A neo-institutional perspective on the establishment of information security knowledge sharing practices

•Institutional factors impact the establishment of ISKS practices in a firm.•Top management participation is a fundamental requirement for establishing an ISKS.•ISKS practices are necessary for ensuring security compliance.•ISKS practices are required to ensure proliferation of effective security culture.•ISKS = information security knowledge sharing. Information security knowledge sharing (ISKS) among an organization's employees is vital to the organization's ability to protect itself from any number of prevalent threats, yet for many organizations, their ability to establish ISKS practices is hampered by a lack of understanding of where and how the key drivers of these practices will emerge. Based on neoinstitutional theory and a multi-study field survey of 834 professional managers in the USA, we develop and test a model that explains the establishment of ISKS practices in an organization as a product of the institutional forces abut to the organization providing normative, mimetic, and coercive influences on top management beliefs and participations in ISKS. Our findings also emphasize the importance of establishing ISKS practices for ensuring employee compliance with information security policies and an effective culture of security. Prior research has shown the importance of institutional forces on organizational processes as well as the importance of ISKS to organizational security efforts. However, this study is one of the early studies to provide insight into the manner, in which institutional forces hold sway over the people responsible for establishing the ISKS practices of a firm; insight that it is essential for firms that have yet to establish such practices or have struggled in their attempts to do so.