expressive. information security audit and or ISO 27001 Lead
These limits are some elements we can rely on to improve Auditor certification.
this research. For example, we can increase the sample size 5. The continuous training of those managers because it is
and observe the changes of results. It will also be interesting important they update daily update their knowledge to
to analyze a particular category of respondents. adapt the security to the environment.
Our research draws attention to stakeholders on the 6. The IS department will formalize the ISMS process and
performance measurement. Indeed, the performance of a have a security dashboard to accurately measure their
company will no longer be financial. This remark draws our activity and the achievement of objectives.
attention on the fact that we can therefore measure the 7. A communication plan should be developed to facilitate
performance of non-profit organization. the acceptance and implementation of security measures.
At the level of the information security manager. Activities
6. Contributions must be done daily and expenditures allocated for security
needs justified. Generally, it plays a major role such as
This last section allows us to propose solutions for a better counselling, support, information, training and alert. It can
contribution of ISMS to the performance of a company. intervene directly on all or part of the company's IS. Indeed,
he must:
6.1. Managerial Implications 1. Master the various department of the company.
The main recommendation is the implementation of an 2. Master change management.
ISMS or the compliance with an existing ISMS, based on 3. Manage the information security risk.
ISO 27001standards. The findings showed the need to focus 4. Develop solutions for information security problems.
on the continuous improvement of the maturity level of 5. Implement or monitor the implementation of these
information security risk management process. This solutions.
improvement will facilitate a good quality of ISMS. This 6. Implement the business continuity plan.
recommendation will involve global requirements at several 7. Implement an information security dashboard.
levels of the company. 8. Calculate the information security return on invest.
At the level of the directorate. It is mainly a question of 6.2. Theoretical Implications
managing policy issues and facilitating the implementation of
ISMS. It is necessary to: In our research, we implemented the IS success model of
1. Lay the foundation for change management in the Delone and McLean on ISMS. The maturity level of process
integration project of an ISMS. is a quality management indicator of any system given that
2. Communicate constantly on net benefits of an ISMS in the quality management is based on process [40]. So we
the company. choose to use the maturity level of information security
3. Give some flexibility to the security manager that could management process as a separate variable. We noted that the
be related rather to the board of administration instead maturity level of process is very influential in an ISMS
of the CEO or CIO. This will facilitate him collecting within a company. Can we not improve Delone and McLean
data for security needs and implementing different IS success model concerning management systems? We will
solutions. then have four (04) dependent variables: system quality,
4. Allow the information security manager to intervene in information quality, service quality and maturity Level of
the choice and requirements of supplier’s services and process.
to propose content elements for the business insurance.
At the level of the chief information officer. Here, actors 7. Conclusion
must manage and master the ISMS process and particularly
the risk management according to the ISO 27005 standard, Actually, the ISMS, which encompasses people, processes
we recommend therefore: and IT systems, is the systemic approach whereby an
1. Creating key positions for the ISMS such as organization ensures the security of information by a risk
information security manager, information security risks management process.
manager and ISMS auditor. The main problem in Cameroon is the awareness of the
2. The information security manager will have a setting up the management of information assets security of
certification in information security management and or the enterprise because the losses are real, even if their
ISO 27001 Lead Implementer certifications: he must be frequency is negligible for some leaders who prefer curative
able to measure the security return on invest and have methods.
relevant information for the contribution of the security The measurement of performance is critical for a
to firm’s performance. company and for each of its departments. It is therefore
3. The information security risks manager must have an important to determine the aspects that facilitate the
ISO 27005 Risk Manager certification and master risks measurement of the performance of the information security
management tools such as MEHARI or EBIOS. department and its contribution to the overall performance
4. The auditor of ISMS must have a certification in of the company.
American Journal of Operations Management and Information Systems 2019; 4(3): 99-108 107
However, the resistance of the respondents did not [14] Ali, B. M. and Younes, B. (2013), The Impact of Information
facilitate our work. Otherwise, this could have improved our Systems on User Performance: An Exploratory Study.
model. We could have better defined the concepts of [15] Lin, H.-Y., Hsu, P.-Y. and Ting, P.-H. (2006), “ERP Systems
administrative performance and marketing performance in Success: An Integration of IS Success Model and Balanced
total agreement with Cameroonian companies. This will Scorecard.”, Journal of Research and Practice in Information
permit the use of more meaningful manifest variables for Technology, Vol. 38 No. 3, pp. 215–228.
decision makers to engage more quickly in the security of [16] Marina Trkman and Peter Trkman. (2009), “A wiki as
their information assets. This survey draws the attention of intranet: a critical analysis using the Delone and McLean
some managers on the importance of ISMS. model”, Online Information Review, Vol. 33 No. 6, pp.
1087–1102.
[17] Sedera, D., Tan, F. and Dey, S. (2007), “Identifying and
References Evaluating the Importance of Multiple Stakeholders
Perspective in Measuring ES-Success”, European Conference
[1] Calder, A. and Watkins, S. G. (2007), Risk Assessment for on Information Systems, Association of Information Systems -
Asset Owners, IT Governance Publishing, available at: AIS, Gothenburg Sweden, available at:
http://www.jstor.org/stable/j.ctt5hh5xt. http://eprints.qut.edu.au/10288/.
[2] ISO/IEC. (2013), ISO 27001 Information Technology — [18] Bharati, P. and Chaudhary, A. (2006), “Product Customization
Security Techniques — Information Security Management on the Web: An Empirical Study of Factors Impacting
Systems — Requirements. Choiceboard User Satisfaction”, Inf. Resour. Manage. J., Vol.
19 No. 2, pp. 69–81.
[3] Calder, A. and Watkins, S. G. (2010), Information Security
Risk Management for ISO27001/ISO27002, IT Governance [19] Kulkarni, U. R., Ravindran, S. and Freeze, R. (2006), “A
Publishing, available at: http://www.jstor.org/stable/j.ctt5hh7jd. Knowledge Management Success Model: Theoretical
Development and Empirical Validation”, Journal of
[4] Delone, W. H. and McLean, E. R. (1992), “Information Management Information Systems, Vol. 23 No. 3, pp. 309–
Systems Success: The Quest for the Dependent Variable”, Info. 347.
Sys. Research, Vol. 3 No. 1, pp. 60–95.
[20] Bradley, R. V., Pridmore, J. L. and Byrd, T. A. (2006),
[5] Pitt, L. F., Watson, R. T. and Kavan, C. B. (1995), “Service “Information Systems Success in the Context of Different
Quality: A Measure of Information Systems Effectiveness”, Corporate Cultural Types: An Empirical Investigation”,
MIS Quarterly, Vol. 19 No. 2, pp. 173–187. Journal of Management Information Systems, Vol. 23 No. 2,
pp. 267–294.
[6] Parasuraman, A., Zeithaml, V. and Berry, L. (1988),
“SERVQUAL: A Multiple-Item Scale for Measuring [21] Arsanjani, A., Bharade, N., Borgenstrand, M., Schume, P., Wood,
Consumer Perceptions of Service Quality”, Journal of J. K. and Zheltonogov, V. (2015), Business Process Management
Retailing, Vol. 64 No. 1, pp. 12–40. Design Guide Using IBM Business Process Manager, edited by
(Firm), S. B. O. and Organization, I. B. M. C. I. T. S., First
[7] Wade, M. and Hulland, J. (2004), “Review: The Resource- edition., IBM Corporation, International Technical Support
Based View and Information Systems Research: Review, Organization, Poughkeepsie, NY, available at:
Extension, and Suggestions for Future Research”, MIS https://briagg.rbc.edu/login?url=http://proquest.safaribooksonl
Quarterly, Vol. 28 No. 1, pp. 107–142. ine.com/?uiCode=cwm&xmlId=9780738440590.
[8] Bharadwaj, A. S. (2000), “A Resource-Based Perspective on [22] Ray, D., Haon, C. and Gotteland, D. (2001), “Effets médiateurs et
Information Technology Capability and Firm Performance: An modérateurs au sein de la relation satisfaction - fidélité : vers une
Empirical Investigation”, MIS Quarterly, Vol. 24 No. 1, pp. meilleure compréhension du rôle de l’image”.
169–196.
[23] Faris, S., Iguer, H., Medromi, H. and Sayouti, A. (2013),
[9] Akter, S., FossoWamba, S., Gunasekaran, A., Dubey, R. and “Conception d’une Plateforme de gestion des risques basée
Childe, S. J. (2016), “How to improve firm performance using sur les systèmes multi-agents et ISO 27005”.
big data analytics capability?”, International Journal of
Production Economics. [24] Anand, A. (2013), The Effect of IT Capabilities on Firm
Performance - Evidence from Healtcare Industry, Master of
[10] Teece, D. J., Pisano, G. and Shuen, A. (1997), “Dynamic Information Systems and Technology - Research thesis,
capabilities and strategic management”, Strategic School of Information Systems & Technology, University of
Management Journal, Vol. 18 No. 7, pp. 509–533. Wollongong.
[11] IS Theory. (2016), “Dynamic capabilities”, [25] Mithas, S., Ramasubbu, N., Krishnan, M. S. and Sambamurthy,
Http://is.theorizeit.org/, available at: V. (2004), “Information Technology Infrastructure Capability
http://is.theorizeit.org/wiki/Dynamic_capabilities (accessed 20 and Firm Performance: An Empirical Analysis”.
April 2016).
[26] Yin, R. (2011), “Case study research: Design and methods
[12] Urbach, N. and Müller, B. (2012), “The Updated DeLone and (4th Ed.)”, SAGE Publication.
McLean Model of Information Systems Success”.
[27] Hair, joseph, Hult, T., Ringle, C. and Sarstedt, M. (2014), A
[13] Gorla, N., Somers, T. M. and Wong, B. (2010), “Organizational Primer on Partial Least Squares Structural Equation Modeling
impact of system quality, information quality, and service quality”, (Pls-Sem).
J. Strateg. Inf. Syst., Vol. 19 No. 3, pp. 207–228.
108 Harold Nguegang Tewamba et al.: Effects of Information Security Management Systems on Firm Performance
[28] Henseler, J., Ringle, C. and Sarstedt, M. (2014), “A new [34] Bhattacherjee, A. (2012), “Social Science Research: Principles,
criterion for assessing discriminant validity in variance-based Methods, and Practices”, Textbooks Collection, Book 3.
structural equation modeling”, Springerlink.com.
[35] Addas, S. and Pinsonneault, A. (2007), “IT capabilities and
[29] Nunnaly and Bernstein. (1994), “Psychometric Theory, 3th firm performance: A resource-based, alliance perspective”,
edition”, McGraw-Hil, New York. Desautels Faculty of Management. McGill University.
[30] Baron, R. M. and Kenny, D. A. (1986), “The Moderator- [36] Iansiti, M. and Favaloro, G. (2006), Enterprise IT Capabilities
Mediator variable distinction in Social Psychological research: and Business Performance. Harvard Business School,
Conceptual, strategic, and statistical considerations”, Journal Keystone Strategy Inc.
of Personality and Social Psychology.
[37] Lazic, M. (2011), “IT Governance and Business Performance -
[31] Nitzl, C., Roldan, J. and Carrion, G. C. (2016), “Mediation A Resource Based Analysis”, PACIS 2011 Proceedings. Paper
Analysis in Partial Least Squares Path Modeling: Helping 103, available at: http://aisel.aisnet.org/pacis2011/103.
Researchers Discuss More Sophisticated Models”, Social
Science Research Network, available at: [38] Ashenden, D. (2008), “Information Security management: A
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2789370. human challenge?” Information Security Technical Report,
Vol. 13 No. 4, pp. 195–201.
[32] Preacher, K. J. and Hayes, A. F. (2008), “Asymptotic and
resampling strategies for assessing and comparing indirect [39] Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q.,
effects in multiple mediator models”, Behavior Research Warkentin, M. and Baskerville, R. (2013), “Future directions
Methods, Vol. 40 No. 3, pp. 879–891. for behavioral information security research”, Computers &
Security, Vol. 32, pp. 90–101.
[33] Sobel, M. E. (1982), “Asymptotic Confidence Intervals for
Indirect Effects in Structural Equation Models”, Sociological [40] Software Engineering Institute. (2010), CMMI® for
Methodology, Vol. 13, pp. 290–312. Development, Version 1.3, available at: http://www.sei.cmu.edu.
[41] Bender, O. (2008), Introduction À La Fidélisation En Entreprise.