Information Technology Governance: Applying the Theory of Planned Behaviour

Journal of Organizational Management Studies

Download PDF

Wil Ly Teo1,  Azizah Abd Manaf1 and Phyllis Lai Fong Choong2

1Universiti Teknologi Malaysia, Malaysia


2Multinational High-Tech Company, Malaysia

Volume 2013 (2013), Article ID 827871, Journal of Organizational Management Studies, 15 pages, DOI: 10.5171/2013.827871

Received date : 21 April 2013; Accepted date : 9 July 2013; Published date : 17 September 2013

Academic editor: Abd Rahman Ahmad

Cite this Article as: Wil Ly Teo, Azizah Abd Manaf and Phyllis Lai Fong Choong (2013), " Information Technology Governance: Applying the Theory of Planned Behaviour” Journal of Organizational Management Studies, Vol. 2013 (2013), Article ID 827871, DOI: 10.5171/2013. 827871.

Copyright © 2013. Wil Ly Teo, Azizah Abd Manaf and Phyllis Lai Fong Choong. Distributed under Creative Commons CC-BY 3.0

Abstract

The importance of IT governance has received increasing attention in the recent years. Extensive literature addresses top management and organisational issues of IT governance. However, recent findings suggest that people issues in IT governance equally deserve attention. Guided by the Theory of Planned Behaviour, this study examines the influence of IT practitioners and management guidance on the extent of their participation in IT governance initiatives. A quantitative study was conducted among IT practitioners in Malaysia. Data analysis using Partial Least Squares suggests that subjective norms and perceived behavioural controls on IT practitioners result in greater participation in IT governance initiatives. However, attitudes do not have significant relationship with participation in IT governance initiatives, in contrast with prediction of the theory. Further analysis reveals that awareness and perceived importance of IT governance are the two most important factors from the practitioner perspective. As for management guidance, organisational processes and reward system are the most important, closely followed by organisational structure. The findings reaffirm that IT governance requires control in the form of organisational structures, processes, goal settings and reward system to encourage desirable behaviours in IT governance initiatives.

Keywords: IT governance, Theory of Planned Behaviour (TPB), practitioner-centric, partial least squares (PLS)

Introduction

Information Technology (IT) governance has received increasing attention in the recent years. ISACA (previously known as Information Systems Audit and Control Association, but now goes by its acronym only) is a non-profit global association of IT governance professionals that publishes bi-yearly IT governance status reports. The most recent report revealed that IT governance is a priority for most organisations worldwide (ISACA, 2011).

IT governance is a term with diverse meanings. The definition of IT governance by Korac-Kakabadse and Kakabadse (2001) and the IT Governance Institute (ITGI, 2003) reflects the focus on IT organisational structures and processes to achieve the organisation’s strategy. Some authors also address IT governance as the location of decision-making rights and accountabilities (Peterson, 2004, Weill and Ross, 2004, Monnoyer and Willmott, 2005). Yet, other authors approach IT governance from the perspective of strategic alignment between IT and business, with the aim of maximising IT’s value delivery to business (Grembergen, 2002, Webb et al., 2006). Balocco et al., (2013) consider all three aspects to IT governance in their definition of IT governance.

Motivation for the Research

Although there is growing acceptance of the importance of IT governance, only two-thirds of respondent organisations in the global status report on IT governance have some sort of IT governance activities in place (ISACA, 2011). This finding is supported by a subsequent survey among IT governance professionals worldwide, where only half of them have some form of IT governance in their organisations (ISACA, 2012a).

Past IT governance studies have taken different approaches. One stream of research focuses on the location of decision-making (Weill and Ross, 2004, Brown and Grant, 2005). The second stream of research focuses on contingency factors. These studies aim to understand the fit between contingency factors and governance (Brown and Grant, 2005). The third stream of research addresses structures, processes, and mechanisms for IT governance (Haes and Grembergen, 2009, Weill and Ross, 2004).
Recent findings also suggest that people issues in IT governance deserve more attention. IT practitioners form the execution layer for IT governance initiatives, translating IT governance strategies into action. Failure on the part of IT practitioners has negative consequences on IT delivery, such as IT system outages, poor performing IT projects, and IT security breaches.

IT practitioners is the leading cause of IT system outages, causing six out of seven high-profile outages in 2012 (Evolven, 2013). They also have significant contribution towards effective delivery of IT projects, in which people and process issues account for 40% of overspending in IT projects (McKinsey, 2012). In the area of IT security, PricewaterhouseCooper (PwC, 2012) recently reported that IT security breaches due to staff remained consistent between 2010 and 2012, and IT practitioners were responsible for security incidents, such as data loss and weak data security.

Problem Statement

Existing literature addresses IT governance primarily from the top management and organisational perspectives. Recent findings on the importance of people issues support the argument that effective IT governance requires attention to be given to IT practitioners. Unfortunately, there is a lack of focus on the importance of IT practitioners, although this has been recognised as a critical issue in IT governance (ITGI, 2003, National Computing Centre, 2005, ISACA, 2012b). IT practitioner is an important link to translate IT governance strategies into action, because IT governance initiatives are cascaded down to the execution level to achieve IT governance goals. Therefore, there is a need to consider the practitioners’ participation in IT governance initiatives, while acting under management guidance.

Research Objectives

The objective of this study is to investigate influence of IT practitioners and management guidance on the extent of their participation in IT governance initiatives. Dixon (2002) views IT practitioner as “someone who designs, develops, operates, maintains, supports, services, and/or improves IT systems, in support of end-users of such systems”. The scope of work of IT practitioners covers a range of IT functions throughout Information System lifecycle, namely strategy and planning, management and administration, development, implementation, and service delivery. Recent literature on the role and scope of work of the IT function suggests that this description of IT practitioners is still valid (Goles et al., 2008, CEPIS Professionalism Taskforce, 2010).

Literature Review

IT Governance Research in Malaysia

Early published research in IT governance in Malaysia began in the education sector (Ismail et al., 2007a, Ismail et al., 2007b, Ismail, 2008, Mansur, 2010). In the private sector, prior studies concluded that the adoption of IT governance is at an early stage and familiarity with IT governance frameworks could be improved further (Tan et al., 2008, Teo and Tan, 2010). Two different approaches were proposed for IT governance in Malaysian small and medium enterprises, one taking the generalisation path (Tan et al., 2009, Tan et al., 2011), while another adopting customised frameworks (Ayat et al., 2011a, Ayat et al., 2011b).

Malaysian private organisations are increasingly aware of IT governance (Yap et al., 2010, Maidin and Arshad, 2010). However, they are faced with barriers to IT governance adoption (Othman et al., 2011, Othman and Chan, 2013). Another area of interest for Malaysian researchers is development of frameworks to assess effectiveness of IT governance (Kaur et al., 2011, Mohamed and Gian Singh, 2012).

The Theory of Planned Behaviour

This research approaches IT governance from the perspective of the IT practitioner using the Theory of Planned Behaviour (TPB). TPB has been used in information systems research studies in areas related to IT governance, such as compliance with information security policies (Ifinedo, 2012, Chang et al., 2012, Bulgurcu et al., 2010, Leonard et al., 2004).

TPB has its roots in the Theory of Reasoned Action (TRA). TRA (Fishbein and Ajzen, 1975) is a theory derived from social psychology. According to Fishbein and Ajzen (1975), behavioural intentions are influenced by the individual’s attitude towards the behaviour and subjective norms surrounding the performance of the behaviour. These behavioural intentions drive actual behaviour.

TRA’s limitation is the theory does not explain spontaneous, impulsive and habitual behaviours (Hale et al., 2003). Subsequently, Ajzen (1991) introduced the Theory of Planned Behaviour (TPB) as an extension of TRA. Constructs in TPB and how they are applied to this study are explained in the following sections.

Attitudes and Organisational Commitment

Attitude towards behaviour is defined as “an individual’s positive or negative feelings (evaluative effect) about performing the target behaviour” (Fishbein and Ajzen, 1975). As an attitude, Mowday et al., (1982) define Organisational commitment as “an individual’s identification with and willingness to embrace organisational goals”. Organisational commitment has various influence on employee outcomes on influences employee performance (Mowday, 1998).

Meyer and Allen (1991) identify three facets of organisational commitment. Affective commitment, continuance commitment and normative commitment have the following meanings (Meyer and Allen, 1991):

  1. Affective Commitment: “An employee’s emotional attachment to, identification with, and involvement in the             organisation.”
  2. Continuance Commitment: “An employee’s perceived costs of leaving the organisation.”
  3. Normative Commitment: “An employee’s obligation to remain in an organisation.”

Ali and Green (2012) found that in the IT governance context, commitment is related to culture of compliance leading to effective IT governance. In studies of a related area, Chang et al., (2012), and Herath and Rao (2009), argue that employees with high organisational commitment are more likely to comply with information security policy. This is consistent with earlier study that employees with high organisational commitment are less likely to engage in non-productive and counterproductive behaviours that potentially result in negative consequences to their organisation’s IT systems (Stanton et al., 2003).

Past information systems research also found that IT practitioners may have close identification with their profession (Bryant et al., 2007, Scholarios and Marks, 2004). The Professional Commitment construct is defined as “one’s attitude towards one’s profession or vocation” (Blau, 1985, Blau, 1999).

Based on TPB, attitudes of IT practitioners are hypothesised to influence intention to participate in IT governance initiatives, and therefore influence the actual behaviour of participation.

H1: Attitudes of IT practitioners increases participation in IT governance initiatives.

Subjective Norms

Subjective norm is “the person’s perception that most people who are important to him think he should or should not perform the behaviour in question” (Fishbein and Ajzen, 1975). Past information systems research has shown that an individual’s behaviour is influenced by the norm as observed by the individual (Chan et al., 2005, Knapp et al., 2006, Johnston and Warkentin, 2010).

Although the issue of IT governance is complex, a general awareness of IT governance is important (Yap et al., 2010). Awareness of IT governance should be cascaded down from direction setters to decision-makers, and finally down to the execution level.  In the recent ISACA survey of 843 IT professionals in the Asia Pacific region, increasing awareness among employees is rated as the most important action to improve IT risk management which is one objective of IT governance (ISACA, 2012c).

Subjective norms are normative beliefs together with the motivation to comply with referent group expectations. Perceived importance of IT governance to the IT practitioner influences to compliance to the expectations. The issue on hand influences judgment (Robertson et al., 2002, Al-Rafee and Cronan, 2006), and individuals who rated an issue high in perceived importance issue characteristics are less likely to behave against the norm (Leonard et al., 2004). Therefore, high perceived importance of IT governance is expected to result in positive behaviour in IT governance issues.

Learning and development is an important part of organisational culture (Bollinger and Smith, 2001). Kilic and Metin (2012), and Hefner (2003) conclude that learning and development is one of the most important and challenging issues for implementing and improving IT governance. The availability of learning and development opportunities in IT governance signals the organisation’s view that IT governance is important part of the IT organisational culture and therefore a component of subjective norm.

Subjective norms are characterised by awareness, perceived importance and learning and development opportunities in IT governance. Based on the TPB, subjective norms among IT practitioners are hypothesised to influence the actual behaviour of participation.

H2: Subjective norms among IT practitioners positively influence participation in IT governance initiatives.

Perceived Behavioural Controls

In TPB, Ajzen (1991) defines Perceived Behavioural Control as “the perceived ease or difficulty of performing the behaviour”. IT governance has become a core IT capability (Willcocks et al., 2006), and implementation of effective IT governance requires all IT team members to have adequate and appropriate skills to fulfil their specific role (National Computing Centre, 2005).  Unfortunately, gap in sufficient competencies for effective IT governance still prevails (Al Omari et al., 2012). Being equipped with necessary competency allows the IT practitioner to participate effectively in IT governance initiatives.

The management could introduce order in the execution of IT governance initiatives by implementing necessary organisational structures and processes. Prior studies on organisation structures considered integration of governance/alignment tasks in roles and responsibilities, IT steering committees, IT strategy committees and architecture committee (Haes and Grembergen, 2009, Gallagher and Worrell, 2008, Haes and Grembergen, 2006, Nolan and McFarlan, 2005, Weill and Ross, 2004).

Organisational processes studied in prior research include service level agreements, portfolio management, IT governance frameworks, strategic information systems planning, balanced scorecard, and financial and chargeback arrangements (Haes and Grembergen, 2006, Grembergen et al., 2004, Weill and Ross, 2004, Grembergen, 2000). Having the necessary organisational structures and processes creates the environment where IT practitioners have access to the necessary support (or lack of barriers), resources and opportunities to participate in IT governance initiatives.

In the case of IT governance, the organisational goal of IT governance success are cascaded down to the individual in the form of personalised goals. IT goal setting is an integral part of IT strategic planning and IT governance (Haes and Grembergen, 2004, Grembergen et al., 2004, Simonsson and Johnson, 2006).

The main objective of reward system is to reward behaviours required by the company’s strategy (Hertel et al., 2005). The use of reward system in IT governance initiatives in IT governance has  been researched by previous studies by Hefner (2003) and Haes et al., (2011). Reward system based on attainment of IT governance goals is a form of behavioural control.

This research is interested in investigating perceived behavioural control as a combination of internal and external factors. Therefore, based on (Ajzen, 2002), perceived behavioural control is a unitary latent variable in a hierarchical factor model aggregated from competency, organisational structures, processes goals and reward system towards IT governance. This leads to the final hypothesis.

H3: Perceived behavioural controls on IT practitioners result in greater participation in IT governance initiatives.

Participation in IT Governance Initiatives

The board of directors and executive management are responsible for IT governance (ITGI, 2003). Although accountability for IT governance cannot be delegated (ISO/IEC, 2008), participation of senior management from IT and business is crucial for effective IT governance (Huang et al., 2010, Haes and Grembergen, 2009, Weill and Ross, 2004). These initiatives are cascaded down to the execution level to achieve IT governance goals, hence, participation of IT practitioners in IT governance initiatives is also important.

Applying TPB to the context of this study, the IT practitioner’s participation in IT governance initiatives is determined by his/her intention to participate. Such intention is influenced by his/her attitudes toward the behaviour, subjective norms and perceived behavioural controls.

Since behavioural intention precedes the behaviour itself, inclusion of both constructs in the same model requires longitudinal study. Szajna (1994) suggests that self-reported measures of intention suffer from common-method bias, especially when intention is measured at the same time as its antecedents. Furthermore, measuring both as the same time yields intentions as a reflection of future behaviour. In contrast, reports of actual behaviour had happened in the past (George, 2004).
 
Given the cross-sectional design of this study, the dependent variable is a measure of the actual behaviour rather than behavioural intention. The research framework is shown in Figure 1 along with variable names.

 

Fig 1: Research framework


Methodology

Measurement Instrument

Perceptual measure of the variables in this study was employed. The instrument for organisational commitment was adopted from Allen and Meyer (1990) with eight items each for affective, continuance and normative commitment. Professional commitment was measured using a five-item questionnaire Blau (1999). The remaining items are based on the study of IT governance structures, processes and relational mechanisms among IT and business leaders by Haes and Grembergen (2008), but adapted to suit the perspectives of IT practitioners. The questionnaire was designed with five-point Likert scale to measure the multi-item constructs (1 = strongly disagree and 5 = strongly agree).

Sampling

After undergoing expert review and pre-testing of questionnaire, primary data collection was started. The sampling frame consisted of IT practitioners in Malaysia according to definition of Dixon (2002). Due to the limitation of not having a national registry of IT practitioners, purposive sampling was used to solicit potential respondents from Multimedia Super Corridor (MSC) status companies in Cyberjaya, Malaysia.

Eligible respondents who signed up for the survey received e-mail invitations to the online survey website. Follow-ups or reminder was sent for increasing response as suggested by Dillman (2000). The response rate of 84% was good according to Babbie (2008), with 167 valid responses out of 198 invitations.
 
Non-response bias was checked as suggested by Armstrong and Overton (1977) where characteristics of non-respondents are assumed to be similar to late respondents. Non-response bias was found to be not existent based on independent samples t-test with none of the demographics being statistically significant (p > 0.05, two-tail tests).

Respondent Profile

The majority of respondents have job functions in the area of application (40.7%) and infrastructure (30.5%). Most respondents have bachelor degree (86.2%) with mainly IT and related majors (86.8%). Certification is relatively widespread, with nine out of ten respondents having one or more certifications. More than half of the respondents have project management, service management or security certifications, but IT governance certification is rare. Majority of the respondents fall within the 10-year experience band, but overall, the different experience levels are adequately represented.

Data Analysis Using Partial Least Squares

Partial Least Squares (PLS) was selected for this study for three reasons. Firstly, the research objective is oriented towards prediction rather than parameter estimation and goodness-of-fit, hence, PLS approach is more suitable (Chin et al., 2003). Secondly, PLS places minimal demands on measurement scales, and distributional assumptions (Chin et al., 2003, Marcoulides et al., 2009).

Finally, PLS is able to handle both reflective and formative constructs. Although PLS path modelling algorithm requires that every latent variable has at least one manifest indicator, second order constructs in this research are possible using repeated-indicator approach (Wold, 1982, Lohmöller, 1989).

The software used for data analysis is SmartPLS Version 2.0 M3 (Ringle et al., 2005). A two-step analysis approach as suggested by Anderson and Gerbing (1988) was adopted to analyse the data with two conceptually distinct models which are measurement model and structural model.

Results and Discussion

Assessment of Measurement Model

Recommended value of 0.7 for outer loading (Hair et al., 2010) was used. After removing items due to poor outer loading and cross-loading, average variance explained (AVE) and composite reliability (CR) were calculated. The results are shown in Table 1.

 

Table 1: Average Variance Explained (AVE) and Composite Reliability (CR)

All CR values were 0.7 or higher, indicating adequate convergence or internal consistency (Gefen et al., 2000), hence reliability was established.

Convergent validity was established based on all AVE values exceeding 0.5 (Fornell and Larcker, 1981). Table 2 shows latent variable correlation. Diagonals in the table represent AVE while the off-diagonals represent square of correlations. Discriminant validity was established based on AVE of all latent variables higher than the squared correlations between the latent variable and all other variables (Chin, 2010, Chin, 1998, Fornell and Larcker, 1981).

 

Table 2 : Latent variable correlation

Note: Diagonals represent AVE, off diagonals represent square of correlations

Common Method Variance (CMV) was tested using Harman’s single factor test (Podsakoff et al., 2003). Using Exploratory Factor Analysis (EFA) with unrotated principal components factor analysis, none of the factors explained majority of the variance, therefore CMV was not significant.

Assessment of Structural Model

After establishing reliability, validity and absence of common method variance, the structural model was evaluated using bootstrapping procedure with 500 iterations. To test hypotheses H1 to H3, the paths of attitudes (ATT → PPAR), subjective norms (SN → PPAR) and perceived behavioural controls (PBC → PPAR) to participation in IT governance initiatives were examined. The results are shown in Table 3.

 

Table 3: Path coefficients and significance

* p<0.05 (t value > 1.645)
** p<0.01 (t value > 2.33)

Subjective Norms (β = 0.495, p < 0.01) and Perceived Behavioural Controls (β = 0.336, p < 0.01) have positive relationship with participation in IT governance initiatives. Therefore hypotheses H2 and H3 are supported. These two factors explain 57.5% of the variance. 

However, Attitudes (β = -0.014, p > 0.05) are not significant predictors of participation in IT governance. Therefore hypothesis H1 is not supported.

Discussion

Results show that subjective norms and perceived behavioural controls on IT practitioners result in greater participation in IT governance initiatives. Both findings are consistent with the Theory of Planned Behaviour (TPB).

Surprisingly, attitudes do not have significant relationship with participation in IT governance initiatives, in contrast with prediction of TPB. Ajzen (1991) points out that when constraints are either extremely high or extremely low, attitudes do not predict behaviour very well.

Attitudes are a good predictor of behaviour when the constraints are minimal. This means that in the absence of organisational structures, processes, goal settings and reward system for IT governance, the IT practitioners’ participation in IT governance initiatives depend on their attitudes. This means, participation depends on their own organisational and professional commitment, with the condition that they are sufficiently competent in this area.

However, attitude is difficult to change, and it is easy to manipulate the other constraints. Competency leads to greater participation, and environment that promotes participation should be created. In addition, IT governance remains a topic requiring control over the behaviour of IT practitioners. This could be achieved using organisational structures, processes, goal settings, and reward system, to encourage desirable behaviour in IT governance initiatives.

Deeper analysis reveals that awareness and perceived importance of IT governance are the two most important factors from the practitioner perspective. Competency in IT governance is also a significant factor. As for management guidance, organisational processes and reward system are the most important, closely followed by organisational structure.

The three main constructs explain 57.7% of the variance in behaviour, that is, participation in IT governance initiatives. This value is superior to empirical studies in which only 40% of the variance of behaviour could be explained using TPB (Ajzen, 1991). The explained variance is also compared with a related study using the same theory (Bulgurcu et al., 2010), where the explained variance of intention security compliance was 34.5%.

Contribution

This research adds the IT practitioner perspective to the existing IT governance knowledge that mainly focuses on top management and the organisation. The research demonstrates that TPB could be used to study IT practitioners’ participation in IT governance initiatives. Within the context of the theory, the three main constructs of attitude, subjective norms, and perceived behavioural control are adapted to constructs relevant to IT governance. Actual behaviour is represented by participation in IT governance initiatives.
For managerial contributions, the findings from this research help the IT management to focus on the most important issues that will maximise participation of IT practitioners in IT governance initiatives.

Limitations and Suggestions for Future Research

Due to the nature of the population, where no register of IT practitioners was available, purposive sampling was used. Purposive sampling is a non-probability technique which limits generalisability. Further replication studies to assess applicability in other geographical locations within and outside of Malaysia will increase generalisability of the findings.

Finally, extensions of the proposed model could be considered. Suitability of the model proposed in the research could be assessed in small and medium enterprises to uncover specific requirements of such organisations.

Conclusion

This research investigated the people issues in IT governance using the Theory of Planned Behaviour. It examined the influence of IT practitioners and management guidance on the extent of their participation in IT governance initiatives. Based on data from IT practitioners in Malaysia, this research reaffirms that IT governance requires controls, in the form of organisational structures, processes, goal settings, and reward system to encourage desirable behaviours in IT governance initiatives.



References

Ajzen, I. (1991), ‘The theory of planned behavior,‘ Organizational Behavior and Human Decision Processes, 50, 179-211.
Publisher

Ajzen, I. (2002), ‘Perceived behavioral control, self-efficacy, locus of control, and the theory of planned behavior,‘ Journal of Applied Social Psychology, 32 (4), 665-683.
Publisher Google Scholar

Al-Rafee, S. and Cronan, T. P. (2006), ‘Digital piracy: Factors that influence attitude toward behavior,‘ Journal of Business Ethics, 63 (3), 237-259.
Publisher Google Scholar

Al Omari, L., Barnes, P. H. and Pitman, G. (2012), An exploratory study into audit challenges in IT governance : A delphi approach. Symposium on IT Governance, Management and Audit (SIGMA2012). Universiti Tenaga Nasional, Malaysia.

Ali, S. and Green, P. (2012), ‘Effective information technology (IT) governance mechanisms: An IT outsourcing perspective,‘ Information Systems Frontiers, 14 (2), 179-193.
Publisher Google Scholar

Allen, N. J. and Meyer, J. P. (1990), ‘The measurement and antecedents of affective, continuance, and normative commitment,‘ Journal of Occupational Psychology, 63, 1-18.
Publisher

Anderson, J. C. and Gerbing, D. W. (1988), ‘Structural equation modeling in practice: A review and recommended two-step approach,’ Psychological Bulletin, 103 (3), 411-423.
Publisher

Armstrong, J. S. and Overton, T. S. (1977), ‘Estimating nonresponse bias in mail surveys,‘ Journal of Marketing Research, 14, 396-402.
Publisher Google Scholar

Ayat, M., Masrom, M. and Sahibuddin, S. (2011a), ‘IT governance and small medium enterprises’ Proceedings of International Conference on Software and Computer Applications (ICSCA 2011).

Ayat, M., Masrom, M., Sahibuddin, S. and Sharifi, M. (2011b), ‘Issues in implementing IT governance in small and medium enterprises’ Intelligent Systems, Modelling and Simulation (ISMS), 2011 Second International Conference on, 197-201.

Babbie, E. R. (2008), The basics of social research, Wadsworth Publishing Company.

Balocco, R., Ciappini, A. and Rangone, A. (2013), ‘ICT governance: A reference framework,‘ Information Systems Management, 30 (2), 150-167.
Publisher Google Scholar

Blau, G. (1999), ‘Early-career job factors influencing the professional commitment of medical technologists,’ The Academy of Management Journal, 42 (6), 687-695.
Publisher Google Scholar

Blau, G. J. (1985), ‘The measurement and prediction of career commitment,‘ Journal of Occupational Psychology, 58 (4), 277-288.
Publisher Google Scholar

Bollinger, A. S. and Smith, R. D. (2001), ‘Managing organizational knowledge as a strategic asset,’ Journal of Knowledge Management, 5 (1), 8-18.
Publisher Google Scholar

Brown, A. E. and Grant, G. G. (2005), ‘Framing the frameworks: A review of IT governance research,’ Communications of AIS, 2005 (15), 696-712.

Bryant, S. E., Moshavi, D. and Nguyen, T. V. (2007), ‘A field study on organizational commitment, professional commitment and peer mentoring,’ SIGMIS Database, 38 (2), 61-74.
Publisher Google Scholar

Bulgurcu, B., Cavusoglu, H. and Benbasat, I. (2010), ‘Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness,’ MIS Quarterly, 34 (3), 523-548.

CEPIS Professionalism Taskforce (2010), ‘Promoting IT professionalism in Europe: CEPIS vision and action plan,’ The European Journal for the Informatics Professional, 11 (5), 6.

Chan, M., Woon, I. and Kankanhalli, A. (2005), ‘Perceptions of information security in the workplace: Linking information security climate to compliant behavior,’ Journal of information privacy and security, 1 (3), 18-41.

Chang, A.-T., Wu, C.-Y. and Liu, H.-W. (2012), ‘The effects of job satisfaction and organization commitment on information security policy adoption and compliance’ Management of Innovation and Technology (ICMIT), 2012 IEEE International Conference on, 442-446.

Chin, W. W. (1998), ‘Issues and opinion on structural equation modeling,’ MIS Quarterly, 22 (1), 7-16.

Chin, W. W. (2010),  How to write up and report pls analyses. Handbook of partial least squares: Concepts, methods and application. Esposito Vinzi, V., Chin, W. W., Henseler, J. and Wang, H. (eds.), Springer, New York.

Chin, W. W., Marcolin, B. L. and Newsted, P. R. (2003), ‘A partial least squares latent variable modeling approach for measuring interaction effects: Results from a monte carlo simulation study and an electronic-mail emotion/adoption study,’ Information Systems Research, 14 (2), 189-217.
Publisher

Dillman, D. A. (2000), Mail and internet surveys: The tailored design method, John Wiley and Sons, Inc., New York.

Dixon, M. (2002), Information technology practitioner skills in Europe. Frankfurt: Council of European Professional Informatics Societies.

Evolven. (2013). A year in review: 7 major outages from 2012 [Online]. [Retrieved 24 May 2013] [Available: http://www.evolven.com/blog/7-major-outages-from-2012.html].

Fishbein, M. and Ajzen, I. (1975), Belief, attitude, intention and behavior: An introduction to theory and research, Addison-Wesley, Reading.

Fornell, C. and Larcker, D. F. (1981), ‘Evaluating structural equation models with unobservable variables and measurement error.,‘ Journal of Marketing Research, 18 (1), 39-50.
Publisher Google Scholar

Gallagher, K. and Worrell, J. (2008), ‘Organizing IT to promote agility,‘ Information Technology and Management, 9 (1), 71-88.
Publisher Google Scholar

Gefen, D., Straub, D. and Boudreau, M. C. (2000), ‘Structural equation modeling and regression: Guidelines for research practice,’ Communications of the Association for Information Systems, 4 (7), 1-80.

George, J. F. (2004), ‘The theory of planned behavior and internet purchasing,‘ Internet Research, 14 (3), 198 – 212.
Publisher Google Scholar

Goles, T., Hawk, S. and Kaiser, K. M. (2008), ‘Information technology workforce skills: The software and IT services provider perspective,’ Information Systems Frontiers, 10 (2), 179-194.
Publisher Google Scholar

Grembergen, W. V. (2000), ‘The balanced scorecard and IT governance.,’ Information Systems Control Journal, 2, 40-43.

Grembergen, W. V. (2002), ‘Introduction to the minitrack IT governance and its mechanisms‘ Proceedings of the 35th Hawaii International Conference on System Sciences (HICSS), 7-10.
Publisher

Grembergen, W. V., Haes, S. D. and Guldentops, E. (2004),  Structures, processes and relational mechanisms for IT governance. Strategies for information technology governance. Van Grembergen, W. (ed.), Idea Group Publishing., Hershey, PA.

Haes, S. D., Gemke, D., Thorp, J. and Grembergen, W. V. (2011), ‘The evolution of KLM’s enterprise governance of IT,’ MIS Quarterly Executive, 10 (3).

Haes, S. D. and Grembergen, W. V. (2004), ‘IT governance and its mechanisms,’ Information Systems Control Journal, 1, 27-33.

Haes, S. D. and Grembergen, W. V. (2006), ‘Information technology governance best practices in Belgian organisations’ System Sciences, 2006. HICSS’06. Proceedings of the 39th Annual Hawaii International Conference on, 8, 195b-195b.

Haes, S. D. and Grembergen, W. V. (2008), ‘Practices in IT governance and business/IT alignment,’ Information Systems Control Journal, 2, 23-27.

Haes, S. D. and Grembergen, W. V. (2009), ‘An exploratory study into IT governance implementations and its impact on business/IT alignment,’ Information Systems Management, 26 (2), 123-137.
Publisher

Hair, J. F., Black, W. C., Babin, B. J. and Anderson, R. E. (2010), Multivariate data analysis: A global perspective, Pearson Education, Upper Saddle River, NJ.

Hale, J. L., Householder, B. J. and Greene, K. L. (2003), The theory of reasoned action. The persuasion handbook: Developments in theory and practice, Dillard, J. P. and Pfau, M. (eds.), Sage, Thousand Oaks, CA.

Hefner, R. (2003), ‘Aligning strategies: Organizational, project, individual [IT governance]’ System Sciences, 2003. Proceedings of the 36th Annual Hawaii International Conference on, 9 pp.

Herath, T. and Rao, H. R. (2009), ‘Protection motivation and deterrence: A framework for security policy compliance in organisations,’ Eur J Inf Syst, 18 (2), 106-125.
Publisher Google Scholar

Hertel, G., Geister, S. and Konradt, U. (2005), ‘Managing virtual teams: A review of current empirical research,‘ Human Resource Management Review, 15 (1), 69-95.
Publisher Google Scholar

Huang, R., Zmud, R. W. and Price, R. L. (2010), ‘Influencing the effectiveness of IT governance practices through steering committees and communication policies,’ Eur J Inf Syst, 19 (3), 288-302.
Publisher Google Scholar

Ifinedo, P. (2012), ‘Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory,‘ Computers & Security, 31 (1), 83-95.
Publisher Google Scholar

ISACA (2011), Global status report on the governance of enterprise IT (GEIT) – 2011.

ISACA (2012a), 2012 governance of enterprise IT (GEIT) survey – Global edition.

ISACA (2012b), COBIT 5: A business framework for the governance and management of enterprise IT, ISACA, Rolling Meadows, IL.

ISACA (2012c), Isaca 2012 IT risk reward barometer survey results.

Ismail, N. A. (2008), ‘Information technology governance, funding and structure: A case analysis of a public university in Malaysia,’ Campus-Wide Information Systems, 25 (3), 145-160.
Publisher Google Scholar

Ismail, N. A., Raja Mohd. Ali, R. H., Mat Saat, R. and Mohamad Hsbollah, H. (2007a), ‘Strategic information systems planning in Malaysian public universities,‘ Campus-Wide Information Systems, 24 (5), 331-41.
Publisher Google Scholar

Ismail, S., Alias, R. A., Ibrahim, O. and Abdul Rahman, A. (2007b), An integrated framework for IT governance in the Malaysian Ministry of Education. Postgraduate Annual Research Seminar (PARS ’07). UTM, Malaysia.

ISO/IEC (2008), ISO/IEC 38500:2008 Corporate governance of information technology. International Organization for Standardization/International Electrotechnical Commission.

ITGI (2003), Board briefing on IT governance, IT Governance Institute, IL.

Johnston, A. C. and Warkentin, M. (2010), ‘Fear appeals and information security behaviors: An empirical study,’ MIS Quarterly, 34 (3), 549.

Kaur, J., Mohamed, N. and Ahlan, A. R. (2011), ‘A confirmatory factor analysis of the information technology governance effectiveness: Evidence from Malaysia’ Research and Innovation in Information Systems (ICRIIS), 2011 International Conference on, 23-24 Nov 2011, 1-5.

Kilic, N. and Metin, B. (2012), ‘Importance of education in information technology governance’ Logistics and Industrial Informatics (LINDI), 2012 4th IEEE International Symposium on, 65-68.

Knapp, K. J., Marshall, T. E., Rainer, R. K. and Ford, F. N. (2006), ‘Information security: Management’s effect on culture and policy,‘ Information Management & Computer Security, 14 (1), 24-36.
Publisher Google Scholar

Korac-Kakabadse, N. and Kakabadse, A. (2001), ‘IS/IT governance: Need for an integrated model,’ Corporate Governance, 1 (4), 9-11.
Publisher Google Scholar

Leonard, L. N. K., Cronan, T. P. and Kreie, J. (2004), ‘What influences IT ethical behavior intentions—planned behavior, reasoned action, perceived importance, or individual characteristics?,‘ Information & Management, 42 (1), 143-158.
Publisher Google Scholar

Lohmöller, J.-B. (1989), Latent variables path modeling with partial least squares, Physica-Verlag, Heildelberg.
Publisher

Maidin, S. S. and Arshad, N. H. (2010), ‘Information technology governance practices in Malaysian public sector‘ 2010 International Conference on Financial Theory and Engineering (ICFTE), 281-285.
Publisher Google Scholar

Mansur, A. (2010), ‘Measuring IT governance effectiveness using ITG diagnostic diamond: A case study of information technology division, IIUM’ Information and Communication Technology for the Muslim World (ICT4M), 2010 International Conference on, C-1-C-6.

Marcoulides, G. A., Chin, W. W. and Saunders, C. (2009), ‘A critical look at partial least squares modeling,’ MIS Quarterly, 33 (1), 171-175.

McKinsey. (2012). Delivering large-scale IT projects on time, on budget, and on value [Online]. [Retrieved 31 Oct 2012] [Available: http://www.mckinsey.com/insights/business_technology/
delivering_large-scale_it_projects_on_time_on_budget_and_on_value].

Meyer, J. P. and Allen, N. J. (1991), ‘A three-component conceptualization of organizational commitment,‘ Human Resources Management Review, 1 (1), 61-89.
Publisher Google Scholar

Mohamed, N. and Gian Singh, J. K. (2012), ‘A conceptual framework for information technology governance effectiveness in private organizations,’ Information Management & Computer Security, 20 (2), 88-106.

Monnoyer, E. and Willmott, P. (2005), ‘What IT leaders do: Companies that rely on IT governance systems alone will come up short,’ McKinsey Quarterly on IT, 2-6.

Mowday, R. T. (1998), ‘Reflections on the study and relevance of organizational commitment,‘ Human Resource Management Review, 8 (4), 387-401.
Publisher Google Scholar

Mowday, R. T., Porter, L. W. and Steers, R. M. (1982), Employee-organization linkages: The psychology of commitment, absenteeism, and turnover, Academic Press, San Diego, CA.

National Computing Centre (2005), IT governance: Developing a successful governance strategy – a best practice guide for decision makers in IT, National Computing Centre, Manchester.

Nolan, R. and McFarlan, F. W. (2005), ‘Information technology and the board of directors,’ Harvard Business Review, 83 (10), 96-106.

Othman, M. F. I. and Chan, T. (2013), ‘Barriers to formal IT governance practice–insights from a qualitative study’ System Sciences (HICSS), 2013 46th Hawaii International Conference on, 4415-4424.

Othman, M. F. I., Chan, T., Foo, E., Nelson, K. J. and Timbrell, G. T. (2011), Barriers to information technology governance adoption : A preliminary empirical investigation. In: Soliman, K. S. (ed.) Proceedings of 15th International Business Information Management Association Conference.

Peterson, R. (2004), ‘Crafting information technology governance,‘ Information Systems Management, 21 (4), 7-22.
Publisher Google Scholar

Podsakoff, P. M., MacKenzie, S. B., Lee, J. Y. and Podsakoff, N. P. (2003), ‘Common method biases in behavioral research: A critical review of the literature and recommended remedies,‘ Journal of Applied Psychology, 88 (5), 879.
PwC (2012), Information security breaches survey – Technical report.
Publisher Google Scholar

Ringle, C. M., Wende, S. and Will, A. (2005), SmartPLS. 2.0 (beta) ed. Hamburg, Germany: SmartPLS.

Robertson, C. J., Crittenden, W. F., Brady, M. K. and Hoffman, J. J. (2002), ‘Situational ethics across borders: A multicultural examination,‘ Journal of Business Ethics, 38 (4), 327-338.
Publisher Google Scholar

Scholarios, D. and Marks, A. (2004), ‘Work-life balance and the software worker,‘ Human Resource Management Journal, 14 (2), 54-74.
Publisher Google Scholar

Simonsson, M. and Johnson, P. (2006), ‘Assessment of IT governance-A prioritization of Cobit’ Proceedings of the Conference on Systems Engineering Research, 1-10.

Stanton, J. M., Stam, K. R., Guzman, I. and Caledra, C. (2003), ‘Examining the linkage between organizational commitment and information security’ Systems, Man and Cybernetics, 2003. IEEE International Conference on, 3, 2501-2506.

Szajna, B. (1994), ‘Research note,’ MIS Quarterly, 18 (3), 319-324.
Publisher

Tan, K. S., Eze, U. C. and Teo, W. L. (2008), ‘Information technology governance in the Malaysian electronics manufacturing industry,’ Communications of the IBIMA, 3, 138-144.

Tan, K. S., Teo, W. L. and Lai, K. P. (2009), ‘The applicability of information technology governance in the Malaysian SMEs’ Proceeding of 12th International Business Information Management Conference.

Tan, K. S., Teo, W. L. and Lai, K. P. (2011), ‘The applicability of information technology governance in the Malaysian SMEs,’ Journal of Innovation Management in Small and Medium Enterprises, 2011, 1-10.
Publisher

Teo, W. L. and Tan, K. S. (2010),  Adoption of information technology governance in the electronics manufacturing sector in Malaysia. Enterprise IT governance, business value and performance measurement. Shi, N. S. and Silvius, G. (eds.), IGI Global, Hershey, PA.

Webb, P., Pollard, C. and Ridley, G. (2006), ‘Attempting to define IT governance: Wisdom or folly?’ System Sciences, 2006. HICSS’06. Proceedings of the 39th Annual Hawaii International Conference on, 8, 194a-194a.

Weill, P. and Ross, J. W. (2004), IT governance: How top performers manage IT decision rights for superior results, Harvard Business School Press, Boston, MA.

Willcocks, L., Feeny, D. and Olson, N. (2006), ‘Implementing core IS capabilities:: Feeny–Willcocks IT governance and management framework revisited,‘ European Management Journal, 24 (1), 28-37.
Publisher Google Scholar

Wold, H. (1982),  Soft modelling, the basic design and some extensions. Systems under indirect observation: Causality-structure-prediction. Part ii. Wold, H. and Jöreskog, K.-G. (eds.), North-Holland Publishing Company, Amsterdam.

Yap, M. L., Noor Habibah, A., Halilah, H., Yap, B. W., Muhammad, Y. and Azlinah, M. (2010), ‘IT governance awareness and practices: An insight from Malaysian senior management perspective,’ Journal of Business Systems, Governance and Ethics, 5 (1), 43-57.