Infromation Security Leadership Related

LEADERSHIP STYLES AND INFORMATION SECURITY IN SMALL
BUSINESSES: AN EMPIRICAL INVESTIGATION

by
Debasis Bhattacharya
A Dissertation Presented in Partial Fulfillment

of the Requirements for the Degree
Doctor of Business Administration
UNIVERSITY OF PHOENIX
April 2008
3324059
Copyright 2008 by
Bhattacharya, Debasis
All rights reserved
2008
3324059
2008 by DEBASIS BHATTACHARYA

ALL RIGHTS RESERVED
v
ABSTRACT
Small businesses often display a lack of concern towards cybercrime and information
security problems. A lack of concern usually results in delayed or incorrectly
implemented security measures, which increases vulnerability to cybercrime. The first
purpose of this quantitative, descriptive, correlational research study was to empirically
investigate leadership styles and assess the level of concern regarding information
security problems within small businesses that belong to particular chambers of
commerce or trade associations within the state of Hawaii. The second purpose of this
study was to determine the degree of a possible relationship between leadership styles
and the level of concern towards information security problems within these small
businesses. The 122 small business participants in the study completed the Multifactor
Leadership Questionnaire and the Small Business Security Questionnaire to test whether
a statistically significant correlation exists between particular leadership styles and the
level of concern regarding information security problems. The results of this study
showed a significant correlation between transactional and transformational leadership
styles and the level of concern towards information security problems within small
businesses. This research suggests that small businesses leaders need to demonstrate
more than one leadership style to broaden their preparation against a range of information
security issues and problems. The findings may be applicable to small business leaders
who proactively search for a cost-effective and optimal combination of leadership styles,
technologies, and policies that will mitigate the evolving threats of cybercrime and
information security problems.
Deleted: Section Break (Next Page)
DEDICATION
vi
This dissertation is dedicated to my family and friends, who supported me with

guidance and encouragement. To each and every one of them, I am extremely grateful.
vii
ACKNOWLEDGMENTS
I would like to acknowledge the help and guidance from my dissertation
committee: my mentor, Dr. Therese Kanai; my committee members, Dr. Sanford
Friedman and Dr. Aleta Best. I also appreciate Dr. Julie Ryan for giving me permission to
use the security survey. I would like to thank my mother, Dr. Gauri Bhattacharya, for
providing the inspiration and motivation. I thank my friends and colleagues who assisted
me in the survey and data collection process. Finally, I would like to acknowledge my
learning team and cohort for their friendship and support during the doctoral program.
viii
TABLE OF CONTENTS
LIST OF TABLES............................................................................................. xvi
LIST OF FIGURES .........................................................................................xviii
CHAPTER 1: INTRODUCTION ......................................................................... 1
Background of the Problem .................................................................................. 2
Statement of the Problem...................................................................................... 5
Purpose of the Study ............................................................................................. 6
Dependent and Independent Variables ................................................................. 7
Intervening Variables............................................................................................ 8
Significance of the Study ...................................................................................... 9
Significance of the Study to Leadership ............................................................. 10
Nature of the Study ............................................................................................. 10
Research Questions............................................................................................. 16
Research Question 1 .................................................................................... 17
Hypotheses.......................................................................................................... 18
Hypothesis 1 ................................................................................................ 19
Hypothesis 2 ................................................................................................ 19
Hypothesis 3 ................................................................................................ 19
Theoretical Framework....................................................................................... 20
Leadership Theories..................................................................................... 21
Information Security Management Theories ............................................... 23
ix
Definition of Terms............................................................................................. 24
Assumptions........................................................................................................ 26
Scope and Limitations......................................................................................... 27
Delimitations....................................................................................................... 28
Summary ............................................................................................................. 28
CHAPTER 2: LITERATURE REVIEW ............................................................ 30
Literature Review Search.................................................................................... 31
Historical Overview ............................................................................................ 33
Evolution of Leadership Theories and Models................................................... 34
Trait Theories............................................................................................... 35
Behavioral Theories..................................................................................... 35
Servant Leadership Theory.......................................................................... 36
Situational Leadership Theory..................................................................... 37
Contingency Theory .................................................................................... 37
Path-Goal Theory......................................................................................... 38
Theory of Transformational Leadership ............................................................. 38
Transformational Leadership (Independent Variable)................................. 39
Transactional Leadership (Independent Variable)....................................... 40
Passive-Avoidant Leadership (Independent Variable) ................................ 41
Evolution of Cybercrime and Information Security ........................................... 42
Comparison with Traditional Crime............................................................ 42
Evolving Legislation against Cybercrime ................................................... 44
Efforts of Law Enforcement against Cybercrime........................................ 45
x
Role of E-Commerce ................................................................................... 45
Information Security Theories and Related Research ........................................ 46
Cultural Theory and Risk Management....................................................... 47
Economic Model of Information Security................................................... 48
Integrated System Theory of Information Security ..................................... 49
Current Findings and Alternative Viewpoints .................................................... 50
Leadership Theories in the 21st Century ............................................................. 50
Kouzes and Posners Model ........................................................................ 51
Pseudo Transformational Leadership .......................................................... 51
Innovation and Performance........................................................................ 52
Leadership Styles within Small Businesses................................................. 53
Information Security Management in the 21st Century....................................... 54
Security Assessments................................................................................... 54
Preventative Security ................................................................................... 55
Intrusion Detection ...................................................................................... 58
Incident Response........................................................................................ 59
Physical Security ......................................................................................... 60
Insider Access Abuse................................................................................... 61
Outsourcing Cyber Security ........................................................................ 63
Information Security Within Small Businesses .................................................. 63
Significance of Small Businesses to the US Economy................................ 65
Categories of Small Businesses and Information Security.......................... 66
Information Security Problems (Dependent Variables) .............................. 67
xi
Impact of Regulations and Standards on Information Security................... 71
Security Vendors and Resources Available to Small Business ................... 72
Gaps in the Literature .................................................................................. 74
Conclusion .......................................................................................................... 76
Summary ............................................................................................................. 79
CHAPTER 3: METHOD .................................................................................... 80
Research Design.................................................................................................. 80
Research Questions............................................................................................. 82
Hypothesis........................................................................................................... 82
Hypothesis 1 ................................................................................................ 83
Hypothesis 2 ................................................................................................ 83
Hypothesis 3 ................................................................................................ 83
Appropriateness of Design.................................................................................. 84
Population ........................................................................................................... 86
Sampling Frame .................................................................................................. 87
Informed Consent, Confidentiality, and Geographic Location........................... 88
Instruments.......................................................................................................... 89
Data Collection ................................................................................................... 92
Data Analysis ...................................................................................................... 94
Descriptive Statistics and Chi-Square Tests ................................................ 94
xii
Pearsons Correlation and Multiple Regression Analysis ........................... 95
Validity and Reliability....................................................................................... 96
Internal Validity........................................................................................... 97
External Validity.......................................................................................... 98
Reliability Analysis ..................................................................................... 99
Summary ............................................................................................................. 99
CHAPTER 4: RESULTS.................................................................................. 101
Study Process .................................................................................................... 102
Sample Participants ................................................................................... 102
Survey Development ................................................................................. 103
Pilot Testing............................................................................................... 104
Data Collection .......................................................................................... 105
Post-survey Interviews............................................................................... 106
Reliability Analysis ................................................................................... 107
Post-hoc Confirmatory Factor Analysis .................................................... 107
Non-Response Bias Analysis..................................................................... 108
Descriptive Statistical Analysis ........................................................................ 108
Independent Variables ............................................................................... 109
Dependent Variables.................................................................................. 113
Intervening Variables................................................................................. 114
Other Security Variables............................................................................ 119
Results of Research Questions and Hypothesis ................................................ 122
Research Question 1 and Hypothesis 1 ..................................................... 122
xiii
Multiple Regression Analysis ........................................................................... 136
Predictors of Insider Access Abuse ........................................................... 136
Predictors of Power Failure ....................................................................... 137
Predictors of Data Integrity ....................................................................... 138
Predictors of Data Availability .................................................................. 139
Predictors of Data Theft............................................................................. 140
Predictors of Data Sabotage....................................................................... 141
Summary of Predictors for Seven Security Concerns ............................... 141
Predictors across Leadership Styles, Technology and Procedures............ 143
Qualitative Data for Triangulation.................................................................... 144
Summary of Findings........................................................................................ 146
Conclusions....................................................................................................... 150
CHAPTER 5: CONCLUSIONS AND RECOMMENDATIONS.................... 151
Conclusions....................................................................................................... 152
Literature Review ...................................................................................... 152
Assumptions .............................................................................................. 155
Limitations................................................................................................. 156
Delimitations.............................................................................................. 157
Reliability .................................................................................................. 157
Intervening Variables................................................................................. 158
Other Security Variables............................................................................ 158
xiv
Implications....................................................................................................... 168
Implications for Global Leadership ........................................................... 168
Implications for Small Business Leaders .................................................. 170
Recommendations............................................................................................. 172
Recommendation 1: Leadership Styles Assessment.................................. 172
Recommendation 2: Information Security Assessment............................. 174
Recommendation 3: Application of Cybercrime Leadership .................... 176
Recommendations for Future Research..................................................... 179
Summary ........................................................................................................... 181
Conclusions....................................................................................................... 181
REFERENCES ................................................................................................. 182
APPENDIX A: INFORMED CONSENT FORM ............................................ 197
APPENDIX B: COPY OF SURVEY INSTRUMENTS .................................. 199
APPENDIX C: PERMISSION TO USE MLQ ................................................ 202
APPENDIX D: PERMISSION TO USE SECURITY SURVEY..................... 204
APPENDIX E: HUMAN RESEARCH SUBJECTS CERTIFICATION......... 206
APPENDIX F: RELIABILITY ANALYSIS.................................................... 209
APPENDIX G: FREQUENCY TABLES......................................................... 211
APPENDIX H: CHI-SQUARE TESTS............................................................ 214
APPENDIX I: PEARSONS CORRELATIONS ............................................. 217
xv
APPENDIX J: MULTIPLE REGRESSION ANALYSIS................................ 221
APPENDIX K: SMALL BUSINESS SECURITY CHECKLIST.................... 225
APPENDIX L: POST-HOC CONFIRMATORY FACTOR ANALYSIS ....... 229
APPENDIX M: NON-RESPONSE BIAS ANALYSIS ................................... 232
APPENDIX N: RESOURCES FOR CYBERCRIME VICTIMS .................... 234
xvi
LIST OF TABLES
Table 1 14 Dependent Variables........................................................................... 7
Table 2 Three Independent Variables................................................................... 8
Table 3 Five Intervening Variables ...................................................................... 8
Table 4 Full Range Leadership Model with Nine Factors ................................. 14
Table 5 Literature Surveyed in Support of the Research Questions................... 32
Table 6 Variables, Research Questions, and Survey Items ................................ 91
Table 7 Structure of Online Survey.................................................................. 104
Table 8 Post-Survey Interview Questions ........................................................ 106
Table 9 Independent Variables: Three Leadership Styles ............................... 109
Table 10 Descriptive Statistics of Independent Variables ............................... 110
Table 11 Descriptive Statistics of Factors within each Leadership Style........ 113
Table 12 Descriptive Statistics of 14 Dependent Variables............................. 114
Table 13 Intervening Variables ....................................................................... 115
Table 14 Intervening Variable: Connectivity Options...................................... 118
Table 15 Access to Computers and Networks.................................................. 119
Table 16 Information Security Policies and Procedures................................. 120
Table 17 Information Security Technologies................................................... 120
Table 18 Data Importance ............................................................................... 121
Table 19 Information Security Experiences within Past 12 Months................ 122
Table 20 Pearson's Correlations - Transformational Leadership Style.......... 123
Table 21 Pearson's Correlations - Transformational Leadership Factors ..... 125
Table 22 Multiple Regression Analysis - Predictors of Data Secrecy............. 126
xvii
Table 23 Multiple Regression Analysis - Predictions of Data Availability ..... 127
Table 24 Pearson's Correlations - Transactional Leadership Style................ 130
Table 25 Pearson's Correlations - Transactional Leadership Factors ........... 132
Table 26 Pearson's Correlations - Passive-Avoidance Leadership Style........ 134
Table 27 Pearson's Correlations Passive-Avoidance Leadership Factors .. 135
Table 28 Multiple Regression Analysis - Predictors of Insider Access Abuse 136
Table 29 Multiple Regression Analysis - Predictors of Power Failure........... 137
Table 30 Multiple Regression Analysis - Predictors of Data Integrity ........... 138
Table 31 Multiple Regression Analysis - Predictors of Data Availability....... 139
Table 32 Multiple Regression Analysis - Predictors of Data Theft ................. 140
Table 33 Multiple Regression Analysis - Predictors of Data Sabotage .......... 141
Table 34 Summary of Predictors for Seven Security Problems....................... 142
Table 35 Summary of Post-Survey Interview Responses ................................. 144
Table 36 Summary of Findings for Research Questions ................................. 147
Table 37 Summary of Findings for Research Hypothesis................................ 148
Table 38 Summary of Significant and Noteworthy Findings ........................... 149
Table 39 Cybercrime Leadership using Leadership Style Score ..................... 176
Table 40 Example of Cybercrime Leadership ................................................. 177
Table 41 Cybercrime Leadership, Technology and Policy.............................. 178
xviii
LIST OF FIGURES
Figure 1. Torbjorns (2004) Four Worldviews and Grid/Group Typology........ 48
Figure 2. Computer Security Incidents in the US (CSI/FBI, 2006). .................. 65
Figure 3. Technologies Used by Businesses in the US (CSI/FBI, 2006). .......... 72
Figure 4. Map of Research Methodology and Design........................................ 85
Figure 5. Histogram of Transformational Leadership Styles ........................... 111
Figure 6. Histogram of Transactional Leadership Styles ................................. 111
Figure 7. Histogram of Passive-Avoidance Leadership Styles ........................ 112
Figure 8. Business Area.................................................................................... 115
Figure 9. Number of Employees ...................................................................... 116
Figure 10. Annual Revenues ............................................................................ 116
Figure 11. Number of Computers..................................................................... 117
Figure 12. Leadership Augmentation Model for Cybercrime .......................... 169
Figure 13. Cybercrime Leadership Framework Overview for Small Business 170
Figure 14. Cybercrime Leadership Framework Details for Small Business .... 171
Figure 15. Assessment of Key Leadership Factors .......................................... 173
Figure 16. Computation of Leadership Style Scores........................................ 174
Figure 17. Basic Information Security Assessment (Easttom, 2006)............... 175
1
CHAPTER 1: INTRODUCTION
Globalization and increased reliance on the internet has forced many
organizations to rely on computer and networking technology for the storage of valuable
company and personal information (Easttom, 2006). Many small businesses have
embraced internet technologies to reach out to their customers, partners, and employees
from around the world (Day, 2003). Proliferation of online activity and e-commerce has
attracted the attention of existing criminal organizations and a new breed of
cybercriminals (Gupta & Hammond, 2005).
Cybercriminals engage in online attacks that exploit vulnerabilities and
deficiencies within the cyber defenses of organizations (Szor, 2005). Because of size,
resource, and skill constraints, small businesses are often ill-prepared to combat the
emerging threats of cybercrime (Ryan, 2000). Small business owners and key employees
with effective leadership styles can help prioritize actions needed to combat cybercrime
and mitigate information security concerns (Northouse, 2004). Conversely, ineffective
leadership styles can lead to passive or reactive measures against cybercrime, which can
lead to business damages and losses (Gupta & Hammond, 2005).
The first purpose of this quantitative, descriptive, correlational research study was
to investigate leadership styles and assess the level of concern towards information
security problems within small businesses that belong to various chambers of commerce
or trade associations within the state of Hawaii. The second purpose of this study was to
determine the degree of a possible relationship between leadership styles and the level of
concern towards information security problems within small businesses. Chapter 1
describes the problem and purposes of this study, presenting its research questions,
2
hypothesis, theoretical framework, nature, and significance. This chapter also describes
terms, assumptions, limitations, and delimitations of the research. Chapter 1 concludes
with a summary of key points and an introduction to Chapter 2.
Background of the Problem
Studies identified several major categories of cybercrime that affect small
businesses in the United States (Anat & John, 2003; Easttom, 2006; Reid, 2003). Spam
(unsolicited email) crowds company inboxes and carries with it the threat of malicious
attachments and viruses that can cause further damage (Reid). Small businesses contend
with viruses, executable programs that can replicate themselves speedily and stealthily on
many computers (Easttom). Virus detection software can protect against cybercrime, yet
computers without the necessary software are susceptible to virus attacks (Campbell,
2004). According to the US CSI/FBI Survey (2006) virus attacks constituted the single
biggest threat of financial loss to United States (US) businesses. Denial of Service attacks
intend to overwhelm the computer networks of a target business (Anat & John). For
example, cyber extortionists may launch a DoS attack on a network that provides email
service to many thousands of small businesses (Lepofsky, 2006).
Phishing, a deceptive strategy to gain personal information the target might not
otherwise divulge, is an increasingly common form of computer attack (Easttom, 2006).
According to Easttom, incidents of phishing are rising more rapidly than other forms of
cyber attacks. In a phishing attack, the victim unsuspectingly provides banking, financial,
or personal information to a website that impersonates a real one. For example, a fake
website from a bank controlled by cyber criminals may trick unsuspecting small
businesses into disclosing key online banking information. Loss of information usually
3
leads to identity theft and allows the cyber criminals to obtain new credit cards or transfer
funds out of illegally accessed bank accounts (Diller-Haas, 2004). Over the first six
months of 2006, the security software vendor Symantecs Probe Network (Symantec,
2007) detected 157,477 unique phishing messages totalan average of 865 unique
phishing messages per day. According to Symantec (2007), the phishing results
represented an 81% increase over the messages detected in the last half of 2005, and a
61% increase over those detected in the first half of 2005.
Bot (short for robot) networks are threats against business organizations and home
users (Easttom, 2006). According to Easttom, a bot program installs itself on a system,
thus enabling a cybercriminal to have remote control of the computer. Bot-controlled
computers, assembled into a bot network, can spawn large-scale attacks against a target
victim (Day, 2003). Symantec (2007) reported that the United States had over one quarter
of all the worlds bot-infected computers between July and December of 2005. Botinfected computers, many of which belong to small businesses in the United States, may
someday provide a foundation for cyber terrorism (Foltz, 2004).
Cybercrimes against small businesses can be perpetrated by ex-employees who
still have secure access to company computer systems (Furnell, Jusoh, & Katsabas,
2006). Employees or workers may be the weakest link in the security infrastructure of a
business (Hall, 2003). According to Hall, malicious activities on the part of employees or
ex-employees can significantly disrupt small business activities. Competitors and rivals
as well can use methods such as bot-nets to damage the operations and reputation of a
small business (Knight, 2004).
4
Small business owners are often entrepreneurs who set the company vision,
demonstrate problem-solving and decision-making capabilities, take risks, and launch
strategic initiatives (Fernald, Solomon, & Tarabishy, 2005). According to one study of
194 small businesses (O'Regan, Ghobadian, & Sims, 2005), effective leadership styles is
likely to lead to better business performance. ORegan et al. claimed that small
businesses that emphasize any specific leadership style show better performance than
businesses with weak or uncertain leadership styles.
According to the available literature on small businesses, leadership, and
information security, no previous research focuses on the possible relationship between
leadership styles and information security problems. This study intended to fill this void.
This study assessed the leadership styles of small business leaders and the influence
leadership styles exerted upon information security experiences and problems. This
research study offers three potential benefits: (a) an assessment of the prevalent small
business leadership styles in the state of Hawaii; (b) a more precise identification of the
specific leadership styles that best mitigate information security threats and problems;
and (c) guidance for small business owners on the most effective leadership styles against
information security threats.
Using the Multifactor Leadership Questionnaire (MLQ) survey from Bass and
Avolio (2004) and the Small Business Security Survey (Ryan, 2000), this study examined
the leadership styles within a sample of small businesses that belong to various chambers
of commerce (CoCHawaii, 2007) or trade associations (SBH, 2007) within the state of
Hawaii. Chapter 2 discusses the theoretical aspect of leadership styles and information
security problems in more detail.
5
Statement of the Problem
Current research indicates that the information systems of small businesses in the
United States are vulnerable to cybercrime (Adamkiewicz, 2005; Baker & Wallace, 2007;
Gupta & Hammond, 2005; O'Rourke, 2003). Computer security breaches disrupt
businesses, causing annual revenue losses of over $200 million in the United States
(Norah, 2004). According to the US Federal Bureau of Investigations (FBI) 2005 The
Cyber Crime Survey of 24,000 US organizations asserted that cybercrime may cost
businesses in the United States an estimated $67 billion in annual losses (FBI, 2005).
The problem is small businesses often display a lack of concern towards
information security problems (Gupta & Hammond, 2005). A lack of concern usually
results in delayed or incorrectly implemented security measures, which increases
vulnerability to cybercrime (Andress, 2003; DeZulueta, 2004). In an empirical study of
1000 small businesses in the Lynchburg, Virginia area, Gupta and Hammond suggested
that ineffective leadership styles might influence the lack of concern towards information
security problems. The authors noted limited empirical evidence regarding the effect of
leadership styles and the level of concern towards information security problems.
This quantitative, descriptive, correlational study examined the problem by
determining whether and to what degree any relationship exists between leadership styles
(independent variables) and the level of concern for information security problems
(dependent variables). The general population for the study included small businesses
located in the state of Hawaii. The results of this study provides small business leaders
with information useful in assessing their level of concern and determining which
leadership styles are the most effective in mitigating information security problems.
6
Purpose of the Study
(CoCHawaii, 2007) or trade associations (SBH, 2007) within the state of Hawaii. The
second purpose of this study was to determine the degree of a possible relationship
between leadership styles and the level of concern towards information security problems
within small businesses.
The research design of the study involved a pilot study, online survey, and phone
interviews to triangulate data from survey respondents. The online survey used two peerreviewed, valid, and reliable surveys. The two surveys included the Multifactor
Leadership Questionnaire (Bass & Avolio, 2004) and the Small Business Security Survey
(Ryan, 2000). The specific study population included 2825 small businesses located in
the state of Hawaii, with 500 or fewer employees (SBA, 2007), that belonged to various
chambers of commerce (CoCHawaii, 2007) or trade associations (SBH, 2007) within the
state of Hawaii.
Leedy and Ormrod (2001) claimed that quantitative descriptive design involves
exploring possible correlations among two or more phenomena (p.191). Data was
analyzed using descriptive statistics, correlational analysis, and multiple regression
methods. The research design accomplished the goals of the study by providing empirical
evidence regarding the potential relationship between three independent variables
(transformational, transactional, passive-avoidant leadership styles) and 14 dependent
variables (information security problems).
7
Dependent and Independent Variables
There are 14 dependent variables. As shown in Table 1, each represented a
specific information security problem that a small business may face (Ryan, 2000).
Using a Likert scale, the study examined the level of concern for each security problem.
Table 1
14 Dependent Variables
Information security problem Examples of problem in small businesses
Insider access abuse
Unauthorized login by employees
Viruses
Programs that enter through attachments in email
Power failure
Loss of data due to abrupt shutdown of computers
Software problems
Vulnerable software due to absence of patches
Data integrity
Corruption of customer list or sales data
Transaction integrity
Corruption of financial transaction with bank
Outsider access abuse
Unauthorized entry by former employees
Data secrecy
Confidentiality of payroll information
Data availability
Availability of access to time sheet data
Data theft
Theft of confidential employee information
Data sabotage
Intentional destruction of financial data
User errors
Accidental erasure of data by untrained user
Natural Disaster
Damage to computer systems from floods
Fraud
Impersonation and deceit used to elicit information

The three independent variables, as shown in Table 2, were the transformational,
transactional, and passive-avoidant leadership styles as defined by Bass and Avolio
8
(2004). The study hypothesized that effective leadership styles (the independent
variables, listed in Table 2) would foster concern for information security problems (the
dependent variables, listed in Table 1) within small businesses.
Table 2
Three Independent Variables
Leadership styles
Examples in small businesses
Transformational leadership Visionary, dynamic owner

Transactional leadership
Leader focused on costs and benefits
Passive-avoidant leadership
Absentee, unavailable leader

Intervening Variables
The research was statistically controlled by five intervening variables derived

from the Small Business Security Survey (Ryan, 2000), as shown in Table 3.
Table 3
Five Intervening Variables
Variable name
Examples in small businesses
Business area
Industry as in Agriculture, Transportation or Mining
Number of employees Ranges from 1 to 500

Annual revenue
Ranges from less than $500,000 to more than $5 million
Number of computers
Ranges from less than five to more than 100 computers
Connectivity
Various types as in Internet, Intranet, E-Commerce
Creswell (2003) stated that intervening variables mediate the effects of the
independent variable on the dependent variable (p. 94). Analysis of the responses based
9
on such intervening variables helped determine if intervening variables influenced the
level of concern about information security problems (dependent variables).
Significance of the Study
This study provided a deeper understanding of the impact that specific leadership
styles have within small businesses on information security experiences and problems.
The results of this study is potentially useful to small business owners and entrepreneurs,
who are frequently so focused on achieving company success that they may not pay
attention to critical details of information security (Gupta & Hammond, 2005).
Identification of the most effective leadership styles for preventing and combating
cybercrime and information security breaches could help small business owners to avert
information security breaches and cyber attacks.
Small businesses often adopt reactive measures to cybercrime (Andress, 2003).
According to Andress, reactive (as opposed to proactive) or otherwise ineffective
leadership styles might further increase vulnerability to cybercrime. Small businesses
continually face time, resource, and financial constraints (Gupta & Hammond, 2005).
Gupta and Hammond claim that despite such constraints, effective leadership styles may
enable a proactive, well-prioritized approach to information security assessment,
readiness, and prevention. The findings of this study helps increase the overall stability
and success of small businesses by decreasing the chances of an information security
breach. For example, the study identified the prevailing leadership styles in small
businesses in Hawaii, identified the most effective leadership styles for mitigating threats
to information security, and filled the current literature void regarding leadership styles
and information security experiences and problems within small businesses.
10
Significance of the Study to Leadership
This study enables small business owners and entrepreneurs to understand which
leadership styles best foster mitigation of information security problems and concerns. As
mentioned previously, the current literature lacks research on transformational and
transactional leadership styles and their impacts on information security experiences and
problems with small businesses. This studys significance to leadership will lie in its
abilities to help close the important literature gap on small business information security
and to guide small business leaders who wish to practice the most effective leadership
styles for protecting information security.
As small businesses embrace globalization and the internet, their owners may
benefit from encouragement to investigate which leadership styles best mitigate
information security concerns (Bass & Avolio, 2004). Such investigations can have three
objectives: (1.) to identify adaptive small business leadership styles, namely those styles
that help to prioritize needed improvements in cyber defenses and to detect
vulnerabilities; (2.) to create a shared vision and awareness among small business
employees about the need for safe computing practices; and (3.) to inspire employee
collaboration and vigilance against cybercrime.
Nature of the Study
This research study used a quantitative, descriptive, correlational methodology to
investigate a possible relationship between leadership styles of small business owners
(independent variables) and the level of concern for information security problems
(dependent variables) within their companies. Two previously validated and broadly used
research survey instruments were used: the Multifactor Leadership Questionnaire (MLQ)
11
survey instrument (Bass & Avolio, 2004) and the Small Business Security Survey
instrument (Ryan, 2000).
The population for this study consisted of a sample of small businesses that
belong to various chambers of commerce (CoCHawaii, 2007) or trade associations (SBH,
2007) within the state of Hawaii. Businesses that belonged to more than one organization
were included only once in the study population, in order to avoid duplication. The study
defined a small business as one with 500 or fewer employees, the commonly accepted
definition according to the United States Small Business Administration (US SBA)
(SBA, 2007). The data from the US SBA indicated that the majority of companies within
Hawaii are small businesses. According to the Chamber of Commerce of Hawaii, over
75% or 825 of its 1100 members are small businesses (CoCHawaii). The Chamber of
Commerce, established in 1850, is Hawaiis largest advocate of small businesses. The
Small Business Hawaii trade association, founded in 1975, also advocates for small
companies and has 2000 members (SBH).
A pilot study was conducted with 10 small businesses who are members of a
chamber of commerce or a trade association in Hawaii. The pilot study participants,
randomly selected from the study population were small business owners who fulfilled
the eligibility criteria of the study population. The randomly selected 10 businesses
represented different industries, and had different number of employees. Five businesses
belonged to the Chamber of Commerce of Hawaii and five members belonged to the
Small Business Hawaii trade association.
Over a two-week period, an online survey was distributed to all 10 participants
through email. The instructions in the email directed the participants to an online survey
12
hosted by a commercial provider of online surveys. The researcher followed up any
survey responses needing clarification with phone calls. The pilot study intended to
ensure that the participants clearly understood the survey questions; that the survey was
adequate for answering the research questions; and that the online survey was userfriendly enough for participants to complete it in 10 minutes.
The online survey was improved from the pilot study version and administered to
a systematic sample of 800 businesses chosen from the study population of 2825 small
businesses. To validate the survey findings, the data was triangulated with data from one
other source. According to Rubin and Babbie (2005), Triangulation deals with
systematic error by using several different research methods to collect the same
information (p. 181). The additional data for triangulation and validation of the survey
results was drawn from in-depth interviews with 10 business leaders randomly chosen
from participants who had submitted valid and complete responses to the online survey.
According to Rubin and Babbie (2005), a descriptive research paradigm provides
details on the subjects relative to two or more variables. According to the authors, the
correlational research method investigates the possible degree and direction of a
relationship between the independent and the dependent variables. If the degree of
correlation is strong, the hypothesis bears more credibility. Conversely, if the degree of
correlation is weak, the hypothesis bears less credibility (Rubin & Babbie).
Such an approach fit the purposes of this study. The selected research method fit
the primary objective of this study: to explore possible relationships between leadership
styles (independent variables) and level of concern for information security problems
(dependent variables). The objective of this study was not to establish causal
13
relationships between the independent and dependent variables. Thus, a causalcomparative design was not appropriate here. Since the creation a control group of small
business leaders without any leadership styles was impractical, an experimental or quasiexperimental study was also inappropriate.
Creswell (2003) defined a quantitative research method as one in which the
investigator employs strategies of inquiry such as surveys and collects data on
predetermined instruments that yield statistical data (p. 18). Quantitative study design
describes and explains the relationships among variables; qualitative study design
explores and illuminates the meanings of data collected from the field (Creswell).
Qualitative design typically explores and understands a central phenomenon in the
development of a theory (Creswell). Since this studys objective was be to explore
possible relationships among existing variables in their natural environment, without
applying any treatments, qualitative study design was inappropriate here.
The theoretical framework of this research study was based on the full range
leadership model of Bass and Avolio (2004). The study used the MLQ instrument that
includes a Likert scale to measure three specific leadership styles (defined here as
independent variables) of small business owners (Bass & Avolio, 2004). The MLQ
instrument assesses three leadership styles by investigating nine behavioral factors.
Through extensive factor analysis in 2003, Bass and Avolio (2004) have identified the
five behavioral factors of the transformational leadership style as follows: idealized
attributes (IA), idealized behaviors (IB), inspirational motivation (IM), intellectual
stimulation (IS), and individualized consideration (IC).
14
Through confirmatory factor analysis, Bass and Avolio also have identified two
behavioral factors of transactional leadership style: contingent reward (CR) and
management-by-exception (active) (MBEA). Finally, their factor analysis determined the
two behavioral factors of laissez-faire or passive-avoidant leadership style: passive
management-by-exception (passive) (MBEP) and laissez-faire (LF). Table 4 displays the
full range leadership model with nine factors of leadership.
Table 4
Full Range Leadership Model with Nine Factors
Leadership styles
Factors within leadership style
Transformational leadership Idealized attributes (IA)

Idealized behavior (IB)
Inspirational motivation (IM)
Intellectual stimulation (IS)
Individualized consideration (IC)
Transactional leadership
Contingent reward (CR)

Management-by-exception (active) (MBEA)
Passive-avoidant leadership
Management-by-exception (passive) (MBEP)

Laissez-faire (LF)
Information security issues and concerns (defined in this research as a dependent

variable) was examined through the Small Business Security Survey (Ryan, 2000).
According to Ryan, the Small Business Security Survey uses a Likert scale to measure
the level of concern for14 information security problems that small businesses commonly
15
face, as shown in Table 1. This study examined five intervening variables, shown in
Table 3, to determine if intervening variables influenced the level of concern regarding
information security problems.
A multidisciplinary array of applications supports the validity and reliability of
the two study instruments (Bass & Avolio, 2004), as does pre-testing and application in a
dissertation project (Ryan, 2000) and a subsequent study reported in a peer-reviewed
journal (Gupta & Hammond, 2005). Bass and Avolio noted that internal consistency
rating, using Cronbachs coefficient alpha, were above .70 for all scales except for active
management-by-exception. Gupta and Hammond (2005) reported that their reliability
tests on the Small Business Security Questionnaire resulted in Cronbach coefficient alpha
values ranging from 0.64 to 0.785. In other words, both instruments were reliable.
The Pass Power Analysis and Sample Size (PASS) 2005 software was used for
statistical power analysis to determine the probability of avoiding Type II errors (Rubin
& Babbie, 2005). According to Rubin and Babbie (2005), a Type II error occurs if we
fail to reject a false null hypothesis (p. 604). Assuming a significance level of .05 and a
medium effect size with r2 = 0.09, the power of the test of significance of correlation for
sample size of 200 is .99. Using the same parameters of medium effect size, the power of
test of significance of correlation for sample size of 100 is .86. The result indicated that
the probability of committing a Type II error is 0.01 (1 - .99) for samples larger than 200
and 0.14 (1 - .86) for a sample size of 100, assuming a medium effect size with r2 = 0.09
and at .05 significance level.
The generalization of this studys results will be enhanced if the selected research
design, methodology, and systematic sampling approach fit well with the purpose of the
16
study (Creswell, 2003). According to Triola (2004), the more the survey respondents
correlate with the general population, the higher the confidence level in the accuracy and
validity of the data will be. The focus on a state like Hawaii allowed the researcher to
select small businesses with diverse business profiles (CoCHawaii, 2007).
The survey was conducted online using Zoomerang (2007), an established,
commercial online survey provider. The estimated time to complete the online survey
was 10 minutes. The estimated 30-minute in-depth interviews with the 10 randomly
selected small business owners were conducted over the telephone. The data was
exported to SPSS version 16.0 for Windows software to perform descriptive statistical
analysis, correlation analysis, and multiple regression analysis. Correlation analysis and
multiple regression analysis provided information to answer the research questions and
related hypotheses.
Research Questions
Creswell (2003) stated that research questions are interrogative statements or
questions that the investigator seeks to answer (p. 108). According to Rubin and Babbie
(2005), research questions need to be posed in a way that can be answered by observable
evidence (p. 117). Research questions should be feasible, but not so narrow that they are
no longer worth investigating (Rubin & Babbie). This study included 14 dependent
variables and three independent variables as shown above in Tables 1 and 2 respectively.
The following research questions guided this study and established the hypotheses
through quantitative data collection and analysis.
17
Research Question 1
R1: What is the relationship between the transformational leadership style and the
level of concern for information security problems within small businesses?
Research Question 2
R2: What is the relationship between the transactional leadership style and the
Research Question 3
R3: What is the relationship between the passive-avoidant leadership style and the
According to Creswell (2003), the independent and dependent variables must be
measured separately (p. 109). The study employed the Multifactor Leadership
Questionnaire or MLQ (Bass & Avolio, 2004) to measure the three independent variables
and the Small Business Security Survey (Ryan, 2000) to measure the 14 dependent
variables. The MLQ measures a broad range of leadership styles from the ineffective to
the effective (Bass & Avolio).
At their most ineffective, leaders display the laissez-faire leadership stylethat is,
they avoid responsibility and action (Bass & Avolio, 2004). At their most effective,
leaders display the transformational style, consisting of behaviors that generate higher
levels of organizational performance. The Small Business Security Survey (Ryan, 2000)
measures the level of concern for 14 separate information security problems that are
common to small businesses. The following hypotheses were tested to answer the
research questions.
18
Hypotheses
Quantitative research is essentially about testing the hypothesis and arriving at
the conclusion to either reject or not reject the null hypothesis (Rubin & Babbie, 2005).
Creswell (2003) described hypotheses as predictions the researcher holds about the
relationship among variables (p. 108). Creswell claimed that testing the hypotheses
requires statistical procedures like correlation analysis and multiple regression analysis
that enable the investigator to draw inferences about the population from the study
sample (p.108). Hypotheses are necessary to determine the degree of any correlational
relationship that may exist among the three independent variables and the 14 dependent
variables (Rubin & Babbie). The hypotheses in this study provided the necessary
framework to investigate the degree to which each of the three leadership styles
influenced the level of concern for information security experiences and problems within
small businesses in the designated study population.
The research study employed three statistical hypotheses to measure the
relationship(s) among three independent variables (three leadership styles) and 14
dependent variables (information security problems). The H0 represented the null
hypothesis and Ha the alternative hypothesis. According to Creswell (2003), the null
hypothesis makes a prediction that in the general population, no relationship or no
difference exists between groups on a variable (p. 109). The following hypotheses were
tested, based on a quantitative research methodology, to answer the research questions.
19
Hypothesis 1
H10: There is no relationship between the transformational leadership style score
and the level of concern for information security problems within small
businesses.
H1a: There is a relationship between the transformational leadership style score
businesses.
Hypothesis 2
H20: There is no relationship between the transactional leadership style score and
the level of concern for information security problems within small businesses.
H2a: There is a relationship between the transactional leadership style score and
Hypothesis 3
H30: There is no relationship between the passive-avoidant leadership style score
businesses.
H3a: There is a relationship between the passive-avoidant leadership style score
businesses.
H1a was tested to determine if there was a statistically significant relationship
between the transformational leadership style score of small businesses and the level of
concern for information security problems. H2a was tested to determine if a statistically
significant relationship existed between the transactional leadership style score of small
20
businesses and the level of concern for information security problems. H3a was tested to
determine if there was a statistically significant relationship between passive-avoidant
leadership style score of small businesses and the level of concern for information
security problems.
Correlation analysis determines the degree to which any relationship exists
between independent and dependent variables (Rubin & Babbie, 2005). According to
Rubin and Babbie, correlation analysis also determines whether the relationship is
positive or negative. The Pearsons correlation coefficient factor yields an r-value that
determines the significance and extent of the relationship between the independent and
dependent variables (Simon, 2006). Regression analysis was performed only when a
statistically significant relationship was found between the independent and dependent
variables. The results of the statistical tests provided answers to the research questions.
Theoretical Framework
The purpose of this study was to determine the degree of a possible relationship
within small businesses. The theoretical framework for this study begins with House
(1971) and the path-goal theory and Burns (1979) theory on transactional and
transformational leadership. Burns theory was updated by Bass (1990) and eventually
extended to include the full range of leadership styles (Bass & Avolio, 2004). This
studys theoretical framework on leadership includes Basss proposition that leadership
styles varies according to the underlying business situation. This framework is also based
on Herzbergs (1959) motivation-hygiene theory, Vrooms (1964) expectancy theory, and
Gordons and Loebs (2002) economic model on information security.
21
For many decades, research on leadership has centered on such questions as
autocratic versus democratic leadership, directive versus participative decision-making,
task versus relationship focus, and initiation versus consideration behavior (Bass, 1990).
Bass controversially noted that with increased globalization, business re-engineering, and
organizational transformations, the greater the need for increased research on leadership
development in individuals, groups, and large organizations. As observed, little research
exists on the impact of leadership styles on information security within small businesses,
despite the increase in cybercrime targeting small businesses.
This study complements and extends the previous literature on small business
leadership styles and information security problems. The subsequent discussion gives an
overview of the leadership theories and ideas about effective information security
management that contributes to this studys theoretical framework. Chapter 2 elaborates
further on theories and ideas.
Leadership Theories
This study focused on the relationship between leaders and followers within small
businesses. In small businesses, defined as organizations with 500 or fewer employees
(SBA, 2007), the leadership styles of business owners and key employees influence the
performance of the entire organization more directly than in larger companies. Burns
(1979) proposed a theory that leadership is comprised of transactional and transforming
components. Burns defined transactional leadership as a form of leadership that involves
a system of exchange between leaders and followers. Contingent reward and management
by exception are elements of this exchange system (Burns).
22
Burns (1979) defined transforming leadership as a form in which the leader
encourages the needs of the followers for charisma, individualized consideration, and
intellectual stimulation from him or her. Burns understood transformational and
transactional leadership as the two ends of a continuum ranging from extraordinary to
ordinary, respectively. This theory was controversial and debated in its time because it
implied that leaders could be either transactional or transforming but not both.
Bass (1990) updated Burns theory by changing the term transforming to
transformational leadership. Bass contended that leaders could display more than one
leadership style; they could even show a combination of transactional and
transformational styles. Believing that leadership is the key to effective organizational
performance, Bass argued the need to consider both underlying situations and leadership
styles when evaluating the effectiveness of an organization. According to Bass (1990), it
becomes clear that an adequate analysis of leadership involves a study not only of leaders
but of situations (p. 76). Small businesses in the United States and around the world
frequently face situations of threat and attack to information security (Wall, 2004).
This study fills a gap in the current leadership literature by focusing on the
leadership styles of small business owners and key employees and the influence of
leadership on the effective management of information security concerns given
constraints in finances, resources, and size. This study used the full range leadership
model (Bass & Avolio, 2004) to investigate a wide range of small business leadership
styles that could influence the ability to manage information security concerns.
23
Information Security Management Theories
The management of information security concerns within small businesses draws
upon theories on employee motivation, expectancy of outcomes, culture, economics, and
integrative theories of economic security. Herzberg, Mausner, and Snyderman (1959)
constructed a two-dimensional paradigm of factors to reflect employees perceptions of
job satisfaction. According to Herzberg et al., hygiene factors included company policies,
supervision of employees, interpersonal relationships, working conditions, salaries,
benefits, and job security. The absence of hygiene factors can cause job dissatisfaction,
but the presence of hygiene factors does not necessarily motivate employees or create job
satisfaction. Motivation factors include achievement, recognition, responsibility,
possibility of growth, relationships with supervisors, and job security (Herzberg et al.).
Vrooms (1964) expectancy theory extended Herzbergs theory of motivation by
claiming that a factors degree of influence is based on the importance an individual
places on that factor. According to Vroom, if an individual believed that a certain
outcome is possible, his or her expectation of that outcome is high. The degree of
motivation is higher when an individual realizes that a certain level of performance leads
to a desired outcome (Vroom). Vrooms theory is important to the prevention of
information security threats and the detection of existing vulnerabilities within small
businesses. Assuming that small business owners value information security prevention
and vigilance, small business employees can expect their safe computing practices to lead
to lower incidents of attacks and cybercrime.
Because small businesses are constantly changing in the 21st century, the
motivation of employees to remain vigilant against cybercrime is important (Baker &
24
Wallace, 2007). According to Baker and Wallace, the management of information
security is an ongoing process that requires the continuous motivation and vigilance of
employees. Related theories about cultural factors described the impact of social
assumptions and constraints on the worldviews of the individual (Torbjorn, Oltedal,
Moen, & Hroar, 2004). According to Torbjorn et al., worldviews can influence the
approach to risk evaluation and information security management.
Gordon and Loeb (2002) provided controversial insight into the incremental
benefits of information security, and proposed that an optimal choice of information
security investments justifies the incremental benefits. Hong, Yen-Pin, Loui, and Tang
(2003) proposed an integrated system theory of information security management based
on core underlying information policy, risk management, management system, and
contingency theories. Chapter 2 gives additional details concerning information security
theories.
Definition of Terms
The following operational terms and definitions provide a clear understanding of
their uses within the context of this study:
1. Bot-network: Computers hijacked by cybercriminals, without the knowledge of their
owners, to forward spam and viruses to computers over the internet (Easttom, 2006).
2. Cybercrime: According to the US Department of Justice (CC&IPS, 2006), cybercrime
is any violation of criminal law that involve a knowledge of computer technology
for their perpetration, investigation, or prosecution. This broad definition of
cybercrime includes computer crimes committed solely through the internet, such as
dissemination of viruses and worms. However, according to the US Department of
25
Justice, this legal definition also includes traditional crimes like child pornography,
hate crimes, fraud, and identity theft that are committed via the internet (CC&IPS).
3. Denial of service attack: This cybercrime makes information systems unavailable to
users. It often results in lost revenue and productivity (Easttom, 2006).
4. Information Security: According to Ryan (2000), information security is that set of
technologies, policies, procedures, and engineering principles that contribute to
protecting the confidentiality, integrity, and availability of information systems and
assets. Information security detects attempts to compromise the confidentiality,
integrity, or availability of information systems or assets; and recovering from
problems with or attacks upon information systems or assets (p. xix xx).
5. Leadership Styles: A general term used in this study to categorize the various
dimensions of leadership articulated in the full range leadership model of Bass and
Avolio (2004). As mentioned previously, leadership styles include transformational,
transactional, and passive-avoidant styles (the studys proposed independent
variables).
6. Multifactor Leadership Questionnaire (MLQ): The latest version of the survey
instrument from Bass and Avolio (2004) examined various leadership styles within
organizations. The MLQ measured the studys proposed independent variables.
7. Phishing: Unauthorized attempts to gain personal information for criminal gain
(Easttom, 2006).
8. Small Business: According to the United States Small Business Administration (SBA,
2007), and for the purposes of this proposed study, an organization located within the
United States with 500 or fewer employees.
26
9. Small Business Security Questionnaire: Initially developed by Ryan (2000) as part of
a doctoral dissertation on information security issues within small businesses in the
USA. This survey, subsequently administered in other studies and reported in peerreviewed journals, measured the studys proposed dependent variables.
10. Spam: Unsolicited electronic messages sent to online recipients (Easttom, 2006).
11. Security Breach: A violation of security policy or defenses (Easttom, 2006).
12. Virus: Malicious software that invades without authorization (Easttom, 2006).
Assumptions
This quantitative, descriptive, correlational research study drew upon four
assumptions. The first assumption was that owners and leaders of small businesses would
take the appropriate amount of time to participate in the online survey, and that they
would give honest answers. The two sections of the survey included questions on
leadership styles, and information security experiences and problems. The estimated time
to complete the entire online survey was 10 minutes or less.
The second assumption was that the systematic sampling of 800 small businesses
from the study population of 2,825 members of various chambers of commerce or trade
associations would yield an adequate number of respondents for gathering
comprehensible, honest, and reliable data. Generally, online surveys are thought to have
higher response rates than paper-based ones, as online users are more receptive to filling
out online surveys that completing paper forms and returning them via postal mail (Rubin
& Babbie, 2005).
The third assumption involved retaining the confidentiality and privacy of the
selected survey participants. Since the survey would ask for disclosure of security issues
27
and concerns within small businesses, protecting the confidentiality and privacy of the
small business participant was important. Study participants did not want their identities
disclosed to potential competitors or cybercriminals. Thus, study response data was not
linked to any identifying information about the study participants and businesses.
The fourth assumption was that adherence to social science research guidelines
would avert any threats to the physical, emotional, or economic wellbeing of the study
participants. Since the survey examined leadership styles of small business leaders, the
study assumed that the participants would not incur emotional harm in responding to the
questions about their leadership styles. Since the survey involved disclosing information
security concerns within the small business, the study assumed that no economic harm
would occur to the small business because of their responses to the survey questions.
Scope and Limitations
The studys scope was limited to the potential relationship that may exist between
leadership styles and information security concerns within small businesses who are
members of the various chambers of commerce and trade associations within Hawaii.
Consequently, results of this study limited generalization of the results to mid-sized and
larger organizations with more than 500 employees. The geographic location of the study
participants in the state of Hawaii also limited the generalization of the results to small
businesses located elsewhere in the United States as well as those overseas.
The online survey involved self-reporting and self-evaluation. Therefore, there
was no mechanism to control the validity of the results. The study assumed the honesty
and reliability of the participants. The reliability and validity of the survey was limited by
the nine leadership factors contained in the full range leadership model and the
28
Multifactor Leadership Questionnaire (Bass & Avolio, 2004). The scope of information
security concerns was limited by the 14 problems listed in the Small Business Security
Survey (Ryan, 2000). The study did not address any leadership styles and information
security problems outside the scope of the two survey instruments. The nature of the
research problem and research methodology helped guide the proposed studys overall
validity and reliability (see Chapter 3).
Delimitations
This study confined itself to a survey of small businesses that are located in the
state of Hawaii and in addition are members of various chamber of commerce or trade
association in Hawaii. This study focused on the full range leadership model, which
encompasses the transformational, transactional, and passive-avoidant leadership styles
(Bass & Avolio, 2004). Three leadership styles comprised three independent variables. In
addition, the study examined the influence of three leadership styles on the level of
concern for 14 information security problems (or 14 dependent variables) outlined in the
Small Business Security Survey (Ryan, 2000).
Summary
Chapter 1 discussed the need to investigate the relationship between the
leadership styles and the level of concern for information security problems within small
businesses who are members of the various chamber of commerce (CoCHawaii, 2007) or
the trade associations (SBH, 2007) within Hawaii. The research problem focused on
cybercrime and information security within small businesses and the impact of
ineffective leadership styles on information security problems (Adamkiewicz, 2005;
Baker & Wallace, 2007; Gupta & Hammond, 2005; O'Rourke, 2003). According to the
29
US FBIs 2005 Cyber Crime Survey of 24,000 US organizations, cybercrime costs
businesses in the United States an estimate of $67 billion annually (FBI, 2005). A
background discussion provided details on the research problem and related concerns to
small businesses in the United States. Little research exists on the influence of small
business leadership styles on the level of concern for information security problems
(Gupta & Hammond).
This chapter also discussed the purpose of the research study along with the
research method, research design, research variables, the general and specific population
group, and the geographic location of the study. Details on the research study provided
information about the research questions and hypothesis, and the theoretical framework
that includes leadership theories and relevant theories to manage information security
concerns. Additional discussion included important issues, perspectives, and
controversies in the field of leadership styles and its impact on information security.
Chapter 1 concluded with a discussion on the assumptions, scope, limitations, and
delimitations of the research study. Chapter 2 will present a literature review of
leadership theories and cultural theories and risk management, integrated systems theory,
and the economics of information security. The primary objective of Chapter 2 is to
review of the literature that will form the studys theoretical framework.
30
CHAPTER 2: LITERATURE REVIEW

By displaying a lack of concern and ignoring security threats, small business
leaders often display ineffective leadership styles that increase vulnerability to
cybercrime (Gupta & Hammond, 2005). The first purpose of this quantitative,
descriptive, correlational research study was to investigate leadership styles and assess
the level of concern towards information security problems within small businesses that
belong to the various chamber of commerce and trade organizations within Hawaii. The
second purpose of this study was to determine the degree of a possible relationship
within small businesses.
Chapter 2 presents the theoretical literature pertinent to the influence of leadership
styles on information security concerns within small businesses. It opens with a historical
overview of such relevant topics as the evolution of leadership theories, transformational
leadership theories, and cultural and information security theories and research. A
discussion of current findings and alternative viewpoints follows with particular
attention to 21st-century transformational leadership, current problems in information
security that impact small businesses, and mechanisms for managing information
security experiences and concerns.
Although leadership styles have been researched for decades (Bass & Avolio,
2004), there have been few studies on their implications for information security within
small businesses. This research study fills the literature gap regarding leadership styles
and their influence on information security problems within small businesses.
31
Literature Review Search
Two objectives guided this literature search. The first was to investigate studies
and scholarly articles that examine small business leadership styles and their impact on
information security issues, breaches, and attacks. The second objective was to determine
whether and to what extent particular leadership styles correlate with the level of concern
for information security problems within small businesses.
Research on leadership styles and theories were conducted through University of
Phoenix sources including ProQuest, EBSCOhost, InfoTrac, and ProQuest Digital
Dissertations. The information security research covered such scholarly software journals
as Information Management and Computer Security, Risk Management, and scholarly
legal journals like American Criminal Law Review. The research also covered rigorous,
comprehensive, information security surveys such as the annual Global Information
Security Survey (GISS, 2006) from Ernst and Young and the annual survey that the US
Federal Bureau of Investigation (FBI, 2005) and the Computer Security Institute
(CSI/FBI, 2006) jointly administer to over 600 security professionals in the United States.
This literature review used generalized academic searches to survey scholarly
literature. Internet database searches on leadership theories employed such keywords as
leader, leadership theories, leadership development, transformational, transactional, and
passive-avoidant leadership. Important keywords for information security searches
included computer security, cybercrime, small businesses, e-commerce and information
security. Searches discovered recent scholarly articles, research documents, peerreviewed journals, books, and dissertations on the subject of leadership, cybercrime, and
information security. Table 5 below displays the different sources of documentation.
32
Table 5
Literature Surveyed in Support of the Research Questions
Peer -
Vendors (V),
reviewed
Doctoral
Surveys (S)
Area of research
articles
Books
Dissertations
and Govt (G)
Total
Security Assessments
12
1 (S), 1 (V)
17
Leadership Styles
51
13
11
2 (V)
79
Leadership and
55
12
18
3 (V)
90
Preventative Security
1 (S), 3 (V)
15
Intrusion Detection
Incident Response
11
12
Physical Security
11
12
Employee Monitoring
Outsourcing
Small Business Metrics
Significance
Security Mechanisms
Gaps in Literature
Total
182
Information Security
Transformational
Leadership
38
32
11
1 (G)
1 (G)
2(G), 1 (S)
11
1 (G)
17
269
33
Records of past hearings in the US House of Representatives (State of small
business security, 2006) represented important sources of evidence-based information on
the state of US cybercrime, as did recent reviews of websites that vendors like Symantec
(2007), McAfee (2007) and Microsoft (2007) use to provide small businesses with data,
security software, and services. United States federal statutes on cybercrime constituted a
key source of scholarly data. The websites of government organizations like the United
States Small Business Administration (SBA, 2007) and the US Federal Bureau of
Investigation (FBI, 2005) published critical information on the current state of small
businesses in the United States.
This literature review encompassed 182 peer-reviewed articles, all published after
2003. The majority of articles covered topics on leadership and information security. This
literature review also covered 32 relevant dissertations and 38 popular books published
after 2003. Finally, the websites of four US government organizations, one global
standards organization, nine technology vendors, one Congressional hearing on small
businesses, and surveys from three companies were examined.
Historical Overview
This study builds on the full range leadership model of Bass and Avolio (2004).
According to Bass and Avolio, leaders displayed more than one style in a particular
situation. Because this study focused on leadership styles and their impact on
information security concerns within small businesses, it also builds upon the cost-benefit
model proposed by Gordon and Loeb (2006a). The historical overview that follows
traces the evolution of pertinent leadership theories and models, offers a detailed
explanation of the transformational and transactional leadership style, and charts the
34
development of several various theories of motivation, business culture, and information
security applicable to small businesses.
Evolution of Leadership Theories and Models
Leadership theories have existed for centuries. From the time of Plato well into
the 20th century, theories have focused on leadership traits, or innate characteristics often
thought to be present from birth in leaders. Leadership trait theories tended to favor the
ruling classes in society because they implied that leaders were born and not cultivated.
In his 1513 book on the Italian aristocracy, Machiavelli proposed that leadership arose
from a combination of innate traits and available opportunities (Northouse, 2004).
However, from the 1950s into the present, trait theories of leadership have given way to
behavioral models (Yukl, Gordon, & Taber, 2002), which proposed that leaders can be
cultivated from ordinary persons and identified the qualities which need to be cultivated.
To understand any contemporary leadership model, a definition of leadership and
an understanding of the distinction between a manager and a leader are necessary.
According to Wren (1995), leadership is a multi-faceted, interactive process by which
leaders and followers mutually interact to meet specific goals. Kotter (1990) claimed that
the position of manager is about setting and meeting organizational goals through the
functions and authority vested in it. A manager typically plans, organizes, directs, and
controls employees as well as the functions of the business (Kotter).
The qualities of a good business leader differ somewhat from those of a good
business manager. For one, a leader motivates and inspires others through interpersonal
relationships, while a manager executes a company plan to meet a specific and
predetermined set of goals (Kotter, 1990). According to Kotter, a leader has an ongoing
35
relationship with followers and helps to move them towards a common goal. A business
leader needs to demonstrate superior managerial qualities as well as leadership qualities.
A leader cannot lead by example unless he or she is also a good manager. Employees
follow an effective leader not because they have to but because they want to do so. A
manager who is not also an effective leader must rely upon formal authority alone to
ensure that employees accomplish their tasks (Kotter).
Trait Theories
As mentioned previously, trait theories of leadership focused on inner traits or
qualities of leaders who distinguished them from the rest of the population. Leadership
characteristics, which involved influence, intelligence, power, and energy, were assumed
inborn. Trait theories stress the qualities of the leader without covering the traits of
followers (Northouse, 2004). Research has failed to identify a consistent set of traits that
worked for all leaders and all situations faced by leaders (Hersey & Blanchard, 1996).
Trait theory lends credence to the assumption that business organizations work better if
the managers in authority have designated leadership profiles and roles (Northouse).
Hersey and Blanchard claimed that while personalities and profiles are important
elements of leadership style, the trait theory seems to be a model of the past.
Behavioral Theories
After trait theories became popular in the early 20th century, the pendulum swung
to behavioral theories. Behavioral theories attempted to identify the behaviors that create
effective leadership (Wren, 1995). The leadership literature identified two types of
behavioral styles: (a) task behaviors, and (b) relationship behaviors (Bass, 1990). Task
36
behaviors focus on the tasks and actions needed to be effective, while relationship
behaviors focus on the working relationship between leader and followers (Bass).
Theory X, an early behavioral leadership model from the American social
psychologist McGregor (1960), centered on command and control over a group of
subordinates. According to McGregor, employees generally dislike work and wish to
avoid it as much as possible. Managers should tightly control subordinates through clear,
unambiguous commands and expectations. Theory X is applicable to a command and
control environment in which leaders direct and expect conformity. This model is
relevant only to organizations involving a hierarchy of management and employees, and
in which control of employees is critical to company success (McGregor).
McGregors Theory Y (1960) focused on soft-management principles. Theory Y
proposed most employees equation of work with leisure; the ability of motivated
employees to direct themselves without managerial control and punishment; and the
importance of job satisfaction to employees and their performance. In sharp contrast to
Theory X, Theory Y proposed that flexibility and self-control, not authoritarian
management, are critical for good employee performance (McGregor).
Servant Leadership Theory
Almost a decade after McGregors Theory X and Y, Greenleaf (2002) developed
the controversial servant leadership model. The fundamental premise of the servant
leadership model is that the leader serves the employees who he or she leads and that this
service to the employees is the basic purpose of leadership (Spears & Lawrence, 2002).
An exemplary leader is primarily a servant, an individual whose goal is to serve others
(Greenleaf).
37
In defining the leaders purpose, the servant leader model sharply and radically
departed from Theories X, Y, and other leadership models of the day (Spears &
Lawrence, 2002) . Greenleaf (2002) proposed this theory against the backdrop of the
Vietnam War and its effects on American society. Greenleaf concluded that because large
institutions were misleading their employees, institutional leaders would do well to serve
their employees and thereby become more effective.
Situational Leadership Theory
Developed after the servant leader model, the situational theory of Hersey and
Blanchard (1996), highlighted the business situation and environment faced by the leader.
According to Hersey and Blanchard, leadership style should be matched to the
psychological or job maturity of the subordinates, which can vary from one employee to
the next. Psychological maturity involves self-confidence, and job maturity refers to the
attainment of relevant job skills. As subordinates mature, the leader should delegate more
tasks and responsibilities (Hersey & Blanchard).
According to the situational theory of leadership, a leader operated differently
based on the underlying situation or context (Hersey & Blanchard, 1996). For example,
situations such as economic downturn or threatened hostile takeover prompt the leader to
change tactics and behavior in the interest of the employees, shareholders, and customers.
The situational leadership model differed from behavioral and servant leadership theories
in its emphasis on context, situation, and employee maturity (Hersey & Blanchard).
Contingency Theory
Contingency theory matched leadership style to an underlying situation (Bass,
1990). Fiedler (1967) articulated the original contingency theory, which proposed no
38
universal leadership style, but a need to match leadership styles to a specific business
situation. Fiedler based his theory on the Least Preferred Coworker (LPC) scale and its
measurement of three distinct leadership situations: leader-follower trust and relations;
task structure, or the clarity and complexity of task components; and position power,
which reflects the leaders importance and status (Bass, 1990). Fiedler recognized that
the underlying situation was important, just as leadership styles, and that a match
between leadership style and underlying situation resulted in effective leadership.
Path-Goal Theory
House (1971) proposed the path-goal theory to emphasize the influence of leader
behavior on the performance and satisfaction of the followers. The path-goal theory
examined the effectiveness of four leadership styles: directive, supportive, participative,
and achievement-oriented (House). The directive style benefits followers in ambiguous
situations. Supportive leadership is effective for followers engaged in repetitive, standard
tasks. The participative style of leadership improves followers job satisfaction and
performance, especially when their job tasks are unclear. The achievement-oriented style
enables followers to meet challenging goals and objectives (House). The path-goal
theorys evolution over the past few decades occasioned the development of the
transformational leadership theory (Bass, 1990).
Theory of Transformational Leadership
The transformational leadership model by Bass (1990) asks followers to
transcend their own self-interests for the good of the group, organization, or society; to
consider their longer-term needs to develop themselves, rather than their needs of the
moment; and to become more aware of what is really more important (p. 53). The
39
transformational leadership model represented an advance over its predecessors. Burns
(1979), after studying the lives of various political leaders from various nations, initially
proposed the transformational model.
Burns (1979) found that leaders could lead by amoral or moral values. According
to Burns, the amoral leaders, like Hitler and Mussolini, wielded enormous power through
the transactional style of leadership. Amoral leadership involved an exchange between
leader and followers of one thing for another, such as giving citizens favors in return for
votes. According to Burns, amoral leaders were not truly leaders, and moral leaders could
be either transactional or transformational. Transactional moral leaders led with honesty
and responsibility but valued the process of reaching the goal over the goal itself (Burns).
Burns suggested that a transformational moral leader believed in liberty and equality and
valued the goal itself over the business process.
Transformational Leadership (Independent Variable)
Bass and Avolio (2004) defined transformational leadership as a process of
influence in which leaders change their associates awareness of what is important, and
move them to see themselves and the opportunities and challenges in a new way (p. 96).
According to Bass and Avolio, transformational leadership strived to achieve the highest
level of performance and job satisfaction from the followers. As mentioned previously,
Bass and Avolio identified five factors of transformational leadership in their full range
leadership model.
1. Idealized Attributes (IA): Includes the abilities to instill pride in followers
and go beyond self-interest for the good of the group.
40
2. Idealized Behaviors (IB): Communicates the leaders sense of power and
confidence and build respect among the followers.
3. Inspirational Motivation (IM): The transformational leader motivates
followers by providing meaning and inspiration; is articulate and enthusiastic
about their future; and expresses a compelling vision that persuades followers
to work for success.
4. Intellectual Stimulation (IS): The transformational leader emphasizes
innovation and creativity by questioning assumptions, reframing problems,
and approaching old problems with new solutions. He or she stimulates
followers intellects by encouraging the use of creativity and problem-solving
capabilities.
5. Individual Consideration (IC): The transformational leader considers each
follower an individual with potential, as opposed to just another member of
the group. By acting as coach and mentor, the leader helps each individual
follower grow to full potential.
Transactional Leadership (Independent Variable)
According to Bass (1990) transactional leadership involved an exchange between
the leader and followers in which the leader rewarded or disciplined followers in
exchange for their actions. Bass and Avolio (2004) described transactional leadership as
behaviors associated with constructive and corrective transactions (p. 97).
Transactional leaders defined clear performance expectations from their followers and
expected achievement of specific goals to in exchange for rewards. Bass and Avolio
defined transactional leadership as having the following two factors.
41
1. Contingent Reward (CR): The transactional leader clearly sets expectations
and goals and rewards followers who achieve specific goals. He or she assists
followers in achieving specific goals, providing feedback and enabling the
entire team to reach their pre-defined levels of performance.
2. Management-by-Exception: Active (MBEA): Leaders clarify the standards for
compliance, and monitor followers who are not meeting specific standards.
Leaders take corrective action when their followers fall short of their
expectations and standards, and focus on tracking mistakes and errors.
Passive-Avoidant Leadership (Independent Variable)
According to Bass and Avolio (2004), the passive-avoidant leadership style is
characterized by passivity and reactivity. Passive-avoidant leaders avoided specifying
agreements, clarifying expectations, and providing goals for their followers. A passive
style has the negative effect of misleading followers, which is the opposite of the desired
outcome (Bass & Avolio). Bass and Avolio defined two factors for passive-avoidant
leadership.
1. Management-by-Exception: Passive (MBEP): The passive-avoidant leader
often fails to intervene until the situation becomes serious or threatening. He
or she generally remains passive until things go wrong. He or she expects
followers to work without guidance and without any intervention unless they
make mistakes.
2. Laissez-Faire (LF): The leader who exhibits the laissez-faire factor is often
absent during the course of important decisions. He or she avoids or delays
making key decisions; and is not available to followers during times of stress
42
or difficulty; and prefers to remain on the sidelines when important issues or
concerns arise.
Evolution of Cybercrime and Information Security
With the proliferation of the internet, the rate of cybercrime has increased (Gupta
& Hammond, 2005). The impact of cybercrime has also expanded in scope and
complexity to include all types of businesses, including small businesses (Adamkiewicz,
2005). As the technology needed to commit cybercrimes becomes more common, the
perpetrators drop in average age and grow more sophisticated (Kshetri, 2006). The
distributed and open nature of the internet is both a benefit for consumers and a hindrance
to tracking down cybercriminals (Wall, 2004).
Since computers are connected to each other in an open and distributed fashion, it
has become easier for criminals to hide behind the computers of authorized and
legitimate users (Kreuter, 2003). According to Kreuter, impersonating the identity of a
real user allowed cybercriminals to use a legitimate identity to commit a crime against an
unsuspecting small business owner. In unraveling cybercrime, law enforcement agencies
have to uncover the identity of the perpetrator (Kreuter). This study examines the various
impacts of cybercrime on small businesses in the United States.
Comparison with Traditional Crime
Key similarities and differences exist between cybercrime and crime carried out
by traditional means without the use of computer technology (Kshetri, 2006). The online
nature of cybercrime allows for criminals to survey potential victims from afar and attack
them when they least suspect an intrusion (Wall, 2004). Wall noted that software viruses,
spyware, and malware could embed themselves in the computer systems of small
43
businesses and track their activities and transactions. Covert surveillance of a small
business could lead to theft of information without the awareness of the small business
owner (Wall). Eventually, upon detection of the crime, the cybercriminals may have
already obtained damaging and confidential information about the business (Kshetri).
The nature of cybercrime allows a cybercriminal to damage thousands of small
businesses in a short period, across many legal jurisdictions (Kreuter, 2003). The actual
damage to each individual business may be small, but the collective damage across all
businesses is often large (Kshetri, 2006). Kshetri claimed that cybercrime is frequently
asymmetric and perpetuated against many businesses by a few cybercriminals. Thus law
enforcement agencies are challenged to find a cost-effective response that benefits all the
victims and prosecute the criminal (Wall, 2005).
Cybercrime differs from the traditional model of crime in which a few criminals
target a few victims in one jurisdiction, thereby allowing law enforcement to respond
with an effective investigation and prosecution of the offenders (Kshetri, 2006).
Traditionally, criminals have acted in their own geographical location and eventually
prosecuted by their own local law enforcement agencies in the local jurisdiction
(Kshetri). Another key difference between cybercrime and traditional crime, according to
the US FBI, is the reluctance of the victim to report the offense to authorities (CSI/FBI,
2006). One likely explanation is that public disclosure of cybercrime is often
embarrassing to small or large businesses (Wall, 2005). According to Wall, disclosure
could lead to a downturn in consumer confidence and trust.
In contrast to traditional criminal activities, cybercrime allows young and
inexperienced criminals with no more than basic software tools and computer technology
44
skills to create havoc among all types of business (Wall, 2005). Inexperienced criminals,
often juveniles, create viruses that damage to the computer systems of corporations and
governments (Radnofsky, 2006). Smith (2004) claimed that coordinated, sophisticated
attacks by organized cybercriminal gangs often targeted financial information of online
and traditional businesses. According to Smith, modern types of cybercrime caused
different forms of damage, but they are equally harmful to all types of business.
Evolving Legislation against Cybercrime
Legislation against cybercrime has been evolving since 1996, when the internet
became a commercial tool for small and large businesses (CC&IPS, 2006). Various
federal laws in the US protect citizens and businesses against cybercrime (Swartz, 2006).
The US PATRIOT Act of 2001 amended the original National Information Infrastructure
Act of 1996. Additional amendments are contained in the Cyber Security Enhancement
Act of 2002, signed on November 25, 2002 as part of the Homeland Security Act of
2000, and in the Computer Software Privacy and Control Act, signed on April 30, 2004.
The United States joined the European Convention on Cybercrime on September 29,
2006, and the law came into force on January 1, 2007 (CC&IPS).
Statutes and their enforcement against global cybercriminals by the US
Department of Justice (CC&IPS, 2006) are key benefits to US businesses. For example,
United States Code Title 18 1029 and 1030 provide protection against the fraudulent
use of access devices and computers (CC&IPS, 2006). However, as cybercrime becomes
more frequent and complex, legislation often lags behind the exploits of cybercriminals.
For example, the state of Indiana passed the Data Breach Law in 2006 (Swartz, 2006)
after an increase in the incidence of business and home computer data breaches.
45
Efforts of Law Enforcement against Cybercrime
As the incidence of cybercrime increases, so do the efforts of US law enforcement
agencies against its perpetrators (Wall, 2005). Wall claimed that US agencies such as the
US FBI and the US Secret Service are vigilant against cybercrime and have the authority
to prosecute criminals who perpetuate it. A website to report internet crime, the Internet
Crime Complaint Center (IC3, 2006), is a collaboration between the US FBI and the
National White Collar Crime Center (NW3C, 2006). Various websites and collaborations
between federal agencies and civilian organizations provide small businesses with
various avenues to report and prosecute perpetrators of cybercrime (Wall).
Role of E-Commerce
The proliferation of the internet since 1996 has allowed small businesses to
market their products and services to a wider range of customers (Desai, Richards, &
Desai, 2003). E-commerce transactions developed new trusts and relationships with
customers by the use of new tools like privacy seals and statements (Moores, 2005).
Online practices have led to new business models that use the internet for marketing,
sales, support, and service.
A global customer is one who purchases goods or services outside the immediate
geographical location of a small business (Hassan, Alexander, & Daniel, 2003). Global
customers and transactions often face export and import regulations, language and
currency differences, and other cultural and linguistic barriers (Hassan et al.). According
to Hassan et al., as e-commerce proliferates, issues concerning the receipt of foreign
payments increase in importance and complexity.
46
Quality customer service is important for all customers, regardless of whether
they make purchases online or from a local store (Desai et al., 2003). According to Desai
et al., as e-commerce and global trade increase, small businesses need to include
information on global business practices, rules, and regulations in their knowledge
management infrastructure. Increase in global business knowledge allows small
businesses to effectively sell and service global customers (Hassan et al., 2003).
As small businesses expand their customer base beyond their countries, they are
exposed to cybercriminals from all over the world (Warren & Hutchinson, 2003).
According to Warren and Hutchinson, e-commerce involves working with partners and
suppliers from all over the world, and creates a greater need for authentication and
reliability in communications and transactions. Globalization increases the potential for
cybercrime from all over the world, and small businesses are vulnerable like any other
businesses (Desai et al., 2003).
Information Security Theories and Related Research
Information security has become a leading issue of concern to many large and
small organizations over the past decade (Albrechtsen, 2007). Several research studies
focused on the application of technology solutions to managing information security
(Albrechtsen, 2007; Baker & Wallace, 2007; Chang & Lin, 2007). According to Baker
and Wallace, organizations often focus more on technological approaches to managing
information security, as opposed to a holistic approach to securing technology,
processes, people, and other organizational factors (p. 37). A holistic approach is
appropriate for small businesses as well as large organizations (Baker & Wallace).
47
According to a qualitative study by Albrechtsen (2007), users reported that they
are motivated by information security concerns but do not consistently and reliably
perform many preventative security actions. Albrechtsen also claimed that the
documented requirements of information security policies and procedures, along with
general awareness campaigns, have little effect on actual user actions and awareness. The
implication is that organizations need to do more to change user behavior rather than
merely instituting company policies and procedures to manage information security.
Chang and Lin (2007) examined the impact of company culture on information security
management within businesses in Taiwan. According to Chang and Lin, in addition to
technology, policies, and procedures, human and cultural factors are also important to
information security management.
Cultural Theory and Risk Management
Cultural theory proposes that people interact socially based on their social
constraints and understandings of the world (Douglas & Wildavsky, 1982). Douglas and
Wildavsky claimed that individuals form worldviews and opinions based on their social
and cultural contexts and assumptions. Worldviews could include their assumptions and
opinions on risk management and information security concerns (Tsohou, Karyda, &
Kokolakis, 2006). The grid/group typology proposed by Douglas and Wildavsky (1982)
displays a combination of social relations and cultural biases (see Figure 1). The
horizontal group axis refers to the extent to which an individual is incorporated into predefined and bounded units of society, while the vertical grid axis denotes the degree to
which an individual is constrained by external prescriptions and social restraints
(Torbjorn et al., 2004).
48
Figure 1. Torbjorns (2004) Four Worldviews and Grid/Group Typology.

Worldviews with high group and high grid values are associated with hierarchical
cultures, which emphasize the importance of preserving social order and status (Torbjorn
et al., 2004). According to Torbjorn et al., worldviews with high grid but low group
values are associated with egalitarian cultures, which emphasize charismatic leadership,
suspicion of authority, preference for role changes, and a sense of equality. Worldviews
with low grid and low group values originate in individualistic cultures, which emphasize
personal freedoms, role choices, short-term thinking and decision-making, and a high
tolerance for risk. Worldviews with low group and high grid values tend to come from
fatalistic cultures, which emphasize minimal personal autonomy, low tolerance for risk,
and a low degree of social control (Torbjorn et al.).
Economic Model of Information Security
Gordon and Loeb (2002) indicated that the full implementation of every possible
information security control is not an optimal and efficient use of an organizations
49
resources. According to Gordon and Loeb, organizations should invest in security only
when the marginal benefit of the implementation equals the incremental cost. Gordon and
Loeb (2002, 2006b) provided a cost-benefit model to determine an optimal budget for
information security within an organization. Initially Gordon and Loeb (2006a) focused
on three questions. (1.) How much should an organization spend on information security?
(2.) How should an organization allocate its information security budget to specific
problems? (3.) What is the economic cost of information security breaches?
Hausken (2006) extended the work of Gordon and Loeb by proposing that the
best way to model the probability of an information security breach is by using a logistic
function that first exhibits increasing, then decreasing, returns and benefits (Gordon &
Loeb, 2006a). Gordon and Loeb remarked on the paucity of available research and data
on the benefits of information security investment. This study addressed the economic
model for small businesses that are financially constrained in their ability to combat
cybercrime, but cannot remain ambivalent and unresponsive.
Integrated System Theory of Information Security
Despite the prevalence of information security technologies, few information
security studies exist in the scholarly literature (Hong et al., 2003). According to Hong et
al., the lack of information security theory implied few empirical studies that examined
the effectiveness of information security technologies, policies, and procedures. Hong et
al. proposed an integrated theory that combined existing security policy, risk
management, control and auditing, management system, and contingency theories.
Hongs integrated theory covered several management activities that included the
establishment of security policies and procedures, risk assessment, information security
50
controls, security control systems, and management policies and procedures. The
integrated systems theory suggested an information security architecture that is consistent
with organizational goals and objectives (Hong et al.).
The integrative theory on information security may apply more to larger
organizations than small businesses (Yang, Yang, & Wu, 2005). According to Yang et
al., small organizations are generally resource poor (in terms of technological and
financial resources), less developed in structure and functions, and more sensitive to
outside pressure (p. 350). Due to the budget and resource constraints that they face,
small businesses may not be suitable for successful implementation of the integrated
systems theory (Yang et al.).
Current Findings and Alternative Viewpoints
Title searches for the Current Findings section include transformational and
transactional leadership, small businesses, cybercrime, cybercriminals, and information
security management. This section includes a review of the contemporary literature on
leadership and information security published within the last five years. This section also
includes alternative viewpoints on contemporary leadership and information security
concerns within small businesses. Given the changing and dynamic nature of information
security, an examination of the current gaps in the literature regarding small business
leadership styles and information security problems is important.
Leadership Theories in the 21st Century
Definitions of leadership have evolved over the past few decades. One
contemporary definition on leadership emphasizes consensus and team play. Belasco and
Stayer (1993) compared leadership to a flock of geese flying in a V formation. The
51
presence of the whole flock of geese increases the flying range of the birds beyond what
is possible for each bird flying alone. If a goose falls out of formation, it suddenly feels
the pressure and risk of flying alone and quickly gets back into formation. When the lead
goose gets tired, it rotates back and another goose takes its place. Leadership is common
to all the geese in the formation (Belasco & Stayer).
Kouzes and Posners Model
Kouzes and Posner (2003) named five key practices for achieving exemplary
leadership.
1. Challenge the existing process and status quo, but explore new ways.
2. Create a shared vision by looking ahead to the future and sharing the goals.
3. Encourage action within the organization by listening and motivating others.
4. Lead by example by knowing the goals and plan of the organization.
5. Encourage others to grow and prosper by rewarding their accomplishments.
Kouzes and Posner (2003) claimed that leadership is an observable, learnable set
of practices. According to the authors, teaching leadership to employees within an
organization is possible, and credibility is the foundation of leadership. Employees at all
levels of an organization, even within small businesses, can achieve exemplary leadership
capabilities. Kouzes and Posner stressed that leadership is a relationship between those
who choose to lead and those who choose to follow. Followership is important to the
leader and the organization (Kouzes & Posner).
Pseudo Transformational Leadership
Pseudo transformational leadership is behavior that is often self-centered and
unethical (Kouzes, 2003). In the 21st century, many examples exist of leaders who appear
52
transformational, but are in reality are pseudo transformational leaders focused on their
own success (Harland & Harrison, 2005). Numerous examples of pseudo
transformational leadership have appeared in the media during the scandals that have
erupted in companies like Enron, Arthur Anderson and WorldCom (Harland & Harrison,
2005; Lussier & Achua, 2004).
Bass and Avolio (2004) contended that despite the examples of pseudo
transformational leaders in the media, most knowledge workers in the 21st century
organization are unwilling to work with such leaders. Knowledge workers are willing to
follow the path and examples set by true transformational leaders and not those pseudo
transformational leaders consumed by greed (Bass & Avolio). Current reality suggests
that transformational leadership is the roadmap for aspiring leaders in the 21st century,
and that followers should look to genuinely transformational leaders for their future.
Innovation and Performance
Innovation is the creative ability to create new products, processes, organizations,
thinking, and vision and to assimilate new concepts into an existing organization
(Christensen, 1997). According to Drucker (2004), innovation is the core competency of
the modern century, and many sources of innovation are available to a business
enterprise. Drucker claimed that innovation originated from the core vision of the
company. If the entire company believed in change, innovation naturally resulted from its
vision. In addition to vision, core values and competencies are equally important for
success (Drucker).
Christensen (1997) described disruptive technologies and proposes that the
dilemma for innovators is to distance themselves from loyal customers so that they could
53
think and act out of the box. Christensen believed that traditional innovation involved
the exploitation of change or crises, and that the successful business of today incorporates
innovation even when the business is already successful and performing well. The core
vision of the company can embody innovation by perpetuating revolutionary ideas and
processes (Drucker, 2004).
Leadership Styles within Small Businesses
Organizations in the 21st century differ very much from those in the time of Plato
and even those of a hundred years ago in industrialized nations. Drucker (2004)
highlighted five qualities of the modern global business organization.
1. Lean. The number of employees is not as important as their productivity.
2. Flat. The hierarchy of managers extends to a few levels below the CEO.
3. Global. Vast geographical distances and differences in cultures and business
practices separate employees.
4. Adaptive. Company goals, processes, and objectives change every few years.
5. Competition. Fierce competition surfaces from unexpected sources.
Given emerging trends in the nature of business organizations, Drucker (2004)
proposed that contemporary leaders needed to stress the following actions.
Set the focus on common vision, goals, and objectives.
Coach employees and foster a team environment.
Set an example to fellow employees.
Take calculated risks that benefit the company.
Have the guts and resolve to survive a company crisis.
Efficiently execute tasks needed to achieve a goal.
54
Information Security Management in the 21st Century
Although cybercrime has proliferated over the past decade, so have the
mechanisms to combat its effects (Day, 2003). Although many mechanisms involve
technology and tools, manual policies and procedures are also an integral part of efforts
against cybercrime (Easttom, 2006). Businesses of all sizes, including small businesses,
implement various mechanisms to protect their information security from cybercriminals
(Wall, 2005). This section provides details on seven security mechanisms commonly
found in small businesses.
Security Assessments
Security assessments size up the security risks and threats faced by a small
business (Easttom, 2006). An information security risk is a potential negative impact that
can occur to an information system; an information security threat is the actual damage
that can occur due to a risk (Day, 2003). According to Day, vulnerabilities within a
computer system in a small business could allow cybercriminals to exploit the risk and
carry out the threat. As such, security assessments attempt to discover vulnerabilities
within computer systems in order to reduce the risks (Day). A vulnerability assessment is
systematic identification and validation of the possible vulnerabilities that may exist
within a business organization (Blyth & Thomas, 2005).
The overall goal of security assessments and audits is to ensure that small
businesses are trained, knowledgeable, and aware of the threats (Blyth & Thomas, 2005).
According to Blyth and Thomas, increased awareness ensures that the information
systems of small businesses meet three basic requirements. Basic requirements include
55
availability, integrity, and confidentiality (DeZulueta, 2004). Availability ensures that a
system is accessible and usable upon demand by an authorized user or entity.
Integrity ensures completeness, wholeness, and readability of information,
meaning that data remains unchanged by an unauthorized user in ways that are not
detectable by authorized users (DeZulueta, 2004). Finally, confidentiality ensures that a
system is not accessed by unauthorized users (Ma, 2004). Numerous examples in the
security literature discuss assessments for records protection (William, 2005), audits and
security in the e-commerce era (Anderson, Hansen, Lowry, & Summers, 2006; Zhao,
Yen, & Chang, 2004), and the importance of security assessments in specific industries
like banking (Abu-Musa, 2004).
The literature on security assessments targeted specifically at small businesses is
sparse (Gupta & Hammond, 2005). However, the mainstream literature provides ample
guidance for small businesses that are limited by costs, security skills, and time
constraints. Various checklists (Day, 2003; Easttom, 2006; Szor, 2005) provide simple
and practical guides to implement security assessments, even within small businesses.
This study examined the problem that small businesses are often unaware of security
threats and risks, until the occurrence of an actual security breach.
Preventative Security
Business organizations prefer to prevent security breaches because security
breaches disrupt business performance and dampen consumer confidence (Greg Hanna,
2005a). The literature provides ample examples of software solutions to prevent security
breaches, including practical uses of anti-virus software (Campbell, 2004; Szor, 2005) as
well as a case study (Sherif & Gilliam, 2003) of virus prevention. Other technologies like
56
firewalls (Day, 2003), anti-spam products, and anti-spyware technology (Gibson, 2005;
Stafford, 2005; Thompson, 2005; Zhang, 2005) can be used by small businesses as well
as personal home users (Hazari, 2005).
Major vendors like Symantec (2007) recommend application of software patches,
but patches themselves are at risk from hackers and cybercriminals (Marshall & Heffes,
2005). Basic email safety is important and removing suspicious attachments is critical to
any business (Day, 2003; Easttom, 2006). Precautions against modular malicious codes,
especially those distributed through the internet, are becoming increasingly important
(Easttom). According to the Symantec Threat Report (Symantec, 2007), modular
malicious code accounted for 88% of the top 50 malicious code reported in the second
half of 2005. Securing wireless networks, which are common to small businesses, is
important in order to ensure that identity thieves and competitors do not pilfer data
(Gregory Hanna, 2005b; Kruh, 2003; Pietro & Mancini, 2003).
The literature also points out that preventative measures cannot mitigate all types
of security risks. In 2003, the Bugbear.B worm infected thousands of computers despite
anti-virus and personal firewall technology (Maroncelli & Karpin, 2003). Custom Trojan
programs that elude anti-virus programs (M. Blake, 2003) can penetrate the defenses of
small businesses. In addition to technology and tools, the literature emphasizes the use of
security policies, procedures, training and rules to prevent security breaches (Gellis,
2004) and future threats and disasters (Trim, 2005) in enterprises. For example,
improperly disposing of old computers and hard drives allows cybercriminals instant
access to sensitive company information (Lunsford, Robbins, & Bizarro, 2004). Day
(2003) provided a checklist, one that is also appropriate for small businesses, regarding
57
awareness of current security issues and threats and performance of regular tests on all
computers and security devices.
The literature also provides techniques for small businesses to backup and
safeguard their business data on external hard disks (McCarthy, 2006). It describes the
dangers of online storage (Mulligan, Schwartz, & Mondal, 2006), and the need to use
strong passwords and frequently change them on the basis of security policies (Harrison,
2006; Wakefield, 2004b). The literature recommends avoiding the reuse of passwords
(Blake, Kenneth, & Helmut, 2004) and controlling the use of the internet (Taillon, 2004).
A formal and established security policy that is appropriate for small businesses helps
them to enforce their preventative actions and measures (Rees, Bandyopadhyay, &
Spafford, 2003).
The ISO/IEC 17799:2005 set of standards (ISO/IEC, 2005) covers security
policy, the organization of information security, asset management, human resources
security, physical and environmental security, communications and operations
management, information systems acquisition, development and maintenance, incident
management, business continuity management and compliance (p. 1). The
comprehensive guide from ISO/IEC is applicable to small businesses as they assess their
internal networks and policies. The latest version of ISO/IEC 17799:2005 is specifically
tuned to the needs of e-commerce and global trade, and small businesses can use best
practices (Saint-Germain, 2005) to prepare for the deployment of ISO/IEC 17799:2005
(Peltier, 2003).
Overall, the literature recommended a combination of technology, processes, and
policies to prevent the incidence of cybercrime. The literature review helped to address
58
the core problem assessed by this studynamely, that many small businesses display a
lack of concern towards information security and unrealistically expect that performing
basic preventative measures alone protects against all forms of threats. This study
examined the relationship between of leadership styles within small businesses and the
level of concern towards information security problems.
Intrusion Detection
While preventative measures are useful and necessary to preempt a security
breach, they cannot cover all types of security threats. Ongoing intrusion detection
systems find patterns in misuse and attempted intrusions and warn network
administrators of an impending attack (Day, 2003). Intrusion detection technology needs
to be complemented with human policies and procedures, and physical security that
responds to notifications of an impending attack (Sherif & Ayers, 2003; Sherif, Ayers, &
Dearmond, 2003). The now-extensive literature on intrusion detection technology
primarily covers technologies and policies for large corporations and organizations, with
sparse details on usage in small businesses.
A review of the literature provides details on detection of known and unknown
intrusions by artificial anomalies (Fan, Miller, Stolfo, Lee, & Chan, 2004). In addition,
the literature provides details on the quantification of network intrusion losses (Kros,
Foltz, & Metcalf, 2004), the maintenance of privacy in intrusion detection (Sodiya,
Longe, & Akinwale, 2005), the value of an intrusion detection architecture (Cavusoglu,
Mishra, & Raghunathan, 2005), and improved techniques for intrusion detection (Rawat,
Gulati, & Pujari, 2004; Sodiya & Longe, 2005; Ye, Farley, & Lakshminarasimhan,
2006). The concept of perimeter defense (Day, 2003) is important because it outlines the
59
security perimeter of a small business network. The systems and information within the
outside perimeter represent a critical area for the business to defend against
cybercriminals.
Despite the focus on large organizations, the literature on intrusion detection
systems also offers potentially useful, relevant information to small businesses.
Documentation from vendors gives details on commercial systems targeted at small
businesses. The literature addresses the same key problem as this study: the lack of
concern and the reliance by small businesses on a narrow range of preventative measures.
Incident Response
Despite its use of preventative and intrusion detection technology, a small
business can still incur security breaches and sustain damage to its information systems
(Day, 2003). Day provided details on how businesses should respond quickly based on
written policies and procedures. Day recommended avoiding an overreaction, which
could damage business reputation and customer confidence. Documenting any incident is
essential as it yields critical information for law enforcement and digital forensic analysis
(Prosise, Mandia, & Pepe, 2003). Forensic analysis, which is usually a service provided
by external consultants, can unravel the details of the incident and provide clues for the
investigators who collect evidence to prosecute the cybercriminal (Carrier, 2005).
Finally, the US Department of Justice operates an online facility that allows for easy
reporting of cybercrime incidents (IC3, 2006).
Although the reviewed literature little guidance specifically for small businesses,
it offers their owners many potentially useful tips and techniques (Day, 2003; Easttom,
2006; Szor, 2005) . It addresses yet another key problem identified in this study: the
60
reluctance of small businesses to react appropriately to security incidents and inform
local law enforcement authorities of the breach (Day). According to Day, such behaviors
on the part of small business prevent local authorities from responding to and
apprehending the criminals.
As the literature review also revealed, law enforcement has been slow to catch
up with cybercriminals (Bhaskar, 2006), which may explain the reluctance of small
businesses to seek help from authorities. However, the US House of Representatives is
improving legislation to deter cybercrime and increase the penalties for it, especially
crimes involving copyright violations and software piracy (Delaney, Goldstein,
Gutterman, & Wagner, 2003). Delaney claimed small businesses needed to incorporate
an effective incident response plan that included reporting and collaboration with local
and federal law enforcement authorities.
Physical Security
While cybercrime is often committed through networks, physical attacks can
involve individuals with access to facilities and servers (Day, 2003). According to Day,
such attacks include casual crimes in which an individual steals hardware (laptops, for
example) or software without realizing the impact of his or her actions. They also include
targeted criminal activities in which individuals deliberately enter secure premises and
damage or steal servers and other hardware (Day). The literature on physical security
provides simple checklists and guidelines that can be useful for small businesses (Day,
2003; Easttom, 2006). The literature also describes examples of damage caused by
human factors like user negligence and carelessness (Orshesky, 2003). According to
Orshesky, small businesses need to be vigilant about online and physical threats.
61
Day (2003) and Easttom (2006) recommended several simple but effective
preventative measures: putting servers on secure racks, organizing and securing cables,
and installing fire prevention equipment and procedures. Preventative measures,
complemented with physical security procedures like restricted access to secure areas,
can help small businesses to alleviate risks to physical security (Day). However, security
precautions require investments in capital and resources that are often beyond the scope
of small businesses (Easttom). The literature provides some models for evaluating the
return on IT security investments (Cavusoglu et al., 2004), but is restricted to medium
and large corporations with established budgets and information security policies.
A review of legal cases brought against individuals by the US Department of
Justice (CC&IPS, 2006) reveals several cases of ex-employees targeting the systems of
their former employers. According to CC&IPS, such cases point to a lack of policies and
safeguards against disgruntled former employees who potentially have access to sensitive
data and hardware as well as the intent and motivation to cause damage to their former
employers. The best preventative measures against online security can fail in the presence
of a physical attacker who has access to secure facilities and familiarity with the business
(Day, 2003). The reviewed literature on physical security addresses still another key
problem dealt with by this study: small businesses inadequate protection from cyber
threats that involve humans and physical security.
Insider Access Abuse
With the proliferation of the internet and computer networks, many employees
now have unrestricted access to company and online information (Desai et al., 2003;
Larson, Larson, & Greenlee, 2003; Moores, 2005; Roussos & Moussouri, 2004). Internet
62
access helps productivity and information access benefits to organizations, but it also
creates security risks and creates the potential for inappropriate and illegal downloads
(Desai et al.). Most employees of small businesses are aware that their usage of
computers at work constitutes business use and that an employer is legally capable of
monitoring it (Nord, McCubbins, & Nord, 2006). A balance between preserving the
privacy of the individual employee and the security interests of the business is important
(Wakefield, 2004a). According to Wakefield, illegal practices as downloading child
pornography, committing identity theft or fraud, and disclosing confidential company
information to competitors, is dangerous to any small business.
The literature on employee monitoring includes new and improved techniques to
monitor anomalies in employee usage (Yu, Mishchenko, Felizhanko, & Shchegoleva,
2004), and extensive discussions of the need for privacy during online e-commerce
transactions and employee internet access (Desai et al., 2003; Larson et al., 2003;
Moores, 2005; Roussos & Moussouri, 2004). The literature also covers privacy issues
involving wireless devices (Pietro & Mancini, 2003) and the retirement of old computers
(Lunsford et al., 2004). The literature review indicates that privacy is an issue for
employees and employers alike (Moores). However, according to Moores, when the
employer owns the computer systems used by the employee, the security requirements of
the former often override the privacy needs of the latter in business settings. Overall, the
reviewed literature is applicable to the core problem of this study in that small businesses
are often unaware of the potential for damage from employee misuse and negligence or
the deliberate and criminal actions of disgruntled ex-employees (Yu et al.).
63
Outsourcing Cyber Security
Due to the rising threats of cybercrime and increasing costs of hiring and retaining
employees skilled in networking and cyber security, many organizations outsource their
security functions to external vendors (Day, 2003; Easttom, 2006). Outsourcing of
security functions usually accompanies other functions like internet service and webbased application services (Day). According to Day, along with email and storage access,
Internet Service Providers (ISPs) in the US provide businesses with basic firewall and
email account spam filtering services. Application services providers (ASPs) provide
hosted applications like financial and human resources software that are available to
businesses over the internet (Easttom). According to Easttom, the hosted software
provided by ASPs is often economical and feasible for small and medium businesses.
In addition to providing software over the internet, ASPs provide basic cyber
security against data loss and other consequences of malicious software (Day, 2003;
Easttom, 2006). In addition to obtaining security services from ISPs and ASPs, many
small and medium businesses enlist security consultants to perform security assessments
and functions (Day, 2003). Day cautioned that outsourcing of security services does not
relieve the small business of its basic responsibility for the overall security of the system.
For example, small business computer systems are still vulnerable to physical sabotage
from employees or ex-employees (Day).
Information Security Within Small Businesses
Cybercrime is not only relevant to large corporations, but to the millions of small
businesses in the United States (Gupta & Hammond, 2005). According to the US Small
Business Administration and the Small Business Act, a small business is an
64
independently owned entity and not dominant in its field of operation (SBA, 2007). The
US Small Business Act also states that the size definition of a small business varies by
industry and the US SBA provides criteria that identifies the size of a small business
based on the North American Industry Classification System (NAICS) code (SBA, 2007).
The Office of Advocacy, of the US SBA, defines a small business as a business having
500 or fewer employees. The study used US SBA definitions and classifications.
E-commerce and advances in computer technology provide motivation and
opportunities for small businesses to increase their revenues and global customers
(Warren & Hutchinson, 2003). According to Warren and Hutchinson, as small businesses
expand their customer base beyond their borders, they are exposed to cybercriminals
from all over the world. The authors claimed that e-commerce involves working with
partners and suppliers from all over the world, and thus it has a greater need for
authentication and reliability in its communications and transactions. The proliferation of
e-commerce increases the exposure of small businesses to cybercrime and thus their need
to implement comprehensive cyber security mechanisms (Warren & Hutchinson).
Cybercrime has evolved over the past decade, from a series of attacks against
large corporations and government organizations to distributed attacks motivated by
financial greed (Symantec, 2007). As cybercrimes severity and complexity increase, so
too will its negative impact upon small businesses (Kshetri, 2006). According to the
Symantec Threat Report (Symantec), small business was the third most targeted industry
segment during the second half of 2005, experiencing almost 25% of all attacks.
Symantec researchers assumed that small businesses in the US tend to lack a rigorous
65
security infrastructure. The current trends in cybercrime (see Figure 2) indicate that the
problem will continue to grow over the next decade (CSI/FBI, 2006).
83.7
Virus, worms, trojans
79.5
Spyware
32.9
Port Scans
22.7
Sabotage of data/network
22.4
Adult Pornography
15.5
Laptop/Desktop/PDA theft
Insider abuse/piracy
15
Denial of Service
14.5
Network Intrusion
14.2
None
13.4
8.4
Financial Fraud
5.3
Telecom Fraud
Unauthorized access to IP
3.9
Wireless network misuse
2.9
Website Defacement
2.7
Child Pornography
2.6
20
40
60
80
100
Figure 2. Computer Security Incidents in the US (CSI/FBI, 2006).

Significance of Small Businesses to the US Economy
Small businesses play a significant role in the US economy (SBA, 2007).
According to the US SBAs Office of Advocacy, the US had 17,000 large businesses and
approximately 25 million small ones in 2005. Small businesses generated 2.4 times more
innovations than large businesses (SBA). According to the US SBA, small businesses
employ half of all private sector employees and pay half of the total US private payroll.
Small businesses in the US have generated 60 to 80% of net new jobs annually
over the last decade and created more than 50% of nonfarm private gross domestic
product (SBA, 2007). Economic figures indicate the importance of small businesses to
66
the US economy and the potential for negative economic impacts from cybercrime
(CSI/FBI, 2006). A coordinated cyber threat against small businesses might readily
impact a significant section of the US economy (State of small business security, 2006).
Because small businesses are so important to the US economy, preparation against the
evolving threat of cybercrime is important (CSI/FBI).
Categories of Small Businesses and Information Security
In regard to their preparations against cybercrime, small businesses can be divided
into three categories (State of small business security, 2006). According to the report on
the state of small business security, one category consists of mom and pop businesses
whose business computers also serve as the owners home computers. Small businesses
in the mom and pop category have basic anti-virus and security software in place and
rarely rely on skilled professionals for security assistance. The report on the state of small
business security also described a second category of small companies with a few
hundred employees and a dedicated information technology (IT) staff (CSI/FBI, 2006).
According to the US CSI/FBI study, small businesses with a few hundred employees rely
on the knowledge and expertise of their key IT personnel for cyber security.
The third and final category included small businesses that outsource most of their
security requirements to third-party vendors (State of small business security, 2006).
According to the report on the state of small business security, vendors provide the level
of security needed to prevent cybercrime and enable recovery from security breaches.
Small businesses that outsource information security depend upon on the outside
vendors training and reliability for their security needs (CSI/FBI, 2006). According to
the US CSI/FBI study, reliance on an external vendor introduces risks but also benefits in
67
that it removes the need of a small business to train and retain skilled IT employees to
combat cybercrime.
Unlike large businesses with dedicated IT resources, small businesses often lack
the skills, resources, and infrastructure to tackle cybercrime and even to conduct security
assessments (Gupta & Hammond, 2005). According to Gupta and Hammond, small
businesses frequently fail to deploy comprehensive and effective security policies.
Because of ongoing challenges, cybercriminals increasingly target small instead of large
businesses for identity theft and other cybercrimes (CSI/FBI, 2006).
Information Security Problems (Dependent Variables)
Small businesses face diverse information security problems (CSI/FBI, 2006).
This study examines 14 information security problems as its dependent variables.
1. Insider Access Abuse: As discussed in a previous section, employees need
authorization to access computer resources and data according to the security
policies of the small business (Wakefield, 2004a). Insider access abuse occurs
when individuals without permission or authority access information systems
(Nord et al., 2006). According to Nord et al., such unauthorized or
inappropriate access may lead to data theft or other forms of cybercrime.
2. Viruses: A virus is a program that self-replicates and spreads from one
computer to another (Day, 2003; Easttom, 2006). While not all viruses are
destructive, their mere presence and propagation from one machine to another
can slow down computer networks and systems (Day). Small businesses can
be impacted by destructive viruses that damage computer data, or have their
68
networks slow down due to additional traffic created by the propagation of
viruses (Easttom).
3. Power Failure: Power failure can occur for many reasons that are usually
unrelated to cybercrime (Day, 2003; Easttom, 2006). The computer systems of
small businesses, affected by power failures, can destroy computer machines
or data (Easttom). According to Day, uninterruptible power supplies are
batteries that prolong the life of a computer system in the event of a power
failure. They batteries are available at computer stores, and small businesses
can purchase them as a precaution (Day).
4. Software Problems: Some software problems such as the inability to maintain
patches and updates can corrupt or destroy existing databases and data (Baker
& Wallace, 2007). According to Baker and Wallace, malicious software that
enters information systems through worms and viruses can destroy important
data. Small businesses can stay vigilant against software problems by using
the services of information technology professionals and implementing secure
policies (Day, 2003).
5. Data Integrity: Data integrity refers to the soundness of the datas quality and
accuracy (Ryan, 2000). Financial data represents one example of data
integritys importance. According to Ryan, the integrity of financial data
underlies the success of the business and is necessary to fulfill the reporting
requirements of and other regulatory authorities.
6. Transaction Integrity: Transaction integrity involves the validity and quality
of the transaction or exchanges made by the business (Ryan, 2000). One
69
example of transaction integrity is an online payment to a credit card company
made from an online bank. For the transaction to have integrity, the payment
amount credited to the credit card account must equal the amount debited
from the bank account (Ryan).
7. Outside Abuse Access: Occurs when individuals external to the business
fraudulently obtain authorization to enter computer systems (Day, 2003).
According to Day, they use fraud, deception, or theft to obtain passwords and
other identifying information needed to gain access.
8. Data Secrecy: Data is critical to the small business (Day, 2003; Easttom,
2006). Without information stored in secure databases, small businesses are
vulnerable to data thieves (Ryan, 2000). Data secrecy refers to the
confidentiality of information that is restricted to the internal usage of the
small business (Day). According to Day, data secrecy involves technologies
and policies that secure the access, transmission, and storage of data for the
business. One example of a procedure to safeguard data secrecy is the secure
storage and access of company password information, or other confidential
information like employee social security numbers (Easttom).
9. Data Availability: Data availability refers to what extent people with the
proper authority and responsibilities can access the data they require (Day,
2003). For example, a financial manager of a small business requires ready
access to the companys financial data. According to Day, cybercrime that
compromises the availability of critical data to a small business can lead to
productivity losses and other negative outcomes.
70
10. Data Theft: Data theft involves criminal acts to steal data from a company
(Easttom, 2006). Examples of data theft acts could range from insider access
abuse to theft from online databases. According to Easttom, small businesses
may not be aware of data theft, as it may leave few cyber footprints. The theft
of sensitive data like employee or financial information can severely damage a
small business (Easttom).
11. Data sabotage: Data sabotage involves the destruction of computer systems
and networks, whether through acts of cybercrime or traditional crimes like
arson (Easttom, 2006). An incident of sabotage of computer systems could
occur by accidents such as fires. Small businesses realize the risk of sabotage,
accidental or intentional (Easttom). According to Easttom, they can avail
themselves of insurance policies that provide a certain level of protection.
12. User Errors: Accidental acts of employees or visitors can lead to destruction
of data and systems (Day, 2003). An example of a destructive user error
would be the accidental deletion of key records in a company database.
According to Day, to mitigate user errors, small businesses need to have
trained employees responsible for the safety and integrity of key data, and
secure and effective policies that minimize the potential for accidental user
errors.
13. Natural Disaster: Natural disasters like earthquakes and hurricanes can destroy
the information system infrastructure of small businesses (Ryan, 2000). An
example of a natural disaster is a hurricane that destroys confidential data, and
networks that allow access to the internet or confidential data. According to
71
Ryan, small businesses can mitigate risks by employing disaster prevention
and recovery technologies and policies.
14. Fraud: Fraud involves the deception of small business users to make them
divulge confidential information (Ryan, 2000). A common example of fraud
involves phishing, where cybercriminals exploit vulnerabilities by sending
fake emails and phone calls to elicit confidential information like social
security numbers and bank account data. Small businesses need to stay
vigilant against fraud, as the means and methods of cybercriminals vary over
time (Gupta & Hammond, 2005).
Impact of Regulations and Standards on Information Security
Several regulations in the US require small businesses in specific industries like
financial services and healthcare to focus on cyber security and information protection
(Adamkiewicz, 2005). According the Privacy and Safeguards Rule of the Gramm-LeachBliley Act (GLBA), US financial institutions are required to maintain written security
policies and procedures that safeguard the privacy, integrity, safety, and confidentiality of
customer information (Cavusoglu et al., 2004). According to Cavusoglu et al., the
Disposal Rule of the Gramm-Leach-Bliley Act also regulates users of credit reports to
securely dispose of the paper documents after use and not allow confidential reports to
fall into the hands of identity thieves. Other regulatory requirements that require written
computer security policies include the Health Insurance Portability and Accountability
Act (HIPAA), which covers healthcare providers in the US (Adamkiewicz).
International standards like ISO/IEC 17799 also guide the creation and
enforcement of policies that enhance cyber security for all types of businesses (ISO/IEC,
72
2005). While compliance with regulatory policies may increase the likelihood of written
security policies in a few key industries, it does not propagate to the rest of the small
businesses in the US (Adamkiewicz, 2005). Lack of a written security policy for the
majority of small businesses in the US hampers their overall state of preparedness and
ability to combat cybercrime (Gupta & Hammond, 2005).
Security Vendors and Resources Available to Small Business
Small businesses have access to several technology vendors who provide tools
and services to combat cybercrime (Day, 2003). The leading technology vendors that
target small and medium-sized businesses include Symantec (Symantec, 2007), McAfee
(McAfee, 2007) and Microsoft (Microsoft, 2007). Each vendor provides software for the
small business as shown in Figure 3 (FBI, 2005).
Antivirus software
98.2
Firewalls
90.7
Antispam software
76.2
Antispyware software
75
Limits on User Installations
52.8
Access Control Lists
48.9
Physical Security
47.8
Periodic Password Changes
46.9
VPNs
46.3
Complex Passwords
46.3
Encrypted Login
31.9
Encrypted Files (Transfer)
31.6
Website Content Filtering
24.5
Intrusion Prevention/Detection
23
22.2
Encrypted Files (Storage)

Smartcards
6.7
4.4
Biometrics
Other
2.3
20
40
60
80
100
Figure 3. Technologies Used by Businesses in the US (CSI/FBI, 2006).
120
73
However, security technology vendors usually provide tools and services that
enable detection of known viruses (Easttom, 2006; Szor, 2005). New or unknown viruses,
undetectable by a vendors software, can infect small businesses (Szor). Unknown
viruses, though rare, often exist for a short period before the security vendor updates its
software with new patches against them. According to Szor, because technology vendors
make their tools and services available, many small businesses are able to deploy
technology solutions that provide a basic level of cyber security.
Small businesses have numerous avenues for reporting incidents of cybercrime to
law enforcement authorities (Wall, 2005). A website to report internet crime, the Internet
Crime Complaint Center (IC3, 2006), is a collaboration between the US FBI and the
National White Collar Crime Center (NW3C, 2006). The IC3 often receives 25,000
reports of cybercrime incidents each month (State of small business security, 2006).
However, according to the 2005 FBI Computer Security Survey (FBI, 2005), the
vast majority of US businesses tend to not report incidents of cybercrime to the
authorities. The FBI survey found that only 9% of the victims of cybercrime reported the
incident to law enforcement. Nondisclosure of cybercrime by most businesses hampers
the overall effort by law enforcement authorities (Wall, 2005). According to Wall, by
analyzing trends and common patterns, law enforcement authorities can mount a
coordinated and systematic challenge to organized cyber criminals. Small business can
help combat the overall impact of cybercrime by promptly reporting incidents to the
appropriate authorities (Wall, FBI).
74
Gaps in the Literature
The existing literature on cybercrime and cyber security focuses on the needs of
large organizations that have thousands of employees, complex security needs, and large
computer systems (Adamkiewicz, 2005). The literature on leadership styles and
information security concerns within small businesses is very limited. The literature gap
may be due to the evolution of cybercrime, which initially targeted the computer systems
of large corporations and government organizations (Gupta & Hammond, 2005).
As the cyber security efforts of large organizations and the government have
expanded and improved, the trends of cybercrime have shifted to vulnerable targets like
small businesses (Wall, 2005). According to the Symantec Threat Report of 2005
(Symantec, 2007) cybercriminals increasingly focused on identity theft and fraud for
motives of financial gain. The shift in the orientation of cybercriminals over the past few
years may help to explain the present literature gap regarding the impact of cybercrime
on small businesses (Adamkiewicz, 2005; Gupta & Hammond, 2005).
Vendors like Microsoft, Symantec, and McAfee have dedicated websites and
content targeted towards small businesses (Easttom, 2006). Dedicated web sites suggests
a growing demand for security software and services from small businesses in the US and
around the world, especially for products and services to combat specific cybercrimes
like identity theft, data loss, and sabotage (Day, 2003; Szor, 2005). In addition to offering
security technologies, vendors like Symantec publish annual security threat reports.
Organizations like Ernst and Young conduct annual global surveys on the security needs
of business organizations (GISS, 2006). The CSI/FBI Report is another annual report
that covers all types of businesses in the US (CSI/FBI, 2006). While security studies are
75
comprehensive and detailed, they do not target the specific needs of small businesses
(Baker & Wallace, 2007; Gupta & Hammond, 2005).
The existing literature on small businesses provides checklists and guidelines for
the safe usage of email (Ray, 2006) and for remote backup and disaster recovery
procedures from recent natural disasters like Katrina (McCarthy, 2006). Gupta and
Hammond (2005) attempted to address the gap in the literature with their empirical study
of 1000 small businesses from the area of Lynchburg, Virginia. According to the
authors, small businesses display a lack of concern and often adopt ineffective
technology to address their security concerns; are not responsive to current trends in
cybercrime; and rely on outdated technology to solve all existing and future threats.
Small businesses do not conduct security assessments of their vulnerabilities and are
often complacent and reactive in their approach to cybercrime (Gupta & Hammond).
Another gap in the literature involves cybercrime that affects small and medium
business around the world (Adamkiewicz, 2005; Wall, 2005). According to Wall, many
European countries as well as Asian countries like Japan, China, Korea, and India are
rapidly introducing computers and information technology to small and medium
businesses. Because of globalization and e-commerce, small and medium businesses
from developing countries can target consumers in developed nations like the US (Wall).
Wall claimed that with the proliferation of global cybercrime, the same methods used by
cybercriminals against businesses in the US, potentially threaten businesses from all
across the world. Hassan et al. (2003) emphasized the importance of trust and confidence
when it comes to global e-commerce. According to Hassan et al., cybercrime targeted at
76
small businesses around the world can erode the level of trust and confidence that US
consumers have for global online businesses.
Given the lack of existing literature on leadership styles and information security
solutions for small businesses, several directions exist for future research. First, a national
survey of small businesses in the US could provide a comprehensive list of security
concerns and issues. Ongoing studies that analyze a national sample can gauge changes in
security concerns and issues and in the tactics and orientations of cybercriminals.
Second, global surveys that specifically target small and medium organizations
outside the US could provide insight into the common security and cybercrime concerns
faced by businesses worldwide. Finally, a strategic direction for research would be to
study the cost and feasibility of implementing new security mechanisms within small
businesses, the leadership styles necessary to implement security mechanisms, and the
real and perceived benefits achieved because of security actions. New directions in
research would expand the body of literature and provide small businesses with practical
and effective methods to combat cybercrime.
Conclusion
Small businesses, a critical component of the US economy, increasingly rely on
information technology and e-commerce (Baker & Wallace, 2007; Gupta & Hammond,
2005; Wall, 2005). As small businesses become more connected to the networked
society, they become more vulnerable to cybercriminals (Wall). Wall claimed many
small businesses are vulnerable to the latest exploits and tactics of cybercriminals. The
literature review confirms that the skills of many small business owners do not involve
information technology (Gupta & Hammond). According to Gupta and Hammond, a lack
77
of concern, reliance on ineffective leadership styles and outdated technology, a sense of
complacency during an absence of media news of virus attacks, and a lack of security
policies and procedures all create an environment that is conducive to cybercrime.
The existing literature on cybercrime focuses largely on the challenges and issues
faced by large corporations and government organizations (Adamkiewicz, 2005; Baker &
Wallace, 2007). The literature is limited on the issues and needs of small businesses
(Adamkiewicz). Adamkiewicz noted that the reasons for the gap in the literature might lie
in the evolution of cybercrime over the past decade.
As cybercrime has shifted from disruptive and malicious attacks on large
corporations and government organizations to actions motivated by financial greed, the
nature and target of attacks have changed (Gupta & Hammond, 2005; Wall, 2005). New
forms of cyber attacks include identity theft and cyber fraud, which target businesses of
all sizes (Gupta & Hammond). With their known vulnerabilities and lack of security
infrastructure, small businesses are easy targets for cyber criminals operating from all
over the globe (Wall).
Review of the literature revealed that as cybercrime has increased in the US and
cybercriminals have operated from countries outside the US, law enforcement authorities
like the US FBI have stepped up their efforts to combat cybercrime (CSI/FBI, 2006).
Small businesses now have the opportunity to report cybercrime incidents to a national
reporting agency which collects and analyzes them (IC3, 2006). Despite opportunities, a
US FBI survey (FBI, 2005) reveals that only 9% of small businesses report cybercrime
incidents to the authorities. Widespread failure to report hinders the ability of law
enforcement to analyze trends and detect patterns in cybercrime (Wall, 2005).
78
The literature review assisted the studys purpose of understanding why small
businesses do not adequately guard themselves against cybercrime. Preparation against
cybercrime involves more than the installation of basic technology solutions like antivirus software (Easttom, 2006). The use of effective leadership styles and the assessment
of vulnerabilities and infrastructure enable small businesses to be aware of their security
needs and requirements (Day, 2003). According to Day, adequate proactive measures like
the application of patches and anti-virus software prevent known viruses and worms from
infiltrating a small business.
Robust, ongoing intrusion detection can alert businesses to unusual patterns of
unauthorized access (Cavusoglu et al., 2005). Incident management, recovery, and
reporting allow small businesses to recover from security breaches and report incidents to
the appropriate law enforcement authorities (Wall, 2005). Effective security policies and
procedures allow small businesses to deploy safe computing practices, educate
employees about security, monitor employees, and former employees, and ensure the
physical safety of facilities and computers (Gupta & Hammond, 2005).
This study attempted to analyze the relationship between leadership styles and
level of concern for information security problems. While small businesses are aware of
cybercrime and its potential for damage, they often are complacent and rely on
ineffective technology (Gupta & Hammond, 2005). According to Gupta and Hammond,
small businesses need instead to defend themselves against cybercrime at multiple levels
of preparedness. This study benefits small businesses by contributing to the knowledge of
leadership styles, cybercrime, and security threats and by helping small business leaders
to prioritize their defenses against cybercrime.
79
Summary
The review of the literature covered the various styles of leadership and the
overall impact of cybercrime on small businesses in the US. This studys foundation was
the full range leadership model proposed by Bass and Avolio (2004). The model by Bass
and Avolio describes the transformational, transactional, and passive-avoidant leadership
styles. The literature review traced the historical evolution of leadership theories and
cybercrime through the past decade from early disruptive attacks on large corporations
and government institutions to current attacks like identity theft and online extortion
(Day, 2003; Easttom, 2006; Gupta & Hammond, 2005; Wall, 2005). The dependent
variables for this study included the level of concern for information security problems
for small businesses. The review examined 14 common information security problems.
Since the study focused on the influence of leadership styles upon information
security concerns within small businesses, the cost-benefit model proposed by Gordon
and Loeb (Gordon & Loeb, 2006a) was also important. The independent variable covered
by the literature review was leadership style, a term that includes the transformational,
transactional, and passive-avoidant styles. This study focused on the possible relationship
between leadership styles and level of concern for information security problems.
The literature review also provided guidance to researchers about directions for
future research, as the nature and incidence of cybercrime increases over the next decade.
The literature review concluded with a detailed examination of leadership styles,
information security concerns, and the gaps in the scholarly literature regarding
cybercrime and small businesses. The findings of the literature review supported the
studys research methodology and design, which are the focus of Chapter 3.
80
CHAPTER 3: METHOD
and trade associations in Hawaii. The second purpose of this study was to determine the
degree of a possible relationship between leadership styles and the level of concern
towards information security problems within small businesses. Chapter 2 presented
relevant studies on leadership styles and information security management. This chapter
explains the proposed studys research design, design appropriateness, population,
sampling, data collection procedures and rationale, internal and external validity, and data
analysis techniques. The findings of this research enlarge the limited body of current
knowledge regarding small business leadership styles and their impact upon information
security experiences and problems.
Research Design
This research study used a quantitative, descriptive, correlational methodology to
investigate a possible relationship between the particular leadership styles of small
business owners (independent variables) and the level of concern for information security
problems (dependent variables) within small businesses in Hawaii. The study defined a
small business as one with 500 or fewer employees, according to the United States
Small Business Administration (SBA, 2007). This study utilized the Multifactor
Leadership Questionnaire (MLQ) instrument (Bass & Avolio, 2004), to assess each
companys leadership style (independent variable) and the Small Business Security
81
Survey instrument (Ryan, 2000) to determine the level of concern for information
security problems within each small business (dependent variable).
For the first part of the research, a pilot study was conducted with 10 small
businesses who are members of the various chambers of commerce and trade associations
within Hawaii. The pilot study participants, randomly selected from the study population
were small business owners who fulfilled the eligibility criteria of the study population.
The randomly selected 10 businesses represented different industries, and had different
number of employees. Five businesses belonged to the Chamber of Commerce of Hawaii
and five businesses belonged to the Small Business Hawaii trade association.
Over two weeks, an online survey was distributed to all 10 participants through
email. The instructions in the email directed the participants to an online survey hosted
by Zoomerang (2007), a commercial provider of online surveys. The researcher followed
up any survey responses needing clarification with phone calls. The pilot study sought to
ensure that the participants clearly understood the survey questions; that the survey was
adequate for answering the research questions; and that the online survey was userfriendly enough for participants to complete it in 10 minutes.
The second part of the current research involved an online survey of 800 small
businesses who, as mentioned previously, are members of the various chambers of
commerce and trade associations within Hawaii. Businesses that belong to more than one
organization were included only once in the study population, in order to avoid
duplication. The online survey used two previously validated, reliable and broadly used
research survey instruments (Bass & Avolio, 2004; Ryan, 2000).
82
The third part of this study involved triangulation and the random selection of 10
small businesses from the list of valid respondents to the online survey. Interviews were
conducted with 10 businesses to help triangulate the results of the online survey and to
confirm or dispute the findings. Triangulation helped reduce the chances for systematic
error because triangulation provided a strategy for obtaining the same information
through different methods (Rubin & Babbie, 2005).
Research Questions
The following research questions guided this study and established the hypotheses
using quantitative data collection and analysis.
Research Question 1
Research Question 2
Research Question 3
Hypothesis
The research study employed three statistical hypotheses to measure the
relationship(s) among three independent variables (three leadership styles) and 14
dependent variables (information security problems). The H0 represented the null
83
hypothesis and Ha the alternative hypothesis. The following hypotheses were tested,
based on a quantitative research methodology, to answer the research questions.
Hypothesis 1
businesses.
businesses.
Hypothesis 2
Hypothesis 3
businesses.
businesses.
84
Appropriateness of Design
A quantitative, correlational, descriptive design was appropriate for this research
study. Leedy and Ormrod (2001) claimed that quantitative descriptive design involves
either identifying the characteristics of an observed phenomenon or exploring possible
correlations among two or more phenomena (p.191). The design accomplished the first
goal, which was to examine the relationship between transformational leadership styles
and the level of concern for information security problems within small businesses.
The design also accomplished the remaining study goals, which was to examine
the second relationship between transactional leadership styles and the level of concern
for information security problems. Finally, the design examined the third relationship
between passive-avoidant leadership styles and the level of concern for information
security problems. To ensure the validity of the data through triangulation, one-on-one
interviews were conducted with 10 small businesses randomly selected from those who
had already submitted valid and complete responses to the online survey.
According to Smith (1981), a descriptive research paradigm provides details
regarding the participants based on the examination of two or more study variables. The
correlational research method investigates the possible degree of a relationship between
independent and dependent variables (Smith). Previous studies on leadership styles (Bass
& Avolio, 2004) and information security experiences and problems (Ryan, 2000)
indicated that this study topic was researchable. The study employed close-ended
questions from validated and reliable instruments and focused on information security.
Figure 4 presents a map of the methodology and design that guided this study.
85
Map of Research Methodology and Design
Figure 4. Map of Research Methodology and Design
86
The selected research methodology and design was appropriate because the
primary objective of this study was to explore possible relationships between leadership
styles (independent variables) and the level of concern for information security problems
(dependent variables), within small businesses located in the state of Hawaii. To ensure
that the descriptive, non-experimental, correlational design was the most appropriate for
this study, the researcher evaluated other available research design approaches for their
appropriateness and feasibility. Since leadership styles and information security concerns
are internal perceptions of people within small businesses, and not subject to external
influences, it was not feasible to conduct true experiments under controlled conditions
(Creswell, 2003; Rubin & Babbie, 2005). Thus, experimental or quasi-experimental
quantitative studies were inappropriate for the study.
The objective of this study was not to establish causal relationships between the
independent and dependent variables (Rubin & Babbie, 2005). Therefore, a causalcomparative design was not appropriate for this study. While quantitative study design
describes and explains the relationships between variables, qualitative study design
explores and comprehends meaning from data collected from the field (Creswell, 2003).
Qualitative design, typically used to explore and understand a central phenomenon in the
development of a theory (Creswell), did not meet the primary objective of the study.
Qualitative methods like ethnographies, grounded theory, and case studies also did not
meet the primary objective of the study (Rubin & Babbie).
Population
According to Rubin and Babbie (2005), a study population is that aggregation of
elements from which the sample is actually selected (p. 252). The population for this
87
study comprised nearly 2825 small businesses located in Hawaii. This included small
business members of various chambers of commerce (CoCHawaii, 2007), and members
of various trade associations (SBH, 2007) in Hawaii. Businesses that belonged to more
than one organization were included once in the population of the survey, in order to
avoid duplicate selection.
The Chamber of Commerce of Hawaii, established in 1850, is the largest advocate
of small businesses in the state of Hawaii (CoCHawaii, 2007). Over 75% of its 1100
members, or 825 members, are small businesses and suitable for the study population.
The Small Business Hawaii trade association, another prominent advocate within the
state for small businesses, contains a membership of 2000 small businesses (SBH, 2007).
As mentioned previously, the population of this study consisted only of small
businesses, defined as those with 500 or fewer employees. The small business members
of the Chamber of Commerce of Hawaii and the Small Business Hawaii trade association
fall into more than 25 categories of industries. Members include but are not limited to
attorneys, construction companies, realtors, automobile dealers, doctors, dentists, hotels,
restaurants, travel agents, and wholesaler merchants. The diversity of industries is
representative of small businesses located in the state of Hawaii (CoCHawaii, 2007).
Sampling Frame
According to Rubin and Babbie (2005) a sampling frame is the list of quasi-list
of elements from which a sample is selected (p. 261). A sampling frame must be
consonant with the study population. Properly drawn samples describe the characteristics
of the population that are present in the sampling frame (Rubin & Babbie). The sampling
frame for this study included small businesses, those with 500 or fewer employees. Using
88
systematic sampling techniques, 800 small businesses were selected from the study
population of nearly 2825 small businesses.
According to Gay and Airasian (2000), if a normal distribution and the
availability of more than 30 samples are assumed, the sample size can be derived from
the study population based on the margin of error and the confidence level. Assuming a
margin of sampling error of 8%, a confidence level of 95%, and a conservative response
proportion of 50%, the minimum sample size for a sampling frame of 800 small
businesses, is a sample of 120 small businesses (Gay & Airasian).
Based on the selected sample size, Pass Power Analysis and Sample Size (PASS)
2005 software was used to conduct statistical power analysis and determine the
probability of avoiding Type II errors (Rubin & Babbie, 2005). Assuming a significance
level of .05 and a medium effect size with r2 = 0.09, the power of the test of significance
of correlation for sample size of 122 is 0.90. The result indicates that the probability of
committing a Type II error will be very small at 0.01 (1 - .99) for samples larger than 200
and small at 0.10 (1 - .90) for a sample size of 122, assuming a medium effect size with r2
= 0.09 and at .05 significance level (Rubin & Babbie).
Informed Consent, Confidentiality, and Geographic Location
The voluntary enlistment of small businesses into the research study required the
generation and the electronic distribution of an informed consent form (see Appendix A).
The informed consent form explained the studys purpose, nature, participant
involvement, structure, and confidentiality. After their selection through systematic
sampling, participants acknowledged their consent by electronically submitting the online
survey. Participants were able to decline to participation in the survey by simply ignoring
89
the online electronic communication or closing the online survey form at any stage in the
survey process. The online survey process was aligned with the requirements of the
quantitative research methodology.
The identity of the participants remained confidential and the data collected from
the online survey did not contain any identifying information regarding the participants or
the small business. The researcher received a certification of completion regarding the
human subjects training. The researcher adhered to the ethical guidelines regarding data
collection and analysis throughout the various stages of the research project (see
Appendix E). The geographic area of the research study was limited to small businesses
located in the state of Hawaii, who are members of various chambers of commerce and
trade organizations.
Instruments
The theoretical framework of the research study was based on the full range
leadership model developed by Bass and Avolio (2004). The research study used the
MLQ instrument (see Section 1 of Appendix B). Responses presented on a Likert scale
measured three leadership styles (defined in this study as independent variables) of small
business owners (Bass & Avolio, 2004). As mentioned in Table 4, independent variables
were the transformational, transactional, and passive-avoidant leadership styles.
The MLQ questionnaire contained 45 questions total. The initial 36 questions
measured the three leadership styles; the final nine questions measured three different
behavioral outcomes. All 36 leadership style questions in this studys online survey had
exactly the same wording as the initial 36 items in the original MLQ questionnaire. The
90
online survey excluded the final nine questions from the MLQ survey, as they did not
meet the objectives of the study.
The level of concern for information security problems (defined in this research as
dependent variables) were examined using the Small Business Security Survey (Ryan,
2000). All questions on information security in the online survey had exactly the same
wording as the questions in Small Business Security Survey (see Section 2 of Appendix
B). The Small Business Security Survey used a Likert scale to measure the level of
concern for 14 information security problems, or dependent variables in the research
study, which are common to small businesses (see Table 1).
Other leadership instruments that were considered for this research study included
the Leadership Practices Inventory (LPI) (Kouzes, 2002) and the Transformational
Leadership Behavior Inventory (TLBI) (Podsakoff, Mackenzie, & Bommer, 1996).
Unlike the MLQ instrument, both the LPI and the TBLI instrument measure either
transformational or transactional leadership but not both. The LPI and TBLI instruments
do not measure passive-avoidant and laissez-faire leadership styles, which are critical to
the study.
Reputable researchers and authors have developed the LPI and TBLI, but the two
instruments did not meet the objectives of this study and did not support the three
research questions. An alternative instrument for information security concerns was an
adaptation of the Small Business Security Survey by Adamkiewicz (2005). However, the
adapted survey focused on productivity within a small business, and did not support the
objectives of this study. Table 6 shows the three independent and 14 dependent variables,
the three related research questions and the associated questions from the instruments.
91
Table 6
Variables, Research Questions, and Survey Items
92
Data Collection
The process of data collection from research participants contained three parts.
The first part was a pilot study conducted with 10 small businesses, who were members
of the various chamber of commerce and trade organizations in Hawaii. The participants
for the pilot study were small business owners who fulfilled the eligibility criteria of the
study population. The pilot study, conducted over a two-week period, involved the
distribution of the online survey to all 10 participants.
There was a follow-up phone call for any participants who needed clarification.
The objective of the pilot study was to ensure that the participants clearly understood the
questions in the survey and that the survey was adequate to answer the research
questions. Another goal of the pilot study was to ensure that the online survey was userfriendly enough for the participants to complete it in 10 minutes.
The second part of the data collection process involved compiling the small
business membership lists from the various chambers of commerce and trade associations
in Hawaii. Given that 75% of the 1100 members of the Chamber of Commerce of Hawaii
are small businesses, 825 members would qualify. In addition, 2000 members of other
chambers of commerce and trade associations such as the Small Business Hawaii trade
association would constitute the total study population of nearly 2825 small businesses.
According to Rubin and Babbie (2005), in systematic sampling, every kth
element in the total list is chosen (systematically) for inclusion in the sample (p. 266).
Using systematic sampling techniques, 800 members were systematically selected from
the study population of 2825 small businesses to form the studys sampling frame. An
email message containing instructions and a link to an online survey was sent to each of
93
800 small businesses that were eligible for this study. The actual response rate was 17%
(137 responses); and 15% of responses (122 responses) were valid and complete.
The online survey (see Appendix B) included the MLQ instrument (Bass &
Avolio, 2004) and the Small Business Security Survey (Ryan, 2000). Online survey tools
from Zoomerang (2007) were used to create and distribute the survey. Online
distributions of the survey were the primary method for communicating with potential
participants. Sending the survey by first class mail and fax distribution were considered
as secondary means of reaching study participants who did not have a valid email address
or could not respond to the online survey.
Potential participants received an informed consent form with instructions (see
Appendix A) and a link to the web-based, online survey instrument (see Appendix B) via
electronic mail. The study maintained strict confidentiality of participant information.
Participation in the study was voluntary. Small businesses were able to decide not to
participate by simply by ignoring the email or closing the online survey form. The
estimated time to complete the online survey was 10 minutes.
Instructions to the participants included guidance on providing honest responses
and returning the completed survey to the online survey provider. A web server and a
researcher-owned hard drive stored the responses collected from the online survey. The
study lasted approximately two months. At the end of the two-month period, a reminder
was sent to participants who have not yet responded. As mentioned previously, an
estimated 122 responses were received and constituted a statistically valid sample.
The third part of the study involved more in-depth interviews with a randomly
selected group of 10 small businesses who had already provided valid responses to the
94
online survey. Post-survey interviews, that lasted 30 minutes each, were conducted over
the telephone. The data was exported to SPSS version 16.0 for Windows software to
perform descriptive statistical, correlation, and multiple regression analyses. Correlation
and multiple regression analyses, according to Creswell (2003), provided information
necessary to answer the research questions and related hypotheses.
Data Analysis
The study used descriptive analysis, frequency analysis and hypothesis testing,
correlational analysis and multiple regression analysis to examine the relationships
between the independent and dependent variables. The online survey data was transferred
from Zoomerang (2007), the commercial survey provider, to the researchers hard disk
for analysis. The study survey generated interval data for the independent variable of
leadership styles and the dependent variables of concern level for information security
problems. Since the sample data was assumed to come from a normal distribution,
parametric tests were performed for correlation and regression analysis. Non-parametric
tests were used for intervening variables that involved nominal data.
Descriptive Statistics and Chi-Square Tests
According to Rubin and Babbie (2005), descriptive statistics is a method for
presenting quantitative descriptions in a manageable format (p. 572). Such techniques as
frequency distributions, measures of central tendency, and the measures of variability
facilitate data summarization. Non-parametric Chi-Square analysis compared interval
independent variables with nominal intervening variables (Rubin & Babbie).
Cramers V tests are used to test the relationship between two variables that are
both nominal scales (Rubin & Babbie, 2005). Eta tests are relevant when the independent
95
variable is nominal and the dependent variable is interval. The F-test calculates the
likelihood that two variances are statistically significant based on the results from the
survey (Rubin & Babbie). The Cramers V tests, Eta tests and F-test were not required for
this study. Descriptive data analysis for this study was performed using SPSS v16.
Pearsons Correlation and Multiple Regression Analysis
To answer the three research questions, correlation analysis and multiple
regression analysis were used to examine the relationship between leadership styles and
the level of concern for information security problems. The scores for the three
independent variables were computed by calculating the average score for each variable
based on responses from the survey. A low score on an independent variable implied a
self-evaluation by a leader of low rating of a specific leadership style. A high score on an
independent variable implied a high rating of that specific leadership style. Likewise, a
low score on any of the 14 dependent variables implied a low level of concern for an
information security problem, and a high score on any dependent variable implied a high
level of concern.
Rubin and Babbie (2005) stated that the Pearson product-moment correlation, or
(r), can be used when both independent and dependent variables are at the interval level
of measurement (p. 627). The strength of the relationship between the independent and
dependent variables is measured by the correlation coefficient r, with numbers close to
+1 or -1 as indicators of strong correlation (Rubin & Babbie). A parametric test like
Pearsons product-moment correlation was used in this study. A correlation coefficient r
that was within 0.196 to < 0.5 signified mild correlation, r-values between 0.5 and < 0.7
96
signified moderate correlation, and r-values above 0.7 signified strong correlation. All
correlation analysis was performed using SPSS v16 software.
According to Rubin and Babbie (2005), multiple regression analysis shows the
overall correlation between each set of independent variables and an interval-level
dependent variable (p. 627). Multiple regression analysis also computes the standardized
regression coefficient or beta weight, for each predictor variable or leadership style
(Rubin & Babbie). The higher the beta weight, the greater the effects of the predictor
variable on the criterion or dependent variable, assuming other predictor variables are
under control. Regression analysis helps determine the significance of the relationship
each independent variable has with the dependent variable, when the other independent
variables are under control (Rubin & Babbie). A parametric test such as multiple
regression analysis was used in this study.
Stepwise multivariate linear regression was used for each of the 14 dependent
variables (the information security problems) to identify the combined effect of the
independent predictors (transformational leadership, transactional leadership and passiveavoidant leadership). According to Pearson (1938) the regression equation is y = 1x1 +
2x2
+ 3x3 + + e, where y represents the dependent variable, or alpha represents the
intercept of the line, or beta represents the regression coefficient or the slope for each
independent variable, and x represents the independent variables and e the error term.
Validity and Reliability
The study involved two published, peer-reviewed, reliable, and valid instruments,
used in several research studies over the past seven years. All 36 leadership questions in
this studys online survey had exactly the same wording as the 36 questions in the
97
original MLQ questionnaire. The online survey excluded the final nine questions from
the MLQ survey, as they did not meet the objectives of the study. All questions on
information security in the online survey had the exact wording as the questions in Small
Business Security Survey (Ryan, 2000) and no question was excluded. The validity and
reliability of the two survey instruments, MLQ and Small Business Security
Questionnaire, was supported through various applications across various disciplines
(Bass & Avolio, 2004), application in a dissertation project (Ryan, 2000) and a
subsequent study reported in a peer-reviewed journal (Gupta & Hammond, 2005).
Internal Validity
Leedy and Ormrod (2001) stated that the internal validity of an instrument is the
extent to which its design and the data it yields allow the research to draw an accurate
conclusion about relationships within the data (p. 103). The MLQ has been used by a
variety of researchers from multiple disciplines to examine leadership styles and
leadership behavior outcomes (Bass & Avolio, 2004). Based on criticisms of earlier
versions of the MLQ, Bass and Avolio created the latest version, the MLQ 5X, based on
14 samples to validate and cross-validate the instrument. The creation of the MLQ 5X
used a normative data set, and generalized results from data collected from 3,786
respondents across 14 independent samples (Bass & Avolio).
Based on the history of the MLQ, comparisons of nine models representing
different structures of the MLQ determined the best fit for the MLQ. Bass and Avolio
(2004) conducted extensive confirmatory factor analysis to analyze five factors under
transformational leadership, two factors under transactional leadership, and two factors
under passive-avoidant leadership. Results indicated that the best fit for the MLQ was the
98
nine-factor model, regardless of the rater source and the geographic location of the
participant (Bass & Avolio). Bass and Avolio report a Goodness of Fit index of 0.93 for
the MLQ Leader instrument.
The internal validity of the Small Business Security Questionnaire (Ryan, 2000)
was confirmed during the dissertation project of the author. In addition, in their
published, peer-reviewed study, Gupta and Hammond (2005) confirmed that the Small
Business Security instrument met their requirements for construct and criterion validity.
Both instruments met the standards for internal validity for the study.
External Validity
Leedy and Ormrod (2001) stated that external validity of a research study is the
extent to which its results apply to situations beyond the study itself (p. 105). Bass and
Avolio (2004) have developed the MLQ instrument over the past 25 years with a variety
of studies in the military, government, educational, manufacturing, high technology,
church, correctional, hospital, and volunteer organizations (p. 12). Various forms of the
MLQ, used in over 30 countries and at all managerial levels of Fortune 500 and 1000
firms, confirm the validity of the instrument. Reliability coefficients computed from a
sample size of 2,080 from nine separate studies also confirm external validity. The
samples were diverse and included the military, four businesses, a nursing organization,
and a government agency.
Ryan (2000) used the Small Business Security Questionnaire in a doctoral
dissertation study. The validity of the original questionnaire was demonstrated when it
was adapted for a subsequent dissertation project (Adamkiewicz, 2005) and an empirical
study of 1000 small businesses in the Lynchburg, Virginia area, as reported in a peer-
99
reviewed journal (Gupta & Hammond, 2005). Gupta and Hammond confirmed that the
instrument met their requirements for construct and criterion validity.
Reliability Analysis
The authors of both instruments confirm their reliability based on empirical
studies. The MLQ has been tested for reliability by Bass and Avolio (2004). They
reported reliabilities for each of the six leadership factor scales ranged from .63 to .92 in
the initial sample set, and .64 to .92 in the replication set (p. 61). Bass and Avolio noted
that the internal consistency rating, using Cronbachs coefficient alpha, was above 0.70
for each of the scales except for active management-by-exception. Gupta and Hammond
(2005) reported that their tests on the reliability of the Small Business Security
Questionnaire resulted in Cronbach coefficient alpha values that ranges from 0.64 to
0.785. Alpha values indicate that both instruments are reliable.
Creswell (2003) noted that triangulation provides the opportunities to use
different data sources of information by examining evidence from the sources and using
it to build a coherent justification for themes (p. 196). The first set of data for the
research study was obtained from the results of the online survey of 800 members of
various chambers of commerce and trade organizations in Hawaii. The subsequent phone
interviews conducted with 10 small businesses provided the second set of data for
triangulation purposes.
Summary
Chapter 3 presented the research design methodology for conducting this
quantitative, descriptive, correlational research study of leadership styles and the level of
concern for information security problems within small businesses in Hawaii. This study
100
utilized the Multifactor Leadership Questionnaire (MLQ) instrument (Bass & Avolio,
2004), to assess each companys leadership style (independent variable) and the Small
Business Security Survey instrument (Ryan, 2000) to determine the level of concern for
information security problems within each small business (dependent variable).
The population for this study comprised nearly 2825 small businesses located in
Hawaii. This includes small business members of the Chamber of Commerce of Hawaii,
located in Honolulu, Hawaii (CoCHawaii, 2007), and members of other chambers of
commerce and trade associations such as Small Business Hawaii (SBH, 2007). For the
first part of the research, a pilot study was conducted with 10 small businesses. The
second part involved an online survey of 800 small businesses, systematically selected
from a study population. After the online survey, the study triangulated data by
conducting interviews with 10 small businesses who had responded to the online survey.
This chapter explained the details of the research method, research design, and
appropriateness of design, validity, and reliability of instruments, research questions,
variables, and population of the study.
Creswell (2003) and Rubin and Babbie (2005) noted the importance for
researchers to identify threats to internal and external validity of the study and
instruments. The methodology and design of this study identified threats to validity.
Other researchers may use this studys findings to conduct additional studies regarding
the impact of leadership styles on information security concerns with small businesses.
Small businesses might be located outside the state of Hawaii or outside the United
States. Chapter 4 will present a detailed discussion of the findings and data analysis,
based on the data collected from the survey administration and conduct of the interviews.
101
CHAPTER 4: RESULTS
The first purpose of this research study was to investigate leadership styles and
assess the level of concern towards information security problems within small
businesses that belong to various chambers of commerce or trade associations within the
state of Hawaii. The second purpose of this study was to determine the degree of a
possible relationship between leadership styles and the level of concern towards
information security problems within these small businesses.
This research study used the Multifactor Leadership Questionnaire (MLQ) and a
security questionnaire to collect data from small businesses in Hawaii. The small
businesses who responded to the online survey were members of various chambers of
commerce and trade associations within the state of Hawaii. Descriptive statistics,
correlation analysis and multiple regression analysis were used to process the data.
Relationships between leadership styles and information security concern were measured
through descriptive and inferential statistics, such as descriptive and frequency
distribution, bivariate correlation, and stepwise multiple regression analyses.
The purpose of Chapter 4 is to collect, measure, and present the research study
findings using statistical procedures relative to the research design and methodology
presented in Chapter 3. The data findings are discussed in three sections. The first section
presents the data collection procedures and a reliability analysis of the survey
instruments; the second, descriptive analysis and Chi-Square analysis of the intervening,
dependent and independent variables; and the third, an inferential statistical analysis of
the survey results to answer the three research questions and hypothesis. Chapter 4
concludes with a summary of these research findings.
102
Study Process
Sample Participants
The participants for the study included several small businesses who are members
of various chambers of commerce and trade associations in Hawaii. A list of 2825
potential participants was compiled from public lists available from these chambers of
commerce and trade associations. Participants were also recruited from emails sent out by
sponsors and coordinators of trade organizations; website listings in trade organizations;
monthly newsletters; and other marketing information regarding the survey. Systematic
random sampling techniques were used to select 800 survey recipients from this list of
potential participants.
The primary tool for communicating with potential participants and administering
the survey was a website hosted by Zoomerang (2007). Zoomerang provided capabilities
to manage a list of survey contacts, track responses from each contact, and send
reminders if needed. Most survey respondents clicked on an online survey link from
Zoomerang to initiate their response to the survey. Sending the survey by first class mail
and fax were designated the secondary means for reaching additional participants.
Sample participants were small business owners or leaders whose companies
comprised of 500 or less employees and were located within the state of Hawaii. No more
than two participants from each small business were allowed to respond to the online
survey. Sample participants for the pilot study included 10 small businesses that fit the
profile for the study population. Participants for the post-survey interviews included 10
small businesses who had earlier responded to the online survey.
103
Survey Development
The online survey for the research study was created through Zoomerang software
(2007) based on the survey instruments listed in Appendix B. The first page of the online
survey contained the Informed Consent document displayed in Appendix A. Respondents
reviewed the Informed Consent page and provided affirmative consent to participation.
The first two pages of the online questions contained 36 questions regarding
leadership styles. These questions were entirely based on the questions in the Multifactor
Leadership Questionnaire (MLQ) displayed in Appendix B, Section 1. The last nine
questions in the MLQ questionnaire were not included in the online survey, as they did
not fall within the scope of the research goals for this study. The individual raw scores for
each of the 36 leadership questions were coded 1 through 5. The restrictions of the
Zoomerang system did not allow coding the raw scores on a scale of 0 through 4.
The third page of questions contained eight business questions from the security
questionnaire displayed in Appendix B, Section 2. The survey required mandatory
responses for Business Area, Number of Employees, Annual Revenue and Number of
Computers. In addition, the third page of questions contained a list of checkboxes to
assess computer connectivity and computer usage within the participants small business.
The fourth page contained a list of checkboxes for policies, procedures, and
technologies employed by the business. Another question, coded on a Likert scale from 1
to 5 (1 = Not Important, 3 = Moderate, 5 = Extremely Important), rated the importance of
various types of data. The final page five recorded information security experiences and
contained mandatory questions to rate the level of security concern, coded on a Likert
scale from 1 to 5 (1 = Not Concerned, 3 = Moderate, 5 = Extremely Concerned).
104
Pilot Testing
A pilot study was conducted to evaluate whether that the validity and reliability of
the online survey in Zoomerang (2007) were comparable to those of the original
instruments listed in Appendix B. 10 small businesses within the sample population
participated in the pilot study. All 10 businesses received a link to the online survey from
Zoomerang and responded to the online survey with suggestions, feedback, and opinions.
The pilot testers responded positively to the online survey and confirmed that: (a)
they understood the informed consent, and survey questions; (b) the statements were
precise, unambiguous, and consistent; (c) the elements were relevant and adequate in
addressing the studys three research questions; and (d) the instructions and page layouts
were clear and user-friendly. Table 7 displays the structure of the online survey.
Table 7
Structure of Online Survey
Page Variables Measured and Levels of Measurement
1
Leadership Q1-18 from MLQ (Interval Scale 1-5) Independent Variables
Leadership Q19-36 from MLQ (Interval Scale 1-5) Independent Variables
Business Area (Nominal); # Employees (Ordinal), Revenue (Ordinal), and #

Computers (Ordinal); Connectivity and Usage (Nominal) Intervening Variables
Security Policies (Nominal), Technologies (Nominal), Data Importance

(Mandatory, Interval Scale 1-5) Other Security Variables
Security Experiences (Nominal) Other Security Variables; Security Concerns for

14 issues (Mandatory, Interval Scale 1-5) Dependent Variables
105
Data Collection
A total of 800 emails were sent to various chambers of commerce, trade
associations, and small businesses during the months of November and December 2007.
Several trade organizations publicized the survey in their monthly newsletters and
published the link to the online survey hosted by Zoomerang (2007). Based on the survey
emails, 122 complete and valid responses (N=122) were received by Zoomerang. A total
of 15 partial responses were discarded from subsequent data analysis.
Since the data collection process involved sending emails to small businesses
unknown to the researcher and unaware of the study, many recipients filtered these
recruitment messages as spam. Several potential participants responded by asking
questions and clarifications about the study to the researcher. A higher response rate was
obtained when the survey email was forwarded by a sponsor from a chamber of
commerce or a local trade organization. Reminders to potential respondents were sent
four weeks after the initial email. This reminder email resulted in additional responses
from businesses.
The responses from survey participants were recorded in the Zoomerang database.
Periodically, the researcher downloaded the survey data from Zoomerang into a local
hard disk. The researcher did not download identifying information about the respondent
or the small business. Each response downloaded from Zoomerang included a Session ID
and Response date that uniquely identified each survey response. The download data was
stored in a comma-separated file and transformed into an Excel 2007 spreadsheet. The
Excel spreadsheet was imported into SPSS v16 (2008) for data analysis.
106
Post-survey Interviews
Interviews were conducted with 10 randomly selected, small business owners in
January 2008, after the completion of the survey data collection phase. Qualitative
interview data was used to triangulate findings and to provide another source to confirm
or dispute the quantitative findings from the online survey (Creswell, 2003). The goal of
the interviews was to gain a different perspective from small businesses regarding their
understanding of computer security policies and procedures, security concerns and
leadership styles.
The 10 interviewees were randomly selected from the participants of the online
survey. The interviews were conducted by telephone, with subsequent email discussions
for questions and clarifications. The interviews lasted from 20 to 30 minutes, based on
each interviewees availability and schedule. During the course of the interview seven
questions were asked, as described in Table 8 below.
Table 8
Post-Survey Interview Questions
Question
Description
What leadership styles are most important to you and your business? Why?
Which leadership style best influences your ability to mitigate cybercrime?
What security concerns do you find most threatening to small businesses?
What security processes/procedures do you employ to mitigate cybercrime?
What technologies do you use, or plan to deploy, to combat cybercrime?
What business data do you consider most important for your small business?
Describe one cyber security experience or incident during the past 12 months.
107
Reliability Analysis
The MLQ has been tested for reliability by Bass and Avolio (2004). Bass and
Avolio noted that the internal consistency rating, using Cronbachs coefficient alpha, was
above 0.70 for each of the scales except for active management-by-exception. Gupta and
Hammond (2005) reported that their tests on the reliability of the Small Business Security
Questionnaire (Ryan, 2000) resulted in Cronbach coefficient alpha values that ranged
from 0.64 to 0.785. This study combined the 36 leadership questions from the MLQ and
security questions for an 88 numeric item survey. Appendix F displays the reliability
coefficients for internal consistency, with an acceptable Cronbachs alpha of 0.93.
Post-hoc Confirmatory Factor Analysis
Post-hoc confirmatory factor analysis (CFA) was conducted to determine the
Pearsons product-moment correlation among the nine factors of leadership. The results,
presented in Appendix L, indicated high, positive correlations among the five
transformational leadership factors, which was consistent with the results from the MLQ
(Bass & Avolio, 2004). The transactional factor of contingent reward (CR) also displayed
a high, positive correlation with each of the five transformational factors.
The results of the post-hoc CFA indicated that two particular leadership styles are
associated with concern for security. One style involved all five transformational
leadership factors, and the transactional leadership of Contingent Reward. Another style
involved the passive-avoidance leadership factors of MBEP and LF, and a moderate
correlation with MBEA. These results supported the findings in the study that augmented
a transformational leadership style with elements of transactional leadership (CR). The
108
results of the post-hoc CFA also supported a passive-avoidance leadership style, with
leadership factors that involved MBEP and LF.
Non-Response Bias Analysis
Independent t-tests were used to determine whether statistically significant
differences existed between the mean responses of early and late respondents. An
assumption was made that late respondents were similar to non-respondents (Armstrong
& Overton, 1977). The sub-samples were comprised of the first 30 respondents (first
quartile) and the last 30 respondents (fourth quartile). The results of the independent ttests, presented in Appendix M, indicated no significant difference in the mean responses
of the two sub-samples. These results suggested no statistically significant differences
between those who responded to the survey and those who declined to respond to the
survey.
Descriptive Statistical Analysis
Descriptive statistical analysis was used to provide statistical measures of central
tendency (mean, median, mode), measures of variability (range, variance and standard
deviation), as well as graphs (histograms), skewness, frequencies and percentages. The
first objective of the descriptive analysis phase was to store the downloaded raw data
from Zoomerang into an Excel 2007 spreadsheet and compute the aggregated MLQ
leadership scores for the three leadership styles.
Given that the raw scores for the MLQ leadership questions were recorded on a
Likert scale from 1 to 5, the results had to be modified to a revised scale from 0 to 4. The
second objective of the descriptive analysis phase was to compute the frequencies for the
109
intervening variables. The final objective of the descriptive analysis phase was to transfer
the Excel 2007 data into SPSS v16 (2008) and compute detailed descriptive statistics.
Independent Variables
The three independent variables and nine factors are shown below in Table 9.
Table 9
Independent Variables: Three Leadership Styles
Leadership styles Factors
Measurement Level
Transformational Idealized Influence Attributes (IIA)
Interval scale
Idealized Influence Behavior (IIB)

Inspirational Motivation (IM)
Intellectual Stimulation (IS)
Individual Consideration (IC)
Transactional
Contingent Reward (CR)
Interval scale
Management-by-Exception Active (MBEA)

Passive-avoidant
Management-by-Exception Passive (MBEP) Interval scale

Laissez-Faire (LF)
Table 10 below presents descriptive statistics for the three leadership styles. The
results are sorted in descending order of the mean score, and measured in an interval
scale from 0 (Not at all) to 4 (Frequently, if not always). The highest mean and median
scores indicated that that transformational leadership style was the most prevalent
leadership style among small businesses who responded to the study, followed by
transactional and passive-avoidance leadership styles.
110
The variance of scores is lowest for the transactional leadership style. The range
of scores differs by leadership style, with passive-avoidance leadership style recording
the largest range in scores.
Table 10
Descriptive Statistics of Independent Variables
Transformational Transactional Passive-Avoidance
Leadership
Leadership
Leadership
N
Valid
122.00
122.00
122.00
Missing
0.00
0.00
0.00
Mean
2.96
2.47
0.89
Median
3.00
2.44
0.75
Mode
3.00
2.75
0.00
Std. Deviation
0.56
0.50
0.77
Skewness
-0.17
0.01
0.78
Std. Error of Skewness (SES)
0.22
0.22
0.22
Fishers Skewness Coefficient
-0.77
0.05
3.55
Range
2.50
2.58
3.00
Minimum
1.50
1.16
0.00
Maximum
4.00
3.75
3.00
Triola (2004) and Abu-Bader (2006) describe skewness and standard deviation as
measures of dispersions from the mean scores. According to Abu-Bader, the value of the
Fishers skewness coefficient (skewness divided by SES) must be within the range of 1.96 and +1.96 for the distribution to approach a normal curve. The following histograms
(see Figure 5, 6, and 7) illustrate the distributions of the independent variables.
Figure 5 and 6 depict a normal curve for transformational and transactional
leadership with a Fishers skewness coefficient of -0.77 (transformational) and 0.05
(transactional). Both coefficients are less than 1.96 and indicate a distribution that
111
approaches a normal curve. However, Figure 7 depicts a positively skewed distribution
for passive-avoidance leadership with Fishers skewness coefficient of 3.55.
Figure 5. Histogram of Transformational Leadership Styles
Figure 6. Histogram of Transactional Leadership Styles
112
Figure 7. Histogram of Passive-Avoidance Leadership Styles

The positive skewness of the passive-avoidance leadership style (see Figure 7),
along with a mean score of 0.89 and median score of 0.75 (see Table 12), indicates that
most survey respondents did not characterize their leadership style as containing elements
of passive-avoidance leadership styles. Table 11 below presents the descriptive statistics
of factors that are contained with each leadership style. A description of each factor is
provided in the Literature Review in Chapter 2.
Transformational leadership style contains five factors, with Idealized Influence
Attributes and Individual Consideration being the most prevalent among survey
respondents, having the highest mean, and median score. Among the two factors that
comprise transactional leadership, the high mean score was recorded for the Contingent
Reward factor. Among the two factors that constitute passive-avoidance leadership, the
113
Laissez-Faire factor was the least common factor with a high degree of positive skewness
coefficient of 3.55.
The distribution for every factor, except for Laissez-Faire, approaches a normal
curve. The range of interval values for each factor scaled from 0 (Not at all) to 4
(Frequently, if not always). Across all nine leadership factors, the top five mean scores
were recorded for Idealized Influence Attributes (IIA), Individual Consideration (IC),
Contingent Reward (CR), Idealized Influence Behavior (IIB) and Inspirational
Motivation (IM).
Table 11
Descriptive Statistics of Factors within each Leadership Style
Valid N
(Missing)
IIAa
IIBa
IMa
ISa
ICa
CRb
MBEAb
MBEPc
LFc
122 (0)
122 (0)
122 (0)
122 (0)
122 (0)
121 (1)
122 (0)
122 (0)
122 (0)
Mean Median Mode
Std.
Dev.
Skewness
Std.
Error of
Skewness
3.06
2.93
2.92
2.82
3.06
2.96
1.98
1.42
0.89
0.64
0.69
0.75
0.75
0.60
0.66
0.86
0.73
0.77
-0.30
-0.43
-0.31
-0.42
-0.20
-0.43
0.09
0.30
0.78
0.22
0.22
0.22
0.22
0.22
0.22
0.22
0.22
0.22
3.00
3.00
3.00
3.00
3.00
3.00
2.00
1.25
0.75
3.25
3.00
3.00
3.00
2.75
3.00
2.00
1.25
0.00
Min. Max.
1.50
1.25
1.00
0.50
1.25
0.75
0.00
0.00
0.00
4.00
4.00
4.00
4.00
4.00
4.00
4.00
3.00
3.00
Note: aTransformational Leadership Factors: IIA, IIB, IM, IS and IC. bTransactional Leadership
Factors: CR and MBEA. cPassive-Avoidance Leadership Factors: MBEP and LF.
Dependent Variables
Table 12 below presents the 14 dependent variables which are based on the Small
Business Security Questionnaire (Ryan, 2000). The variables are measured on an interval
scale from 0 (not concerned) to 5 (extremely concerned). Based on the mean scores, the
top five concerns included viruses, data availability, data integrity, software problems and
114
power failure. Viruses and data availability were the most common concerns based on the
mode score, and negatively skewed with coefficient of -2.4. Fraud and insider access
abuse were the lowest rated concerns, with positively skewed data for insider access
abuse.
Table 12
Descriptive Statistics of 14 Dependent Variables
Valid
N = 122,
Missing = 0
Mean Median Mode
Std. Skewness
Dev.
Std.
Error of
Skewness
-0.53
0.22
-0.54
0.22
Viruses
3.70
4.00 5.00 1.11
Data
3.42
4.00 4.00 1.37
Availability
Data Integrity
3.25
3.00 4.00 1.30
-0.33
Software
3.25
3.00 3.00 1.15
-0.30
Problems
Power Failure
3.20
3.00 3.00 1.19
-0.08
Data Secrecy
3.16
3.00 5.00 1.47
-0.16
Transaction
3.10
3.00 3.00 1.39
-0.12
Integrity
User Errors
3.04
3.00 3.00 1.15
0.02
Data Theft
3.03
3.00 3.00 1.43
0.00
Outsider
2.98
3.00 3.00a 1.35
0.00
Access Abuse
Natural
2.84
3.00 3.00 1.22
0.21
Disaster
Data Sabotage
2.82
3.00 1.00 1.43
0.22
Fraud
2.80
3.00 3.00 1.40
0.17
Insider Access
2.29
2.00 1.00 1.31
0.62
Abuse
Note: aMultiple modes exist. The smallest value is shown.
Min. Max.
1.00
1.00
5.00
5.00
0.22
0.22
1.00
1.00
5.00
5.00
0.22
0.22
0.22
1.00
1.00
1.00
5.00
5.00
5.00
0.22
0.22
0.22
1.00
1.00
1.00
5.00
5.00
5.00
0.22
1.00
5.00
0.22
0.22
0.22
1.00
1.00
1.00
5.00
5.00
5.00
The five intervening variables for the research study, based on the Small Business
Security Questionnaire (Ryan, 2000) are shown below in Table 13.
115
Table 13
Variable name
Levels of Measurement
Business area
Categorical variable, mutually exclusive, nominal
Number of employees Ordinal, mutually exclusive

Annual revenue
Ordinal, mutually exclusive
Number of computers
Ordinal, mutually exclusive
Connectivity
Not mutually exclusive, Nominal
Frequency distributions were employed to describe the intervening variables:

Business Area (see Figure 8), Number of Employees (see Figure 9), Annual Revenues
(see Figure 10) and Number of Computers (see Figure 10).
Figure 8. Business Area
116
Figure 9. Number of Employees
Figure 10. Annual Revenues
117
The results in Figure 8 and Appendix G indicate that the top five business areas,
those identified by 73.8% of the respondents, are: 1) Professional, Scientific, and
Technical Services; 2) Other; 3) Educational Services; 4) Finance and Insurance; and 5)
Retail Trade. According to Figure 9 above, the largest single group of small businesses,
or 69.7% of respondents, contained 10 or fewer employees. According to Figure 10,
57.4% of the respondents earned annual revenues of less than $500,000. 23% of
respondents earned more than $5 million in annual revenues.
Figure 11. Number of Computers

Figure 11 notes that the majority of respondents, or 54.9%, had 5 or fewer
computers. However, 11.5% of respondents had more than 100 computers. A typical
survey respondent was involved in Professional, Scientific and Technical Services,
employed less than 10 employees, earned less than $500,000 in annual revenues, and
owned 5 or fewer computers.
118
Unlike the previous four intervening variables, the fifth intervening variable
involving connectivity did not record mutually exclusive data. According to Abu-Bader
(2006), mutually exclusive data implies that the researcher needs to classify every
participant in one and only one of the variables attributes (p. 4). A participant cannot
select more than one attribute. In the case of the fifth intervening variable, the participant
was allowed to select multiple responses for connectivity options. Table 14 displays the
sum of responses, sorted in descending order, for each connectivity option applicable to
the small business. The results indicate that the majority of the respondents possessed
Internet (94.26%), Local Area Network (LAN, 50.82%) and Web connectivity (50%).
Table 14
Intervening Variable: Connectivity Options
Internet Connectivity
LAN Connectivity
Web Connectivity
Intranet Connectivity
E-commerce
Extranet
Number of respondents Percent
122
122
122
122
122
122
115
62
61
35
22
20
94.26
50.82
50.00
28.69
18.03
16.39
Statistical computations were performed to examine the possible relationships

among leadership styles and the five intervening variables noted in Table 13. Chi-Square
analysis was performed to compare the independent variable of leadership style with all
five intervening variables (see Appendix H). The results do not indicate a significant
statistical relationship between leadership styles and any of the five intervening variables,
with the Chi-Square coefficient p > 0.05 in all cases.
119
Other Security Variables
Other security variables covered various aspects of information security relevant
to small businesses. Table 15 displays the various employees and users who are allowed
access to computers and networks within small businesses. The top two groups are fulltime and part-time employees, but other user groups like family members and customers
also obtain access to computers and networks within small businesses.
Table 15
Access to Computers and Networks
All Full-time Employees

Part-time Employees
Temporary Employees
Some Employees, job related
Contractors
Family members, friends
Customers
E-commerce partners
Number of respondents
122
122
122
122
122
122
122
122
88
47
26
25
22
19
15
6
Table 16 below displays the information security policies and procedures within
small businesses. The top four items include data recovery procedures, information
security policies, information security procedures, and computer use and misuse policies.
Table 17 below displays the technologies used by the survey respondents to prevent,
detect, and resolve information security problems. The top three technologies are antivirus software, firewalls, and power surge protectors. The bottom of the list includes
security evaluation systems, media degaussers, and dial-back modems.
120
Table 16
Information Security Policies and Procedures
Data Recovery Procedures

Information Security Policy
Information Security Procedures
Computer Use and Misuse Policy
Proprietary Data Use and Misuse Policy
Communications Use and Misuse Policy
Data Destruction Procedures
Computer Emergency Response Plan
Business Continuity Policy
Computer Emergency Response Team
Media Destruction Procedures
Information Sensitivity Coding
Number of Respondents
122
122
122
122
122
122
122
122
122
122
122
122
61
60
56
54
47
39
33
32
25
22
21
14
Table 17
Information Security Technologies
Anti-virus Software
Firewalls
Power Surge Protectors
Data Backup Systems
Shredders
Encryption
System Access Control
Intrusion Detection
Facility Access Control
Redundant Systems
Data Segmentation
System Activity Monitor
Security Evaluation Systems
Media Degaussers
Dial-back Modem
Number of Respondents
122
122
122
122
122
122
122
122
122
122
122
122
122
122
122
117
110
103
87
84
51
48
46
32
31
26
25
17
7
3
121
Table 18 displays the importance of several types of data to the respondents of the
survey, recorded on an interval scale from 0 (Not important) to 5 (Extremely important).
Customer and privacy data ranked among the top two in the list, while competitive and
market data ranked among the bottom two items in the list. The responses for the
importance of customer, privacy, and proprietary data were highly negatively skewed
(skewness coefficient < -1.96) indicating the high importance placed by the respondents
on these aspects of information security.
Table 18
Data Importance
Valid N = 122
Mean Median Mode Std. Dev. Skewness Std.

Error
Customer Data
4.25 5.00
5.00 1.08
-1.53
0.22
Privacy Data
4.13 5.00
5.00 1.15
-1.22
0.22
Proprietary Info
3.83 4.00
5.00 1.32
-0.74
0.22
Trade Secrets
3.43 4.00
5.00 1.53
-0.36
0.22
Competitive Data 3.33 3.00
3.00 1.38
-0.26
0.22
Market Data
3.30 3.00
3.00 1.28
-0.26
0.22
Min. Max.
1
1
1
1
1
1
5
5
5
5
5
5
Table 19 below displays the information security issues and problems experienced
by the survey respondents within the past 12 months, or the calendar year 2007. Based on
the results, data corruption and problems with virus and malicious software (or malware)
topped the list of negative experiences. Abuse of internet access privileges by employees
and problems with reliability in information systems also placed within the top five
concerns of survey respondents. Seven respondents reported problems with intrusion to
computer systems by outsiders. Seven reported abuse from insiders of information access
privileges.
122
Five respondents were victims of cyber fraud. The least frequent experiences
included theft of proprietary and loss of secret information. Four respondents provided
qualitative feedback that quantified loss of money from an information security incident.
While one respondent noted a $20,000 loss due to sabotage of a computer network, three
others reported losses in amounts less than $500.
Table 19
Information Security Experiences within Past 12 Months
N
Data Corrupted or Partially Lost
Problems with Virus or Malicious Software
Employees Abused Internet Access Privileges
Problems with Reliability of Information Systems
Experienced Information Security Incident
Outsider Break in to Information System
Insider Abused Information Access Privileges
Victim of Fraud
Lost Money due to Information Security Problem
Victim of a Natural Disasters
Computer Equipment Stolen
Proprietary Data Stolen
Secret Information Divulged
122
122
122
122
122
122
122
122
122
122
122
122
122
Number
of Respondents
24
22
15
15
8
7
7
5
4
4
4
3
3
Results of Research Questions and Hypothesis

Research Question 1 and Hypothesis 1
businesses.
123
businesses.
To answer Research Question 1 and test Hypothesis 1, Pearsons product-moment
correlation coefficients were generated to examine the possible relationship between
transformational leadership style (independent variable) and information security
concerns (dependent variables). As noted previously in Table 12, the research study
considered 14 separate information security concerns as dependent variables. The results,
shown in Table 20, indicate a positive relationship (p <= 0.05) between transformation
leadership style and two (out of 14) information security concerns (Data Secrecy and
Data Availability). The entire results of Pearsons product-moment correlations are
displayed in Appendix I.
Table 20
Pearson's Correlations - Transformational Leadership Style
N=122
Data Secrecy
Transformational Leadership
Pearson Correlation 0.18b (r2 = 0.03)
Sig. (2-tailed)
0.05
Data Availability Pearson Correlation 0.24a (r2 = 0.06)
Sig. (2-tailed)
0.01
b
Note: aSignificant at the 0.01 level. Significant at the 0.05 level.
The results indicate that small businesses leaders who practice transformation
leadership styles display high levels of concern for problems regarding data secrecy and
data availability. The independent variable (transformational leadership style) explains
less than 3% (coefficient of determination, r2 = 0.03) of the variance for data secrecy and
6% (r2 = 0.06) of the variance for data availability. More than 94% of the variance in data
secrecy and data availability is unaccounted for and could be related to extraneous
124
variables. Thus, although transformational leadership style has a statistically significant
relationship with two information security concerns, this relationship is considered weak.
As noted previously in Table 9, the independent variable Transformational
Leadership Styles consists of five factors of leadership. To answer Research Question 1
in additional detail, Pearsons product-moment correlation coefficients were generated to
examine the possible relationship between five transformational leadership factors
(independent variables) and 14 information security concerns (dependent variables). The
results, shown in Table 21, indicated a positive relationship (p < 0.05) between four
factors of transformation leadership and six information security concerns. The entire
results of Pearsons product-moment correlations are displayed in Appendix I.
This indicates that small business leaders who practice specific factors of
transformational leadership display high levels of concern regarding specific information
security problems. For example, the Idealized Influence Attribute (IIA) had a statistically
significant relationship (p < 0.05) with concern for the six security problems of insider
access abuse, data integrity, data secrecy, data availability, data theft and data sabotage.
Idealized attributes behavior (IIB) and inspirational motivation (IM) had a statistically
significant relationship (p < 0.05) with the level of concern for the security problems of
data availability and data secrecy respectively.
However, except in the case of IIA and Data Availability (where r2 = 13%) the
independent variables (factors of transformational leadership) in Table 21 explain less
than 5% of the variance for the specific information problem. More than 95% of the
variance is unaccounted for and could be related to extraneous variables. In the case of
IIA and Data Availability, the independent variable explains 13% of the variance in Data
125
Availability problems. Thus, although four factors in transformational leadership (IIA,
IIB, IM and IC) have a statistically significant relationship with the level of concern for
six information security problems, this relationship is considered weak.
Table 21
Pearson's Correlations - Transformational Leadership Factors
N=122
Data Integrity
Data Secrecy
Data Availability
Data Theft
Data Sabotage
Pearson Correlation
Sig. (2-tailed)
Pearson Correlation
Sig. (2-tailed)
Pearson Correlation
Sig. (2-tailed)
Pearson Correlation
Sig. (2-tailed)
Pearson Correlation
Sig. (2-tailed)
Pearson Correlation
Sig. (2-tailed)
IIA
0.22a
0.01
0.22b
0.02
0.21b
0.02
0.36a (r2 = 0.13)
0.00
0.19b
0.03
0.20b
0.03
IIB
0.02
0.83
0.14
0.13
0.11
0.23
0.18b
0.04
0.11
0.25
0.13
0.15
IM
0.00
0.99
0.15
0.11
0.18b
0.04
0.13
0.15
0.03
0.74
0.03
0.72
IC
-0.11
0.22
0.08
0.36
0.10
0.30
0.21b
0.02
0.02
0.76
-0.01
0.93
Note: aSignificant at the 0.01 level. bSignificant at the 0.05 level.
According to Abu-Bader (2006), while bivariate statistics examine the overall

relationship between one dependent variable and one independent variable, multivariate
statistics examine the relationships among multiple independent variables and one (or
more) dependent variable. The Pearsons product-moment correlation is an example of
bivariate statistics, while multiple regression analysis is an example of multivariate
analysis. As noted in Table 21, more than one leadership factor had a statistically
significant relationship with the information security problems of data secrecy and data
availability. Both IIA and IM leadership factors were statistically significantly related to
data secrecy problems, while IIA, IIB, and IC factors were statistically significantly
related to data availability problems.
126
Stepwise multiple regression analysis was conducted to predict the specific
outcome or criterion (specific information security problem) based on multiple,
significant leadership factors. Independent variables were entered into the regression
model only if their correlation with the criterion (dependent variable) was statistically
significant at alpha of 0.05 or less. Tables 22 and 23 display the summary results with
multiple correlation coefficient (R), multiple R square, unstandardized coefficient B,
standard error of unstandardized coefficient, standardized regression coefficient (), t
value and level of significance (p) for each regression coefficient. The results display the
one-way ANOVA F ratio and the overall level of significance for each regression model.
A stepwise multiple regression analysis was conducted to estimate a model that
best predicts level of concerns for data secrecy. The results of the stepwise analysis,
shown in Table 22, reveals one of the two leadership factors (IIA, but not IM) as a
statistically significant predictor of concern for data secrecy (F = 5.28, p < 0.05). With a
beta of 0.21 (p < 0.05), the transformational leadership factor of idealized influence
attributes (IIA) emerged as the strongest predictor of the level of concern for data secrecy
problems, accounting for 4% of the variance in the level of concern.
Table 22
Multiple Regression Analysis - Predictors of Data Secrecy
Factor
2
Unstd. Std.
Coeff B Err.
R
R
(Constant)
1.73
a
IIA
0.21 0.04 0.47
a
Std.
Coeff t
0.64
0.21 0.21b
ANOVA
F ratio Sig.
2.70 0.01
2.30 0.02 5.28b
0.02a
Note: Predictors: (Constant), Idealized Influence Attributes (IIA). Criterion: Data Secrecy.
These results indicate that the higher the level of Idealized Influence attributes
(IIA) within small business, the higher the level of concern for Data Secrecy issues and
127
problems. Overall, the regression model explained only 4% of the variance in the concern
for data secrecy (R = 0.21), indicating a weak relationship between Idealized Influence
Attributes (IIA) and concerns for data secrecy. The unstandardized regression equation
for data security concerns is as follows:
Y = a + b1X1 + b2X2 + biXi, where Y is the score for the independent variable,
b is the unstandardized regression coefficient and X is the score for the dependent
variable. Based on the above formula and results, the regression equation is:
Data Secrecy Raw Score = 1.73 + (0.47 x Idealized Influence Attribute Score)
For example, if a small business scored a rating of 3 (Fairly Often) on Idealized
Attributes, then we could predict the level of concern for data secrecy to be as follows:
Data Secrecy Score = 1.73 + (0.47 x 3) = 3.14 or Moderate level of concern.
best predicts level of concern for data availability among small businesses. The results of
the stepwise analysis, shown above in Table 23, revealed that one of the three statistically
significant leadership factors (IIA, but not IIB and IC) emerged as a statistically
significant prediction of the level of concern for data availability problems (F = 17.67, p
< 0.05).
Table 23
Multiple Regression Analysis - Predictions of Data Availability
Factor
R
R2
Unstd. Std.
Coeff B Err.
(Constant)
1.07
a
IIA
0.36 0.13 0.77
Std.
Coeff t
0.57
0.18 0.36b
ANOVA
F ratio Sig.
1.89 0.06
4.20 0.00 17.67b
0.00a
Note: aPredictors: (Constant), Idealized Influence Attributes (IIA). bCriterion: Data Availability.
128
With a standardized beta of 0.36 (p < 0.05), the transformational leadership
factor of idealized influence attributes (IIA) emerged as the strongest predictor of the
level of concern for data availability problems, accounting for 13% of the variance in the
level of concern for data availability problems. These results indicate that the higher the
level of Idealized Influence attributes (IIA) within small business, the higher the level of
concern and preparation for data availability problems. Overall, the regression model
explained 13% of the variance in the concern for data secrecy (R = 0.36), indicating a
weak relationship between Idealized Influence Attributes (IIA) and concerns for data
availability. The unstandardized regression equation for data security concerns is as
follows:
Data Availability Score = 1.07 + (0.77 x Idealized Influence Attribute Score)
For example, if a small business scored a rating of 3 (Fairly Often) on Idealized
Attributes, then we could predict the level of concern for data availability as follows:
Data Availability Score = 1.07 + (0.77 x 3) = 3.38 or Moderate level of concern.
Because one factor of transformational leadership (IIA) was statistically
significant in the multiple regression analysis (p < 0.05) in predicting the level of concern
for two information security problems (data secrecy and data availability), the null
hypothesis that no statistically significant relationship exists between the transformational
leadership style and the level of concern for information security problems within small
businesses is rejected.
129
transactional leadership style (independent variable) and information security concerns
(dependent variables). As noted previously in Table 12, the research study considered 14
separate information security concerns as dependent variables. The results, shown in
Table 24, indicated a positive relationship (p < 0.05) between transactional leadership
style and 11 (out of 14) information security concerns. The entire results of Pearsons
product-moment correlations are displayed in Appendix I.
This indicates that small business leaders who practice transactional leadership
display higher levels of concern for problems regarding insider access abuse, viruses,
data integrity, outsider access abuse, data secrecy, data availability, data theft, data
sabotage, user errors, natural disasters, and fraud. The independent variable (transactional
leadership style) explains less than 9% (coefficient of determination, r2 <= 0.09) of the
variance of the level of concern for 10 information security problems. These 10 problems
include insider access abuse, viruses, data integrity, outsider access abuse, data secrecy,
data availability, data theft, data sabotage, user errors, and fraud.
Transactional leadership style explains 11% (r2 = 0.11) of the variance of the level
of concern for natural disasters. More than 89% of the variance for the level of concern
for natural disasters is unaccounted for and could be related to extraneous variables.
130
Although transformational leadership style has a statistically significant relationship with
the level of concern for 11 information security problems (p < 0.05), these relationships
are considered weak.
Table 24
Pearson's Correlations - Transactional Leadership Style
N=122
Transactional Leadership
Pearson Correlation 0.24a (r2 = 0.06)
Sig. (2-tailed)
Viruses

Sig. (2-tailed)
Data Integrity
0.01
0.00

Sig. (2-tailed)
0.00
Outsider Access Abuse Pearson Correlation 0.23a (r2 = 0.05)

Sig. (2-tailed)
Data Secrecy

Sig. (2-tailed)
Data Availability
0.00

Sig. (2-tailed)
0.00

Sig. (2-tailed)
Fraud
0.00

Sig. (2-tailed)
Natural Disasters
0.00

Sig. (2-tailed)
User Errors
0.00

Sig. (2-tailed)
Data Sabotage
0.05

Sig. (2-tailed)
Data Theft
0.01
0.04
Note: Significant at the 0.01 level. Significant at the 0.05 level.
131
As noted previously in Table 9, the independent variable transactional leadership
style consists of two factors of leadership. To answer Research Question 2 in additional
detail, Pearsons product-moment correlation coefficients were generated to examine the
possible relationship between two transactional leadership factors (independent variable)
and the level of concern for 14 information security problems (dependent variables). The
results, shown in Table 25, indicated a positive relationship (p < 0.05) between two
factors of transactional leadership and the level of concern for 11 information security
problems. The entire results of Pearsons product-moment correlations are displayed in
Appendix I.
This indicates that small business leaders who practice specific factors of
transactional leadership display high levels of concern for specific information security
problems. For example, the Management by Exception Active (MBEA) had a statistically
significant relationship (p < 0.05) with the level of concern for 10 security problems of
insider access abuse, data integrity, outsider access abuse, data secrecy, data availability,
data theft, data sabotage, user errors, natural disasters and fraud. Contingent Reward (CR)
had a statistically significant relationship with the level of concern from viruses. The
independent variables (factors of transactional leadership) explain less than 10% for the
variance of the level of concern for the specific information problem listed in Table 25.
More than 90% of the variance is unaccounted for and could be related to
extraneous variables. In the case of MBEA and data sabotage, the independent variable
explains 10% of the variance in the level of concern from data sabotage. In the case of
CR and viruses, the independent variable explains 5% of the variance in the level of
concerns from viruses. Thus, although two factors in transactional leadership (CR and
132
MBEA) have a statistically significant relationship with the level of concern for 11
information security problems (p < 0.05), this relationship is considered weak.
Table 25
Pearson's Correlations - Transactional Leadership Factors
N=122,
except for CR N=121
Viruses
CR
Pearson Correlation 0.00
0.27a (r2 = 0.07)
Sig. (2-tailed)
0.00
Data Integrity
0.98
Pearson Correlation 0.23a (r2 = 0.05) 0.12

Sig. (2-tailed)
Power Failure
0.01
0.23a (r2 = 0.05)
Sig. (2-tailed)
0.01
0.59
0.22b (r2 = 0.05)
Sig. (2-tailed)
0.02
Sig. (2-tailed)
Data Theft
Data Sabotage
User Errors
Natural Disasters
Fraud
0.20
Pearson Correlation -0.05
0.10
Outsider Access Abuse Pearson Correlation 0.05
Data Availability
MBEA
0.58
0.22b (r2 = 0.05)

0.02
0.24a (r2 = 0.06)
Sig. (2-tailed)
0.01
0.13
0.30a (r2 = 0.09)
Sig. (2-tailed)
0.00
0.94
0.31a (r2 = 0.10)
Sig. (2-tailed)
0.00
0.93
0.30a (r2 = 0.09)
Sig. (2-tailed)
0.00
0.72
0.29a (r2 = 0.08)
Sig. (2-tailed)
0.00
0.22
0.25a (r2 = 0.06)
Sig. (2-tailed)
0.01
0.54
Note: aSignificant at the 0.01 level. bSignificant at the 0.05 level.
133
Since no more than one leadership factor was significantly related to each of the
11 security concerns in Table 25, multiple regression analysis was not required. Because
two factors of transactional leadership (CR and MBEA) were statistically significantly
related (p < 0.05) to 11 information security concerns, the null hypothesis that no
statistical significant relationship exists between the transactional leadership style and the
level of concern for information security problems within small businesses is rejected.
businesses.
businesses.
passive-avoidance leadership style (independent variable) and information security
concerns (dependent variables). The results, shown in Table 26 below, indicated a
positive relationship (p < 0.05) between passive-avoidance leadership style and one (out
of 14) information security problems. The entire results of Pearsons product-moment
correlations are displayed in Appendix I.
134
This indicates that small business leaders who practice passive-avoidance
behavior have high levels of concern about power failure. The independent variable
(passive-avoidance leadership style) explains less than 4% (coefficient of determination,
r2 <= 0.04) of the variance for the level of concern about power failures. More than 96%
of the variance is unaccounted for and could be related to extraneous variables. Thus,
although passive-avoidance leadership style has a statistical significant relationship with
the level of concern for one information security problem (p < 0.05), this relationship is
considered weak.
Table 26
Pearson's Correlations - Passive-Avoidance Leadership Style
N=122
Passive-Avoidance
Leadership
Power Failure Pearson Correlation 0.19 b (r2 = 0.04)
Sig. (2-tailed)
0.03
Note: bSignificant at the 0.05 level.
As noted previously in Table 9, the independent variable passive-avoidance

leadership style consists of two factors of leadership. To answer Research Question 3 in
additional detail, Pearsons product-moment correlation coefficients were generated to
examine the possible relationship between two passive-avoidance leadership factors
(independent variable) and the level of concern for 14 information security problems
(dependent variables). The results, shown in Table 27, indicated a positive relationship (p
< 0.05) between one factor of passive-avoidance leadership (MBEP) and the level of
concern for one information security problem. The entire results of Pearsons productmoment correlations are displayed in Appendix I.
135
This indicates that small business leaders who practice passive management by
exception behavior (MBEP) have a high level of concern for power failure. For example,
the Management by Exception Passive (MBEP) style had a statistical significant
relationship (p < 0.05) with the level of concern for power failure. However, the
independent variable (MBEP) explains less than 5% of the variance for the level of
concern, as presented in Table 27. More than 95% of the variance is unaccounted for and
could be related to extraneous variables. Thus, although one factor in transactional
leadership (MBEP) has a statistically significant relationship with the level of concern for
one information security problem (p < 0.05), this relationship is considered weak.
Table 27
Pearson's Correlations Passive-Avoidance Leadership Factors
MBEP
Power Failure Pearson Correlation
Sig. (2-tailed)
Note: aSignificant at the 0.01 level.
0.23a (r2 = 0.05)

0.01
Since no more than one leadership factor was significantly related to the level of
concern for one security problem in Table 27, multiple regression analysis was not
required. Because one factor of passive-avoidance leadership (MBEP) was statistically
significantly related (p < 0.05) to the level of concern for one information security
problem, the null hypothesis that no statistically significant relationship exists between
the passive-avoidance leadership style and the level of concern for information security
problems within small businesses is rejected.
136
Multiple Regression Analysis
outcome or criterion (specific information security concern) based on multiple,
significant factors across all three leadership styles. Independent variables were entered
into the regression model only if their correlation with the criterion was statistically
significant at alpha of 0.05 or less. The results below present the values for multiple
correlation coefficient (R), multiple R square, unstandardized coefficient B, standard
error of unstandardized coefficient, standardized regression coefficient (), t value, and
level of significance (p) for each regression coefficient. The results also display the oneway ANOVA F ratio and the overall level of significance for each regression model.
Predictors of Insider Access Abuse
best predicts level of concern for insider access abuse within small businesses. The
results of the stepwise analysis, shown in Table 28, revealed that two statistically
significant leadership factors (MBEA and IIA) emerged as significant predictors of the
level of concern for insider access abuse problems (F = 6.69, p < 0.05).
Table 28
Multiple Regression Analysis - Predictors of Insider Access Abuse
Factor
2
Unstd. Std.
Coeff B Err.
R
R
(Constant)
0.49
a
MBEA
0.27 0.07 0.35
IIA
0.32a 0.10 0.36
Std.
Coeff t
0.57
0.14 0.23b
0.18 0.18b
ANOVA
F ratio Sig.
0.86 0.39
2.59 0.01 9.21b
1.98 0.05 6.69b
0.00a
0.00a
Note: aPredictors: (Constant), Management by Exception Active (MBEA), Idealized Influence

Attributes (IIA). bDependent Variable: Insider Access Abuse.
137
With a beta of 0.23 (p < 0.05), the transactional leadership factor of
management by exception active (MBEA) emerged as the strongest predictor of the level
of concern for insider access abuse problems, accounting for 7% of the variance
regarding insider access abuse problems. The second strongest factor was the
transformation leadership factor of Idealized Influence Attributes (IIA) ( = 0.18, p <
0.05) accounting for an additional 3% of the variance in insider access abuse problems.
These results indicate that the higher levels of concern for insider access abuse are a
function of practicing specific transformational (IIA) and transactional leadership
(MBEA). Overall, the model indicates a weak relationship and explains 10% of the
variance in concern for insider access abuse problems.
Predictors of Power Failure
best predicts level of concern about power failure. The results of the stepwise analysis,
shown in Table 29, revealed one statistically significant leadership factor (MBEA
included, MBEP excluded) as a statistically significant predictors of the level of concern
for insider access abuse problems (F = 6.43, p < 0.05).
Table 29
Multiple Regression Analysis - Predictors of Power Failure
Factor
2
Unstd. Std.
Coeff B Err.
R
R
(Constant)
2.59
a
MBEA
0.23 0.05 0.31
a
Std.
Coeff t
0.27
0.12 0.23b
ANOVA
F ratio Sig.
9.74 0.00
2.54 0.01 6.43b
0.01a
Note: Predictors: (Constant), Management by Exception Active (MBEA). Dependent Variable:

Power Failure.

138
of concern for power failure, accounting for 5% of the variance in concern about power
failure. These results indicate that the higher levels of concern for power failure are a
function of practicing specific transformational (IIA) and transactional leadership
(MBEA). Overall, the model indicates a weak relationship and explains only 5% of the
variance in the level of concern regarding power failure.
Predictors of Data Integrity
best predicts level of concern for data integrity within small businesses. The results of the
stepwise analysis, shown in Table 30, revealed that two statistically significant leadership
factors (IIA and MBEA) emerged as significant predictors of the level of concern for data
integrity problems (F = 5.11, p < 0.05).
Table 30
Multiple Regression Analysis - Predictors of Data Integrity
Factor
2
Unstd. Std.
Coeff B Err.
R
R
(Constant)
1.58
IIA
0.22a 0.05 0.37
MBEA
0.28a 0.08 0.27
Std.
Coeff t
0.58
0.18 0.18b
0.14 0.18b
ANOVA
F ratio Sig.
2.73 0.01
2.04 0.04 6.13b
1.99 0.05 5.11b
0.02a
0.01a
Note: aPredictors: (Constant), Idealized Influence Attributes (IIA), Management by Exception

Active (MBEA). bDependent Variable: Data Integrity.
With a beta of 0.18 (p < 0.05), the transformational leadership factor of

idealized influence attributes (IIA) emerged as the strongest predictor of the level of
concern for data integrity problems, accounting for 5% of the variance in concern for data
integrity. The second strongest factor was the transactional leadership factor of
Management by Exception Active (MBEA) ( = 0.18, p < 0.05) accounting for an
additional 3% of the variance in concern for data integrity. These results indicate that the
139
higher levels of concern for data integrity are a function of practicing specific
transformational (IIA) and transactional leadership (MBEA). Overall, the model indicates
a weak relationship and explains 8% of the variance in the level of concern for data
integrity problems.
Predictors of Data Availability
best predicts level of concern regarding data availability within small businesses. The
results of the stepwise analysis, shown in Table 31, revealed that two statistically
significant leadership factors (IIA and MBEA included in regression model, IIB and IC
excluded) are significant predictors of the level of concern for insider access abuse
problems (F = 11.03, p < 0.05).
Table 31
Multiple Regression Analysis - Predictors of Data Availability
Factor
2
Unstd. Std.
Coeff B Err.
R
R
(Constant)
0.77
IIA
0.36a 0.13 0.69
MBEA
0.40a 0.16 0.27
Std.
Coeff t
0.58
0.18 0.32b
0.14 0.17b
ANOVA
F ratio Sig.
1.32 0.19
3.75 0.00 17.67b
1.99 0.05 11.03b
0.00a
0.00a
Note: aPredictors: (Constant), Idealized Influence Attributes (IIA), Management by Exception

Active (MBEA). bDependent Variable: Data Availability.
With a beta of 0.32 (p < 0.05), the transformational leadership factor of

idealized influence attributes (IIA) emerged as the strongest predictor of the level of
concern for data availability problems, accounting for 13% of the variance in the concern
for data availability problems. The second strongest factor was the transactional
leadership factor of Management by Exception Active (MBEA) ( = 0.17, p < 0.05)
accounting for an additional 3% of the variance in the concern for data availability
140
problems. These results indicate that the higher levels of concern for data availability are
a function of practicing specific transformational (IIA) and transactional leadership
(MBEA). Overall, the model indicates a weak-to-moderate relationship and explains 16%
of the variance in the level of concern for data availability problems.
Predictors of Data Theft
best predicts level of concern about data theft within small businesses. The results of the
stepwise analysis, shown in Table 32, revealed one statistically significant leadership
factor (MBEA included, IIA excluded) as a significant predictor of the level of concern
regarding data theft within small businesses (F = 11.97, p < 0.05).
Table 32
Multiple Regression Analysis - Predictors of Data Theft
Factor
R
R2
Unstd. Std.
Coeff B Err.
(Constant)
2.05
MBEA
0.30a 0.09 0.50
a
Std.
Coeff t
0.31
0.14 0.30b
ANOVA
F ratio Sig.
6.58 0.00
3.46 0.00 11.97b
0.00a

Data Theft.

of concern about data sabotage, accounting for 9% of the variance in concern about data
theft. These results indicate that the higher level of concern for data theft is a function of
practicing specific transactional leadership (MBEA). Overall, the model indicates a weak
relationship and explains only 9% of the variance in concern regarding data theft.
141
Predictors of Data Sabotage
best predicts level of concern about data sabotage within small businesses. The results of
the stepwise analysis, shown in Table 33, reveals that one statistically significant
leadership factor (MBEA included, IIA excluded) significantly predicts the level of
concern about data sabotage problems (F = 12.62, p < 0.05).
Table 33
Multiple Regression Analysis - Predictors of Data Sabotage
Factor
2
Unstd. Std.
Coeff B Err.
R
R
(Constant)
1.80
MBEA
0.31a 0.10 0.51
Std.
Coeff t
0.31
0.15 0.31b
ANOVA
F ratio Sig.
5.79 0.00
3.55 0.00 12.62b
0.00a

Data Sabotage.

of concerns for data sabotage, accounting for 10% of the variance in concern about data
sabotage. These results indicate that the higher levels of concern for data sabotage are a
function of practicing specific transactional leadership (MBEA). Overall, the model
indicates a weak relationship and explains only 10% of the variance in concerns
regarding data sabotage.
Summary of Predictors for Seven Security Concerns
Table 34 displays a consolidated summary of the results of the stepwise linear
regression analysis with values for multiple correlation coefficient (R), multiple R square,
standardized regression coefficient (), t value and level of significance (p) for each
regression coefficient. Table 34 displays the leadership factors, across all leadership
142
styles that best predict concern for seven information security problems within small
businesses. The leadership factors selected for this regression analysis were the factors
with statistically significant relationships (p <= 0.05), as noted in Appendix I.
The security problems that were significantly related to more than one leadership
factor were considered for this stepwise regression analysis. Security problems such as
viruses, outsider access abuse, user errors, natural disasters and fraud were excluded from
the analysis, as they are related to only one leadership factor (see Appendix I). Security
concerns for software problems and transaction integrity were also excluded from the
analysis. The results in Table 34 indicate that leadership factors of MBEA and IIA are the
best predictors of the level of concern for seven specific security problems.
Table 34
Summary of Predictors for Seven Security Problems
Criterion
Factors or Predictors
t
p
(Security Concerns)
(Leadership Factors) R
R2
Insider Access Abuse MBEA
0.27 0.07 0.23 2.59 0.01
IIA
0.32 0.10 0.18 1.98 0.05
Power Failure
MBEA
0.23 0.05 0.23 2.54 0.01
Data Integrity
IIA
MBEA
0.22 0.05 0.18 2.04 0.04

0.28 0.08 0.18 1.99 0.05
Data Secrecy
IIA
0.21 0.04 0.21 2.30 0.02
Data Availability
IIA
MBEA
0.36 0.13 0.32 3.75 0.00

0.40 0.16 0.17 1.99 0.05
Data Theft
MBEA
0.30 0.09 0.30 3.46 0.00
Data Sabotage
MBEA
0.31 0.10 0.31 3.55 0.00
Note: IIA Idealized Influence Attributes, MBEA Management by Exception Active
143
Predictors across Leadership Styles, Technology and Procedures
outcome or criterion (specific information security concern) based on multiple,
statistically significant factors across all three leadership styles, as well as policies and
technologies. Independent variables were entered into the regression model only if their
correlation with the criterion was statistically significant at alpha of 0.05 or less.
Appendix J displays the results of the stepwise linear regression analysis with values for
multiple correlation coefficient (R), multiple R square, standardized regression coefficient
(), t value and level of significance (p) for each regression coefficient.
The first table in Appendix J displays the three leadership styles that best predict
the level of concern for 12 security problems. The results indicate that transactional
leadership style is the best predictor of concern for eight (out of 12) problems.
Transformational leadership style is the best predictor for data secrecy problems and
passive-avoidance style is the best predictor for the problem of power failure.
The second table in Appendix J displays technologies, policies, and procedures
that, along with the nine leadership factors, best predict the level of concern for security
problems within small businesses. The leadership factors selected for this regression
analysis were the factors with statistically significant relationships (p <= 0.05) as noted in
Appendix I. The policies and technologies selected for this regression analysis are
displayed above in Table 16 and 17 respectively. The results in Appendix J indicate the
significant combination of leadership styles, technology, and procedures required to
predict the level of concern for information security problems among small businesses.
144
Qualitative Data for Triangulation
Post-survey interviews were conducted with 10 survey respondents to help
triangulate findings and to provide another source to confirm or dispute the quantitative
data collected for this study and presented in the previous sections. Triangulation helped
reduce the chances for systematic error because triangulation provided a strategy for
obtaining the same information through different methods (Rubin & Babbie, 2005). The
summary of the responses from the 10 interviews is presented in Table 35.
Table 35
Summary of Post-Survey Interview Responses
Question
Description
What leadership styles are most important to you and your business? Why?
Eight respondents valued a combination of transactional and transformational
leadership styles. Transactional styles were appropriate for known information
security problems like viruses and data security. Transformational styles were
appropriate for new problems like fraud.
Which leadership style most impacts your ability to mitigate cybercrime?

Transactional leadership style was most effective against common forms of
cybercrime. Transactional leadership allowed small business leaders and
managers to pay close attention to system updates, security policies and
procedures, as well as training staff members to combat cybercrime.
What security concerns do you find most threatening to small businesses?

Nine small businesses reported data security and malicious software as the
most important threats to small businesses. Data security involved company as
145
Question
Description
well as customer data. Data could be stored within the company, or with
external data hosts. Malicious software allowed cybercriminals to penetrate
the defenses of the small business in a stealthy manner.
What security processes/procedures do you employ to mitigate cybercrime?

All interviewees responded that they deployed basic security policies that
ensured regular changes in passwords and other forms of network security.
Five interviewees noted that they physically secured their computers, servers,
and other operations from current and former employees.
What technologies do you use, or plan to deploy, to combat cybercrime?

Nine interviewees noted that they deployed basic anti-virus software,
firewalls, backups, updates and other protective software to combat
cybercrime. Two respondents noted that they deployed intrusion detection
systems to notify system administrators of a breach in security defenses.
What business data do you consider most important for your small business?
All 10 respondents considered customer data and internal financial data most
important. All respondents mentioned that customer information and credit
card information was the most vulnerable data that they possessed. Damage to
financial data was considered the most damaging threat to the business.
Describe one cyber security experience or incident during the past 12 months.
Four security experiences were related to attempts by cyber criminals to
obtain credit cards and banking information. Two incidents were related to
natural disasters that resulted in power outage and loss of data.
146
Summary of Findings
Chapter 4 described the collection and evaluation of the results and reported the
quantitative, correlational, and descriptive findings regarding the impact of leadership
styles and information security problems within small businesses. The findings were
obtained using the MLQ (Bass & Avolio, 2004) and Small Business Security (Ryan,
2000) survey instruments. The research study utilized these two survey instruments to
investigate the problem the relationship between leadership styles and information
security problems within small businesses in the state of Hawaii.
Post-hoc confirmatory factor analysis (CFA) was conducted to determine the
Pearsons product-moment correlation among the nine factors of leadership. The results,
presented in Appendix L, indicated high, positive correlations among the five
transformational leadership factors, which is consistent with the results from the MLQ
(Bass & Avolio, 2004). The transactional factor of contingent reward (CR) also displayed
a high, positive correlation with each of the five transformational factors.
The results of the post-hoc CFA supported a relationship between two particular
leadership styles and information security problems. One leadership style involved all
five transformational leadership factors, and the transactional leadership of Contingent
Reward. Another style involved the passive-avoidance leadership factors of MBEP and
LF, and a moderate correlation with MBEA. These results supported the findings in the
study that augmented a transformational leadership style with elements of transactional
leadership (CR). The results also supported a relationship between security problems and
a passive-avoidance leadership style, with leadership factors that involve MBEP and LF.
Table 36 summarizes the findings for the three research questions.
147
Table 36
Summary of Findings for Research Questions
Research Question
R1: What is the relationship
between the transformational
leadership style and the level of
concern for information security
problems within small
businesses?
Summary of Findings
There is a statistically significant relationship
between transformational leadership style and two
information security problems: data secrecy and data
availability. See Appendix I for details.

between the transactional
businesses?
Using the Pearson product-moment correlation, there

is a statistically significant relationship between
transactional leadership style and 11 (out of 14)
information security problems: insider access abuse,
viruses, data integrity, outsider access abuse, data
secrecy, data availability, data theft, data sabotage,
user errors, natural disasters and fraud.
A specific transformational leadership factor such as

Idealized Influence Attributes (IIA) is significantly
related to six information security problems: insider
access abuse, data integrity, data secrecy, data
availability, data theft and data sabotage.
A specific transactional leadership factor such as

Management by Exception Active (MBEA) is
significantly related to 10 information security
problems: insider access abuse, power failure, data
integrity, outsider access abuse, data availability, data
theft, data sabotage, user errors, natural disasters and
fraud. See Appendix I for details.
between the passive-avoidance
businesses?

is a statistically significant relationship between
passive-avoidance leadership style and the level of
concern for one (out of 14) information security
problem: power failure. See Appendix I for details.
A specific transformational leadership factor such as
Management by Exception Passive (MBEP) is
significantly related to the problem of power failure.
148
Statistical tests were conducted to compute the Pearsons product-moment
correlation coefficient and stepwise multiple regression coefficients. The study
investigated leadership styles and assessed the level of concern towards information
security problems within small businesses in Hawaii. Table 37 summarizes the findings
for the three research hypothesis.
Table 37
Summary of Findings for Research Hypothesis
Research Hypothesis
H10: There is no relationship
between the transformational
leadership style score and the
level of concern for information
security problems within small
businesses.
Summary of Findings
is a statistically significant (p <= 0.05), positive
correlation between transformational leadership style
score and the level of concern for two (out of 14)
information security problems. These two problems
are data secrecy and data availability. The null
hypothesis H10 is rejected. See details in Appendix I.

between the transactional
businesses.

correlation between transactional leadership style
score and the level of concern for 11 (out of 14)
information security problems. These 11 problems
are insider access abuse, viruses, data integrity,
outsider access abuse, data secrecy, data availability,
data theft, data sabotage, user errors, natural
disasters and fraud. The null hypothesis H20 is
rejected. See details in Appendix I.

between the passive-avoidance
businesses.

correlation between passive-avoidance leadership
style score and the level of concern for one (out of
14) information security problems, power failure.
The null hypothesis H30 is rejected. See details in
Appendix I.
149
The results of the correlations indicated that all three independent variables
(leadership styles) were significantly correlated with at least one of the 14 dependent
variables (information security problems). Additional correlational analysis (see
Appendix I) identified the factor(s), within each independent variable (leadership style),
that were significantly related to a dependent variable (information security problem).
Significant and noteworthy findings are presented in Table 38.
Table 38
Summary of Significant and Noteworthy Findings
Findings
Transactional leadership style is significantly related to 11
out of 14 information security problems. This implies that
the higher the level of transactional leadership style score,
the higher the level of concern for 11 information security
problems.
Details
See Appendix I for list of
problems related to
Transactional Leadership
style.
The transactional leadership factor of Management by

Exception Active (MBEA) is significantly related to 10 out
of 14 information security problems. This implies that the
higher the practice of active management by exception, the
higher the level of concern for 10 information security
problems.
See Appendix I for list of

problems associated with
MBEA leadership factor.
Seven out of 14 information security problems were related

to more than one leadership factor. Using stepwise multiple
regression analysis, the transformational factor of Idealized
Influence Attributes (IIA) and the transactional factor
Management by Exception (MBEA) were the best predictors
for the seven information security problems. This implies a
combination of transformation and transactional leadership
styles to prepare against seven common security problems.
See Table 34 for a

summary of leadership
factors that best predict
seven information security
problems.
150
Conclusions
Chapter 4 described the data collection process and the results of the study. As
previously mentioned, this study collected data from 122 small businesses located in the
state of Hawaii, using the MLQ (Bass & Avolio, 2004) and Small Business Security
(Ryan, 2000) survey instruments. The methodology outlined in Chapter 3 was
implemented and the findings presented in tables, charts and narrative description.
The findings indicated that the transactional leadership style, especially the factor
of active management by exception (MBEA), was significantly related to the level of
concern for 11 out of 14 total information security problems. Transformational leadership
style was significantly related to the level of concern for two information security
problems, and passive-avoidance leadership was related to one information security
problem. Chapter 5 will conclude this research study by interpreting the results of the
data analysis, making inferences about the statistically significant findings, and
discussing implications and conclusions for leadership styles and information security
problems, as well as making recommendations for future research.
151
CHAPTER 5: CONCLUSIONS AND RECOMMENDATIONS
Cybercriminals engage in online attacks that exploit vulnerabilities and
deficiencies within the cyber defenses of small and large organizations (Szor, 2005).
Because of size, resource, and skill constraints, small businesses are often ill-prepared to
combat the emerging threats of cybercrime (Ryan, 2000). Small business owners and key
employees with effective leadership styles can help prioritize actions needed to combat
cybercrime and mitigate information security concerns (Northouse, 2004). Conversely,
ineffective leadership styles can lead to passive or reactive measures against cybercrime,
which can lead to business damages and losses (Gupta & Hammond, 2005).
The research problem was that small businesses often display a lack of concern
towards information security problems (Gupta & Hammond, 2005). A lack of concern or
awareness usually results in delayed or incorrectly implemented security measures, which
increases vulnerability to cybercrime (Andress, 2003; DeZulueta, 2004). The first
purpose of this quantitative, descriptive, correlational research study was to investigate
leadership styles and assess the level of concern towards information security problems
within small businesses that belong to various chambers of commerce or trade
associations within the state of Hawaii. The second purpose of this study was to
determine the degree of a possible relationship between leadership styles and the level of
concern towards information security problems within small businesses.
The research design of the study involved a pilot study, online survey, and phone
interviews to triangulate data from survey respondents. The online survey used two peerreviewed, valid, and reliable surveys. These two surveys were the Multifactor Leadership
Questionnaire (Bass & Avolio, 2004) and the Small Business Security Survey (Ryan,
152
2000). The specific study population included 2825 small businesses located in the state
of Hawaii, with 500 or fewer employees (SBA, 2007), that belonged to various chambers
of commerce (CoCHawaii, 2007) or trade associations (SBH, 2007) within the state of
Hawaii.
Chapter 5 will conclude this research study by discussing and interpreting the
results of the data analysis and making inferences about the statistically significant
findings. Chapter 5 is divided in three sections: 1) Conclusions, 2) Implications, and 3)
Recommendations. The Conclusions section is organized by the research design, research
questions, and hypothesis as presented in Chapter 4.This section also discusses the
significance of the literature review, assumptions, limitations, and delimitations that have
guided the study. This section answers the following questions: a) Are the findings
important? b) Are the findings consistent with the results of previous research?
The Implications section focuses on the broader social significance and
implications of the data analysis for the fields of leadership and information security. It
covers implications for both global and small business leadership. The Recommendations
section presents suggestions for action by small business leaders, and recommendations
for future research that uses different samples or populations.
Conclusions
Literature Review
The review of the literature confirmed that cybercrime is not only relevant to
large corporations, but to the millions of small businesses in the United States (Gupta &
Hammond, 2005). Over the past decade, e-commerce and advances in computer
technology have provided motivation and opportunities for small businesses to increase
153
their revenues and global customer base (Warren & Hutchinson, 2003). This expansion
also increases exposure to global cybercriminals. The review of the literature also
confirmed that the proliferation of e-commerce increases the vulnerability of small
businesses to cybercrime and heightens their need to implement comprehensive cyber
security mechanisms (Warren & Hutchinson).
Cybercrime has evolved over the past decade from a series of attacks against large
corporations and government organizations to distributed attacks against small and large
corporations (Symantec, 2007). The review of the literature confirmed that as
cybercrimes severity and complexity increases, so too will its negative impact upon
small businesses (Kshetri, 2006). According to the Symantec Threat Report (Symantec),
small business was the third most targeted industry segment during the second half of
2005, experiencing almost 25% of all attacks. According to the literature review
(CSI/FBI, 2006) security attacks against small business will continue to grow.
The review of the literature confirmed that small businesses play a significant role
in the US economy (SBA, 2007). According to the US SBAs Office of Advocacy, the
US had 17,000 large businesses and approximately 25 million small ones in 2005. Small
businesses generated 2.4 times more innovations than large businesses (SBA). According
to the US SBA, small businesses employ half of all private sector employees and pay half
of the total US private payroll. Economic figures indicate the importance of small
businesses to the US economy and the potential for negative economic impacts from
cybercrime (CSI/FBI, 2006). The review of the literature confirmed that a coordinated
cyber threat against small businesses might readily impact a significant section of the US
economy (State of small business security, 2006).
154
The literature confirmed that transformational leadership strived to achieve the highest
level of performance and job satisfaction from the followers. Bass and Avolio identified
five factors of transformational leadership in their full range leadership model. An
important factor for computer security, Idealized Influence Attributes (IIA), includes the
abilities to instill pride in followers and go beyond self-interest for the good of the group.
According to Bass (1990), transactional leadership involves an exchange between
the leader and followers in which the leader rewarded or disciplined followers in
exchange for their actions. Bass and Avolio (2004) describe transactional leadership as
behaviors associated with constructive and corrective transactions (p. 97). Bass and
Avolio define transactional leadership as having the following two factors. An important
factor to computer security, Management-by-Exception (MBEA) involves situations
where leaders clarify the standards for compliance, and monitor followers who are not
meeting specific standards. Leaders take corrective action when their followers fall short
of their expectations and standards, and focus on tracking mistakes and errors.
Finally, according to Bass and Avolio (2004), the passive-avoidant leadership
style is characterized by passivity and reactivity. Passive-avoidant leaders avoid
specifying agreements, clarifying expectations, and providing goals for their followers. A
passive style has the negative effect of misleading followers, which increases the
vulnerability and exposure to cybercrime. Conclusions drawn from the literature review
on cybercrime and leadership styles served as the foundation for the research study.
155
Assumptions
This research study was based upon four assumptions. The first assumption was
that owners and leaders of small businesses would take the appropriate amount of time to
participate in the online survey, and that they would give honest answers. The actual time
to complete the entire online survey was 10 minutes or less. The anonymous nature of the
study and the online nature of the survey allowed respondents to complete the survey at
their convenience and without providing any identifying information.
The second assumption was that the systematic sampling of 800 small businesses
from the study population of 2,825 members of various chambers of commerce and trade
association would yield an adequate number of respondents for gathering
comprehensible, honest, and reliable data. Online surveys were assumed to have higher
response rates than paper-based ones, as online users are more receptive to filling out
online surveys than completing paper forms and returning them via postal mail (Rubin &
Babbie, 2005). The actual response for the online survey was 122 complete and valid
responses from a sampling frame of 800 small businesses or a response rate of 15%. This
response was considered adequate for the purposes of data analysis and interpretations.
The third assumption involved retaining the confidentiality and privacy of the
survey participants. Since the survey asked for disclosure of security issues and concerns
within small businesses, protecting the confidentiality and privacy of the small business
participant was important. To ensure privacy, study participants were not asked to
disclose their identities. The online survey did not collect or store identifying information
about the study participants and small businesses. Survey respondents were informed that
the results of the survey were available upon request.
156
The fourth assumption was that adherence to social science research guidelines
would avert any threats to the physical, emotional, or economic benefit of the study
participants. Since the survey examined leadership styles of small business leaders, the
study assumed that the participants would not incur emotional harm in responding to the
questions about their leadership styles. The respondents to the survey affirmatively
agreed to the terms and conditions of the study prior to answering any question.
Respondents were allowed to leave the online survey at any point in the study process.
Limitations
The studys scope was limited to the potential relationship that exists between
leadership styles and information security concerns within small businesses who are
members of various chambers of commerce and trade associations in Hawaii.
Consequently, results of this study limited generalization of the results to mid-sized and
larger organizations with more than 500 employees. The geographic location of the study
participants in the state of Hawaii also limited the generalization of the results to small
businesses located elsewhere in the United States as well as those overseas. The results of
the study indicated respondents mainly belonged to small businesses with less than 10
employees. All survey respondents were located in the state of Hawaii. A post-study
interview was conducted with 10 randomly selected survey respondents to provide
another source of data for triangulation.
The online survey involved self-reporting and self-evaluation. Therefore, there
were no mechanisms to control the validity of the results. The study assumed the honesty
and reliability of the participants. The reliability and validity of the survey was limited by
the nine leadership factors contained in the Multifactor Leadership Questionnaire (Bass
157
& Avolio, 2004). The scope of information security concerns was limited to the 14
problems listed in the Small Business Security Survey (Ryan, 2000). The study did not
address any leadership styles and information security problems outside the scope of the
two survey instruments. The research design and methodology outlined in Chapter 3
served as a guide for the data collection and data analysis process. To reduce risks in the
survey research, a pilot study was conducted prior to the administration of the actual
survey. The goal of the pilot study was to ensure that survey instrument and informed
consent instructions were unambiguous and consistent with the goals of the research.
Delimitations
This study confined itself to a survey of small businesses that are located in the
state of Hawaii and are members of various chambers of commerce and trade
associations. This study focused on the full range leadership model, which encompasses
the transformational, transactional, and passive-avoidant leadership styles (Bass &
Avolio, 2004). The three leadership styles comprised three independent variables. In
addition, the study also examined the influence of the three leadership styles on the level
of concern for 14 information security problems (or 14 dependent variables) outlined in
the Small Business Security Survey (Ryan, 2000). The online survey collected
information about these three independent and 14 dependent variables. Given the purpose
of this research, the delimitations do not appear to have lessened the rigor of the research.
Reliability
The results of the reliability analysis (see Appendix F) yielded a high Cronbachs
alpha coefficient ( = 0.93) for 122 valid responses to the online survey. The scores for
the nine factors of leadership styles and the scores for the level of concerns for 14
158
security problems indicated that the online survey was a reliable tool to measure the
correlation between leadership styles and the level of concern for information security
problems within small businesses in the state of Hawaii.
For the purposes of this research study, five intervening variables noted
previously in Table 13, were used to analyze the relationship between leadership styles
and the level of concern for security problems within small businesses. Chi-Square
analysis was performed to compare the independent variable of leadership style with all
five intervening variables (see Appendix H). The statistical computations do not indicate
a statistically significant relationship between leadership styles and any intervening
variable, with the Chi-Square coefficient p > 0.05 in all cases. As a result, the intervening
variables are not statistically significant in mediating the effects of the independent
variables (leadership styles) on the dependent variables (information security problems).
Other Security Variables
Access to Computers and Networks. Other security variables covered various
aspects of information security relevant for small businesses. Table 15 above displays the
various employees and users who are allowed access to computers and networks within
small businesses. The top two groups are full-time and part-time employees, implying
that small businesses primarily allow full-time employees and trusted part-time
employees access to their computer systems. However, 18% of 122 respondents reported
that they give computer access to contractors, family members, and friends. This result
implies that small businesses require strict access control policies for all users of their
computer systems.
159
Policies and Procedures. Table 16 displays the information security policies and
procedures within small businesses. The top five policies and procedures include data
recovery procedures, information security policies and procedures, computer use, and
misuse policies and proprietary data use and misuse policies. The four least used policies
included business continuity policies, a computer emergency response team, media
destruction procedures, and information sensitivity coding. The low responses on
business continuity policies and computer emergency response team imply a lack of
preparation among the respondents for an emergency or natural disaster.
Technologies. Table 17 displays the technologies used by the survey respondents
to prevent, detect, and resolve information security problems. The top five technologies
are anti-virus software, firewalls, power surge protectors, data backup systems, and
shredders. The bottom five items of the list included intrusion detection, facility access
control, security evaluation systems, media degaussers, and dial-back modems. The low
ranking of intrusion detection and facility access control systems implies vulnerability to
criminals stealthy attacks and physical intrusions.
Data Importance. Table 18 displays the importance of several types of data to the
respondents of the survey. Customer, privacy, and proprietary data were the top three in
the list, while trade secrets, competitive, and market data ranked among the bottom three..
The responses for the importance of customer, privacy and proprietary data were highly
negatively skewed (skewness coefficient < -1.96) indicating the high importance placed
on these by the respondents. The low rank of trade secrets and competitive data implies
vulnerability to data theft and sabotage.
160
Information Experiences. Table 19 displays the information security issues and
problems experienced by the survey respondents within the past 12 months, or the
calendar year 2007. Based on the results, data corruption and problems with virus and
malicious software (or malware) were the top three negative experiences. Abuse of
internet access privileges by employees and problems with reliability in information
systems also placed within the top five negative experiences.
Seven respondents reported problems with intrusion to computer systems by
outsiders and seven reported abuse from insiders of information access privileges. Five
respondents were victims of cyber fraud. The least frequent experiences were theft of
proprietary and loss of secret information. The low response by the respondents for fraud
and sabotage are in contrast with the data reported by the US FBI (CSI/FBI, 2006) for all
businesses. However, the data from the US FBI also lists attack from viruses, Trojans,
spyware, and other malicious software as the highest threat for all businesses.
businesses.
businesses.
161
transformational leadership style (independent variable) and information security
concerns (dependent variables). The results, shown in Table 20, indicated a statistically
significant, positive relationship (p < 0.05) between transformational leadership style and
the level of concern for two (out of 14) information security problems (Data Secrecy and
Data Availability). Based on these results, the null hypothesis H10 is rejected.
These findings are important because they indicate the overall importance of
transformational leadership style to addressing two key information security problems.
Data secrecy and data availability are important to small businesses, who value the
confidentiality of customer data, privacy data, and proprietary information (see Table 18).
As indicated by the results in Table 19, the top negative experience for respondents
during the 12 months of 2007 was data corruption. To mitigate this risk, and ensure data
availability, small businesses need to adopt transformational leadership styles.
The entire results of the data analysis, using Pearsons product-moment
correlations, are displayed in Appendix I. The results indicate that small businesses that
practice specific factors of transformational leadership display high levels of concern for
specific information security problems. For example, the Idealized Influence Attribute
(IIA) had a statistically significant relationship (p < 0.05) with six security problems:
insider access abuse, data integrity, data secrecy, data availability, data theft, and data
sabotage. Idealized attributes behavior (IIB) and inspirational motivation (IM) had a
statistically significant relationship (p < 0.05) with the level of concern for data
availability and data secrecy respectively.
162
These findings are important because they imply that the adoption of specific
factors of transformational leadership can enable small businesses to expand their
awareness and readiness against a wider range of information security problems. Based
on the findings, an adoption of the transformational leadership factor of Idealized
Influence Attribute (IIA) can enable small businesses to better prepare against these six
security problems of insider access abuse, data integrity, data secrecy, data availability,
data theft and data sabotage. IIA includes the abilities to instill pride in followers and go
beyond self-interest for the good of the group.
As indicated by Table 19, the top four negative experiences for survey
respondents in 2007 were data corruption, viruses or malicious software, employee abuse
of internet privileges, and problems with reliability of information systems. To mitigate
these four risks, small businesses need to adopt specific factors of transformational
leadership such as Idealized Influence Attributes (IIA). Other factors of transformational
leadership that can help prepare small business against problems with data availability
and data secrecy include Idealized Influence Behavior (IIB) and Inspirational Motivation
(IM) respectively. Leaders demonstrating Idealized Influence Behavior (IIB)
communicate a sense of power and confidence and build respect among the followers.
Leaders who demonstrate Inspirational Motivation (IM) guide followers by providing
meaning and inspiration. These leaders are articulate and enthusiastic about their future
and express a compelling vision that persuades followers to work for success.
The research results supported the theory of transformational leadership using the
full range leadership model (Bass & Avolio, 2004). Bass and Avolio suggested that
leaders often follow more than one leadership style, based on the underlying situation and
163
environment. The research results indicate support for this theory, by highlighting factors
of transformational leadership that target specific information security problems and
concerns for small businesses. These results imply that small businesses leaders need to
demonstrate more than one leadership style to broaden their preparation against a range
of information security concerns, issues, and problems.
transactional leadership style (independent variable) and information security concerns
(dependent variables). The results, shown in Table 24, indicated a statistically significant,
positive relationship (p < 0.05) between transactional leadership style and the level of
concern for 11 (out of 14 total) information security problem. Based on these results, the
null hypothesis H20 is rejected.
These findings are important because they indicate the overall importance of
transactional leadership style to addressing the majority (11 out of 14) of information
security problems. These 11 problems are insider access abuse, viruses, data integrity,
outsider access abuse, data secrecy, data availability, data theft, data sabotage, user
164
errors, natural disasters, and fraud. As indicated by the results in Table 19, the top five
negative experiences for respondents during the 12 months of 2007 were data corruption,
viruses or malicious software, abuse of internet privileges by employees, problems with
reliability of information systems, and information security breaches. To mitigate these
risks, small businesses need to adopt effective transactional leadership styles.
The entire results of the data analysis, using Pearsons product-moment
correlations, are displayed in Appendix I. The results indicate that small businesses which
practice specific factors of transactional leadership display high levels of concern for
specific information security problems. For example, the Management by Exception
Active (MBEA) had a statistically significant relationship (p < 0.05) with the level of
concern for 10 security problems, namely insider access abuse, data integrity, outsider
access abuse, data secrecy, data availability, data theft, data sabotage, user errors, natural
disasters, and fraud. Contingent Reward (CR) had a statistically significant relationship
with the level of concern about viruses.
These findings are important because they imply that the adoption of specific
factors of transactional leadership can enable small businesses to mitigate a wide range of
information security problems. Based on the findings, an adoption of the transactional
leadership factor of Management by Exception Active (MBEA) can enable small
businesses to better prepare against the majority (10 out of 14) of information security
concerns. These 10 concerns are insider access abuse, data integrity, outsider access
abuse, data secrecy, data availability, data theft, data sabotage, user errors, natural
disasters, and fraud. Leaders demonstrating active management by exception (MBEA)
clarify the standards for compliance and monitor followers who do not meet specific
165
standards. Leaders take corrective action when their followers fall short of their
expectations and standards, and focus on tracking mistakes and errors.
As indicated by Table 19, the top four negative experiences for survey
respondents in 2007 included data corruption, viruses, employee abuse of internet
privileges, and problems with reliability of information systems. To mitigate these risks,
small businesses need to adopt specific factors of transactional leadership, such as
Management by Exception Active (MBEA). Another factor of transformational
leadership that can help prepare small business against problems with viruses includes
Contingent Reward (CR). Leaders who demonstrate the transactional leadership factor of
contingent reward set expectations and goals and reward followers who achieve specific
goals. Such leaders assist followers in achieving specific goals, providing feedback, and
enabling the entire team to reach their pre-defined levels of performance.
The research results support the theory of transformational leadership using the
full range leadership model (Bass & Avolio, 2004). Bass and Avolio suggested that
leaders often follow more than one leadership style, including the combination of
transformational and transactional leadership styles. The research results indicate support
for this theory, by highlighting the combined effects of transformational and transactional
leadership on the mitigation of information security problems. These results imply that
small businesses leaders need to demonstrate both transactional and transformational
leadership styles, with specific focus on factors such as MBEA and IIA, to broaden their
preparation against a wide range of information security concerns, issues, and problems.
166
businesses.
businesses.
passive-avoidance leadership style (independent variable) and the level of concern for
information security problems (dependent variables). The results, shown in Table 26,
indicate a statistically significant, positive relationship (p < 0.05) between passiveavoidance leadership style and the level of concern for one (out of 14) information
security problem. Based on these results, the null hypothesis H30 is rejected.
These findings are important because they indicate the lack of importance of
passive-avoidance leadership style to addressing information security problems. As
indicated by the results in Table 19, the top five negative experiences for respondents
during the 12 months of 2007 were data corruption, viruses or malicious software, abuse
of internet privileges by employees, problems with reliability of information systems, and
information security breaches. None of these experiences are addressed by a passiveavoidance leadership style. Table 17 indicates that 88% of the survey respondents
167
deployed power surge protectors in their small business to safeguard against power spikes
and power failures. These results implied that small businesses may already be protected
against the incidence of power failure by deploying appropriate technologies and policies.
The entire results of Pearsons product-moment correlations are displayed in
Appendix I. The results indicate that small businesses which practice the passiveavoidance factor of Management by Exception Passive (MBEP) display a high level of
concern for only one (out of 14) security problem, power failure. The passive-avoidant
leader often fails to intervene until the situation becomes serious or threatening. He or she
generally remains passive until things go wrong. He or she expects followers to work
without guidance and without any intervention unless they make mistakes.
These findings are important because they highlight the unimportance of passiveavoidance leadership factors to mitigating issues and concerns from information security
problems. While the factor of MBEP is capable of targeting one information security
problem, the other factor of laissez-faire (LF) does not mitigate any information security
problem. The leader who exhibits the laissez-faire factor is often absent during the course
of important decisions. He or she avoids or delays making key decisions; and is not
available to followers during times of stress or difficulty; and prefers to remain on the
sidelines when important issues or concerns arise. These study results imply the dangers
of demonstrating passive-avoidance behavior among small businesses against the threats
from information security problems.
The research results support the theory of transformational leadership using the
full range leadership model (Bass & Avolio, 2004). According to Bass and Avolio
(2004), the passive-avoidant leadership style is characterized by passivity and reactivity.
168
Bass and Avolio warned that a passive style has the negative effect of misleading
followers, which is the opposite of the desired outcome. This study supported this theory
by demonstrating that passive styles do not help small businesses against cybercrime.
Implications
The review of the literature indicated that the information systems of small
businesses in the United States are vulnerable to cybercrime (Adamkiewicz, 2005; Baker
& Wallace, 2007; Gupta & Hammond, 2005; O'Rourke, 2003). Computer security
breaches disrupt businesses, causing annual revenue losses of over $200 million in the
United States (Norah, 2004). Yet small businesses often display a lack of concern
towards information security problems (Gupta & Hammond, 2005). The results of this
study indicate that a combination of transformational and transactional leadership styles
within small businesses correlates with the ability to mitigate information security
problems. The results also emphasize that passive leadership styles provide few benefits
to small businesses against the growing threats from cybercrime.
Implications for Global Leadership
According to Bass and Avolio, transformational leadership strives to achieve the highest
level of performance and job satisfaction from the followers. Bass (1990) noted that
transactional leadership involves an exchange between the leader and followers in which
the leader rewards or disciplines followers in exchange for their actions. Bass and Avolio
(2004) described transactional leadership as behaviors associated with constructive and
169
corrective transactions (p. 97). Transactional leaders define clear performance
expectations from their followers and expect achievement of specific goals in exchange
for rewards.
These study findings support the model (Bass, 1985) that transformational
leadership augments transactional leadership in predicting effects on employees. Bass
and Avolio (2004) supported the model with evidence and noted that transactional
leadership provides a basis for effective leadership, but a greater amount of Extra Effort,
Effectiveness, and Satisfaction is possible from employees by augmenting transactional
with transformational leadership (p. 22). Figure 12 displays a graphical view of the
leadership augmentation model to promote cybercrime vigilance within small businesses.
Figure 12. Leadership Augmentation Model for Cybercrime

Source: Developed by researcher Debasis Bhattacharya, University of Phoenix
The results of the study support the model of augmenting transactional leadership
styles with transformational leadership styles. While effective transactional leadership is
the predominant leadership style for mitigating cybercrime, transformational leadership
170
augments the benefits to small businesses. The results of the study highlight the need for
both transformational and transactional leadership styles within small businesses to
address information security problems.
Implications for Small Business Leaders
The study also highlights the need to complement the benefits of transformational
and transactional leadership styles with effective policies and updated technologies that
mitigate information security problems. Small businesses cannot rely primarily on basic
technologies such as anti-virus software, firewalls, and power surge protectors, the top
three technologies in Table 17, to protect against cybercrime. Likewise, small businesses
cannot rely primarily on basic data recovery procedures and information security policies
and procedures for protection against cybercrime. A combination of leadership, policy,
and technologies provides a small business with an effective security framework to
maintain vigilance against cybercrime (see Figure 13).
Figure 13. Cybercrime Leadership Framework Overview for Small Business

Source: Developed by researcher Debasis Bhattacharya, University of Phoenix
The second table in Appendix J identifies the combination of leadership, security
policy, and security technology that best prepares a small business for a specific security
171
problem. Figure 14 below provides details on the specific policies and procedures,
technology, and leadership factors required by small businesses to mitigate information
security problems. All policies and procedures, as well the technologies identified in
Figure 14, need to be effectively deployed by the small business. The leadership styles
include a combination of transactional and transformational leadership. Transactional
leadership factors of Contingent Reward and Active Management by Exception need to
be augmented with transformational leadership factor of Idealized Influence Attributes.
Figure 14. Cybercrime Leadership Framework Details for Small Business

Source: Developed by researcher, Debasis Bhattacharya, University of Phoenix
Bass and Avolio (2004) cautioned against the limitations of transactional
leadership. The authors noted that some leaders practice less than active management by
exception, and turn to contingent negative reinforcement to avoid transactional
relationships with employees (p. 23). There are occasions when transactional leaders fail
to deliver the necessary rewards and consequently tarnish their reputations (Bass &
172
Avolio). The implications of these risks for small business are significant as small
business leaders cannot optimize their defenses against cybercrime and information
security problems without transactional leadership styles that are credible and effective.
Small business leaders also need to augment transactional leadership with genuine
transformational leadership and effective deployment of policies and technology.
Recommendations
Three recommendations are proposed to address information security concerns
within small businesses. The recommendations are based on the findings of the research
study, implications, conclusions, and personal observations that align with the established
theories of transformational leadership (Bass & Avolio, 2004) and information security
(Ryan, 2000). The recommendations address the study problem that small businesses
often display a lack of concern towards information security (Gupta & Hammond, 2005).
A lack of concern usually results in delayed or incorrectly implemented security
measures, which increases vulnerability to cybercrime (Andress, 2003; DeZulueta, 2004).
These recommendations will enable small business owners and entrepreneurs to
understand which combination of leadership styles, policies, and technologies best
protects information security.
Recommendation 1: Leadership Styles Assessment
The first recommendation for small business leaders is to introduce a systematic
and consistent system of leadership assessment within their organization. The Multifactor
Leadership Questionnaire (MLQ), available from Mind Garden Inc. (2008), is a valid and
reliable survey instrument for assessing leadership styles within a small business. The
results of this research study highlight the importance of three leadership factors that are
173
components of transformational and transactional leadership styles. These leadership
factors are Idealized Influence Attributes (IIA), Contingent Reward (CR) and
Management-by-Exception Active (MBEA). Small business leaders can evaluate their
scores on these three leadership factors by using the MLQ (Rater Form) with their
subordinates. Figure 15 provides a graphical display of the three leadership factors.
Figure 15. Assessment of Key Leadership Factors

The average score of the Contingent Reward (CR) and Management-byException (MBEA) computes the aggregated transactional leadership scores for the small
business. The score for the Idealized Influence Attributes (IIA) provides one dimension
of transformational leadership. Other factors for transformational leadership include
Idealized Influence Behavior (IIB), Inspirational Motivation (IM), Intellectual
Stimulation (IS) and Individual Consideration (IC). The average of the scores for the five
factors--IIA, IIB, IM, IS and IC--computes the aggregated transformational leadership
174
score for the small business. Figure 16 displays the factors that compute the overall
scores.
Figure 16. Computation of Leadership Style Scores

Recommendation 2: Information Security Assessment
The second recommendation is for small businesses to conduct an audit of their
information security. A web site (ReadyBusiness, 2008) and guide published by the US
Department of Homeland Security (2004) provides a detailed checklist to conduct
security assessments within small businesses. Another detailed guide from SANS (2003)
provides a risk audit for very small businesses, with 10 or less employees, who were the
primary respondents for this research study. Appendix K provides a detailed information
security checklist for small business owners and leaders. Appendix N provides a detailed
list of online and other resources available to businesses who are victims of cybercrime.
The US National Institute of Standards and Technology (NIST), in conjunction
with the US Small Business Administration (SBA) and the US Federal Bureau of
175
Investigation (FBI), conducts a series of regional workshops on IT security for small
businesses. The emphasis of these workshops is practical advice that small business
leaders can apply to their business to improve IT security and mitigate information
security problems (NIST, 2008). Security technology and guidance for small businesses
can be obtained from the websites of leading technology vendors such as Microsoft
(2007), Symantec (2008), McAfee (2007), Cisco (2008), and ADT (2008).
Self-help books on computer security can provide small business leaders with a
cost-effective but basic approach to assess the risks and vulnerabilities of the
organization, and create a basic audit of information security needs (Day, 2003; Easttom,
2006). Based on the security checklist provided by Easttom, Figure 17 displays the
various components of a basic information security assessment that small businesses can
conduct on their own or with the assistance of an external security professional. Easttom
provides guidance to small businesses to train internal or hire external professionals who
can sustain an effective computer emergency response team.
Figure 17. Basic Information Security Assessment (Easttom, 2006)
176
Recommendation 3: Application of Cybercrime Leadership
The third recommendation is to use the feedback from the leadership assessment
survey (MLQ) to compute the level of concern for an information security problem. This
level of concern identifies the importance that a small business needs to place on the
specific information security problem. To compute the level of concern, as shown in
Table 39, the leader needs to use the leadership score and the regression equation.
Table 39
Cybercrime Leadership using Leadership Style Score
Security
Problem
Insider Access
Compute Leadership Score

from MLQ (Scale of 0-4)
Transactional Score
Compute Level of Concern using

Unstandardized Regression Equation
0.75 + (0.62 x Transactional Score)
Viruses
Transactional Score
Data Integrity
Transactional Score
Outsider
Access
Transactional Score
Data Secrecy
Transformational Score
1.77 + (0.47 x Transformational Score)
Data
Availability
Transactional Score
Data Theft
Transactional Score
Data Sabotage
Transactional Score
User Errors
Transactional Score
Natural
Disaster
Transactional Score
Fraud
Transactional Score
177
For example, assuming that the transformational score is 3.0 and the transactional
score is 2.5; Figure 40 displays the desired level of concern necessary for an information
security problem. The regression equation is based on study data from Appendix J. The
results imply that small businesses should display moderate-to-high levels of concern for
viruses, data availability, and data integrity. Lower levels of concerns are appropriate for
insider access abuse, fraud, data sabotage, and natural disasters.
Table 40
Example of Cybercrime Leadership
Security
Problem
Insider Access
Abuse
Viruses
Leadership Score from MLQ

(Scale of 0-4)
Transactional Score = 2.5
Level of Concern using

Unstandardized Regression Equation
0.75 + (0.62 x 2.5) = 2.30 (low)
2.26 + (0.58 x 2.5) = 3.71 (moderate)
Data Integrity
1.35 + (0.77 x 2.5) = 3.28
Outsider
Access
1.44 + (0.62 x 2.5) = 2.99
Data Secrecy
Transformational Score = 3
1.77 + (0.47 x 3) = 3.18
Data
Availability
1.34 + (0.85 x 2.5) = 3.47
Data Theft
1.18 + (0.75 x 2.5) = 3.06
Data Sabotage
0.84 + (0.80 x 2.5) = 2.84
User Errors
1.38 + (0.67 x 2.5) = 3.06
Natural
Disaster
0.81 + (0.82 x 2.5) = 2.86
Fraud
1.49 + (0.53 x 2.5) = 2.82
178
The Cybercrime Leadership Framework provides small businesses with a
quantifiable estimate of the level of concern needed to mitigate information security
problems. Table 41 identifies technologies and policies based on results in Appendix J.
Table 41
Cybercrime Leadership, Technology and Policy
Security Problem Recommended
Leadership Style
Insider Access
Transactional
Abuse
Recommended Technology and Policy to Augment

Leadership Style
Computer Emergency Response Team,
Encryption Technology
Viruses
Transactional
Anti-virus software, Computer Emergency

Response Plan
Data Integrity
Transactional
Intrusion Detection Systems, Computer Use and

Misuse Policy
Outsider Access
Abuse
Transactional
Intrusion Detection Systems
Data Secrecy
Transformational Information Security Policy, System Activity

Monitors, Anti-virus software
Data Availability
Transactional
Computer Use and Misuse Policy
Data Theft
Transactional
Computer Emergency Response Team, Anti-virus

software, System Activity Monitors
Data Sabotage
Transactional
Computer Emergency Response Team, Intrusion

Detection Systems
User Errors
Transactional
Computer Emergency Response Team, Anti-virus

software
Natural Disaster
Transactional
Computer Emergency Response Plan
Fraud
Transactional
Computer Emergency Response Team
179
Recommendations for Future Research
The findings of this research study disclose a statistically significant relationship
between transactional leadership style and several information security problems. Based
on the findings, an adoption of the transactional leadership factor of Management by
Exception Active (MBEA) can enable small businesses to better prepare against the
majority (10 out of 14) of information security problems. As mentioned previously, these
10 problems are insider access abuse, data integrity, outsider access abuse, data secrecy,
data availability, data theft, data sabotage, user errors, natural disasters, and fraud.
The study also highlights the need to complement the benefits of transformational
and transactional leadership styles with effective policies and updated technologies that
mitigate information security problems. Small businesses cannot rely only on basic
technologies such as anti-virus software, firewalls, and power surge protectors to protect
against cybercrime. Likewise, small businesses cannot rely merely on basic policies and
procedures for protection against cybercrime. A combination of leadership, policy, and
technologies provides a small business with a vigilant and effective security framework.
Based on these findings, five suggestions are offered for further research. The first
suggestion is to conduct additional studies in several small and large states in the United
States, and broaden the sample population. This expansion may result in findings that are
based on experiences of small business in various situations that are not relevant to the
state of Hawaii. Additional research may be conducted in overseas countries that contain
small businesses with profiles similar to those of small businesses in the United States.
This global exposure will provide researchers with insight into global security problems
and issues.
180
A second suggestion is to conduct a mixed-method quantitative-qualitative study
designed to, in addition to giving survey statements, ask open ended questions about
information security and concerns. Open-ended questions could elicit information
regarding new and emerging security issues and feedback that are not covered by the
questions in a survey instrument. Qualitative feedback could help facilitate specific action
plans and strategies to mitigate new and emerging information security problems.
A third suggestion is to conduct similar studies on an ongoing basis for the next
decade. Given the evolving nature of cybercrime and information security, the attitudes
and exposures of small businesses vary over time. As such, regular studies conducted
over a long period of time will provide researchers with details on trends and new issues.
The results from these studies will provide researchers with a comprehensive evaluation
of the growth and evolution of cybercrime and the abilities to combat it.
A fourth suggestion is to conduct a similar study in small, medium, and large
organizations. This broadened study would provide researchers with information to
compare and contrast security issues and concerns across an industry or region. The
results of this study may allow organizations to adopt leadership styles, technologies and
policies that are relevant to any organization, whatever its size.
A final suggestion is to update the list of independent and dependent variables to
ensure that they cover the current leadership styles and information security concerns. As
leadership styles evolve and the nature of cybercrime changes, the list of independent and
dependent variables will need to be updated. The specific elements of leadership and
security problems listed in the survey instruments for this study may become obsolete or
irrelevant in a few years. As a result, the questionnaire needs to be updated.
181
Summary
Chapter 5 discussed the researchers interpretations, inferences and conclusions
of the findings of the study presented in Chapter 4. The data analysis included results
describing the impact of leadership styles on the level of concern for information security
problems for small businesses located in Hawaii. In this chapter, the researcher discussed
the impact of the full range of leadership styles (transformational leadership, transactional
leadership and passive-avoidance leadership) and the significance for 14 separate
information security problems. The findings indicate the importance of transactional
leadership, augmented by transformational leadership, in mitigating the majority of
information security concerns. Recommendations were presented that highlighted the key
leadership style, policies and technologies necessary to mitigate cybercrime.
Conclusions
The research is socially significant in its finding that leadership styles are
statistically significant when it comes to mitigating information security issues and
concerns within small businesses. Small business leaders are preoccupied with everyday
business issues and concerns and often display a lack of concern towards information
security problems (Gupta & Hammond, 2005). A lack of concern usually results in
delayed or incorrectly implemented security measures, which increases vulnerability to
cybercrime (Andress, 2003; DeZulueta, 2004). This research has demonstrated the need
for effective transactional and transformation leadership styles that will enable small
business leaders to prioritize their efforts to mitigate cybercrime. An optimal combination
of leadership styles, security policies and technology will enable small business leaders to
mitigate information security problems without disrupting their core business functions.
182
REFERENCES
Abu-Bader, S. H. (2006). Using statistical methods in social work practice: A complete
SPSS guide. Chicago: Lyceum Books, Inc.
Abu-Musa, A. A. (2004). Investigating the security controls of CAIS in an emerging
economy: An empirical study on the Egyptian banking industry. Managerial
Auditing Journal, 19(2), 272.
Adamkiewicz, S. L. (2005). The correlation between productivity and the use of
information security controls in small businesses. The George Washington
University, United States -- District of Columbia.
ADT. (2008). Small business security and alarm systems. Retrieved January 18, 2008,
from https://www.adt.com/wps/portal/adt/small_business/
Albrechtsen, E. (2007). A qualitative study of user's view on information security.
Computers and Security, 26(6), 276.
Amrstrong, S. J., & Overton, T. S. (1977). Estimating non-response bias in mail surveys.
Journal of Marketing Research, 14, 396-402.
Anat, H., & John, D. A. (2003). The impact of denial-of-service attack announcements on
the market value of firms. Risk Management and Insurance Review, 6(2), 97.
Anderson, B. B., Hansen, J. V., Lowry, P. B., & Summers, S. L. (2006). The application
of model checking for securing e-commerce transactions. Association for
Computing Machinery. Communications of the ACM, 49(6), 97.
Andress, A. (2003). Surviving security: How to integrate people, process and technology.
New York: Auerbach Publications.
183
Baker, W. H., & Wallace, L. (2007). Is information security under control? IEEE Security
& Privacy.
Bass, B. M. (1985). Leadership and performance beyond expectations. New York: Free
Press.
Bass, B. M. (1990). Bass & Stogdill's handbook of leadership: Theory, research, and
managerial applications (3rd ed.). New York: Free Press.
Bass, B. M., & Avolio, B. (2004). The multifactor leadership questionnaire: Sampler set.
Belasco, J. A., & Stayer, R. C. (1993). Flight of the buffalo: Soaring to excellence,
learning to let employees lead. New York: Warner Books Inc.
Bhaskar, R. (2006). State and local law enforcement is not ready for a cyber Katrina.
Association for Computing Machinery. Communications of the ACM, 49(2), 81.
Blake, I., Kenneth, R. W., & Helmut, S. (2004). The domino effect of password reuse.
Blake, M. (2003). GFI white paper exposes how hackers can elude anti-virus software
with custom Trojans. The Electronic Library, 21(6), 629.
Blyth, A., & Thomas, P. (2005). An XML-based architecture for data integration in
vulnerability assessments. Information Management & Computer Security, 13(4),
260.
Burns, J. M. (1979). Leadership. New York: Harper & Row.
Campbell, A. (2004). Why bother virus scanning? Information Management & Computer
Security, 12(2/3), 306.
Carrier, B. (2005). File system forensic analysis. Boston: Addison-Wesley Professional.
184
Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). A model for evaluating
information technology security investments. Association for Computing
Machinery. Communications of the ACM, 47(7), 87.
Cavusoglu, H., Mishra, B., & Raghunathan, S. (2005). The value of intrusion detection
systems in information technology security architecture. Information Systems
Research, 16(1), 28.
CC&IPS. (2006). Computer Crime & Intellectual Property Section US Department of
Justice. Retrieved October 9, 2007, from
http://www.cybercrime.gov/cccases.html.
Chang, S. E., & Lin, C.-S. (2007). Exploring organizational culture for information
security management. Industrial Management + Data Systems, 107(3), 438.
Christensen, C. (1997). The innovator's dilemma. Boston: Harvard Business School
Press.
Cisco. (2008). Small and medium business security. Retrieved January 18, 2008, from
http://www.cisco.com/en/US/netsol/ns643/networking_solutions_packages_list.ht
ml
CoCHawaii. (2007). The Chamber of Commerce of Hawaii. Retrieved October 9, 2007,
from http://www.cochawaii.com/.
Creswell, J. W. (2003). Research design: Qualitative, quantitative and mixed methods
approaches. Thousand Oaks, CA: Sage.
CSI/FBI. (2006). Computer Crime and Security Survey XI Annual. Retrieved October 9,
2007, from http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf.
185
Day, K. (2003). Inside the security mind: Making tough decisions. Upper Saddle River,
NJ: Prentice Hall.
Delaney, E. M., Goldstein, C. E., Gutterman, J., & Wagner, S. N. (2003). House
considers bill to enhance criminal enforcement of internet copyright piracy
measures. Intellectual Property & Technology Law Journal, 15(9), 16.
Desai, M. S., Richards, T. C., & Desai, K. J. (2003). E-commerce policies and customer
privacy. Information Management & Computer Security, 11(1), 19.
DeZulueta, M. (2004). A novel neural network based system for assessing risks
associated with information technology security breaches. Florida International
University, United States -- Florida.
Diller-Haas, A. (2004). Identity theft: It can happen to you. The CPA Journal, 74(4), 42.
Douglas, M., & Wildavsky, A. (1982). Risk and culture: An essay on the selection of
technological and environmental dangers. Berkeley, CA: University of California
Press.
Drucker, P. (2004). What makes an effective executive? Harvard Business Review, 82(6).
Easttom, C. (2006). Computer security fundamentals. Upper Saddle River, NJ: Prentice
Hall.
Fan, W., Miller, M., Stolfo, S., Lee, W., & Chan, P. (2004). Using artificial anomalies to
detect unknown and known network intrusions. Knowledge and Information
Systems, 6(5), 507.
FBI. (2005). 2005 FBI Computer Crime Survey. Retrieved October 9, 2007, from
www.digitalriver.com/v2.0img/operations/naievigi/site/media/pdf/FBIccs2005.pdf.
186
Fernald, L. W., Solomon, G. T., & Tarabishy, A. (2005). A new paradigm:
Entrepreneurial leadership. Southern Business Review, 30(2), 1.
Fiedler, F. E. (1967). A theory of leadership effectiveness. New York: McGraw-Hill.
Foltz, C. B. (2004). Cyberterrorism, computer crime, and reality. Information
Management & Computer Security, 12(2/3), 154.
FTC. (2008). Federal trade commission - identity theft site. Retrieved February 11,
2008, 2008, from http://www.ftc.gov/bcp/edu/microsites/idtheft//
Furnell, S. M., Jusoh, A., & Katsabas, D. (2006). The challenges of understanding and
using security: A survey of end users. Computers and Security, 25, 27-35.
Gay, L. R., & Airasian, P. (2000). Educational research: Competencies for analysis and
application (6th ed.). Upper Saddle River, NJ: Prentice Hall.
Gellis, H. C. (2004). Protecting against threats to enterprise network security. The CPA
Journal, 74(7), 76.
Gibson, S. (2005). Spyware was inevitable. Association for Computing Machinery.
Communications of the ACM, 48(8), 37.
GISS. (2006). Global Information Security Survey. Retrieved October 9, 2007, from
http://www.ey.com/Global/download.nsf/International/TSRS__GISS_2006/$file/EY_GISS2006.pdf.
Gordon, L. A., & Loeb, M. P. (2002). The economics of information security. ACM
Transactions on Information and Systems, 5(4), 438-457.
Gordon, L. A., & Loeb, M. P. (2006a). Economic aspects of information security: An
emerging field of research. Information Systems Frontiers, 8(5), 335.
187
Gordon, L. A., & Loeb, M. P. (2006b). Managing cybersecurity resources: A cost-benefit
analysis. New York: McGraw-Hill.
Greenleaf, R. K. (2002). Servant leadership (25th ed.). Mahwah: New Jersey: Paulist
Press.
Gupta, A., & Hammond, R. (2005). Information systems security issues and decisions for
small businesses: An empirical examination. Information Management &
Computer Security, 13(4), 297.
Hall, J. (2003). Workers the weakest link. Information Management & Computer
Security, 11(2/3), 154.
Hanna, G. (2005a). Preventing computer fraud: Enemies from without and within are
constantly looking for ways to break into vulnerable computer systems. Risk
Management, 30(35).
Hanna, G. (2005b). Securing wireless networks against intruders. The CPA Journal,
75(4), 68.
Harland, L., & Harrison, W. (2005). Leadership behaviors and subordinate resilience.
Journal of Leadership & Organizational Studies, 11(2), 1-15.
Harrison, W. (2006). Passwords and passion. IEEE Software, 23(4), 5.
Hassan, A. A., Alexander, P., & Daniel, C. (2003). Global e-commerce: A framework for
understanding and overcoming the trust barrier. Information Management &
Computer Security, 11(2/3), 130.
Hausken, K. (2006). Returns to information security investment: The effect of alternative
information security breach functions on optimal investment and sensitivity to
vulnerability. Information Systems Frontiers, 8(5), 338.
188
Hazari, S. (2005). Perceptions of end-users on the requirements in personal firewall
software: An exploratory study. Journal of Organizational and End User
Computing, 17(3), 47.
Hersey, P., & Blanchard, K. H. (1996). The management of organizational behavior:
Utilizing human resources (7th ed.). Englewood Cliffs, N.J.: Prentice Hall.
Herzberg, F., Mausner, B., & Snyderman, B. B. (1959). The motivation to work (2nd ed.).
New York: John Wiley and Sons.
HomelandSecurity. (2004). Tools for small business. Retrieved January 18, 2008, from
http://www.ntsbdc.org/docs/sba_homeland_security.pdf
Hong, K.-S., Yen-Pin, C., Loui, R. C., & Tang, J.-H. (2003). An integrated system theory
of information security management. Information Management & Computer
Security, 11(5), 243.
House, R. J. (1971). A path-goal theory of leader effectiveness. Administrative Science
Leadership Review, 16, 321-339.
IC3. (2006). Internet Crime Complaint Center. Retrieved October 9, 2007, from
http://www.ic3.gov/.
ISO/IEC. (2005). ISO/IEC 17799:2005 Information technology - security techniques.
Retrieved October 9, 2007, from http://www.iso.org/iso/information_security.
Knight, W. (2004). Zombie networks fuel cybercrime. New Scientist, 184(2472), 28(21).
Kotter, J. (1990). A force for change: How leadership differs from management. New
York: The Free Press.
Kouzes, J. M. (2002). The leadership challenge (3rd ed.). San Francisco, CA: JosseyBass.
189
Kouzes, J. M. (2003). The leadership challenge (3rd ed.). San Francisco, CA: JosseyBass.
Kouzes, J. M., & Posner, B. Z. (2003). Encouraging the heart: A leader's guide to
rewarding and recognizing others. San Francisco, CA: Jossey-Bass.
Kreuter, E. A. (2003). The impact of identity theft through cyberspace. The Forensic
Examiner (May - June), 30.
Kros, J. R., Foltz, C. B., & Metcalf, C. L. (2004). Assessing & quantifying the loss of
network intrusion. The Journal of Computer Information Systems, 45(2), 36.
Kruh, L. (2003). Wireless computer security. Cryptologia, 27(2), 183.
Kshetri, N. (2006). The simple economics of cybercrimes. IEEE Computer Society.
Larson, L. L., Larson, R. K., & Greenlee, J. (2003). Privacy protection on the internet.
Strategic Finance, 84(12), 49.
Leedy, P. D., & Ormrod, J. E. (2001). Practical research: Planning and design (7th ed.).
Upper Saddle River, NJ: Prentice-Hall.
Lepofsky, R. (2006). Cyberextortion by denial-of-service attack. Risk Management,
53(6), 40.
Lunsford, D. L., Robbins, W. A., & Bizarro, P. A. (2004). Protecting information privacy
when retiring old computers. The CPA Journal, 74(7), 60.
Lussier, R., & Achua, C. (2004). Leadership: Theory, application and skill development
(2nd ed.). Stamford, CT: Thomson South-Western.
Ma, Q. (2004). A study on information security objectives and practices. Southern Illinois
University at Carbondale, United States -- Illinois.
190
Maroncelli, J. M., & Karpin, T. L. (2003). A worm in the works. Bulletin of the Atomic
Scientists, 59(5), 6.
Marshall, J., & Heffes, E. M. (2005). Computer security: Software patches more
vulnerable to hackers. Financial Executive, 21(2), 10-12.
McAfee. (2007). McAfee for small and medium business. Retrieved October 9, 2007,
from http://www.mcafee.com/us/smb/index.html.
McCarthy, E. (2006). Small firm technology tips. Journal of Accountancy, 201(5), 43.
McGregor, D. (1960). The human side of enterprise. New York: McGraw-Hill.
Microsoft. (2007). Security Guidance Center. Retrieved October 9, 2007, from
http://www.microsoft.com/smallbusiness/support/computer-security.mspx.
MindGarden. (2008). Multifactor Leadership Questionnaire Retrieved January 18,
2008, from http://www.mindgarden.com/products/mlq.htm
Moores, T. (2005). Do consumers understand the role of privacy seals in e-commerce?
Mulligan, D. K., Schwartz, A., & Mondal, I. (2006). Risks of online storage. Association
for Computing Machinery. Communications of the ACM, 49(8), 112.
NIST. (2008). SBC computer security workshops. Retrieved January 18, 2008, from
http://csrc.nist.gov/groups/SMA/sbc/workshops.html
Norah, L. (2004). Security Attacks Cost Business Billions. I.T. Vibe. Retrieved October
9, 2007, from http://itvibe.com/default.aspx?NewsID=2494.
Nord, G. D., McCubbins, T. F., & Nord, J. H. (2006). E-monitoring in the workplace.
Northouse, P. G. (2004). Leadership: Theory and practice. Thousand Oaks, CA: Sage.
191
NW3C. (2006). National White Collar Crime Center. Retrieved October 9, 2007, from
http://www.nw3c.org/.
O'Regan, N., Ghobadian, A., & Sims, M. (2005). The link between leadership, strategy,
and performance in manufacturing SMEs. Journal of Small Business Strategy,
15(2), 45.
O'Rourke, M. (2003). Cyberattacks prompt response to security threat. Risk Management,
50(1), 8.
Orshesky, C. M. (2003). Beyond technology - the human factor in business systems. The
Journal of Business Strategy. ABI/INFORM Global, 24(4), 43-47.
Pearson, E. S. (1938). Mathematical statistics and data analysis (2nd ed.). Belmont, CA:
Duxbury.
Peltier, T. R. (2003). Preparing for ISO 17799. Security Management Practices, 21-28.
Pietro, R. D., & Mancini, L. V. (2003). Security and privacy issues of handheld and
wearable wireless devices. Association for Computing Machinery.
Communications of the ACM, 46(9), 75.
Podsakoff, P. H., Mackenzie, S. B., & Bommer, W. H. (1996). Transformational leader
behaviors and substitutes for leadership as determinants of employee satisfaction,
commitment, trust, and organizational citizenship behaviors. Journal of
Management, 22, 259-299.
Prosise, C., Mandia, K., & Pepe, M. (2003). Incident response and computer forensics
(2nd ed.): McGraw-Hill Osborne Media.
Radnofsky, M. L. (2006). Corporate and government computers hacked by juveniles.
Public Manager, 35(3), 50.
192
Rawat, S., Gulati, V. P., & Pujari, A. K. (2004). Frequency- and ordering-based similarity
measure for host-based intrusion detection. Information Management &
Ray, Z. (2006). E-mail security for small businesses. The CPA Journal, 76(7), 51.
ReadyBusiness. (2008). Ready.Gov - small business readiness. Retrieved January 18,
2008, from http://www.ready.gov/business/index.html
Rees, J., Bandyopadhyay, S., & Spafford, E. H. (2003). PFIRES: A policy framework for
information security. Association for Computing Machinery. Communications of
the ACM, 46(7), 101.
Reid, G. (2003). The skinny on getting rid of spam. Black Issues in Higher Education,
19(25), 34.
Roussos, G., & Moussouri, T. (2004). Consumer perceptions of privacy, security and
trust in ubiquitous commerce. Personal and Ubiquitous Computing, 8(6), 416.
Rubin, A., & Babbie, E. (2005). Research methods for social work (5th ed.). Belmont,
CA: Brooks/Cole - Thomson Learning.
Ryan, J. J. C. H. (2000). Information security practices and experiences in small
businesses. The George Washington University, United States -- District of
Columbia.
Saint-Germain, R. (2005). Information security management best practice based on
ISO/IEC 17799. Information Management Journal, 39(4), 60.
SANS. (2003). Case study: A risk study of a very small business. Retrieved January 18,
2008, from http://www.sans.org/reading_room/whitepapers/casestudies/1243.php
193
SBA. (2007). US Small Business Administration. Advocacy Small Business Statistics and
Research. Retrieved October 9, 2007, from
http://app1.sba.gov/faqs/faqindex.cfm?areaID=24.
SBH. (2007). Small Business Hawaii. Retrieved October 9, 2007, from
http://www.smallbusinesshawaii.com/SBHabout.html.
Sherif, J. S., & Ayers, R. (2003). Intrusion detection: Methods and systems. Part II.
Information Management & Computer Security, 11(5), 222.
Sherif, J. S., Ayers, R., & Dearmond, T. G. (2003). Intrusion detection: The art and the
practice. Part I. Information Management & Computer Security, 11(4), 175.
Sherif, J. S., & Gilliam, D. P. (2003). Deployment of anti-virus software: A case study.
Simon, M. F. (2006). Dissertation and scholarly research: Recipes for success. Dubuque,
IA: Kendall/Hunt.
Smith, A. D. (2004). Cybercriminal impacts on online business and consumer confidence.
Online Information Review, 28(3), 224.
Smith, H. W. (1981). Strategies of social research: The methodological imagination.
Englewood Cliffs, NJ: Prentice Hall.
Sodiya, A. S., & Longe, H. O. D. (2005). An improved two-tiered strategy to intrusion
detection. Information Management & Computer Security, 13(2/3), 235.
Sodiya, A. S., Longe, H. O. D., & Akinwale, A. T. (2005). Maintaining privacy in
anomaly-based intrusion detection systems. Information Management &
194
Spears, L. C., & Lawrence, M. (Eds.). (2002). Focus on leadership: Servant-leadership
for the 21st century. New York: John Wiley & Sons.
SPSS. (2008). SPSS Graduate Pack v16. Retrieved January 3, 2008, from
http://www.spss.com/gradpack/
Stafford, T. (2005). Consumer apathy and the emerging revenue model of the internet:
The economic case for spyware. Journal of Electronic Commerce in
Organizations, 3(4), I.
The state of small business security in a cyber economy: Hearing before subcommittee on
regulatory reform and oversight of the committee on small business, US House of
Representatives, 109th Congress Second Sess. (2006).
Swartz, N. (2006). Indiana passes data breach law. Information Management Journal,
40(5), 18.
Symantec. (2007). Small and mid-sized business products. Retrieved October 9, 2007,
from http://www.symantec.com/smb/products/index.jsp.
Symantec. (2008). Small and mid-sized business products. Retrieved October 9, 2007,
from http://www.symantec.com/smb/products/index.jsp.
Szor, P. (2005). The art of computer virus research and defense. Upper Saddle River, NJ:
Symantec Press.
Taillon, G. (2004). Controlling internet use in the workplace. The CPA Journal, 74(7),
16.
Thompson, R. (2005). Why spyware poses multiple threats to security. Association for
195
Torbjorn, R., Oltedal, S., Moen, B.-E., & Hroar, K. (2004). Explaining risk perception:
An evaluation of cultural theory. 85.
Trim, P. R. J. (2005). Managing computer security issues: Preventing and limiting future
threats and disasters. Disaster Prevention and Management, 14(4), 493.
Triola, M. (2004). Elementary statistics (9th ed.). Boston, MA: Addison Wesley.
Tsohou, A., Karyda, M., & Kokolakis, S. (2006). Formulating information systems risk
management strategies through cultural theory. Information Management &
Computer Security, 14(3), 198-217.
USDoJ. (2008). United States Department of Justice. Retrieved February 11, 2008, from
http://www.cybercrime.gov/reporting.htm
Vroom, V. H. (1964). Work and motivation. New York: John Wiley and Sons.
Wakefield, R. L. (2004a). Computer monitoring and surveillance: Balancing privacy with
security. The CPA Journal, 74(7), 52-55.
Wakefield, R. L. (2004b). Network security and password policies. The CPA Journal,
74(7), 6.
Wall, D. S. (2004). Surveillant internet technologies and the growth in information
capitalism: Spams and public trust in the information security. In R. E. K.
Haggerty (Ed.), The new politics of surveillance and visibility. Toronto:
University of Toronto Press.
Wall, D. S. (2005). The internet as a conduit for criminal activity. In A. Pattavina (Ed.),
Information technology and the criminal justice system. Thousand Oaks, CA:
Sage Publications.
196
Warren, M., & Hutchinson, W. (2003). A security risk management approach for ecommerce. Information Management & Computer Security, 11(5), 238.
William, S. (2005). Risk analysis and control: Vital to records protection. Information
Management Journal, 39(5), 62.
Wren, J. T. (1995). The leader's companion: Insights on leadership through the ages.
New York: Free Press.
Yang, S.-M., Yang, M.-H., & Wu, J.-T. B. (2005). The impacts of establishing enterprise
information portals on e-business performance. Information Management & Data
Systems, 105(3), 349-368.
Ye, N., Farley, T., & Lakshminarasimhan, D. (2006). An attack-norm separation
approach for detecting cyber attacks. Information Systems Frontiers, 8(3), 163.
Yu, V. K., Mishchenko, N. M., Felizhanko, O. D., & Shchegoleva, N. N. (2004). Using
Bayesian networks for monitoring computer users. Cybernetics and Systems
Analysis, 40(6), 789.
Yukl, G., Gordon, A., & Taber, T. (2002). A hierarchical taxonomy of leadership
behavior: Integrating a half-century of behavior research. Journal of Leadership
& Organizational Studies, 9(1), 15-33.
Zhang, X. (2005). What do consumers really know about spyware? Association for
Zhao, N., Yen, D. C., & Chang, I. C. (2004). Auditing in the e-commerce era.
Zoomerang. (2007). Zoomerang Online Survey Tool. Retrieved October 9, 2007, from
http://info.zoomerang.com/.
197
APPENDIX A: INFORMED CONSENT FORM
198
Date:
Dear Survey Participant:
I am a student at the University of Phoenix working on a Doctoral of Business
Administration Degree. I am conducting a research study entitled Leadership Styles and
Information Security within Small Businesses: An Empirical Investigation. The purpose
of this quantitative, descriptive, correlational research is to conduct an empirical
investigation to assess leadership styles within small businesses, especially leadership
styles that influence the level of concern for information security problems.
Your participation will involve your honest response to each question appearing
the Leadership and Small Business Security Survey. The approximate time to complete
the questionnaire is 10-15 minutes. The results of the research study may be published
but your name will not be used and your results will be maintained in confidence. If you
are invited to participate in a post-survey interview as a part of this research project, the
same guidelines regarding voluntary participation and anonymity apply to that portion of
the research process.
In this research, there are no foreseeable risks to you. Although there may be no
direct benefit to you, the possible benefit of your participation is to reflect on your
leadership style and recognize how your leadership may influence information security
concerns within the business. The results of this research could provide insight into
leadership styles that help mitigate information security breaches, attacks and issues.
By signing this form, I acknowledge that I understand the nature of the study, the
potential risks to me as a participant, and the means by which my identity will be kept
confidential. My signature on this form also indicates that I am 18 years old or older and
that I give my permission to voluntarily serve as a participant in the study described. If
you have any questions concerning the research study, or wish to obtain a copy of study
results, please contact me by phone at XXX-XXX-XXXX or via email at XXXXXX.
Sincerely,
Debasis Bhattacharya
Doctoral Candidate, University of Phoenix
199
APPENDIX B: COPY OF SURVEY INSTRUMENTS
200
SECTION 1of 2 MULTIFACTOR LEADERSHIP QUESTIONAIRE

LEADER FORM
Note: The first 36 questions that concern leadership styles, will be included in the online
survey. The last 9 questions, that cover behavioral outcomes, will be excluded as they do
not support the objectives of the study.
Only five sample questions (out of a total of 45 questions in the actual MLQ Leader
survey) are authorized for reproduction in this appendix by Mind Garden Inc.
Reproduced with permission of the publisher, Mind Garden Inc., www.mindgarden.com.
MLQRD, 1995, Bruce Avolio and Bernard Bass. All Rights Reserved.
201
SECTION 2 of 2 SMALL BUSINESS SECURITY SURVEY
This Small Business Security Section is reproduced with permission of the author Dr.
Julie Ryan. Small Business Security Survey 2000, Dr. Julie Ryan. All Rights Reserved.
202
APPENDIX C: PERMISSION TO USE MLQ
203
204
APPENDIX D: PERMISSION TO USE SECURITY SURVEY
205
206
APPENDIX E: HUMAN RESEARCH SUBJECTS CERTIFICATION
207
CITI Course in The Protection of Human Research Subjects

Monday, July 9, 2007
CITI Course Completion Record # 257169
for Debasis Bhattacharya
To whom it may concern:

On 4/11/2006, Debasis Bhattacharya (username=XXXXXXXX) completed all CITI Program requirements for the
Course in The Protection of Human Research Subjects.
Learner Institution: University of Phoenix

Learner Group: Group 1.
Learner Group Description: Social / Behavioral Research Investigator and Key Personnel. Complete all required
modules. Complete optional modules if they pertain to your research activities.
Contact Information:
Department: School of Advanced Studies

Phone: XXX
Email: XXX
The Required Modules for Group 1. are:
Date completed
Introduction
History and Ethical Principles - SBR
04/11/06
Defining Research with Human Subjects - SBR
04/11/06
The Regulations and The Social and Behavioral Sciences - SBR
04/11/06
Assessing Risk in Social and Behavioral Sciences - SBR
04/11/06
Informed Consent - SBR
04/11/06
Privacy and Confidentiality - SBR
04/11/06
Workers as Research Subjects-A Vulnerable Population
04/11/06
University of Phoenix
For this Completion Report to be valid, the learner listed above must be affiliated with a CITI participating
institution. Falsified information and unauthorized use of the CITI course site is unethical, and may be
considered scientific misconduct by your institution.
Paul Braunschweiger Ph.D.
Professor, University of Miami
Director Office of Research Education
CITI Course Coordinator
208
209
APPENDIX F: RELIABILITY ANALYSIS
210
Summary of Cases
N
%
120 98.4
Cases Valid
Excluded
2
1.6
Total
122 100.0
Reliability Statistics to compute Cronbachs Alpha

Cronbach's Cronbach's Alpha Based
N
Alpha
on Standardized Items of Items
0.93
0.93
88
Summary Statistics
Mean
Item Means
1.29
Item Variances
0.54
Min. Max.
0.008 4.28
0.008 2.30
Range
4.27
2.29
Max./Min.
513.00
276.00
Variance
1.86
0.43
N of Items
88
88
Reliability Statistics by Split-Half Method (Split 88 Survey Items into 2 groups of 44)
Cronbach's Alpha
Value
0.92
Part 1
N of Items
44
Part 2
Value
0.91
N of Items
44
Total N of Items
88
Correlation Between Forms
0.52
Spearman-Brown Coefficient Equal Length
0.68
Unequal Length
0.68
Guttman Split-Half Coefficient
0.51
Summary Statistics based on Split-Half Method
Mean Min Max Range
Item Means
Item
Variances
Part 1
Part 2
Both
Part 1
Part 2
Both
2.32
0.27
1.29
0.94
0.14
0.54
0.17
0.01
0.01
.05
0.01
0.01
4.28
0.96
4.28
2.30
0.25
2.30
4.12
0.95
4.27
2.25
0.24
2.29
Max / Variance
Min
25.65
1.57
115.00
0.06
513.00
1.86
48.02
0.54
30.24
0.01
276.00
0.43
N of
Items
44
44
88
44
44
88
211
APPENDIX G: FREQUENCY TABLES
212
Frequency Table of Intervening Variable: Business Area
Professional, Scientific, and Technical Services

Other
Educational Services
Finance and Insurance
Retail Trade
Real Estate, Rental, and Leasing
Arts, Entertainment, and Recreation
Construction
Management of Companies and Enterprises
Agriculture
Information
Transportation and Warehousing
Manufacturing
Publishing, Broadcasting, ISPs, Telcos and Recording
Wholesale Trade
Accommodation and Food Services
Utilities
Waste Management and Remediation Services
Total
Frequency
44
16
9
8
7
6
5
5
4
3
3
3
2
2
2
1
1
1
122
Frequency Table of Intervening Variable: Number of Employees
1 to 100
201 to 500
21 to 50
101 to 200
11 to 20
51 to 100
Total
Frequency
85
11
10
6
6
4
122
Percent
69.7
9.0
8.2
4.9
4.9
3.3
100.0
Percent
36.1
13.1
7.4
6.6
5.7
4.9
4.1
4.1
3.3
2.5
2.5
2.5
1.6
1.6
1.6
.8
.8
.8
100.0
213
Frequency Table of Intervening Variable: Annual Revenues
0 to $500,000
More than $5 million
$500,001 to $1 million
$1 million to $5 million
Total
Frequency
70
28
13
11
122
Percent
57.4
23.0
10.7
9.0
100.0
Frequency Table of Intervening Variable: Number of Computers
1 to 5
11 to 20
More than 100
6 to 10
21 to 50
51 to 100
Total
Frequency
67
14
14
13
8
6
122
Percent
54.9
11.5
11.5
10.7
6.6
4.9
100.0
214
APPENDIX H: CHI-SQUARE TESTS
215
Chi-Square Test of Leadership Styles by Business Area (Intervening Variable #1)

Value
df Asymp. Sig. (2-sided)
Pearson Chi-Square 1676.28 1632 0.22 (p > 0.05)
N of Valid Cases
122.00
Chi-Square Test of Leadership Styles by Number of Employees (Intervening Variable #2)
Value df Asymp. Sig. (2-sided)
N of Valid Cases
122.00
Chi-Square Test of Leadership Styles by Annual Revenue (Intervening Variable #3)

N of Valid Cases
122.00
Chi-Square Test of Leadership Styles by Number of Computers (Intervening Variable #4)

N of Valid Cases
122.00
Note: The Chi-Square p values for all four intervening variable were greater than 0.05 (p
> 0.5), and indicated no statistically significant relationship with leadership styles. As a
result, there was no need to examine the strength of relationship through the Phi and
Cramers V tests.
216
Chi-Square Test of Leadership Styles by LAN Connectivity (Intervening Variable #5a)

N of Valid Cases
122.00
Chi-Square Test of Leadership Styles by Internet Connectivity (Intervening Variable #5b)
N of Valid Cases
122.00
Chi-Square Test of Leadership Styles by Intranet Connectivity (Intervening Variable #5c)
N of Valid Cases
122.00
Chi-Square Test of Leadership Styles by Web Connectivity (Intervening Variable #5d)
N of Valid Cases
122.00
Chi-Square Test of Leadership Styles by Extranet Connectivity (Intervening Variable
#5e)
N of Valid Cases
122.00
Chi-Square Test of Leadership Styles by E-Commerce Connectivity (Intervening Variable
#5f)
N of Valid Cases
122.00
Note: All Chi-Square p values (p > 0.05) indicated no statistically significant relationship
between elements of connectivity and leadership styles. As a result, there was no need to
examine the strength of relationship through the Phi and Cramers V tests.
217
APPENDIX I: PEARSONS CORRELATIONS
218
Pearson's Correlations - Transformational Leadership Style and Five Factors
N=122
Transf IIA
IIB
IM
IS
a
0.02
0.00
-0.04
Correlation
0.02
0.22
Sig. (2-tailed) 0.81
0.99 0.69
0.01 0.83
Viruses
Correlation
0.13
0.15 0.07
0.16 0.12
0.10 0.44
0.09 0.20
Power Failure
Correlation
-0.10
-0.08 -0.08 -0.11 -0.11
0.38 0.37
0.23 0.24
Software Problems
Correlation
0.03
0.02 0.07
0.06 -0.03
0.79 0.46
0.55 0.79
Correlation
0.16
Data Integrity
0.15 0.05
0.22b 0.14
0.11 0.58
0.02 0.13
Transaction Integrity
Correlation
0.07
0.01 0.06
0.11 0.02
0.94 0.53
0.22 0.82
Outsider Access Abuse Correlation
0.06
0.12 0.07
0.05 0.01
0.19 0.44
0.60 0.94
Correlation
Data Secrecy
0.18b
0.21b 0.11
0.18b 0.13
0.02 0.23
0.04 0.15
a
a
b
Correlation
Data Availability
0.13 0.12
0.24
0.36 0.18
0.15 0.20
0.00 0.04
Data Theft
0.03 0.02
Correlation
0.09
0.19b 0.11
0.74 0.80
0.03 0.25
Correlation
0.10
Data Sabotage
0.03 0.06
0.20b 0.13
0.72 0.50
0.03 0.15
User Errors
Correlation
-0.01
0.12 -0.01 -0.05 -0.01
0.19 0.88
0.56 0.88
Natural Disasters
Correlation
0.10
0.14 0.10
0.09 0.05
0.13 0.29
0.31 0.61
Fraud
Correlation
0.01
0.03 0.00
0.00 -0.03
0.71 0.97
0.98 0.74
b
a
Note: Significant at the 0.01 level. Significant at the 0.05 level. IIA & B - Idealized
IC
-0.11
0.22
0.03
0.72
-0.01
0.94
0.00
0.98
0.08
0.36
0.06
0.48
-0.01
0.96
0.10
0.30
0.21b
0.02
0.03
0.76
-0.01
0.93
-0.08
0.41
0.02
0.82
-0.07
0.48
Influence Attributes and Behavior, IM Inspirational Motivation, IS Intellectual Stimulation,

IC Individual Consideration
219
Pearson's Correlations - Transactional Leadership Style and Two Factors
N=122, except for CR N=121
Transac CR
0.00
Pearson Correlation 0.24a
Sig. (2-tailed)
Viruses
Power Failure
Software Problems
Data Integrity
0.23a 0.12
Sig. (2-tailed)
0.01
Data Availability
Sig. (2-tailed)
0.07
0.59
0.01
0.03
0.08
Sig. (2-tailed)
0.72
0.39
0.15
0.22b
Sig. (2-tailed)
0.00
0.10
0.02
0.10
0.04
0.28
0.69
0.05
0.22b
0.58
0.02
Pearson Correlation 0.18b
0.12
0.11
Sig. (2-tailed)
0.05
0.21
0.22
0.14
0.24a
0.13
0.01
User Errors
0.01
0.00
-0.01 0.30a
0.94
0.00
0.01
0.31a
Sig. (2-tailed)
0.93
0.00
0.03
0.30a
0.72
0.00
0.11
0.29a
0.22
0.00
0.00
0.00
0.00

Sig. (2-tailed)
Fraud
0.26
Sig. (2-tailed)
Natural Disasters
0.29
Sig. (2-tailed)
Data Sabotage
0.20
-0.05 0.23a
Sig. (2-tailed)
Data Theft
0.00
Sig. (2-tailed)
Data Secrecy
0.00
Sig. (2-tailed)
Outsider Access Abuse
0.98
0.01
MBEA
0.27a
0.00
Pearson Correlation 0.19b
-0.06 0.25a
Sig. (2-tailed)
0.54
0.04
0.01
220
Pearsons Correlations of Passive-Avoidance Leadership and Two Factors

Passive-Avoidance MBEP
Leadership
Insider Access Abuse Pearson Correlation
0.11
0.12
Sig. (2-tailed)
0.23
0.20
Viruses
Pearson Correlation
0.05
0.01
Sig. (2-tailed)
0.60
0.96
b
Pearson Correlation
Power Failure
0.23 a
0.19
Sig. (2-tailed)
0.01
0.03
Software Problems
Pearson Correlation
0.09
0.03
Sig. (2-tailed)
0.34
0.73
Data Integrity
Pearson Correlation
0.12
0.09
Sig. (2-tailed)
0.20
0.35
Pearson Correlation
0.08
0.03
Sig. (2-tailed)
0.42
0.74
Outsider Access Abuse Pearson Correlation
0.11
0.13
Sig. (2-tailed)
0.24
0.14
Data Secrecy
Pearson Correlation
0.03
0.05
Sig. (2-tailed)
0.71
0.57
Data Availability
Pearson Correlation
0.12
0.15
Sig. (2-tailed)
0.17
0.11
Data Theft
Pearson Correlation
0.16
0.16
Sig. (2-tailed)
0.08
0.09
Data Sabotage
Pearson Correlation
0.13
0.13
Sig. (2-tailed)
0.17
0.15
User Errors
Pearson Correlation
0.15
0.14
Sig. (2-tailed)
0.09
0.11
Natural Disasters
Pearson Correlation
0.11
0.09
Sig. (2-tailed)
0.23
0.34
Fraud
Pearson Correlation
0.14
0.13
Sig. (2-tailed)
0.11
0.16
b
LF
0.11
0.25
-0.04
0.69
0.13
0.15
-0.02
0.79
0.04
0.65
-0.02
0.87
0.14
0.13
0.06
0.51
0.15
0.11
0.13
0.16
0.12
0.20
0.11
0.22
0.05
0.58
0.09
0.31
221
APPENDIX J: MULTIPLE REGRESSION ANALYSIS
222
Multiple Regression Analysis Leadership Styles
Criterion (Security
Concern)
Insider Access
Abuse
Factors (Three
Leadership Styles)
(Constant)
Transactional
Viruses
R2
Unstd Std
B
0.75
0.24 0.06 0.62
0.24 2.67 0.01
(Constant)
Transactional
2.26
0.26 0.07 0.58
0.26 2.96 0.00
(Constant)
Passive-Avoidance
2.82
0.19 0.04 0.34
0.19 2.15 0.03
(Constant)
Transactional
1.35
0.29 0.08 0.77
0.29 3.36 0.00
Outsider Access
Abuse
(Constant)
Transactional
1.44
0.23 0.05 0.62
0.23 2.57 0.01
Data Secrecy
(Constant)
Transformational
1.77
0.18 0.03 0.47
0.18 1.99 0.05
(Constant)
Transactional
1.34
0.31 0.09 0.85
0.31 3.51 0.00
(Constant)
Transactional
1.18
0.26 0.07 0.75
0.26 2.97 0.00
(Constant)
Transactional
0.84
0.28 0.08 0.80
0.28 3.17 0.00
(Constant)
Transactional
1.38
0.29 0.08 0.67
0.29 3.31 0.00
(Constant)
Transactional
0.81
0.34 0.11 0.82
0.34 3.89 0.00
(Constant)
Transactional
1.49
0.19 0.04 0.53
0.19 2.09 0.04
Power Failure
Data Integrity
Data Availability
Data Theft
Data Sabotage
User Errors
Natural Disaster
Fraud
Note: Software problems and transaction integrity had no significant relationship with leadership.
223
Multiple Regression Analysis Leadership Factors, Policies, and Technologies
Factor (Nine Leadership
Criterion
Unstd Std
R
R2
Factors, Policies or
(Security
B
t
Technologies)
Concern)
Insider
(Constant)
1.23
Access
Computer Emergency
0.36 0.13 1.02
0.30 3.62
Abuse
Response Team
MBEA
0.43 0.19 0.33
0.22 2.64
Encryption
0.47 0.23 0.53
0.20 2.41
Viruses
(Constant)
Anti-virus software
Computer Emergency
Response Plan
CR
0.00
0.01
0.02
0.41
0.48
0.17
0.23
0.71
2.11
0.49
0.39
0.20
4.83
2.37
0.00
0.02
0.51
0.26
0.29
0.18
2.10
0.04
0.26
0.07
2.44
0.98
0.36
4.10
0.00
0.38
0.42
0.14
0.18
0.42
-0.67
0.26 3.03 0.00

-0.20 -2.23 0.03
0.30
0.35
0.09
0.12
2.27
0.54
0.51
0.20
0.20
2.19
2.17
0.03
0.03
0.39
0.15
0.28
0.18
2.13
0.04
Transaction (Constant)
Integrity
Anti-virus software
0.22
0.05
1.6
1.56
0.22
2.51
0.01
Outside
Access
Abuse
(Constant)
Intrusion Detection
MBEA
0.38
0.41
0.14
0.17
2.07
0.99
0.27
0.36
0.17
4.23
2.03
0.00
0.04
Data
Secrecy
(Constant)
Information Security Policy
System Activity Monitors
Anti-virus Software
0.34
0.40
0.44
0.11
0.16
0.19
1.40
0.62
0.83
1.35
0.21
0.23
0.18
2.30
2.55
2.16
0.02
0.01
0.03
Power
Failure
Data
Integrity
(Constant)
Computer Emergency
Response Plan
MBEP
Security Evaluation
Systems
(Constant)
Intrusion Detection
Computer Use and
Misuse Policy
MBEA
224
Criterion
(Security
Concern)
Data
Availability
Data Theft
Data
Sabotage
User Errors
Natural
Disaster
Fraud
Factor (Nine Leadership

Factors, Policies or
Technologies)
(Constant)
IIA
Computer Use and Misuse
Policy
MBEA
(Constant)
MBEA
Computer Emergency
Response Team
Anti-virus software
System Activity Monitors
(Constant)
MBEA
Computer Emergency
Response Team
Intrusion Detection
(Constant)
MBEA
Computer Emergency
Response Team
Anti-virus software
R2
Unstd Std
B
0.36
0.45
0.13
0.21
0.71
0.60
0.78
0.28
0.28
3.37
3.46
0.00
0.00
0.48
0.23
0.27
0.17
2.05
0.00
0.30
0.41
0.09
0.16
0.67
0.47
0.76
0.28
0.21
3.44
2.40
0.00
0.02
0.45
0.47
0.20
0.23
1.22
0.61
0.17
0.17
2.07
2.03
0.04
0.04
0.31
0.41
0.10
0.17
1.57
0.45
0.81
0.27
0.22
3.23
2.56
0.00
0.01
0.45
0.20
0.58
0.20
2.31
0.02
0.30
0.40
0.09
0.16
1.24
0.36
0.74
0.27
0.25
3.22
2.96
0.00
0.00
0.43
0.19
1.00
0.17
2.05
0.04
0.32
3.87
0.00
(Constant)
Computer Emergency
Response Plan
MBEA
0.34
0.12
1.86
0.88
0.43
0.19
0.38
0.27
3.22
0.00
(Constant)
MBEA
Computer Emergency
Response Team
0.25
0.32
0.06
0.10
1.89
0.40
0.70
0.24
0.19
2.79
2.20
0.01
0.03
Note: One security problem, software problems, had no significant relationship with any
leadership style, policy or technology.
225
APPENDIX K: SMALL BUSINESS SECURITY CHECKLIST
226
Basic Small Business Security Assessment
Microsoft Windows PC Security Checklist

Priority
Task
Details
High
Perform full virus scans Anti-virus software is available from several
on a regular schedule
software vendors such as McAfee, Symantec,
F-Secure, CA, and Microsoft.
High
Turn on anti-spyware
Anti-spyware is available from Microsoft
software
Windows Defender or vendors like McAfee
High
Install latest patches
Microsofts Windows Update site, which can
and software updates
be invoked by an icon in the Control Panel,
provides patches and updates for download.
Internet Explorer allows the user to set
High
Configure Browser to
default (Medium-High) security levels. Keep browser to default
security, unless custom settings are needed.
security
High
Turn on PC firewall
A Personal Firewall is provided by Microsoft
Windows as well as vendors like McAfee.
High
Change strong
Passwords of at least eight characters, with
passwords regularly
numbers and upper case letters, should be
changed every 90 days.
High
Only administrator has Create user accounts that have lesser
full rights
privileges than the administrator.
High
Backup hard disk
Backup to external hard disk weekly.
Recommended Turn on pop-up blocker Pop-up blockers available via toolbars from
Google as well as browsers such as IE.
Recommended Turn on Phishing filter
Phishing filter available from IE7 browser
and other software such as Google Desktop.
227
Network Security Checklist
Priority
Task
High
Install packetfiltering, SPI firewall
and proxy server
High
Ensure secure
wireless network
High
Prevent Broadcast or
Multicast storms
High
Ensure strong
passwords in all
computers
High
Ensure all servers are
physically secure
High
High
Backup server data
Server and client

Patches and Updates
Recommended Install and run
security software
from Microsoft
Recommended Intrusion detection
(IDS) software
Details
Many routers from vendors like Linksys provide
packet-filtering, stateful packet inspection (SPI)
firewall and a proxy server.
WEP or WPA security keys recorded in the
router allow secure wireless communication.
Configure all routers to not repeat broadcast
packets.
Ensure passwords are at least eight characters
with a mixture of numbers and upper case
letters. Force password changes every 6 months
Security involves access privileges by
administrators, physical security from fire,
natural disasters, and sabotage.
Daily backups of server data, and weekly
transition of data to a remote storage location.
Install latest patches and updates regularly from
Microsoft and other software vendors.
Download, install and run the Microsoft
Baseline Software Analyzer (MSBA) and the
2007 Microsoft Office Security Guide.
Several vendors provide IDS, including the
open source Snort for Linux and Windows.
Basic Online Fraud Policy Checklist

Policy
Details
Reputable
Reputable banks, online merchants and smaller vendors can be
vendors
identified by secure logos such a BBB Online.
Phishing
No online vendor asks for social security numbers and other identifying
scams
information over the phone, pop-up windows and other solicitation.
Pharming
Ensure that the website is the legitimate web site, has the padlock
image, and identified by SSL technology using https://
Public
Public computers in libraries, internet cafes, airports, schools and other
computers
venues may be insecure and contain stealth key logger software
Review Credit Review credit report every six months from Equifax, Experian or
Report
TransUnion.
Security
Choose your security questions and answers carefully as the answer to
questions
some questions may be readily available to cyber and identity thieves.
Passwords
Change passwords to banks and financial institutions every 6 months.
228
Basic Information Security Policies
Policy
Details
Downloading Written policies to prohibit downloading of software by users. Only IT
Software
administrators with privileges can download software from the internet.
Email
Policies prevent email attachments over 12MB in size from reaching
Attachments users, and block or quarantine high-risk file types in email attachments.
Users are cautioned to not download attachments from unknown users.
Terminated
Policies to ensure that terminated employees are relieved of access to
Employees
computers and physical facilities. Transfer of hardware such as laptops,
peripherals and devices such as memory cards, PDAs, and cell phones.
Security
All employees are made aware of organizational and information security
Training
policies. All employees affirmatively agree to follow policies.
Disaster
Documented disaster recovery plan is understood by IT staff and owners.
Recovery
Security drills to prepare for disasters conducted every year.
Background
All administrators of computers and networks require extensive
Checks
background checks for criminal activities, credit and references.
Encryption
All sensitive communications with external vendors must follow
encryption policies. All laptops must have encrypted hard disks.
Security
Basic security audits of computers and servers performed every six
Audits
months. A full security audit of entire facility conducted every year.
Security
Users are provided security bulletins and warnings of current scams,
Bulletins
viruses, malware and other attacks.
Media
Old or obsolete media and computers are first cleaned of data.
Destruction
Peripherals and old computers can be recycled or donated to charities.
Basic Computer Use and Misuse Policies
Policy
Details
Passwords
Employees agree to not share passwords and account information with
other employees. Passwords should be changed every six months.
Disclaimers
All emails and written online communication from employees contain a
legal disclaimer that protects company from legal liability.
Posting to
Employees must follow clear documented rules when posting messages
Newsgroups to public newsgroups and blogs.
Privacy
Employees must adhere to the documented privacy policy of the
Policy
business, as well as privacy policies of partners and other vendors.
Intellectual
Employees are prohibited from copying or downloading copyrighted
Property
material in violation of copyright laws, or without an active license.
Harassment
Employees are prohibited from any form of online harassment,
and Abuse
forwarding chain letters, sending unsolicited email and other messages.
229
APPENDIX L: POST-HOC CONFIRMATORY FACTOR ANALYSIS
230
Intercorrelations
Mean SD
IIA
IIB
IIA
3.06 0.64
IIB
2.93 0.69 0.52 a
IM
IS
IC
CR
MBEA MBEP
0.00
IM
2.92 0.75 0.45 a 0.67 a

0.00
IS
IC
CR
2.82 0.75 0.34 a 0.59 a 0.74 a

0.00
0.00
3.06 0.60 0.46
0.00
0.00
2.96 0.66 0.46

1.98 0.86 0.21
0.56
0.00
0.00
0.68 a 0.59 a
0.00
0.00
0.00
-0.18 b
-0.17
-0.26
0.97
0.01
0.00
0.05
0.07
-0.46 a
0.39 a
-0.47
-0.52
-0.33
0.01
0.00
0.00
0.00
0.00
0.00
0.30 a
0.68 a
0.00
0.00
0.00
0.89 0.77 -0.10 -0.31

0.30
0.70
0.00 -0.25
1.42 0.73 -0.06 -0.25

0.51
LF
0.68 a 0.66 a
0.02
MBEP
0.62
0.00
0.00
0.00
MBEA
0.00
0.00
-0.57
0.00
b
-0.51
0.00
-0.38
0.00
-0.48
Note: N = 122. aSignificant at the 0.01 level. Significant at the 0.05 level. IIA & B Idealized Influence Attributes and Behavior, IM Inspirational Motivation, IS Intellectual
Stimulation, IC Individual Consideration. There is high positive, correlationals among the five
transformational leadership factors. Also, transactional contingent reward (CR) factor has high
positive, correlational with each of the five transactional leadership factors. Transactional
leadership style of MBEA is moderately, positively correlated with Passive-Avoidance style of
MBEP. Passive-avoidance styles of MBEP and LF display a high positive, correlational score.
231
Factor Matrix
Factor Matrix Rotated Factor Matrix
1
2
1
2
IIA - Idealized Influence Attributes
0.48
0.49
0.15
0.67
IIB - Idealized Influence Behavior
0.35
-0.10
0.72
0.79
IM - Inspirational Motivation
0.06
-0.44
0.89
0.78
IS - Intellectual Stimulation
0.00
-0.46
0.84
0.70
IC - Individual Consideration
0.21
-0.24
0.75
0.74
CR - Contingent Reward
0.07
-0.37
0.79
0.70
MBEA - Mgmt by Exception Active -0.27 0.45
0.02
0.52
MBEP - Mgmt by Exception Passive -0.61 0.54
-0.22
0.79
LF - Laissez-Faire
-0.65 0.45
-0.30
0.74
Note: Extraction Method Maximum Likelihood. 2 Factors were extracted in 4 iterations.
Rotation Method: Varimax with Kaiser Normalization, for orthogonal rotation. Rotation
converged in 3 iterations. Data in bold indicates strong correlations above 0.60. Five
Transformational Factors (IIA, IIB, IM, IS and IC load into one factor), along with Transactional
Factor Contingent Reward (CR), load into Leadership Style 1 in the Rotated Matrix. Both
Passive-Avoidance Factors (MBEP and LF) load into Leadership Style 2 in the Rotated Matrix.
The Transactional factor of MBEA has a moderate correlation with Leadership Style 2.
Factor Transformation Matrix

Factor
1
2
1
0.84 -0.55
2
0.55 0.84
Note: Extraction Method Maximum Likelihood. Rotation Method: Varimax with Kaiser
Normalization. This matrix is used to generate the rotated factor matrix, shown above, from the
unrotated factor matrix.
Chi-Square Goodness of Fit Test

Chi-Square
df
Sig.
23.76 19.00 0.21
Note: Chi-Square/df values < 2, indicates a good fit. Here Chi-Square/df = 1.25, with p > 0.05.
232
APPENDIX M: NON-RESPONSE BIAS ANALYSIS
233
Non-Response Bias Analysis Results of Independent t-Test
Respondent
Quartile
1
4
1
2
1
4
Transformational
Transactional
Passive-Avoidance
Mean
30
31
30
31
30
31
2.96
2.93
2.60
2.53
1.37
1.24
Std.
Deviation
0.48
0.58
0.40
0.57
0.74
0.82
Std. Error
Mean
0.09
0.11
0.07
0.10
0.13
0.15
Note: The first 30 respondents (25% of N=122, 10/27/07 to 11/8/07) and the last 31 respondents
(25% of N=122, 11/26/07 to 12/26/07) were selected for the analysis of non-response bias.
Levene's
Test of
Equality of
Variances
F
Sig.
Transformational
Transactional
PassiveAvoidance
1.56
3.80
0.55
df
0.22 0.24 59.00

0.06 0.58 59.00
0.46 0.64 59.00
Sig.
Mean
(2-tailed) Difference
0.03
0.81
0.07
0.56
0.13
0.52
Std. Error
Difference
0.14
0.13
0.20
Note: Levenes test indicates equality of variances as p > 0.05 for all leadership styles. The results
of the independent t-tests do not indicate a statistical significant difference between the means of
the two samples (p > 0.05, 1-tailed), for any leadership style. The results indicate no statistical
significance between respondents to the study and those who did not respond to the survey.
234
APPENDIX N: RESOURCES FOR CYBERCRIME VICTIMS
235
Resources for Cybercrime Victims
Resource
Details
IC3
The Internet Crime Complaint Center (IC3, 2006) is a partnership
between the US FBI and the National White Collar Crime Center
(NW3C, 2006). The Internet Crime Complaint Center accepts online
complaints from all businesses located in the United States, and
coordinates responses with local, state and Federal law enforcement
agencies. The IC3 handles a variety of crimes ranging from auction
fraud, counterfeit cashiers checks, credit card fraud, escrow services
fraud, internet extortion, investment fraud, identity theft, Nigerian
letter, phishing, spam and other pyramid schemes.
US DoJ
The United States Department of Justice (USDoJ, 2008) provides a list

of appropriate federal investigative law enforcement agencies to report
various types of computer, internet-related, or intellectual property
crime. These agencies include the US FBI and US Secret Service.
FTC
The Federal Trade Commission accepts online (FTC, 2008) complaints

from individuals and businesses who are victims of identity theft. The
online web site provides resources and information for individuals and
businesses to recover from an incident of identity theft. The FTC also
provides an identity theft hotline at 1.877.ID.THEFT (438.4338). Filing
a complaint with the FTC generates a detailed Identity Theft Report.
Credit Reports
Toll Free Numbers are available from three consumer reporting

companies to place a fraud alert on the account of a business who may
be a victim of fraud or identity theft. These companies include Equifax
(1.800.525.6285) or Experian (1.888.397.3742) or TransUnion
(1.800.680.7289). Victims may place a fraud alert on their credit
reports, or may choose to place a credit freeze on their credit report.
Local Police
Department
The Identity Theft Report, generated by filing a complaint with the

FTC, may be submitted to the local police department. While the
procedures for filing a local police report vary by jurisdictions, the
Identity Theft Report may be incorporated into the local police report.
Local Bank
The local bank of a small business may retain an individual responsible

for handling cases of online fraud, identity theft and cyber extortion.
The Identity Theft Report from the FTC can be submitted to the bank.

Infromation Security Leadership Related

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Infromation Security Leadership Related

Uploaded by

Copyright:

Available Formats

LEADERSHIP STYLES AND INFORMATION SECURITY IN SMALL

BUSINESSES: AN EMPIRICAL INVESTIGATION

A Dissertation Presented in Partial Fulfillment

2008 by DEBASIS BHATTACHARYA

This dissertation is dedicated to my family and friends, who supported me with

Unauthorized login by employees

Programs that enter through attachments in email

Loss of data due to abrupt shutdown of computers

Vulnerable software due to absence of patches

Corruption of customer list or sales data

Corruption of financial transaction with bank

Outsider access abuse

Unauthorized entry by former employees

Confidentiality of payroll information

Availability of access to time sheet data

Theft of confidential employee information

Intentional destruction of financial data

Accidental erasure of data by untrained user

Damage to computer systems from floods

Impersonation and deceit used to elicit information

transactional, and passive-avoidant leadership styles as defined by Bass and Avolio

Examples in small businesses

Transformational leadership Visionary, dynamic owner

Leader focused on costs and benefits

Absentee, unavailable leader

The research was statistically controlled by five intervening variables derived

Examples in small businesses

Industry as in Agriculture, Transportation or Mining

Number of employees Ranges from 1 to 500

Ranges from less than $500,000 to more than $5 million

Ranges from less than five to more than 100 computers

Various types as in Internet, Intranet, E-Commerce

Factors within leadership style

Transformational leadership Idealized attributes (IA)

Contingent reward (CR)

Management-by-exception (passive) (MBEP)

Information security issues and concerns (defined in this research as a dependent

CHAPTER 2: LITERATURE REVIEW

and Govt (G)

Small Business Metrics

Figure 1. Torbjorns (2004) Four Worldviews and Grid/Group Typology.

Set the focus on common vision, goals, and objectives.

Coach employees and foster a team environment.

Set an example to fellow employees.

Take calculated risks that benefit the company.

Have the guts and resolve to survive a company crisis.

Efficiently execute tasks needed to achieve a goal.

Virus, worms, trojans

Wireless network misuse

Figure 2. Computer Security Incidents in the US (CSI/FBI, 2006).

Limits on User Installations

Access Control Lists

Periodic Password Changes

Encrypted Files (Transfer)

Website Content Filtering

Encrypted Files (Storage)

Figure 3. Technologies Used by Businesses in the US (CSI/FBI, 2006).

Figure 4. Map of Research Methodology and Design

+ 3x3 + + e, where y represents the dependent variable, or alpha represents the

Leadership Q1-18 from MLQ (Interval Scale 1-5) Independent Variables

Leadership Q19-36 from MLQ (Interval Scale 1-5) Independent Variables

Business Area (Nominal); # Employees (Ordinal), Revenue (Ordinal), and #

Security Policies (Nominal), Technologies (Nominal), Data Importance

Security Experiences (Nominal) Other Security Variables; Security Concerns for